
Competition Law, Data Protection Law and the Testcase of Facebook: Should there be an alignment between Data Protection Law and Competition Law?


Academic year: 2021


Carolin Cornely

Number of words: 12778

Supervisor: Prof. Thomas Vandamme

Competition Law, Data Protection Law and the Testcase of Facebook

Should there be an alignment between Data Protection Law and Competition Law?

Abstract:

This thesis focuses on the gradual intertwinement of data protection law and competition law, taking the recent Facebook v Bundeskartellamt decision as well as the subsequent decisions issued by the OLG Düsseldorf and the Bundesgerichtshof as a point of reference. Dominant undertakings such as Facebook process vast amounts of data, oftentimes without the express and informed consent of data subjects. This not only violates data protection law, it also violates competition law, as the user and his/her data are being exploited. Two areas of law are therefore navigating towards each other, which brings inherent difficulties in terms of enforcement and the dangers of dual procedures. This can be seen in the three decisions this thesis will illustrate, which provide different standpoints on how courts, and most importantly which courts, should go after dominant undertakings that process personal data. It will be argued that the current data protection framework, the GDPR, does not sufficiently constitute a legal basis due to its lack of a competition law reference. There appears to be a need to establish more cooperation between data protection authorities and competition law authorities in order to ensure a proper legal enforcement mechanism, which is of crucial importance to safeguard the fundamental rights of data subjects whose data is being processed. Data processing will not cease in the near future; it will continue, which is why it is desirable, to say the least, that the respective laws keep up.


Table of Contents

I. Introduction
II. Data Protection
1. Brief Historic Background of Data Protection
2. European Convention on Human Rights
3. Data Protection within the EU Legal Framework
4. The General Data Protection Regulation
4.1 GDPR Impact on Tech Giants
4.2 GDPR relationship with Competition Law
III. Abuse of Dominant Position under German Competition Law
IV. Bundeskartellamt v Facebook
1. Legal Analysis
2. Market Dominance
3. Abusive Data Policy
4. Applicability of the GDPR
5. Data Protection Law Infringement leading to Manifestation of Market Power
6. Significance of the FCO’s Ruling
7. Oberlandesgericht Düsseldorf Ruling
8. Bundesgerichtshof Decision
V. Intertwinement of Competition Law and Data Protection Law
1. Differences between Competition Law and Data Protection Law
2. Dangers of a Dual Mechanism
3. Role of the Commission
4. Critical Assessment of the GDPR and possible improvements of Data Protection Framework
VI. Conclusion
VII. Bibliography


I. Introduction

It cannot be disputed that we live in a new era of technological advancement and increasing digitalisation. Undoubtedly, this comes with great advantages. We are able to connect virtually with anyone, anywhere in the world, and this happens instantly. Emails, text messages, pictures and videos can be sent to anyone within seconds. We are able to pay by credit card and use online banking services such as ApplePay and Paypal, which allow us to make transborder financial transactions whenever we want. But everything we send out and everything we click on, such as websites, leaves a trace, which takes us to the disadvantages of digitalisation. Nothing can ever truly be deleted; anything we choose to put on the internet will stay there.1 As such, we have to be aware of the information we choose to publish online, because every piece of information about us amounts to personal data and allows the internet to create cyber profiles about each individual user. The user oftentimes is not even aware of this and does not realise that with each click, he or she gives up personal data. The question arises as to who sits at the other end of this data transfer and therefore who is ultimately in control of the data. Technology giants such as Google, Amazon and Facebook come to mind, who attract billions of users every day and thus have an extensive amount of data at their disposal. In relation to Facebook’s quest to combine the user data it collects through Instagram, WhatsApp and all other Facebook-owned platforms, the German Bundeskartellamt has spoken of a “loss of control” from the user’s perspective.2 The users lose the ability to control how their personal data is processed and they are not aware which data sources are being merged for which purpose.3 It can even be argued that data is the new currency and as such, similar to other financial currencies, there must be a regulatory framework in place. The question arises as to which legal area plays a role here. On the one hand, Facebook is a dominant force on the market due to its billions of users, which would suggest that competition law is the applicable framework. On the other hand, since what is at stake is the abuse of personal data, the data protection law framework plays a fundamental part as well. However, competition law and data protection law are two distinct areas of law with different enforcement and supervisory systems. On which basis do you therefore go after dominant market players such as Facebook? Do you opt for one or the other or do you combine the two? And if Tech giants can be prosecuted on the basis of both areas of law, how would dual procedural issues be dealt with, such as the problem of double jeopardy where an accused party is being tried twice for the same offence?4 This thesis’ research question is: Should there be an alignment between Data Protection Law and Competition Law?

1 “Why Your Data Will Never Be Deleted”, Forbes, Michael Fertik, June 9, 2015. Accessed 24 July 2020 <https://www.forbes.com/sites/michaelfertik/2015/06/09/why-your-data-will-never-be-deleted/#18e69c662371>

2 “German Regulators Just Outlawed Facebook’s Whole Ad Business”, Wired, Emily Dreyfuss, 2 July 2019. Accessed 24 July 2020 <https://www.wired.com/story/germany-facebook-antitrust-ruling/>

In order to answer this question, the focus of this thesis will be the recent Facebook v the German Bundeskartellamt judgment, as this was the first time a competition law authority based its legal assessment on the data protection law framework and specifically on the EU General Data Protection Regulation enacted in 2018. The judgement therefore sets an important precedent when it comes to the gradual inclusion of data protection law within the EU/German competition law framework. The thesis will be structured as follows. Firstly, a brief historic overview of the development of data protection law will be provided, as well as an illustration of the GDPR and its impact on Tech companies, in particular Facebook. Subsequently, the German competition law framework will be elaborated on, as it plays a large role in the judgment issued by the Bundeskartellamt. The Bundeskartellamt case will then be discussed in detail, as well as the subsequent judgment delivered by the Oberlandesgericht Düsseldorf and the final judgment given by the Bundesgerichtshof. Afterwards, the discussion of data protection law and competition law will be taken to a more abstract level, diving into a possible intertwinement and the resulting potential benefits and disadvantages. Furthermore, the standpoint of the Commission will be outlined, as the EU Commission normally plays a vital role when it comes to the enforcement of competition law. The Commission has largely refrained from going after Facebook when it comes to the exploitative use of personal data. It will be explored why that is and why leaving the enforcement to Member States (such as Germany) perhaps is not the most efficient way to hold Facebook accountable. This will be followed by an analysis of the GDPR, its successes and also its detrimental effects. The conclusion will present this thesis’ results.

The research methodology will include primary law such as the TEU, the TFEU and German national law, case law as well as secondary EU law. Further, academic articles, online journals, newspaper articles and books will be utilised. The closing date of research is July 24th, 2020.

4 Art. 50, Charter of Fundamental Rights of the European Union: “No one shall be liable to be tried or punished again in criminal proceedings for an offence for which he or she has already been finally acquitted or convicted within the Union in accordance with the law.”


II. Data Protection

1. Brief Historic Background of Data Protection

The data protection movement first started in Europe in the 1970s, when states adopted laws in order to monitor and keep in check the processing of personal information by the authorities and big companies.5 Subsequently, data protection instruments were adopted Europe-wide and since then, data protection has transformed into an established field of law.6 At the European Union level, data protection is a fundamental right.7 In addition, data protection is seen as a right that must be protected proactively, as the mere prohibition on interference is not sufficient.8 Accordingly, an appropriate judicial framework must be put in place to safeguard an individual’s rights should their personal data be processed.

In particular, whenever personal data is being processed, it must be subject to autonomous supervision as well as respect the individual’s rights.9

This is laid down in art. 8 of the EU Charter of Fundamental Rights, according to which the processing of personal data must be “fair, for specified purposes, and based on either the consent of the person concerned or a legitimate basis laid down by law.”10

Furthermore, it states that “everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified”.11

5 “Handbook on European data protection law”, EU publications, Council of Europe; European Court of Human Rights; European Data Protection Supervisor, European Union Agency For Fundamental Rights. 2018 edition, p.18.

6 Ibid.

7 Art. 8, Charter of Fundamental Rights of the European Union

8 “Handbook on European data protection law”, EU publications, Council of Europe; European Court of Human Rights; European Data Protection Supervisor, European Union Agency For Fundamental Rights. 2018 edition, p.20.

9 Ibid.

10 Art. 8, Charter of Fundamental Rights of the European Union

11 Ibid.


2. European Convention on Human Rights

Art. 8 ECHR “the right to respect for private and family life, home and correspondence” incorporates the right to personal data protection.12

That right is not absolute, which means that certain derogations are possible as long as a balance is being upheld between the right to privacy and, for example, freedom of expression.13

Therefore, in order to assess whether or not there has been an interference with the right to personal data covered under art. 8, the Court (ECtHR) aims to conduct a weighing of all interests at stake.14 Just as is the case within the EU, in some cases the ECHR too requires contracting states to take positive action to comply with the right to data protection.15

3. Data Protection within the EU legal framework

The entry into force of the Treaty of Lisbon marked a significant step in the emergence of EU data protection law as it gave the Charter of the European Union legally binding character and added the right to personal data protection.16 That right is also laid down in art. 16 TFEU: “Everyone has the right to the protection of personal data concerning them”.17 Art. 16(2) provides for an independent legal basis with which the EU can legislate specifically on data protection law matters.18 This is significant as before, any data protection instruments were based on art. 114 TFEU, namely the commitment to harmonise national laws.19 Art. 16 TFEU as an independent legal basis provides for the option to develop more modern and far-reaching data protection rules not solely tied to the need to harmonise national laws. The article also emphasises that “Compliance with these rules shall be subject to the control of independent authorities.”20 The supervisory mechanism of data protection is something that will be explored in more detail later on. The General Data Protection Regulation, which recently (2018) became enforceable, was legislated on the basis of art. 16 TFEU.

12 “European Data Protection: Coming of Age”, Gutwirth, Leenes, De Hert, Poullet; Springer, 2013, p. 273.

13 “Protecting the right to respect for private and family life under the European Convention”, Ivana Roagna, Council of Europe human rights handbooks, 2012, p. 46.

14 “When Human Rights Clash at the European Court of Human Rights”, Smet, Brems; Oxford University Press, 2017, p. 191.

15 “The Unaccountable State of Surveillance; Exercising Access Rights in Europe”, Norris, de Hert, L’Hoiry, Galetta; Springer, 2017, p. 374.

16 “EU Security and Justice Law”, Arcarazo and Murphy; Bloomsbury Publishing, 2014, p. 183.

17 Art. 16 (1), TFEU

18 Art. 16 (2), TFEU

19 “Handbook on European data protection law”, EU publications, Council of Europe; European Court of Human Rights; European Data Protection Supervisor, European Union Agency For Fundamental Rights. 2018 edition, p.28.

4. The General Data Protection Regulation

The GDPR replaces EU Directive 95/46 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.21

The GDPR in parts overlaps with EU Directive 95/46 except for its enhanced precision and attention to detail in specific areas.22 Furthermore, since the GDPR is an EU regulation, it automatically applies in all EU member states without the need to implement the provisions into domestic law first.23 This provides for a level playing field of data protection across the EU with all member states having the same data protection rules in place.

The GDPR also considers the great technological advancement in the past 20 years which is prone to impact data subjects’ privacy rights.24 The extraterritorial applicability of the GDPR combined with the GDPR’s goal to keep intact users’ privacy rights in the modern technological era shows that Tech giants such as Amazon, Google and Facebook are greatly impacted by the GDPR. Recital 6 of the GDPR summarises this as follows: “Rapid technological developments and globalisation have brought new challenges for the protection of personal data. The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Natural persons increasingly make personal information available publicly and globally. Technology has transformed both the economy and social life, and should further facilitate the free flow of personal data within the Union and the transfer to third countries and international organisations, while ensuring a high level of the protection of personal data.”25 There is no doubt that the GDPR in general and specifically recital 6 address tech giants who have access to an abundant amount of user data. Before the enactment of the GDPR, that user data, which was voluntarily disclosed by individuals, could be further processed by Google and Facebook as the rules under directive 95/46 were more lenient.26

21 “Why is GDPR important”, Visma, accessed 24 July 2020 <https://www.visma.com/gdpr/why-is-gdpr-important/>.

22 Ibid.

23 “Handbook on European data protection law”, EU publications, Council of Europe; European Court of Human Rights; European Data Protection Supervisor, European Union Agency For Fundamental Rights. 2018 edition, p.31.

24 “Why is GDPR important”, Visma, accessed 24 July 2020 <https://www.visma.com/gdpr/why-is-gdpr-important/>.

Now, as a result of the GDPR, user data may not be processed for any purpose without the explicit consent of the user.27 That principle is called “Purpose limitation” which ensures that personal data may only be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”.28 This principle will be explained in more detail below.

Some other key articles enacted in the GDPR deserve to be mentioned here, especially in light of the Bundeskartellamt Facebook case which will be elaborated on below.

It should be noted that many of the principles laid down in the GDPR were already present in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.29 However, some of these are now more defined or at least made more explicit.30 Moreover, contrary to the directive, there is no longer a principle regarding the individual’s rights.31 Instead, these are now listed separately in Chapter III of the GDPR.32 Additionally, a new principle has been added, namely the accountability principle, which obliges the controller to be “responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”33 All seven principles of the GDPR are listed in art. 5 (1). They are respectively ‘lawfulness, fairness and transparency’, ‘purpose limitation’, ‘data minimisation’, ‘accuracy’, ‘storage limitation’ and ‘integrity and confidentiality’.

In light of the focus of this paper and the subsequently discussed Facebook v Bundeskartellamt case, the first three principles will be illustrated in more detail.

As part of the first principle, ‘lawfulness, fairness and transparency’, ‘lawfulness’ relates to the duty to base the processing of data on a legal (lawful) basis. There are six possible legal bases, which are: Consent, Performance of a Contract, Legitimate Interest, Vital Interest, Legal Requirement and Public Interest.34

26 “How the GDPR will disrupt Google and Facebook”, Jess Lang, 2017, accessed 24 July 2020 <https://blockthrough.com/2017/08/30/gdpr_risk_to_the_duopoly/>.

27 Art. 5, 6 GDPR

28 Art. 5 GDPR

29 “The Principles at a Glance”, Information Commissioner’s Office, accessed July 24 2020 <https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/principles/>.

30 Ibid.

31 Ibid.


‘Fairness’ requires the controller to process personal data in an “honest and fair way”, staying loyal to the data subjects.35 This also means that the collected data should be used in a way which the data subject reasonably expects it to be used.36 The controller is the person defining the purpose of how the data is processed and thereby essentially “controls” the data processing.37 Lastly, the transparency principle is respected if the data controller is open and “transparent” about the reasons for processing personal data and how it will be processed.38 This further obliges the controller to inform the data subject in an easily understandable and easily accessible format.39 ‘Transparency’ is directly linked to the fairness principle.40

As previously stated, the ‘purpose limitation’ principle requires personal data to only be collected “for specified, explicit and legitimate purposes” and it should further not be “processed in a manner that is incompatible with those purposes”.41 This means that Tech companies such as Facebook may not use individuals’ data for any other purpose than the one they have consented to.42 The purpose itself further has to be specific so as not to leave companies leeway to process the data further.43

EU data regulators have made clear that “a purpose that is vague or general, such as for instance ‘improving users’ experience’, ‘marketing purposes’, or ‘future research’ will - without further detail - usually not meet the criteria of being ‘specific’”.44

Last but not least, ‘Data minimisation’ means that only the amount of data absolutely necessary for a given purpose should be processed.45 As the term suggests, the processed data therefore should be as minimal as possible.46 Moreover, the data collected for one purpose cannot be used for another purpose without explicit user consent. The ‘Data Minimisation’ principle is therefore closely linked with the ‘Purpose Limitation’ principle.47

35 “Guide to the GDPR”, Gawronski; Kluwer Law International, 2019, p. 182.

36 “Lawfulness, Fairness, & Transparency”, Dataguise, accessed 24 July 2020 <https://www.dataguise.com/gdpr-knowledge-center/lawfulness-fairness-transparency-principle/>.

37 “Responsibilities under GDPR”, Research Support, University of Oxford, accessed 24 July 2020 <https://researchsupport.admin.ox.ac.uk/policy/data/responsibilities#:~:text=A%20data%20controller%20is%20the,or%20are%20to%20be%2C%20processed.>.

38 Art. 5 GDPR

39 “What does ‘lawfulness, fairness and transparency’ mean under EU Data Protection law”, de la Torre, Bee Journal, accessed 24 July 2020 <https://medium.com/golden-data/what-does-lawfulness-fairness-and-transparency-mean-under-eu-dp-law-a385d249d754>.

40 “Lawfulness, Fairness, & Transparency”, Dataguise, accessed 24 July 2020 <https://www.dataguise.com/gdpr-knowledge-center/lawfulness-fairness-transparency-principle/>.

41 “How the GDPR will disrupt Google and Facebook”, Jess Lang, 2017, accessed 24 July 2020 <https://blockthrough.com/2017/08/30/gdpr_risk_to_the_duopoly/>.

42 Ibid.

43 Ibid.

44 Article 29 Working Party, Opinion 03/2013 on purpose limitation, 2 April 2013, p. 16.

45 “GDPR: General Data Protection Regulation (EU) 2016/679: Post-Reform Personal Data Protection in the European Union”, Krzysztofek; Kluwer Law International, 2018, p. 283.

One might ask how US-based companies like Facebook are covered by EU legislation and, further, what the impact of the GDPR is on Tech giants and how they are adjusting to all GDPR principles. In light of the former, the GDPR has so-called “extra-territorial effect”, meaning as long as the data collected by a company belongs to an EU citizen, GDPR rules apply.48 It does not matter where the company is based; instead the focus is on where the data subjects are based.49 Art. 3(1) GDPR states as follows: “This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not”. Companies that are not established in the Union are covered in art. 3(2)(a) and (b): “This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.” Based on art. 3(2)(b), Facebook for instance is covered by the GDPR as Facebook’s services are used by data subjects in the European Union.50 Moreover, Facebook has its European headquarters in Dublin, Ireland.51

4.1. GDPR Impact on Tech Giants

Now that it is clear that many tech companies, including Facebook, are covered by the GDPR, the impact of the GDPR on them should be assessed. The focus will be on Facebook.

It goes without saying that big data companies had to adjust their business model by imposing stricter cyber security measures as well as stricter processes to manage personal data in a GDPR compliant way.52 As a result, Google, Facebook, Amazon and Co. updated their privacy policies.53 The question arises whether the updated privacy policies suffice to ensure a business model that is fully compliant with data protection law. Facebook has undoubtedly received heavy criticism and high fines for non-compliance with data protection rules.54

47 “Lawfulness, Fairness, & Transparency”, Dataguise, accessed 24 July 2020 <https://www.dataguise.com/gdpr-knowledge-center/lawfulness-fairness-transparency-principle/>.

48 “Does the GDPR apply to companies outside of the EU?”, GDPR.EU, accessed 24 July 2020 <https://gdpr.eu/companies-outside-of-europe/?cn-reloaded=1>.

49 Ibid.

50 “The EU could hit Facebook with billions in fines over privacy violations”, Digital Trends, Emily Price, 2019, accessed 24 July 2020 <https://www.digitaltrends.com/social-media/facebook-gdpr-decision/>.

51 Ibid.

52 “The Impact of GDPR on Global Technology Development”, Journal of Global Information Technology Management, Hi Li, Lu Yu, Wu He, 22:1, 1-6, accessed 24 July 2020 <https://www.tandfonline.com/doi/pdf/10.1080/1097198X.2019.1569186>.

Even before the enactment of the GDPR, the Cambridge Analytica Scandal caused Facebook to drastically rethink their privacy policies as the world got wind of Facebook transferring an abundant amount of user data to third parties in order for those to further their political campaigns.55 After the GDPR came into force in 2018, Facebook received a number of GDPR fines.56 Some of them, such as the UK Information Commissioner’s Office fine of 500.000 still related to the Cambridge Analytica Scandal.57 Moreover, the German authorities fined Facebook for non-compliance with the transparency principle when dealing with hate speech complaints.58 Furthermore, the Italian data protection authorities issued two fines of 10 million for not being honest to Facebook’s data subjects regarding the company’s data policies.59

The fact that Facebook has received so many GDPR related fines for not handling their user data appropriately is particularly bad given the dominant market position of Facebook and their respective access to an extensively large amount of user data. With this amount of data storage, companies should act extra carefully and responsibly.

When it comes to Facebook’s market share on the basis of daily users in Germany, it exceeds 95% on the relevant market, which is the social network market.60

4.2 GDPR relationship with Competition Law

Provisions directly related to competition law are, surprisingly, missing from the GDPR, which is why the question arises whether the GDPR permits warnings under competition law. There is an ongoing dispute regarding the interpretation of the GDPR articles dealing with recourse to other legal areas.61 Art. 77 GDPR lists various possibilities for affected parties to take action against data protection violations but does, as stated, not mention any claims under competition law. It is unclear whether the GDPR should be conclusive or not.62 Some argue that art. 77-84 GDPR contain conclusive provisions on the legal consequences of data protection infringements which do not provide for any claims under competition law. On the other hand, the Federation of German Consumer Organisations is of the opinion that European Union law, including the GDPR, does not preclude the assertion of claims under competition law.63 They even go so far as to say that the principle of “effet utile” requires the most effective possible enforcement of the European Data Protection Regulation, as the data protection authorities alone are not in a position to pursue and sanction GDPR infringements to the same extent.64 Moreover, as will be set out in more detail later, the FCO in its decision pointed out that the GDPR states that it may also be enforced under civil law, which according to the FCO opens up the possibility to also enforce the GDPR under a competition lens.65

53 “How do you solve a problem like Facebook?”, Information Age, Nick Ismail, 2018, accessed 24 July 2020 <https://www.information-age.com/solve-problem-facebook-123473565/>.

54 “A Year in the Life of the GDPR: Must Know Stats and Takeaways”, Varonis, Rob Sobers, accessed 24 July 2020 <https://www.varonis.com/blog/gdpr-effect-review/>.

55 “The Cambridge Analytica Scandal”, the Guardian, Julia Carriews, 2019, accessed 24 July 2020 <https://www.theguardian.com/technology/2019/mar/17/the-cambridge-analytica-scandal-changed-the-world-but-it-didnt-change-facebook>.

56 “Facebook and its past, present and future fines”, Panda, 2019, accessed 24 July 2020 <https://www.pandasecurity.com/mediacenter/news/facebook-fine-gdpr/>.

57 Ibid.

58 Ibid.

59 Ibid.

The previous chapters have focused on data protection law, but in light of Facebook’s dominant market position in Germany, it must be discussed how this is relevant in the context of German and EU competition law. The central point of this thesis is to analyse the interplay of data protection law and competition law. Now that the data protection framework has been largely covered, this thesis will illustrate the basics of German competition law.

III. Abuse of dominant position under German Competition Law

Under German competition law, the abuse of a dominant position is prohibited under §19(1) of the Act against Restraints of Competition (“ARC”).66 Similarly to art. 102 TFEU, there are two conditions, which are the existence of a dominant position and the abuse thereof (§19(1) ARC). The dominant position is defined in §18 ARC, which states that “an undertaking is dominant where, as a supplier or purchaser of a certain type of goods or commercial services on the relevant product and geographic market, it has no competitors (1), is not exposed to any substantial competition (2) or has a paramount market position in relation to its competitors (3).” Usually, an undertaking is dominant if it has a market share of at least 40% (§18(4) ARC). Various other criteria also play a role, such as the newly added §18(3a) ARC, which lists criteria related to the digital age: “direct and indirect network effects (1), the parallel use of services from different providers and the switching costs for users (2), the undertaking’s economies of scale arising in connection with network effects (3), the undertaking’s access to data relevant for competition (4), innovation-driven competitive pressure (5).”

61 “Kann die DSGVO über das UWG abgemahnt werden?”, Wilde Beuger Solmecke Rechtsanwälte, 2019, accessed 24 July 2020 <https://www.wbs-law.de/wettbewerbsrecht/kann-die-dsgvo-ueber-das-uwg-abgemahnt-werden-lg-wuerzburg-trifft-erste-entscheidung23849/#:~:text=I%2D12%20O%2085%2F15,nicht%20geltend%20gemacht%20werden%20kann.&text=Das%20Oberlandesgericht%20(OLG)%20Hamburg%20hat,Verst%C3%B6%C3%9Fe%20wettbewerbsrechtlich%20abgemahnt%20werden%20k%C3%B6nnen.>

62 Ibid.

63 Ibid.

64 Ibid.

65 Andreas Mundt, Fachartikel, 1 August 2017, Wettbewerb und Verbraucherschutz im Internet stärken, Sonderheft ‘Wohlstand für Alle – Geht’s noch?’ of the Ludwig Erhard Stiftung, 60–61 <http://www.ludwig-erhard.de/wp-content/uploads/LES_Sonderheft_2017.pdf> accessed 24 July 2020

A dominant market position is not prohibited as such; only the abuse thereof is. §19(2) ARC lists different scenarios on the basis of which an abuse would be established, such as if an undertaking “demands payment or other business terms which differ from those which would very likely arise if effective competition existed” (§19(1)(2)) or if an undertaking was to “demand(s) less favourable payment or other business terms than the dominant undertaking demands from similar purchasers in comparable markets, unless there is an objective justification for such differentiation” (§19(1)(3)). In general, when assessing whether an abuse took place, a balancing of interests test is applied between the interests of the dominant undertaking and the interests of the undertaking’s customers or suppliers.67 The German Bundesgerichtshof ruled in the VBL-Gegenwert case that general principles can be taken into account when applying the balancing of interests test.68 This is a rather significant ruling as it broadens the borders of competition law, for instance by including consumer protection law.69 One might argue therefore that the same technique could be used when incorporating general principles in the form of data protection law. In fact, this is what the Bundeskartellamt did with its decision from February 2019 when it ruled that Facebook had failed to obtain consent from its users for combining user data of Instagram, WhatsApp and third parties, thereby violating European data protection law, as well as German and EU competition law.70

67 FCJ, 6 November 1984, case no KVR 13/83, Favorit para 23; FCJ, 7 June 2016, case no KZR 6/15, Pechstein v. International Skating Union paras 48, 51; FCJ, 24 January 2017, case no KZR 2/15, Kabelkanalanlagen para 30.

68 FCJ, 6 November 2013, case no KZR 58/11, VBL-Gegenwert I; FCJ, 24 January 2017, case no KZR 47/14, VBL-Gegenwert II.

69 FCJ, 6 November 2013, case no KZR 58/11, VBL-Gegenwert I para 65; FCJ, 24 January 2017, case no KZR 47/14, VBL-Gegenwert II para 35.

The Bundeskartellamt granted Facebook a grace period of 12 months to get consent from its users regarding the planned data merger of all platforms Facebook uses to collect data.71 The judgement is of great legal significance as, for the first time, a competition law authority issued a judgement on the basis of data protection law and not competition law as such. It has led to a fruitful debate on how tech giants such as Facebook, who process vast amounts of personal data, can be tamed and whether the enforcement should be based on the competition law or data protection law framework.72 This legal debate received particular attention from legal scholars worldwide when the Oberlandesgericht in Düsseldorf quashed the Bundeskartellamt’s decision in August 2019 and ruled that Facebook be granted a suspension until a final decision is made by the Bundesgerichtshof.73 The following chapters will focus on an analysis of the legal reasoning of both the Bundeskartellamt and the Oberlandesgericht Düsseldorf. Subsequently, a few conclusions will be drawn and the legal dilemma will be brought to a more abstract level, focusing on the interplay between data protection and competition law and what a potential intertwinement could look like.

IV. Bundeskartellamt v Facebook

For the purposes of answering the research question, only the most significant parts of the rather long judgement will be elaborated on. The Bundeskartellamt (‘FCO’) based its decision of February 6th, 2019 on §19(1) ARC and argued that Facebook acted unlawfully by forcing users to agree to the combining of Facebook user data as well as all data collected by Facebook’s subsidiaries such as WhatsApp, Oculus, Masquerade, and Instagram, without obtaining explicit user consent.74 Facebook thereby allegedly makes the use and membership of Facebook dependent on Facebook being able to collect and combine data of all its owned and third-party-owned platforms.75 The FCO applied the same reasoning in connection to Facebook collecting data of Facebook users visiting websites or using third-party mobile applications.76 There is therefore no express and voluntary consent of the user as the data collection by Facebook amounts to a necessity in order for the user to be allowed to use

71 Ibid.

72 „Datenschutzrechtsverstöße als kartellrechtlicher Konditionsmissbrauch?“, Privacy Topics, pingdigital, Martin Fokken. Accessed 24 July 2020 < https://www.pingdigital.de/.download/_sid/UXQU-947655-pXb0/149038/ping_20190509.pdf>

73 “Facebook vs. Bundeskartellamt”, D’Kart, Rupprecht Podzun, 2019, accessed 24 July 2020 < https://www.d-kart.de/blog/2019/08/30/en-facebook-vs-bundeskartellamt/>.

74 FCO, Beschluss vom 06.02.2019, B6-22/16, para. 1(a).

75 Ibid.

Facebook. The FCO acknowledged that Facebook has an interest in collecting data for advertising purposes.77 However, it clarified that the advertising interest does not outweigh the interests of data subjects to not have their data processed and used outside of Facebook services.78 This is especially the case when users have little to no control as to the processing of their personal data and attribution to their respective Facebook accounts.79 Essentially, Facebook does not only collect data from users when they visit Facebook but also user data collected outside of Facebook with the help of ‘Facebook Business Tools’, a program used by advertisers, developers, and publishers.80 This is the case for instance when a Facebook user visits a third-party website that features a social plugin, e.g. a Facebook “like” button. Facebook justifies this by putting forward its legitimate interests as a legal basis.81

1. Legal Analysis

The FCO started its legal examination by defining the relevant market.82 With a view to the newly added Sections 18(2a) and (3a) of the German Competition Act (‘ARC’), the FCO started with an assessment of Facebook’s business model and the unique features of its services.83

Sections 18(2a) and 18(3a) of the ARC respectively read: “The assumption of a market shall not be invalidated by the fact that a good or service is provided free of charge” (§18(2a)) and “In particular in the case of multi-sided markets and networks, in assessing the market position of an undertaking account shall also be taken of: 1. Direct and indirect network effects, 2. The parallel use of services from different providers and the switching costs for users, 3. The undertaking’s economies of scale arising in connection with network effects, 4. The undertaking’s access to data relevant for competition, 5. Innovation-driven competitive pressure.”

It pointed out that Facebook is free of charge to its users and constitutes a multi-sided network pursuant to §18(3a). It is a multi-sided network as Facebook members make use of Facebook’s services free of charge on the one hand and on the other, Facebook sells the user data to

77 “Protecting consumers and their data through competition law? Rethinking abuse of dominance in light of the Federal Cartel Office’s Facebook”, Maximilian N. Volmar & Katharina O. Helmdach, 2018, accessed 24 July 2020 <https://www.tandfonline.com/doi/full/10.1080/17441056.2018.1538033>.

78 Ibid.

79 FCO, Beschluss vom 06.02.2019, B6-22/16, p.794.

80 Ibid.

81 Ibid.

82 FCO, Beschluss vom 06.02.2019, B6-22/16, para. 166

83 Ibid.

advertisers for the purpose of targeted advertising.84 This leads to the existence of indirect network effects between Facebook users and advertisers as essentially, the more users Facebook attracts, the more advertisers will be interested in buying the data in order to place advertisements. Additionally, Facebook offers products to publishers (businesses) and developers, such as marketing and analytic tools, i.e. social plugins in the form of “Like” buttons.85 As a result, the Facebook network is to be classified as a market service in line with §18(2a) ARC despite being free of charge to private users.86

As part of its definition of the relevant product market, the FCO assessed various other online services active in the “social media” sphere, such as Snapchat, Twitter, Pinterest, Xing, and LinkedIn. Crucial in determining the relevant market is how the offered product differs from other products on the market. The FCO found that the specific service Facebook offers cannot be compared with other services.87 LinkedIn and Xing, for example, offer services geared more towards professional and career ambitions and therefore concern another product market. The same holds true for Snapchat, Twitter, and Pinterest which all have diverse central functions and purposes. The FCO focused its investigation on the German market and correspondingly considered Germany as the relevant geographic market.

2. Market Dominance

The FCO deemed Facebook to hold a dominant position in the national (German) ‘social network for private users’ markets in line with §18(1) read together with (3) and (3a) ARC. It took into account all relevant criteria for market power and concluded that Facebook’s market power is not subject to an appropriate level of oversight by competition. To that end, the FCO emphasized Facebook’s immense market share. When it comes to daily active users, Facebook has a market share of over 95%. In light of this, it is unlikely that users will quit Facebook and resort to an alternative online platform as the user will not enjoy using a different service when

84 “Understanding Multi-Sided Platforms”, Samghoshblog, Sam Ghosh, 2015, accessed 24 July 2020 < https://samghoshblog.wordpress.com/2015/10/12/understanding-multi-sided-platforms-social-networks-and-more/>.

85 “Facebook’s latest transparency tool doesn’t offer much”, Tech Crunch, 2020 accessed 24 July 2020 <https://techcrunch.com/2020/02/25/facebooks-latest-transparency-tool-doesnt-offer-much-so-we-went-digging/>.

86 FCO, Beschluss vom 06.02.2019, B6-22/16, para. 74.

87 Ibid.

the majority of users will refrain from switching to another network. Facebook’s strong market power becomes further evident from the fact that other similar competitors have exited the market completely, such as SchülerVZ, StudiVZ, and Google+. The high number of Facebook users also enables Facebook to collect vast amounts of data, which is another factor supporting the assertion that Facebook is a dominant player. Facebook’s access to an abundance of data enables the network to send out targeted advertising on a large scale and specific to each user.

3. Abusive Data Policy

With regard to the data collection, the FCO ruled that the fact that Facebook collects data from networks outside of Facebook and merges together all collected user data leads to an abuse of dominance on the social network market, violates the GDPR principles and amounts to exploitative business terms contrary to §19(1) ARC.88 The FCO cited the VBL-Gegenwert and Pechstein cases where the German Federal Court of Justice (‘Bundesgerichtshof’) relied on §19(1) ARC and ruled that contractual terms are abusive when they violate Section 307 of the German Civil Code (‘Bürgerliches Gesetzbuch’).89 This is especially the case if the abusive conditions are applied by a dominant undertaking that possesses significant market power. In said cases, the Bundesgerichtshof said it was necessary to apply a balancing of interests test, also taking account of constitutional rights in the Pechstein case.90 Applying that same reasoning, the FCO stated that when it comes to the assessment of contractual conditions where one party is more powerful than the other, this can extend to other areas of law too, including data protection law. The main basis for this reasoning, therefore, is the VBL-Gegenwert and Pechstein cases, ruled on by the Bundesgerichtshof, the highest court in Germany.

The goal of data protection law is to ensure a fair and just handling of data where the data controller is more powerful than the data subject. It therefore concerns the need to weigh interests where one party (the data controller) is very powerful, and thereby closely resembles the cases decided by the Bundesgerichtshof previously. To this end and with a view to enforcing its decisions also under data protection law, more specifically the GDPR, the FCO emphasizes that it is vital to hold dominant undertakings accountable under competition law for how they process data as data plays an important role when it comes to the competitive

88 §19, ARC (1): The abuse of a dominant position by one or several undertakings is prohibited.

89 FCJ, 6 November 2013, case no KZR 58/11, VBL-Gegenwert I; FCJ, 24 January 2017, case no KZR 47/14, VBL-Gegenwert II; FCJ, 07.06.2016, case no KZR 6/15, Pechstein v. International Skating Union paras. 48, 51

market of tech companies.91 Moreover, neither the responsibility nor the consistency regulations in the GDPR prevent the FCO from examining whether data processing activities are in line with the GDPR.92 This is especially evident given the fact that it is stated in the GDPR that data protection law may also be enforced under civil law which strongly implies that it may be enforced under competition law too.93 Further, the GDPR remains silent regarding the abuse of dominant companies and since the GDPR provisions are not deemed final94, the possibility of a GDPR-based legal assessment by other authorities like the FCO is not ruled out.

4. Applicability of the GDPR

After establishing that the FCO may indeed hold Facebook accountable under data protection law, the FCO went on to apply the particular GDPR provisions to Facebook’s data processing activities and Facebook’s data policy. Facebook’s data policy makes reference to all legal bases stated in the GDPR to justify its data processing: “We collect, use and share the data that we have in the ways described above:

• as necessary to fulfil our Facebook Terms of Service or Instagram Terms of Use;

• consistent with your consent, which you may revoke at any time through the Facebook settings and Instagram settings;

• as necessary to comply with our legal obligations;

• to protect your vital interests, or those of others;

• as necessary in the public interest and

• as necessary for our (or others') legitimate interests, including our interests in providing an innovative, personalised, safe and profitable service to our users and partners, unless those interests are overridden by your interests or fundamental rights and freedoms that require protection of personal data”.95

The FCO held that the fact that Facebook collects data from not only Facebook users but also other business services such as Facebook Business Tools, infringes the consent requirement

91 FCO, Beschluss vom 06.02.2019, B6-22/16, para. 529.

92 Ibid.

93 FCO, Beschluss vom 06.02.2019, B6-22/16, para. 530.

94 The GDPR at least does not mention that its provisions are final

under the GDPR as the user’s consent is not freely given and thereby contrary to art. 6(1)(a) GDPR.96 It is not freely given because, due to Facebook’s dominant market position, users sign up and agree to have their data processed solely to enter into a contract with Facebook and to become a member. Essentially, there is no voluntary and free consent regarding the processing of user data if that consent in itself is a necessity to enter into a contract with Facebook. Moreover, it cannot be established that Facebook has to process data to fulfil its contract pursuant to art. 6(1)(b) GDPR. This type of justification would have to be construed as narrowly as possible. It cannot justify the offering of a personalised service, as simply basing Facebook’s data processing on its business model and thereby its ‘personalised’ service offering would enable Facebook to access an infinite amount of data. The FCO clarified that a ‘personalised service’ can be offered without the amount of data processing currently maintained by Facebook, such as collecting third party user data.

According to the FCO, none of the other legal bases stated in art. 6(1)(c)-(e) GDPR are suitable to justify Facebook’s data processing either. In particular, Facebook cannot invoke the ‘legitimate interest’ ground (art. 6(1)(f)) as Facebook’s commercial interests do not outweigh the interests and fundamental rights of its users.97

5. Data Protection Law Infringement leads to Manifestation of Market Power

By violating data protection law, Facebook has abused its market power. The infringement of data protection law is directly related to Facebook being a dominant undertaking on the social network market: because a large corporation of this kind is in such a powerful position, its conduct must also be assessed through a data protection lens. With regard to the competition law aspect, the FCO pointed out that Facebook’s access to an abundance of unlawfully processed user data disrupts competition, as it gives Facebook a competitive advantage over competitors who do not have the same kind of data access. To conclude its legal assessment, the FCO reiterated the similarities of competition law and data protection law as both fields concern a situation where one party is more powerful than the other. Both fields of law require a balancing of interests and both must take into account market dominance aspects.

96 FCO, Beschluss vom 06.02.2019, B6-22/16, para. 1(b).

The FCO ordered Facebook to cease its data processing in relation to data collected via Facebook’s corporate services and Business Tools, as well as the combination of that data with Facebook user data.

6. Significance of the FCO’s ruling

The FCO’s ruling is significant as, for the first time, a competition authority based its legal assessment partly on data protection law. The FCO did this by incorporating the GDPR into §19(1) ARC, thereby clearly stating that data protection law and competition law directly relate to each other. The FCO certainly received praise for its bravery but it also faced criticism. Interestingly, the Oberlandesgericht Düsseldorf (OLG) disagreed with the FCO in its decision six months later.

7. Oberlandesgericht Düsseldorf Ruling

The OLG decision suspended the FCO’s ruling until a final decision is issued by the Bundesverfassungsgericht.98 The court expresses serious doubts about the entire proceedings against Facebook. The central point of criticism is that data protection law and competition law are being improperly merged. Following that line of reasoning, the OLG ruled that even if the data processing complained of violates data protection regulations, it does not at the same time constitute a violation of competition law. The consumers are not weakened economically by the data collection, because they do not lose their data on Facebook. In contrast to a classic user fee, data is duplicable. The court even doubts that there is any violation of data protection law in the first place. Since users agree to Facebook's terms of use before registering, there is no "loss of control" of the kind determined by the FCO. Instead, the data processing is carried out with the knowledge and will of the users.99

According to the OLG, the VBL-Gegenwert case, which the FCO relied on to read a data protection law violation into German competition law, cannot serve as such a legal basis. The unfairness of the abuse of market dominance presupposes anti-competitive behaviour. This also applies within the scope of application of the general clause of §19(1) of the ARC. The OLG stressed that in the VBL-Gegenwert case, the anticompetitive effect of the

98 OLG Düsseldorf, Beschluss vom 26.08.2019, VI-Kart 1/19 (V), WRP 2019, 1333, para. 28

99 Ibid.

dominant undertaking’s conduct was beyond question, because in said case the clause on which the decisions were based made it unreasonably difficult for the other side of the market to terminate the contractual relationship and thus led to a disadvantage for the customers, thereby amounting to exploitation.100 The OLG did not see such harmful exploitation in Facebook’s processing of user data because, as briefly mentioned above, user data is not lost and is duplicable, hence the consumer does not suffer economically. The decision highlights very relevant issues in light of the many giant tech companies currently on the market that collect vast amounts of user data. It further makes clear that there exists some degree of uncertainty and even disagreement regarding how to go after these tech giants and how to hold them accountable. The FCO seems to think it would be possible to merge competition law and data protection law, whereas the OLG Düsseldorf is of the opinion that this is not possible.

8. Bundesgerichtshof Decision

On June 23rd, 2020 the Bundesgerichtshof sided with the FCO’s decision and enforced the ban issued by the FCO with regards to Facebook processing personal data without proper user consent.101 Facebook may no longer do so. The Bundesgerichtshof has no doubts regarding Facebook’s dominant position on the German market for social networks or Facebook abusing its dominant position. For the Bundesgerichtshof and therefore contrary to the FCO, however, the decisive factor is not the question whether the processing and use of personal data of Facebook users is in conformity with the GDPR. The decisive factor is rather that the terms of use are abusive as they leave private Facebook users no choice regarding a) whether they want to use the network with a more personalised user experience, which is associated with potentially unlimited access to user data for Facebook or b) whether they only want to agree to personalisation based on the data they disclose on Facebook themselves.102 According to the Bundesgerichtshof, Facebook as the market-dominating network operator bears a special responsibility for maintaining the still existing competition in the social network market. In this context, the great importance of access to data from an economic perspective must also be

100 Ibid.

101 BGH, Beschluss vom 23.06.2020, KVR 69/19, Nr. 808/2020. NB: the full written judgement is not accessible yet which is why no page references can be provided. However, the press release can be accessed here: https://www.bundesgerichtshof.de/SharedDocs/Pressemitteilungen/DE/2020/2020080.html;jsessionid=38F1D9E343E20776C61DF147ECFEDDE.1_cid286?nn=10690868

taken into account. The lack of choice for Facebook users not only impairs their personal autonomy and the preservation of their right to informational self-determination, which is protected by the GDPR.103 It also constitutes an exploitation of the users which is relevant under competition law. This is because the function of competition as a “controlling force” can no longer be exercised due to Facebook’s dominant position on the market. The decision clearly shows that the Bundesgerichtshof deems data protection law and competition law to be interrelated in some way as it connects the loss of informational self-determination with Facebook’s dominant market position. This outcome is certainly welcomed. However, the Bundesgerichtshof did not go into specifics on how future competition law/data protection law cases should be dealt with. It did not set a clear precedent that could serve as a legal framework facilitating the gradual alignment of the two areas of law. Perhaps, though, that is the task of the legislators, who undoubtedly will at least use the Bundesgerichtshof’s decision as a point of reference. Before drawing some conclusions, some general facts to be considered when thinking of a possible data protection/competition law merger will now be outlined.

V. Intertwinement of Competition Law and Data Protection Law

Undoubtedly, there is an intertwinement between data protection law and competition law as tech companies collect and process user data and do not always do so lawfully.

The correlation between competition law and data protection law has given rise to the question of who should be the principal enforcer: the FCO (within Germany) or the data protection authorities? According to the President of the FCO, it should be the FCO due to its resources and comprehensive litigation experience.104

However, according to Article 51 of the GDPR, the independent data protection supervisory authorities are responsible for the enforcement of data protection provisions. The cartel authorities simply do not have the appropriate authority to supervise compliance with data protection law.105 The interpretation of data protection standards by an antitrust authority would also interfere with the uniform interpretation of data protection law aimed at by the

103 Ibid.

104 Andreas Mundt, Fachartikel, 1 August 2017, Wettbewerb und Verbraucherschutz im Internet stärken, Sonderheft ‘Wohlstand für Alle – Geht’s noch?’ of the Ludwig Erhard Stiftung, 60–61 <http://www.ludwig-erhard.de/wp-content/uploads/LES_Sonderheft_2017.pdf> accessed 24 July 2020

105 „Datenschutzrechtsverstöße als kartellrechtlicher Konditionsmissbrauch?“, Privacy Topics, pingdigital, Martin Fokken. Accessed 24 July 2020 < https://www.pingdigital.de/.download/_sid/UXQU-947655-pXb0/149038/ping_20190509.pdf>

GDPR, as the antitrust authorities would not participate in the coherence procedure of the data protection supervisory authorities of the Member States.106

Regarding the uniformity of data protection law, it must be stated that the laws governing data protection within the EU are the GDPR on the one hand and Member State-specific laws on the other.107 This is already creating some confusion and a lack of legal clarity, which is ironic since the GDPR was drafted specifically as a regulation, so that it would apply similarly across all EU Member States, as opposed to a directive that would have to be implemented first and could be adapted to Member States’ legal systems.

Moreover, the data protection authorities themselves do not always come to the same conclusions when applying the GDPR. In Germany alone, 17 data protection authorities exist that are not always aligned with each other. The involvement of an additional enforcement authority, namely a competition authority, would surely only have a detrimental impact on the already uncertain legal enforcement structure.

The Bundeskartellamt already countered these arguments in its decision.108 According to the FCO and as mentioned earlier, the GDPR does not contain any provision prohibiting the examination of substantive data protection law in the context of standards that do not relate to data protection law. Moreover, the FCO does not act as a supervisory authority under data protection law but rather examines a violation of antitrust law. Facebook’s data processing is a violation of Section 19(1) ARC. The FCO merely included legal assessments from other areas of law. Furthermore, the decisions of the antitrust authorities could be challenged in court and ultimately submitted to the ECJ, so that a uniform interpretation of data protection law in Europe is not endangered but, quite to the contrary, it is being promoted.109

Another point to consider is the different punitive provisions. The structure of the sanctions regime for violations of the GDPR, in particular with regard to the possible assessment of fines on the basis of the worldwide annual turnover, follows the model of cartel law to a large extent. However, the maximum level of fines under the GDPR does not come close to that of antitrust law. An infringement of the principle of lawfulness of data processing can be sanctioned under Art. 83 (5)(a) with a fine of up to four percent of the company's annual worldwide turnover.

106 Ibid.

107 Data Guidance Article (dec 19) “EU: Interplay of competition law and data protection”, Data Guidance, David Klein and Stefan Horn. Accessed 24 July 2020 < https://www.dataguidance.com/opinion/eu-interplay-competition-law-and-data-protection>

108 „Datenschutzrechtsverstöße als kartellrechtlicher Konditionsmissbrauch?“, Privacy Topics, pingdigital, Martin Fokken. Accessed 24 July 2020 <https://www.pingdigital.de/.download/_sid/UXQU-947655-pXb0/149038/ping_20190509.pdf>

According to Section 81(4) ARC, on the other hand, a fine of up to 10 percent of the worldwide annual turnover can be imposed in the event of a violation of Section 19 ARC. A blocking effect of data protection law would, however, prevent sanctioning under Section 81 ARC. The paradoxical result would, therefore, be that companies which abuse their dominant position would be privileged if the abuses also constituted a violation of substantive data protection law.110 This would also open up the possibility of the legal “double jeopardy” dilemma, where a person is tried twice for the same offence.111 This problem will be illustrated in more detail below.

An alignment of the two areas of law would therefore be welcomed in order to ensure that no undertaking can find a legal loophole and circumvent the competition law provisions on fines.

1. Differences between Competition Law and Data Protection Law

Some inherent differences between data protection law and competition law should be underlined too, inter alia the main purposes of both areas of law.

The focus of competition law is very much market-based.

Competition law aims to protect competition in a quest to favor the consumer.112

The central desire of data protection law is to safeguard the rights and freedoms of individuals whose data has been processed.113 The fundamental rights lens could serve as an argument to criticise a strict separation of competition law and data protection law as competition law authorities, such as the Commission at EU level, must take due account of fundamental rights, including art. 8 of the Charter of Fundamental Rights of the EU: the right to protection of personal data.114 One could even argue that as a result of the clear intertwinement between data protection law and fundamental rights, the former enjoys supremacy as of course, fundamental rights must be safeguarded and upheld at all costs. This also raises the question as to why the

110 Ibid.

111 “Double Jeopardy”, Encyclopaedia Britannica, Jerry Norton, accessed 24 July 2020 <https://www.britannica.com/topic/double-jeopardy-law>

112 Data Guidance Article (dec 19) “EU: Interplay of competition law and data protection”, Data Guidance, David Klein and Stefan Horn. Accessed 24 July 2020 < https://www.dataguidance.com/opinion/eu-interplay-competition-law-and-data-protection>

113 “Data Protection under GDPR”, Your Europe European Union, accessed 24 July 2020 < https://europa.eu/youreurope/business/dealing-with-customers/data-protection/data-protection-gdpr/index_en.htm>

114 ‘Family Ties: The Intersection Between Data Protection and Competition in EU Law’, Francisco Costa-Cabral and Orla Lynskey (2017) 54 CMLR 11-50

Commission has continuously stayed out of any specific analysis of data protection law. More on the role of the Commission will be provided below.

2. Dangers of dual Mechanism

Another potential dilemma of a competition law and data protection law merger deserves to be mentioned. If both competition authorities and data protection authorities were to legally assess a breach of data protection, the scenario could arise where both supervisory bodies could draw different conclusions.115 A competition authority could deem a measure legal whereas a data protection authority could regard the same measure as an abuse of data protection law. This would not only contradict the principle of legal certainty, it would also go against the notion of the rule of law, as laid down in art. 2 TEU.116

Furthermore, as briefly mentioned in the introduction, a situation of “double jeopardy” could emerge, also known as the “ne bis in idem” principle. The principle prevents an accused from being charged twice for the same (or a similar) offence. This means that if a data protection authority found a measure to be incompatible with privacy laws, the competition authority would have to prove that it also has a specific detrimental effect on competition. The two violations would have to be sufficiently unrelated to each other so that an undertaking could be fined twice. But what if there will always be a causal link between the two areas of law? If a company is capable of having abusive policies in place due to its dominant market position, there automatically is a direct link between data protection law and competition law.117 This is exactly where those two areas intertwine, and as such it would be nearly impossible to circumvent the danger of a “double jeopardy” phenomenon, as the two areas can hardly be sufficiently distinguished if the unlawful conduct is based on the company being dominant and abusing data protection law at the same time.

The “ne bis in idem” principle has also been recognised by the CJEU in case law and is codified in art. 50 of the Charter of the European Union as well as in Protocol No 7 (art. 4) to the European Convention for the Protection of Human Rights and Fundamental Freedoms.118

115 “Protecting consumers and their data through competition law? Rethinking abuse of dominance in light of the Federal Cartel Office’s Facebook”, Maximilian N. Volmar & Katharina O. Helmdach, 2018, accessed 24 July 2020 <https://www.tandfonline.com/doi/full/10.1080/17441056.2018.1538033>.

116 Art. 2 TEU

117 “Protecting consumers and their data through competition law? Rethinking abuse of dominance in light of the Federal Cartel Office’s Facebook”, Maximilian N. Volmar & Katharina O. Helmdach, 2018, accessed 24 July 2020 <https://www.tandfonline.com/doi/full/10.1080/17441056.2018.1538033>.

118 Case C-17/10 Toshiba Corp., paras 93-103, ECLI:EU:C:2012:72;

Surely, having only one enforcement system in place would simplify matters, given the current uncertainty over who is in charge of enforcement. To that end, it is worth analysing the role of the Commission.

3. Role of the EU Commission

Since the Facebook FCO case concerns competition law to a very large extent, the question arises why the EU’s principal enforcer of competition law, the Commission, did not go after Facebook. Does the Commission’s silence imply the desire to keep data protection and competition law strictly apart? Indeed, previous EU case law suggests this to be the case. The 2006 Asnef-Equifax case is significant as here the CJEU stated that “any possible issues relating to the sensitivity of personal data are not, as such, a matter for competition law, they may be resolved on the basis of the relevant provisions governing data protection”.119

Similarly, in the Google/DoubleClick case concerning a merger between two advertising companies where data played a big role in their business transactions, the Commission stated the following: “This Decision refers exclusively to the appraisal of this operation with Community rules on competition, namely whether the merger is compatible with the objectives of the Merger Regulation in that it does not impede effective competition in the common market”.120 The Commission emphasized its sole focus on competition law in the subsequent Facebook/WhatsApp merger where the two companies’ data were combined: “Any privacy-related concerns flowing from the increased concentration of data within the control of Facebook as a result of the transaction do not fall within the scope of the EU competition law rules but within the scope of the EU data protection rules”.121 The same reasoning was adopted in the Sanofi/Google/DMI JV case regarding the non-portability of data to other platforms: “For the purposes of this decision, the Commission notes that any privacy-related concerns flowing from the use of data within the control of the Parties do not fall within the scope of the EU competition law rules but within the scope of the EU data protection rules.”122 It can clearly be seen, therefore, that the Commission so far favors a strict separation between competition law and data protection law. At least the Commission does not base any decisions on mergers on data protection law, as it states that this will be subject to review by the data protection authorities, which will limit the companies involved in mergers from exploiting any data. It is

119 Case no C-238/05 Asnef-Equifax (2006) ECR I-11125, para. 63 ECLI:EU:C:2006:734

120 Commission decision M.4731, 11 March 2008, Google/DoubleClick, para 368.

121 Commission decision M.7217, 3 October 2014 Facebook/WhatsApp, para 164

122 Commission decision M.7813 of 23 February 2016, Sanofi/Google/DMI JV, para. 70
