By Arletta Gorecka, PhD Candidate, University of Strathclyde, UK.

  1. Introduction

Traditionally, competition law and privacy have been seen as separate. The influence of Google, Apple, Meta (Facebook), Amazon, and Microsoft has blurred the divide between privacy and competition law. This post provides a brief overview of the debate, with an attempt to map out the blurry relationship between competition law and data privacy law.

  1. A blurry relationship between competition law and data privacy law: the Facebook saga

The current EU-level approach to privacy infringements, as per the case of Asnef-Equifax (C-238/05, para 177) indicates that: ‘any possible issues relating to the sensitivity of personal data are not, as such, a matter for competition law, they may be resolved on the basis of the relevant provisions governing data protection.’ However, the present developments in the digital economy have made the debate on the intersection between competition law and privacy more salient. Below I focus on the Facebook decision (Case B6-22/16, Case C-252/21), as the most recent and quintessential judicial developments on this matter.

In 2019, the German Competition Authority (BKA) found Facebook liable for infringing competition law due to its extensive data collection, aggregation and use of its users’ personal data (Case B6-22/16, ). The BKA was concerned with two antitrust issues: (1) the accumulation of the data allowed Facebook to entrench the dominant position (Case B6-22/16, , page 11), and (2) the single catch-all consent of Facebook users to be unfair under Art 102(a) TFEU (Case B6-22/16, , page 5). The Facebook case (2019) was the first antitrust assessment of unfair digital trading conditions and their corresponding effects on users’ privacy. Hence, the BKA decision faced considerable doubts from the Higher German Courts. Firstly, the Düsseldorf Court of Appeal provided its insight when Facebook sought interim relief again the BKA’s decision and requested an interim suspension of that decision (Case VI-Kart 1/19 (V)). According to the Düsseldorf judges, the BKA was wrong to assume that there was a nexus between possible privacy-related infringement and competition law infringement (taking a form of unfair terms and conditions). Essentially, the Düsseldorf judges indicated that the BKA focus was shifted on data protection infringement rather than competition law infringement, and consequently should be rejected. However, the German Supreme Court (Case KVR 69/19) overturned the decision, confirming that Facebook abused its dominant position on the German social networks market to the detriment of users: users were seen as locked-in in unfair trading terms with Facebook, which deprived private users of Facebook choice as to whether they agree to more personalisation with Facebook having, arguably, unlimited access to characteristics of any internet user.

The case has been referred to the Court of Justice for a preliminary reference (Case C-252/21). In relation to the intersection between competition law and data privacy law, the Court of Justice was asked: (1) whether the consent, as per the GDPR meaning, could effectively be given to a dominant undertaking (Case C-252/21, page 5); (2) whether the BKA was competent to find the GDPR infringement in their competition law investigation (Case C-252/21, page 1). In September 2022, AG Rantos delivered his opinion on the Facebook case, with his decision intending to predate how the Court of Justice could interpret the interpretation of the intersection between competition law and privacy (Case C-252/21, AG Rantos opinion). AG Rantos’ opinion attempted to provide some clarity on the intersection between competition law and data privacy law. AG Rantos emphasised that a breach of the GDPR on its own cannot be unlawful under Article 102 TFEU. Yet, without the GDPR infringement, the conduct that harmed competition would not exist at all. In essence, AG Rantos concluded that, although competition law and GDPR pursue different objectives, competition law should be able to incidentally consider privacy-related harms without triggering the ne bis in idem principle, if a data protection authority has decided the same case. AG Rantos concluded that the BKA was not competent to establish the GDPR breach. However, AG Rantos opined that the BKA did not penalise the breach of the relevant data protection laws by Facebook. Instead, the BKA analysed the alleged abuse of Facebook’s dominant position, through consideration of Facebook’s non-compliance with the GDPR provisions. In AG Rantos’ view, the BKA’s application of the GDPR in the competition law assessment was incidental. AG Rantos’ opinion attempted to provide some clarity on the intersection between competition law and data privacy law. In fact, it emphasised that the GDPR breach on its own cannot be seen as unlawful under Article 102 TFEU. Essentially, AG Santos left the discussion on the intersection between competition law and privacy open, potentially on the ground that it is beyond the scope of competition law to remediate mere privacy related harms.

  1. Achieving a nexus between competition law and privacy

Although AG Rantos provided some guidance on the issue, the debate on the intersection between privacy-related harms and competition law is still popular. Based on the argumentation of AG Rantos, the problems of competition law and data-related harms are interlinked, and competition law should only remediate such concerns that directly harm competition in a relevant market. However, we are still left without guidance on how to assess any privacy-related harms in competition law cases.

The growing economic significance of data requires adoption of a new concept of consumer harm, which adopts an evolutionary interpretation of the current competition enforcement, especially the abuse of market dominance concept. Digital-consumers-oriented markets are characterised by weak competition, and widespread confusion about the privacy-related consequences of the terms and conditions (T&C’s) offered by digital platforms and service providers. Consumers are exploited by the digital platforms as they are unable to act upon the offered T&Cs due to informational asymmetries and their bounded rationality. In this context, I argue that the competition law authorities should focus on establishing the scenarios where the processing of data gives a rise to anticompetitive effects. To this effect, they need to determine (i) the kind of data collected and processed and (ii) whether the data has been collected and processed unlawfully.

I propose the following:

  • Competition law should intervene in conduct involving privacy-related theories of harm only if privacy-related harm relates to the market failure, not to the privacy rights itself.

Competition law and theories of harm as per Article 102 TFEU might acknowledge privacy-related harms in their assessment. Privacy-centred harms connotes a harm direct to a digital end-consumer, and could take a form of unfair terms of use, or extensive data acquisition (Case B6-22/16,). In order to implement competition policy effectiveness for any privacy-related harm, the only possibility is to focus on consumer welfare and the effects on consumers. Hence, the direct harm of the gatekeepers extensive data acquisition could amount to theories of harm, where users are directly harmed, and we could acknowledge privacy as an element of abusive behaviour.

  • Even if we agree that privacy-related harms could form a part of antitrust assessment, privacy-protection will not form a standalone argument.

Privacy could form an element of abuse behaviour and might be taken into consideration by competition authorities as a broader component of an economic and behaviour harm (Case C-252/21, AG Rantos opinion). Acquisition of the data on its own is abuse and could positively influence products or services and promote competition. Instead, the crucial element of antitrust law violation is some form of misconduct that violates competition. This approach acknowledges competition law as being limited to competitive issues but postulates that privacy protection could be seen as a quality parameter (Facebook/WhatsApp, COMP/M.7217; Microsoft/LinkedIn, Case COMP/M.8124). Even if we assume that privacy itself might not be easily reduced to a commodity on the markets, privacy protectionism will be recognised as an element of a product’s quality. To the extent that individuals value privacy, protection competition enables consumers to choose better privacy. By promoting competition in the markets, competition enforcement might ensure consumers can make real choices among products and services.

3.1. How does it relate to consumers?

Digital platforms have become an inevitable part of commercial and social interactions, and the use of data is deeply grounded in the aspects of business-to-consumer relation. The precise contours of relationship between competition law and privacy protectionism remain unclear. Essentially, the debate still fluctuates around the concept that there is no ex ante choice available to the individuals, under the EU data protection law, as to whether they want their personal data to be processed. Although consent is required, individuals are unable to thoroughly consent to a real purpose of data processions. AG Rantos opinion demonstrated that it could be available for competition law tools to consider privacy-related harms in a broader context. This could relate to acknowledging that privacy protectionism is indeed capable of being broadly define. Unquestionably, any breaches of privacy affect a great number of peoples and could potentially compromise the process of democracy. Competition law would be, therefore, able to remediate privacy related harms if they directly refer to breaching competition and would take form of extensive data acquisition. Clearly, such judicial step corresponds to acknowledging the protection of the key EU aims: protection of single market, human rights and democracy.

  1. Conclusions

Competition law could contribute to effective privacy protection if the privacy-related concerns if they directly influence competition. I propose that competition law might acknowledge the privacy parameter in both spectra: through theories of harm and a quality parameter. Due to an unprecedented level of personal data collection and processing activities, large digital undertakings have superior access to data, which they could use for competitive advantage. By recognising the aggregation of personal data as a potential source of market power, competition law enforcement might provide recourse where companies use their market power to inflict harm degrading privacy. Strong competition law policy protects and promotes competitive markets as well as promotes consumer choice and enhances market-based limits on privacy violations.