• No results found

Data protection law and EU Competition law: towards the establishment of a new theory of harm?

N/A
N/A
Protected

Academic year: 2021

Share "Data protection law and EU Competition law: towards the establishment of a new theory of harm?"

Copied!
53
0
0

Bezig met laden.... (Bekijk nu de volledige tekst)

Hele tekst

(1)

Student: Fation ALLKA E-mail: fatallka@outlook.com Student number: 1293150

Mastertrack: European Competition Law and Regulation

Data protection law and EU Competition law:

towards the establishment of a new theory of

harm?

Supervisor: Zlatina Georgieva

(2)

Abstract

In this paper, the author will try to answer to the question of the possibility of establishing a new theory of harm under competition law based on the violation of data protection law with an emphasis on personal data. The paper will start in the first chapter by having an overview of the meaning of data and will be followed by emphasizing data protection law through primary and secondary law. Afterwards, an assessment will be made of the impact of data protection law (with an emphasis on personal data) on competition law ( such as a parameter and a yardstick for market power)in the second chapter. Finally the third chapter will go over an analysis of personal data under articles 101 TFEU, 102 TFEU and merger regulation as well as a glimpse over data related case law. The thesis will be concluded by a deep analysis of the Facebook v Bundeskartellamt case that might give a beginning of answer to the establishment of a new theory of harm under competition law rules. Finally, we will envisage what would the ECJ answer in such situation based on the previous ECJ case law.

(3)

Table of contents

Introduction

Chapter 1: Data protection and its influence on the competitive

process.

Section 1: What is data?

Section 2: The collecting and monetization of data

Section 3: The protection of personal data in the EU and the European

Commission

A.Overview of European data protection law under primary and secondary legislation B.Data protection under the Charter of Fundamental rights

1. The interplay between the EU Charter and the Commission in a nutshell 2. The positive consequence on competition law

3. The negative consequence on competition law

C. The notions of consent and purpose limitation under the GDPR

1. Article 6(1)(a) GDPR: the notion of consent

2. Article 5(1)(b) GDPR: the notion of purpose limitation 3. Article 20 (1) GDPR: the right to data portability

Section 4: The interplay of data protection and EU competition

Chapter 2: Personal Data as a parameter of Competition Law

assessment

Section 1: Is there a relevant product market for personal data?

Section 2: Personal data as yardstick for market power

Section 3: Facebook/Whatsapp case: considering data protection as part of

competition assessment

(4)

Chapter 3: Data involved in anticompetitive conduct

Section1: Setting the scene

A. An overview of data-related case law

B. Data protection law and anticompetitive agreements: Article 101 TFEU C. Data protection law and Article 102 TFEU

D. Data protection law and Merger Control

Section 2: Facebook v Bundeskartellamt: a first step in the right direction

A. Introduction

B. The Bundeskartellamt arguments of the Facebook decision a. Market definition

1. The relevant product market 2. The relevant geographic market

b. The dominance of Facebook on the German market of social network for private users c. Facebook’s abusive conduct: data policy and abusive business

d. The infringement of the GDPR by Facebook’s data policy and terms of use as manifestation of abuse of dominant position

1. Facebook cannot invoke user consent pursuant article 6(1a)GDPR

2. The data processing at stake isn’t necessary for the performance of the contract based on article 6(1b) GDPR

3. The data processing in casu cannot be justified based on an overriding interest of Facebook or third-party providers towards the interests of data subjects based on Article 6(1f) GDPR.

e. The causal link between Facebook’s dominant position and its abusive behaviour

D.The suspensive order of the Düsseldorf Higher Regional Court and the preliminary decision of the German Federal Court.

E. Facebook’s unfair trading conditions in the light of ECJ competition related case-law

Conclusion

Bibliography

(5)

Introduction

Sir Francis Bacon said centuries ago: ‘scientia potentia est’ or ‘knowledge is power’. This citation is even more true nowadays with our digitalized world brought by the digital revolution. It changed our way of living where all the information is easily accessible as long as we agree to share our personal information as counterpart. Personal data became the backbone of the digital economy used as means of trade not only by undertakings but also by the consumers.1 The technological evolution allowed and increase data processing and eased the way it is done. It led to the creation of data markets where data aggregators and data brokers offer their products and services to powerful undertakings fighting to keep their market shares. But let’s not forget that behind the numbers, there are real people sharing their personal information. The technology isn’t flawless and data leaks happened more than once exposing people’s personal information. Therefore, the EU legislator intervened through primary and secondary law: privacy policy has been set up in order for the consumers to be aware of how their personal data will be processed; consumers have the right to access their personal data and rectify it, they can revoke their consent, they can ask to be forgotten, and others.2 But despite being of a non-economical nature, do the rights mentioned previously not fall under the notion of consumer welfare that is actively used in the application of EU competition Law?3 With the importance of data protection, isn’t it time for the establishment of a new theory of harm under EU competition law? This paper will be divided in three chapters. The first one, after having an overview of what is data as well as some notion under the General Data Protection Regulation, we will deal with the influence of data protection on the competitive process. The second chapter will foresee personal data as a parameter of the competition law assessment. The last chapter will go further into details by first setting scene through EU data-related case laws, then we will have an overview of the interplay of data protection law under article 101, 102 and Merger Regulation and finally we will be focusing on the infamous Bundeskartellamt v

1 Article 3 (1) of the Directive (EU) 2019/770 of the European Parliament and of the Council of 20 May 2019 on certain aspects concerning contracts for the supply of digital content and digital services OJ L 136

2 Lazaro, C., Le Metayer, D. (2015) “The control over personal data: True remedy or fairy tale?”, ScriptEd, Vol. 12, Issue 1, p.24

3 Commission (EU), ‘Green Paper on Vertical Restraints in EC Competition Policy’ (Green Paper on Vertical Restraints) COM (96) 721 final, 22 January 1997, 17 ; Commission (EU), Notice: Guidelines on the application of Article 81(3) of the Treaty [2004] OJ C 101/97, 13.

(6)

Facebook case which will be dealt in depth by going through the decision after what an hypothetical outcome through the European Court of Justice case-law will be envisaged.

(7)

Chapter 1: Data protection and its influence on

the competitive process.

Section 1: What is data?

According to the Oxford English Dictionary, ‘a data is an item of information’ that may take ‘a digital form’.4 As it has been said, data can take different forms and among them, big data, personal data and non-personal data must be distinguished.

First, according to the EUROPEAN DATA PROTECTION SUPERVISOR, in its Opinion 7/2015, big data ‘refers to the practice of combining huge volumes of diversely sourced information and analysing them, using more sophisticated algorithms to inform decisions. Big data relies not only on the increasing ability of technology to support the collection and storage of large amounts of data, but also on its ability to analyse, understand and take advantage of the full value of data’5

Second, the definition of personal data can be found under article 2(a) of the Data Protection Directive before being expanded by the General Data Protection Regulation (GDPR) that repealed the Directive.6 According to article 4(1) of the GDPR, ‘personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’.7

4 "data, n." OED Online. Oxford University Press, March 2020. Web. 12 April 2020.

5 European Data Protection Supervisor (EDPS), Opinion 7/2015 Meeting the challenges of big data. A call for transparency, user control, data protection by design and accountability, 19 November 2015, p. 7

6 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Data Protection Directive) [1995] OJ L 281/31

7 Article 4(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC [2016] OJ L 119/1

(8)

Article 3(1) of the Regulation for a framework for the free flow of non-personal data in the European Union provides that non-personal data means ‘data other than personal data as defined in point (1) of Article 4 of Regulation (EU) 2016/679’.8

The conclusion that can be drawn from these three different definitions is that big data is a much broader concept that personal data and non-personal data but it may encompass both.9

Moreover, any data collected that can be used to identify any lambda user usually qualifies as personal data.10

Section 2: The collecting and monetization of data

Undertakings collecting data of customers and consumers already existed before the widespread use of Internet under different and various forms: collecting customers’ orders, consumers habits through their spending related to food, clothes, etc. to quote some of them.11 But what radically improved the collection of data is technological innovation such as Internet, digitalizing each aspect of consumers life through the widespread use of it. This upgrade came hand in hand with new data storing solutions.12 The digitalization improved the accuracy of data collection and widened the scope of it, allowing undertakings to predict consumers habits on a wider range of market thanks to different categories of collected data.13

According to the World Economic Forum, there are three types of data. First, ‘volunteered data are created and explicitly shared by individuals, e.g., social network profiles.14 Second, ‘observed data are captured by recording the actions of individuals, e.g., location data when using cell phones, cookies,etc.’.15 Third, ‘inferred data are data about individuals based on

8 Article 3(1) of Regulation (EU) 2018/1807 of the European Parliament and of the Council of 14 November 2018 on a framework for the free flow of non-personal data in the European Union [2018] OJ L 303

9 I. Graef (2016). EU competition law, data protection and online platforms: Data as essential facility. (International Competition Law Series; Vol. 68). Kluwer, Law International, p.132

10 Ibid.

11 D. Condorelli, J. Padilla, Harnessing Platform Envelopment Through Privacy Policy Tying (December 14, 2019) p.23

12 Ibid. 13 Ibid. p.24

14 World Economic Forum, ‘Personal Data: The Emergence of a New Asset Class’, January 2011, p.7

15 I. Graef, Market Definition and Market Power in Data: The Case of Online Platforms (September 8, 2015). World Competition: Law and Economics Review, Vol. 38, No. 4 (2015), p. 475; World Economic Forum, ‘Personal Data: The Emergence of a New Asset Class’, January 2011, p.7

(9)

analysis of volunteered or observed information, e.g., credit scores.’16 And fourth, ‘metadata is data about data’17. Furthermore, in their forecasting, undertakings do not only rely on directly collected data but also on indirectly collected one through data supplies from third parties (data-aggregators) and through data portability where technically feasible.18

The reason behind third parties supply of data is that despite the technological evolution, the costs related to the collection and the processing of data into usable information remains very high, thus the booming of data aggregators.19

The importance of data is such that it confers to the undertaking which possess it an undeniable advantage especially in the digital economy. It is logical that such advantage would be monetized and sought after by undertakings and it is without any wonder that ‘personal data

constitute a new economic asset class’.20 The monetization of data and its use as currency has been a reality for some time now; undertakings allowing user to benefit from

its services or products in exchange of the use and processing of the user’s data ( through privacy policy agreement) became a new standard in our digitalized world. Therefore, in order to ensure that the rights of the consumers are respected in the field of digital services and contents, the European Commission adopted a Directive (among other legal instruments) in that sense targeting that practice.21

Section 3: The protection of personal data in the EU and the

European Commission

A. Overview of European data protection law under primary

and secondary legislation

16 Ibid.

17 Ibid. p.37

18 D. Condorelli, J. Padilla, Harnessing Platform Envelopment Through Privacy Policy Tying (December 14, 2019) p. 23

19 Ibid.

20 I. Graef Market Definition and Market Power in Data: The Case of Online Platforms (September 8, 2015). World Competition: Law and Economics Review, Vol. 38, No. 4 (2015), p. 474; World Economic Forum, ‘Personal Data: The Emergence of a New Asset Class’, January 2011, p.5

21 Directive (EU) 2019/770 of the European Parliament and of the Council of 20 May 2019 on certain aspects concerning contracts for the supply of digital content and digital services OJ L 136

(10)

The protection of data in the EU is of a very peculiar nature. The framework is made of both primary and secondary law.22 First of all, there is the article 16 TFEU establishing that ‘everyone has the right to the protection personal data concerning them’.23 Based on that article, the European Legislator adopted the GDPR.

Additionally, Article 8 of the Charter of Fundamental Rights of the EU (the Charter) states that ‘everyone has the right to the protection of personal data’ and that ‘everyone has the right of access to data’.24 According to the case-law of the European Court of Justice (ECJ)25 and case Schrems :‘secondary law must necessarily be interpreted in the light of the fundamental rights guaranteed by the Charter’26, focusing especially on the article 7 and 8 of the Charter ( Respect for private and family life and Protection of personal data).

Furthermore, besides the Charter, the European Convention on Human Rights (ECHR) should be considered as it serves as a way to interpret the Charter27. Article 8 of the ECHR provides that there is a right to privacy. According to the case Amann v. Switzerland, the notion of ‘private life must not be interpreted restrictively’ and the Court interpreted article 8 of the ECHR to include data protection.28

This mix of primary and secondary EU law related to data protection applies to a wide range of persons. It ‘applies to personal data processing conducted by natural and legal persons and public and private bodies, with limited exceptions.29

B. Data protection under the Charter of Fundamental rights

22 Costa- Cabral, Francisco and Lynskey, Orla (2017) Family ties: the intersection between data protection and competition in EU Law. Common Market Law Review, 54 (1). p.16.

23 Article 16 (1) TFEU

24 Article 8 (1) and (2) of the Charter of Fundamental Rights

25 Ryneš, Rijkeboer, C-553/07, EU:C:2009:293, paragraph 47; Digital Rights Ireland and Others, C-293/12 and C-594/12, EU:C:2014:238, paragraph 53; Google Spain and Google, C-131/12, EU:C:2014:317, paragraphs, 53, 66, 74 .

26 Case C-362/14, Schrems, EU:C:2015:650, para 38

27 Council of Europe, European Convention for the Protection of Human Rights and Fundamental Freedoms, 4 November 1950; Article 52(3) of the Charter of Fundamental Rights; Akerberg Fransson, Case C-617/10, para 44 28 ECHR 16 February 2000, Amann v. Switzerland, No. 27798/95, para 65-67

29 F. Costa- Cabral, O. Lynskey, (2017) Family ties: the intersection between data protection and competition in EU Law. Common Market Law Review, 54 (1), p.16.

(11)

1. The interplay between the EU Charter and the Commission in a nutshell

One of the most relevant articles of the Charter besides article 8 is article 51.

Article 51 (1) of the EU charter states: “The provisions of this Charter are addressed to the institutions and bodies of the Union with due regard for the principle of subsidiarity and to the Member States only when they are implementing Union law. They shall therefore respect the rights, observe the principles and promote the application thereof in accordance with their respective powers.”30

According to this article, EU institutions as well as EU bodies, agencies or offices must respect the Charter while implementing EU law. These EU institutions aimed by this provision are explicitly mentioned under article 13(1) TEU. In other words, the Commission must comply with the Charter when it produces “any act having legal effects vis-à-vis third parties” 31 as it is a legal requirement. Fundamental rights must be respected as it “is a condition of the lawfulness of EU acts”32.

As a guarantor of the Charter as well as EU Treaties the ECJ is entitled to watch over the respect of primary law as it did in cases Schecke and Eifert as well as in Digital Rights Ireland where secondary law adopted by EU institutions did not respect the Charter and it declared the secondary legislation at stake as invalid.33

Conscious of the importance of the Charter in the implementation of Union law, the Commission, as a consequence adopted a “Strategy for the effective implementation of the Charter of Fundamental Rights by the European Union”34.

30 Article 51(1) of the Charter of Fundamental Rights

31 Peers and Others, The EU Charter of Fundamental Rights: A Commentary (Hart, 2014), p. 1426

32 Commission Staff Working Document SEC(2011)567 Final, “Operational guidance on taking account of fundamental rights in Commission Impact Assessments”, 4

33 Joined Cases C-92 & 93/09, Schecke and Eifert and Joined Cases C-293 & 594/12, Digital Rights Ireland and others, EU:C:2014:238

34 Strategy for the effective implementation of the Charter of Fundamental Rights by the European Union, COM(2010)573 Final.

(12)

The Commission explains in its strategy the importance of the Charter as it will take a central role in its proposals through the compatibility of it with a “fundamental rights check-list”35 among other tools.

Among all the tools the Commission has at its disposal, the following paragraphs must be highlighted: “Non-legislative measures adopted by the Commission, such as decisions, are also subject to checks on their compatibility with the Charter during drafting, even if there is no impact assessment. The Commission will pay particular attention to "sensitive" proposals and acts, that is all legislative proposals and implementing acts (Article 291 TFEU) and delegated acts (Article 290 TFEU) which raise specific issues of compatibility with the Charter or which are designed to promote a specific fundamental right under the Charter.”36

According to its strategy, the decisions of the Commission are subject to check on its compatibility with the Charter. In that context, we will see in the following chapters that unfortunately, it hasn’t been the case in previous cases.

2. The positive consequence on competition law

Following the quick analysis of the interplay between the Charter and the Commission, lets now focus on the main positive consequence on competition law. The main positive consequence is that the Commission has an overall obligation to comply with the Charter. This can be illustrated through the commitment remedy under competition law rules.

According to the case Commission v. Alrosa Company Ltd., in examining a commitment offered by infringing undertakings under article 9 of Regulation No 1/2003, the Commission has a very wide leeway in accepting such remedy.37 But one of the consequences of article 6(1) TUE which establishes that the Charter has the same legal value as the Treaties is that it shortens the leeway enjoyed by the Commission in adopting decisions as those have to comply with the Charter under penalty of judicial review.38

35 Strategy for the effective implementation of the Charter of Fundamental Rights by the European Union, COM(2010)573 Final, p.5

36 Ibid. p.6

37 Case C-441/07 P, Commission v. Alrosa Company Ltd., EU:C:2010:377, paras. 60-67.

38 F. Costa- Cabral, O. Lynskey, (2017) Family ties: the intersection between data protection and competition in EU Law. Common Market Law Review, 54 (1) p.44

(13)

It appears that the ECJ is confirming this in its case law39; in its judgement in case Digital Rights Ireland it stated that: “With regard to judicial review of compliance with those conditions, where interferences with fundamental rights are at issue, the extent of the EU legislature’s discretion may prove to be limited, depending on a number of factors, including, in particular, the area concerned, the nature of the right at issue guaranteed by the Charter, the nature and seriousness of the interference and the object pursued by the interference”40. Additionally, the ECJ states in the next paragraph of the same judgment that: “in view of the important role played by the protection of personal data in the light of the fundamental right to respect for private life and the extent and seriousness of the interference with that right caused by Directive 2006/24, the EU legislature’s discretion is reduced, with the result that review of that discretion should be strict.”41

In other words, it can be concluded from the previous paragraphs that when the Charter rights are threatened by EU institutions legally binding acts, these are subject to strict review in light of the Charter and may be sanctioned with annulment if they don’t comply with Charter rights42

Another example of positive consequence on competition law (especially its impact on remedies) has been given by a joint paper published by the French “Autorité de la concurrence” and the German “Bundeskartellamt”: respectively the French and German National Competition Authority (NCA).43 The French NCA was confronted with a case involving cross-usage of datasets. In that case, GDF Suez, a gas operator with a dominant position on the gas market in the context of its public service used the data of its customers collected in that regard to propose adapted offers to consumers on related markets.44 The privileged access to that database in one market to reuse it in another related one had a foreclosure effect on competition according to its competitors as well as the French NCA.45As a consequence, the French NCA

39 Case C-343/09 Afton Chemical EU:C:2010:419, paragraph 45; Cases C-581/10 and C-629/10 Nelson and Others EU:C:2012:657, paragraph 71; Case C-283/11 Sky Österreich EU:C:2013:28, paragraph 50; Case C-101/12 Schaible EU:C:2013:661, paragraph 29and Case C-362/14, Schrems

40 Joined Cases C-293 & 594/12, Digital Rights Ireland, 46-47. 41 Ibid. para 48

42 F. Costa- Cabral, O. Lynskey, (2017) Family ties: the intersection between data protection and competition in EU Law. Common Market Law Review, 54 (1). p.45

43 Autorité de la Concurrence & Bundeskartellamt, Competition Law and Data (2016), https://www. bundeskartellamt.de/SharedDocs/Publikation/DE/Berichte/Big%20Data%20Papier.pdf.

44 Ibid. p.20 45 Ibid.

(14)

ordered GDF Suez “to grant its competitors an access to some of the data it collected”.46

Unfortunately, this remedy didn’t take into account data protection concerns, especially in regard of consumers. It led to a Kafkaesque situation where the remedy offered to anti-competitive concerns would possibly violate data protection rules related to natural persons. As a consequence, and in order to respect data protection rules, the French NCA offered a specific remedy which organized a different procedure related to the disclosure of data of natural persons owned by GDF Suez to its competitors in related markets.47

3. The negative consequence on competition law

In order to operate a perfect balance, we should now assess the possible negative consequence on competition law.

The main negative consequence would be that privacy violations, especially personal data violations would be either “turned into competition law violations” or used as a smokescreen to ascertain competition law violations.48 It should be recalled that neither articles 101, 102 TFEU as well as Merger Regulation do refer to personal data protection. Turning violation of personal data protection law into violation of competition law would result into a violation of the principle of legality.49 It would be hard to imagine the Commission use its competition law competences in order to ascertain a violation of data protection law. Moreover, in the Facebook/Whatsapp merger case, the Commission concluded that it had to differentiate infringement proper to each field of law.

Moreover, in the same line of reasoning, it seems that the Commission, in a White Paper dating from 1999, had already decided to not include non-economic concerns in its competition law decision-making fearing of possible political interferences.50

46 Ibid.

47 Décision n° 14-MC-02 du 9 sep. 2014 relative à une demande de mesures conservatoires présentée par la société Direct Energie dans les secteurs du gaz et de l’électricité para 289-294 and p.52. https://www.autoritedelaconcurrence.fr/sites/default/files/commitments//14mc02.pdf

48 G. Colangelo, M. Maggiolino, ‘Data Protection in Attention Markets:

Protecting Privacy Through Competition?’ (2017) 8 JECLP p.9; Costa- Cabral, Francisco and Lynskey, Orla (2017) Family ties: the intersection between data protection and competition in EU Law. Common Market Law Review, 54 (1). p.47

49 Ibid., p.48

(15)

Nevertheless, this negative consequence might be contradicted. A way to ensure that competition law isn’t applied beyond its scope would be to incorporate protection of personal data to the quality of the goods delivered to consumers and so impact their welfare.51 As a consequence, a change of the level of privacy would impact the quality of the good delivered to the consumers as well as their welfare which is one of goal of competition law.52

C. The notions of consent and purpose limitation under the GDPR

In the following paragraph we will have a glimpse over three important notions that will be relevant for our paper which are the notion of consent, purpose limitation and data portability. These two first notions are of capital importance especially to our analysis of the Facebook proceedings by the German NCA while the last one is a useful feature for competition law as it will be seen in the case law.

1. Article 6(1)(a) GDPR: the notion of consent

The notion of consent is enshrined in the GDPR under article 6(1)(a). The notion of consent finds its place in the overall framework of lawfulness of processing. The lawfulness of processing consists in the fact that a data controller can invoke a legal basis upon which it can justify lawfully the processing of data.53

Consent is of a crucial importance as without it, data can’t be lawfully processed. Moreover, that consent may be given in different ways according to article 4(11) GDPR: consent consists of “any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”54.

51 G. Colangelo, M. Maggiolino, ‘Data Protection in Attention Markets: Protecting Privacy Through Competition?’ (2017) 8 JECLP p.9

52 Ibid.

53 M. Botta, K. Wiedemann, The Interaction of EU Competition, Consumer, and Data Protection Law in the Digital Economy: The Regulatory Dilemma in the Facebook Odyssey p.431

(16)

Furthermore, the Regulation adds that for a consent to be valid, it must respect the conditions of article 7 GDPR which deals with the proof as well as the evaluation of consent, the conditions of it and the right to easily withdraw it.

Last but not least, when special categories of personal data are at stake such as those mentioned under article 9(1) GDPR, process of such data shall be prohibited unless it falls under paragraph 2 and 3 of article 9 GDPR.

It can be seen that the goal behind the GDPR is to make data subject aware of their digital rights related to their personal data as well as which information they can consent to be processed or not. The GDPR aims at giving back the power of consent and control of data processing to data subjects.55 But despite that, we will see that concentrated markets and network effect on multi-sided online platforms may challenge data subject’s consent and control.

2. Article 5(1)(b) GDPR: the notion of purpose limitation

According to article 5(1)(b) GDPR, personal data shall be: “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”. In other words, in theory, when consent is given by a data subject to the collection and processing of its personal data, that consent is limited to what the data subject has agreed, the processing cannot be done for other purposes. But this must be nuanced. The notion of purpose limitation “requires that in each situation where further use is considered, a distinction be made between additional uses that are 'compatible', and other uses, which should remain 'incompatible'.” 56 Moreover, “purpose limitation is designed to offer a balanced approach: an approach that aims to reconcile the need for predictability and legal certainty regarding the purposes of the processing on one hand, and the pragmatic need for some flexibility on the other.”57. What must be understood from this is that further processing (with a different purpose) following the original collection of data isn’t in itself prohibited as long as it is

55 M. Botta, K. Wiedemann, The Interaction of EU Competition, Consumer, and Data Protection Law in the Digital Economy: The Regulatory Dilemma in the Facebook Odyssey p.432

56 Article 29 working party, ‘Opinion 03/2013 on purpose limitation’, WP 20, 2 april 2013, p.5 57 Ibid.

(17)

compatible with the original purpose of the data collection.58 The notion of compatibility has to be “assessed on a case-by-case basis” to establish is the further processing is lawful or not.59

3. Article 20 (1) GDPR: the right to data portability

The right to data portability is a very important right under the GDPR and very relevant for competition law. It allows data subject to not only receive its own transmitted personal data from data controllers but also, gives it the right to transmit those data to other controllers in a free-flowing manner.60 As it is clearly established, the right to data portability only covers personal data.61

The relevance of data portability for competition law resides in the fact that it avoids “lock-in” effects by giving the possibility to data subjects to switch freely and without hindrance between service provider.62 In other words, this switch transition is facilitated by the fact that data subject can easily transfer their personal data to their new service provider without any hindrance, therefore enhancing competition between undertakings for the provided service since data subject won’t be prevented to transfer its personal data to the new service provider. Since lock-in effect is forbidden, it will force undertaklock-ings to compete on an efficient manner on the services offered to consumers (in this case data subjects). Data portability issues may arise under merger control (In 2016, a case involving the joint venture of Google, Sanofi and Dmi raised some data protection concerns related to a possible lock-in effect) but also under abuse of dominant position by, for instance, refusing to enforce the right to data portability leading to a violation of competition law. It can be deducted from the previous observations that, especially in our digital age, GDPR and competition law are not incompatible and a violation of the first one might have as a consequence the violation of the second one.

Section 4: The interplay of data protection and EU competition

58 Ibid. p.21

59 Ibid.

60 GDPR art 20(1)

61 I. Graef (2016). EU competition law, data protection and online platforms: Data as essential facility. (International Competition Law Series; Vol. 68). Kluwer, Law International, p.148

(18)

Since the digital revolution and take-off of digital economy, data weighted more and more on the economic activity of undertakings. Data protection and EU competition law have in common that they both strive to improve interests of consumers.63 Nevertheless, both are also different and, in several occasions, data protection law has been set aside in different cases related to EU competition law. 64

Despite that, it would be a mistake to not consider that nowadays there is an overlap between data protection and EU competition, especially when consumers’ welfare is involved. Data protection and EU competition are overlapping when they share the same goals: ‘promoting market integration, protecting individuals and tackling power asymmetries.65

Moreover, there is growing consensus to include data protection or privacy as a competitive parameter and that consumers may be influenced by this new parameter in their decision-making.66 Therefore, it can be deducted that a real competition on data protection exist and that both are overlapping. This will be analysed in the next chapter of this thesis.

Chapter 2: Personal Data as a parameter of

Competition Law assessment

In the following chapter, we will analyse personal data as a parameter in competition law assessment. We will first start by analysing if there is a relevant market for personal data and after that we will try to understand how personal data can become a yardstick for market power. Subsequently, we will turn into examining data under two specific competition parameters: the first one will be data as a non-price parameter (for a further analysis under EU competition law

63 F. Costa- Cabral, O. Lynskey, (2017) Family ties: the intersection between data protection and competition in EU Law. Common Market Law Review, 54 (1) p.15

64Case No. COMP/M.4731, Google/DoubleClick, of 11 March 2008; Case No. COMP/M.7217, Facebook/ WhatsApp, of 3 Oct. 2014.

65 F. Costa- Cabral, O. Lynskey, (2017) Family ties: the intersection between data protection and competition in EU Law. Common Market Law Review, 54 (1)p.21

66 M. Ohlhausen, A. Okuliar, “Competition, consumer protection, and the right (approach) to privacy”, (2015) Antitrust Law Journal, p.36;

(19)

articles, see Chapter 3) and the second one will be a quick analysis of data under the essential facility doctrine.

Section 1: Is there a relevant product market for personal data?

One of the first questions to ask is whether a relevant market for personal data exists and if yes what kind of market it is. Regarding the definition of the relevant market, the Commission’s Notice on the Definition of the Relevant Market for the Purpose of Community competition law67 shed light on what we have to consider to define if there is an effective market for personal data. First of all, paragraph 7 of the Commission’s Notice defines the relevant product market as:

“A relevant product market comprises all those products and/or services which

are regarded as interchangeable or substitutable by the consumer, by reason of the

products' characteristics, their prices and their intended use”. It further adds under

paragraph 13 of it: “Firms are subject to three main sources or competitive constraints: demand substitutability, supply substitutability and potential competition.”68 This approach has been confirmed in the case AstraZeneca Ab v Commission69 and therefore is useful in trying to answer that question. As a consequence, demand and supply should be considered as it has been the case in the recent Facebook v Bundeskartellamt case.

The examination of such relevant product market for personal data should take into account supply, demand as well as the monetization of it.70Therefore it can be concluded that a relevant product for personal data exists. Moreover, the EDPS concluded in its opinion that data may be a directly-traded commodity.71 Additionally, competition for the acquisition of personal data exists as undertaking are striving for its acquisition as well as its selling.72 Nevertheless, it must be noted that in previous competition cases personal data has been restricted to an ancillary role in which it supports the production of goods and services rather than being the center of gravity of these cases.73

67 Commission Notice on the definition of relevant market for the purposes of Community competition law [1997] OJ C 372/5

68 Ibid. para 13

69 Case T-321/05 AstraZeneca AB v Commission EU:T :2010 :266, para 86.

70 Graef, I. (2016). EU competition law, data protection and online platforms: Data as essential facility. (International Competition Law Series; Vol. 68). Kluwer, Law International.p.87.

71 EDPS Opinion 8/2016, “On the coherent enforcement of fundamental rights in the age of big data”, 23 Sept. 2016. p.6

72 F. Costa-Cabral, O. Lynskey, ‘The Internal and External Constraints of Data Protection on Competition Law in the EU’, LSE Law, Society and Economy Working Papers 25/2015, p. 11.

(20)

In the Facebook/WhatsApp merger, the Commission evaluated if there was any relevant market for personal data. In casu, the Commission stated in its decision that: “Facebook collects data regarding the users of its social networking platform and analyses them in order to serve advertisements on behalf of advertisers, which are as much as possible "targeted" at each particular user of its social networking platform.” 74

It added that it: “has investigated the market definition as regards advertising, since Facebook is currently active in that market. The Commission has not investigated any possible market definition with respect to the provision of data or data analytics services, since, subject to paragraph (70) above, neither of the Parties is currently active in any such potential markets.”75

Consequently, it appears that in the previous case, despite the fact that users “pay” for a service with their personal data that is gathered by Facebook and WhatsApp, the Commission opted for a vison where the relevant market is “the type of product or service offered instead of the means of payment”.76

Section 2: Personal data as yardstick for market power

Trying to establish market power based on personal data is more complex than it appears and this for several reasons. The first one is that information about personal data is different and it cannot be compared in an easy manner.77 The value of personal data differs according to its content. Moreover, other parameters such as data substitutability must be taken into account as data may not be substitutable with each other.78

Additionally, regarding the relationship between personal data and market power, the Bundeskartellamt, in its Facebook decision, did not establish market power solely on the

74 Case No. COMP/M.7217, Facebook/ WhatsApp paragraph 70 75 Ibid. paragraph 73

76 F. Costa- Cabral, O. Lynskey, (2017) Family ties: the intersection between data protection and competition in EU Law. Common Market Law Review, 54 (1) p.89

77 I. Graef, “Market definition and market power in data: The case of online platforms”, 38 World Competition (2015), 501.

(21)

quantity of personal data collected via the Facebook platform but rather through usage of it in targeted advertising.79

Furthermore, it must be kept in mind that in some situations, undertakings gathering personal data do so through programs in which they invested significant economicresources and they may refuse access to these datasets based on intellectual property. This refusal to access can be deducted by analogy to what was considered in the case Telefis Eireann and Independent Television Publications Ltd v. Commission of the European Communities (related to a refusal to grant a license) in which the ECJ, related to an existing abuse of dominant position said that: “it is to be remembered at the outset that mere ownership of an intellectual property right cannot confer such a position”.80

Another reason that makes market power assessment based on personal data more difficult is related to market dynamics. The fact that the traditional competition law view regarding market power is static might reveal itself ineffective when the dynamics of the market are constantly changing. In that regard, both French and German NCA stated that it “should be evaluated on a case-by-case basis and thedifficulties for new undertakings to enter and grow on online or digital markets should not be underestimated and therefore be carefully assessed, along with the possible role of data collection in this regard.”81

Nevertheless, one way to assess market power of an undertaking through personal data is to analyse its ability to monetize it.82 The value of personal data depends on its usage as well as how successful is its usage in order to reach the expected goal. The drawback of such method is that it limits its analysis to monetized data. It doesn’t consider situations where data isn’t monetized but still exploited for economical purposes.83

As it has been already mentioned, it isn’t an easy task to establish market power based on personal data. This complexity might be eased by a report from the UK Competition & Market

79 Y. W. Sih, Abuse of Dominance in Non-Negotiable Privacy Policy in the Digital Market, Eur Bus Org Law Rev (2017) p.793.

80 Joined cases C-241/91 and C-242/91 Telefis Eireann and Independent Television Publications Ltd v. Commission of the European Communities [1995] ECR I-743, para. 46

81 Autorité de la Concurrence & Bundeskartellamt, Competition Law and Data (2016) p.30

82 I. Graef, “Market definition and market power in data: The case of online platforms”, 38 World Competition (2015), 502.

(22)

Authority on the commercial use of consumer data.84 In its report, the UK’s NCA concluded that competition concerned might be raised and personal data may be used in defining market power in the four following circumstances:

The first one is when “markets in which data is a significant input into products and services

produced”85. It happens when an undertaking has the “ability and incentives to exclude competitors by denying access to data will be stronger where the data is a significant input into the quality or other attributes of a product or service.”86

The second circumstance is related to “markets where there are few substitutes for the data

collected by firms”87

The third one relates to undertaking “with existing market power that control the collection of

consumer data in a market.”88 The third circumstance might also be linked to the first one, especially when an undertaking is substantiating a refusal to access to its data on intellectual property.89

The fourth can be deducted from circumstances in which “markets in which firms do not

compete openly over data privacy and transparency of their uses of consumer data”.90

Section 3: Facebook/Whatsapp case: considering data

protection as part of competition assessment

The digital revolution as well as technical progress changed our way of living. Consumers are nowadays more aware of their rights, especially related to data protection following the disclosure of undertaking practice in that regard.91

84 UK Competition & Markets Authority, The commercial use of consumer data. Report on the CMA’s call for information, June 2015, para. 3.78

85 Ibid. 86 Ibid. 87 Ibid. 88 Ibid. 89 Ibid. 90 Ibid.

91 R. Casadesus-Masanell, A. Hervas-Drane, ‘Competing with Privacy’, Harvard Business School Working Paper 13-085, October 2013, p. 4

(23)

To answer their concerns, the European legislator adopted the Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data and was followed later by an upgrade through the GDPR enforcing stricter rules in that regard. From a jurisprudential point of view, the Commission started considering data protection in competition assessment as a parameter of it understanding that consumers choice could be influenced by data protection concerns.

In that regard, we will have an overview over the Facebook/WhatsApp merger.

In Facebook/WhatsApp, the Commission concluded through its market investigation that regarding consumer communicating services, “customers have a broad choice in terms of communication application”92 and among what consumer values in these apps the investigation found out that “privacy and security, the importance of which varies from user to user but which are becoming increasingly valued, as shown by the introduction of consumer communications apps specifically addressing privacy and security issues and by WhatsApp's.”93 Furthermore, the Commission assessed in its investigation that if WhatsApp abandons end-to-end encryption following the merger with Facebook, it may lead to an increasing number of user which will shift from WhatsApp to other safer messaging application over privacy and security concerns.94 As a conclusion, despite the fact that “the Commission has analysed potential data concentration only to the extent that it is likely to strengthen Facebook's position in the online advertising market or in any sub-segments thereof”95, it acknowledged data protection and privacy as parameter of competition in its investigation.

Nevertheless, the Commission’s market investigation also led to a major blow related to the interplay between data protection rules and EU competition law as it stated that: “Any privacy-related concerns flowing from the increased concentration of data within the control of Facebook as a result of the Transaction do not fall within the scope of the EU competition law rules but within the scope of the EU data protection rules” 96somehow also confirming a schism between the two.

92 Facebook/WhatsApp (Case COMP/M.7217) Commission Decision [2014] OJ C417/4 para 87. 93 Ibid

94 Ibid. para 174 95 Ibid. para 164 96 Ibid.

(24)

Chapter 3: Data involved in anticompetitive

conduct

Section1: Setting the scene

A. An overview of data-related case law

Until the case Bundeskartellamt v. Facebook in Germany, it appeared that data protection law and competition law have been compartmentalized to their respective fields, but it was not for a lack of trying.

The first case to be mentioned was Asnef-Equifax in 2006.97 That case involved the exchange of information between undertakings active in the finance and insurance industry. In casu, those undertakings were exchanging information related to their clients about their financial situation. The exchange of information was found to fall under article 81 EC now 101 TFEU related to anticompetitive agreements.98 The notoriety of that case relied on the fact that exchange of information could potentially involve data protection law in anticompetitive agreements. Unfortunately, the ECJ decided otherwise: “any possible issues relating to the sensitivity of personal data are not, as such, a matter for competition law, they may be resolved on the basis of the relevant provisions governing data protection”.99

Two years later, in 2008, the European Commission was confronted to the review of a merger between Google and DoubleClick in the Google/DoubleClick case. That merger involved both companies that are active on the digital advertisement industry, the first one dealing with online advertising while the second one deals with displaying of advertisement technology.100

97 Case no C-238/05 Asnef-Equifax (2006) ECR I-11125, ECLI:EU:C:2006:734.

98 G. Colangelo, M. Maggiolino, ‘Data Protection in Attention Markets: Protecting Privacy Through Competition?’ (2017) 8 JECLP p.363.

99 Case no C-238/05 Asnef-Equifax (2006) ECR I-11125, para 63

100 M. N. Volmar, K.O. Helmdach (2018) Protecting consumers and their data through competition law? Rethinking abuse of dominance in light of the Federal Cartel Office’s Facebook investigation, European Competition Journal, 14:2-3, p.206

(25)

The relevant fact about it is that online advertising relies on data collection as well as data processing of internet users (data subjects). In casu, the concern was that the combination of data sets of both undertakings will lead to a foreclosure of competition.101 The Commission also raised some concerns regarding data protection law from a factual point of view: “the merged entity would be able to combine DoubleClick's and Google's data collections. Such a combination, using information about users' IP addresses, cookie IDs and connection times to correctly match records from both databases, could result in individual users' search histories being linked to the same users' past surfing behaviour on the internet.”102

Despite that concern, the Commission considered that the combination of both undertakings’ dataset would be very unlikely in conferring a competitive advantage “as to squeeze out competitors and ultimately enable the merged entity to charge higher prices for its intermediation services.”103

Therefore, the Commission cleared the merger and stated in its conclusion, they disregarded the data protection law in the competition law assessment as: “This Decision refers exclusively to the appraisal of this operation with Community rules on competition, namely whether the merger is compatible with the objectives of the Merger Regulation in that it does not impede effective competition in the common market. […] In any event, this Decision is without prejudice to the obligations imposed onto the parties by Community legislation in relation to the protection of individuals and the protection of privacy with regard to the processing of personal data, […]and Member States implementing legislation, which apply to the processing of personal data activities performed by the parties to the merger and by the entity resulting from the merger operation. Irrespective of the approval of the merger, the new entity is obliged in its day to day business to respect the fundamental rights recognised by all relevant instruments to its users, namely but not limited to privacy and data protection. »104

In other words, the Commission let the task to enforce data protection rules to the designated authorities as it will only focus on competition law aspects.

101Commission decision M.4731, 11 March 2008, Google/DoubleClick, para 359 102 Ibid. para 360

103 Ibid. para 366 104 Ibid. Para 368

(26)

Few year later, came the already discussed case Facebook/Whatsapp105 where the Commission

came to the same conclusion as previous case law confirming a schism between competition law and data protection law as privacy concerns do not fall under the scope of EU competition law but EU data protection rules.106 It nevertheless acknowledged data protection and privacy as parameter of competition as it analysed a potential data concentration post-merger.107

In 2016, a case involving the joint venture of Google, Sanofi and Dmi raised some data protection concerns.108 The joint venture aimed at providing services for the management and treatment of diabetes using an integrated digital e-medicine platform.109 Since it will involve a digital platform, therefore it implies data collection of data subjects.

The data concerns in casu were that data subjects using that digital platform would be locked-in due to lack of data portability; locked-in other words, the data subject would be foreclosed to make their medical data available to other digital platform active on the same market.110 In its decision, the Commission supported that based on the data portability principles provided by the GDPR, the data subject would not be locked-in the digital platform provided by the joint venture.111 Once again, data protection matters were incorporated into the competition assessment in order to see if it could effectively foreclose competition but not further. The Commission didn’t rule on EU data protection rules as it stated that “any privacy-related concerns flowing from the use of data within the control of the Parties do not fall within the scope of the EU competition law rules but within the scope of the EU data protection rules.”112

Finally, in 2017 came another data related case law with the merger of Microsoft and LinkedIn. In that case, both undertakings are active in the provision of online advertising services.113 In casu, the Commission considered if the combination of both undertakings’ datasets would raise possible competition concerns, hence examining data protection only as a parameter of the competitive process. The Commission used data privacy in the competitive assessment as a parameter that may affect the quality of services and goods that may available to consumers

105 Facebook/WhatsApp, fn 84-88 106 Ibid. fn 88

107 Ibid. fn 87

108 Commission decision M.7813 of 23 February 2016, Sanofi/Google/DMI JV. 109 Ibid. para 63

110 Ibid. para 67 111 Ibid. para 69 112 Ibid. para 70

(27)

online and therefore, that may impact their consuming choice.114 It is also foresaw the use of the GDPR in the competitive assessment by the Commission related to the lawfulness of processing (article 6 GDPR) and the access to collected data.115

In the light of the foregoing case law, it can be ascertained that the ECJ as well as the Commission are clearly against mixing competition law and data protection law together.

Nevertheless, the recent Facebook v Bundeskartellamt case might bring some new elements to the ongoing debate of using data protection law as new theory of harm in competition law matters.

B. Data protection law and anticompetitive agreements: Article 101 TFEU

The question underlying is how to use the violation of data protection law as a benchmark for the violation of competition law under article 101?

According to article 101 TFEU, restriction on the competition could be done by either object or by effect. As it appears116, the combining of data protection law and competition law in order to ascertain a restriction of competition by effect is possible but extremely hard, we will focus on the restriction by object.

Article 101 TFEU provide that agreements between undertaking that restrict or distort competition by object or by effect shall be automatically void. The ECJ, in the Groupement des cartes bancaires case, ascertained that agreements between undertakings restricting competition by object are very harmful for “the proper functioning of normal competition”117

One lead would consist of taking into account the welfare of the consumer – which is also one of the goals of competition – by analogy to what data protection law does with data subjects.118

114 G. Colangelo and M. Maggiolino, ‘Data Protection in Attention Markets: Protecting Privacy Through Competition?’ (2017) 8 JECLP p.367

115 Microsoft/LinkedIn (Case COMP/M.8124) Commission Decision [2017] OJ C388 para 178.

116 M. MERIANI, “Digital platforms and the spectrum of data protection in competition law analyses”, E.C.L.R., 2017, no. 2, 8; F. Costa-Cabral, O. Lynskey, 2015 'The internal and external constraints of data protection on competition law in the EU' Law, Society and Economy Working Papers, no. 25/2015. P18

117 Case C-67/13, CB, para 51.

118 F. Costa-Cabral, O. Lynskey, 2015 'The internal and external constraints of data protection on competition law in the EU' Law, Society and Economy Working Papers, no. 25/2015. P18

(28)

For instance, when undertakings are competing based on data collection as well as data processing and they collude on common collecting and processing condition ( which infringe data protection law ), then, both data subjects and consumers are affected by this in such way that the Commission would have to act since that level of collecting and processing will have negative effect on the quality of the services offered to consumers and will at the same time have adverse effect on the competition.119 In these circumstances, it would be likely possible to prohibit such collusions or agreements under 101 TFEU which are also illegally collecting and processing data of data subjects. In other words, the violation of data protection law as a benchmark to apply article 101 TFEU would be possible if competition on data protection was involved.120

Nevertheless, this finding must also involve a change in the hearts and minds of both the Commission and the ECJ. As it has already been stated above, the ECJ in the Asnef-Equifax (regarding the sharing of dataset of customers between undertakings operating on the same relevant market) ruled that as such, issues related to personal data are not a matter for competition law, therefore, data protection law should be applied.121

C. Data protection law and Article 102 TFEU

The same question underlying in §2 is being asked under article 102 TFEU; could data protection law may be used as a benchmark for the violation of article 102 TFEU? The answer to this question is more likely to be answered in a positive manner.

But first, let’s start by quickly recalling some aspects of article 102 TFEU. First of all, article 102 regards undertakings that are considered as dominant according to the ECJ test in United Brands v Commission 122 or when an undertaking has substantial market power. Moreover, it is not forbidden for an undertaking to be in a dominant position but due to its status, it has a special responsibility as the ECJ stated in the case Michelin v Commission to “not allow its conduct to impair undistorted competition”123 and it has to compete on the merits.

119 Ibid.

120 Ibid. p 20 121 See footnote 91

122 Case 27/76 EU :C :1978 :22, para 65

123 R. Whish, D. Bailey, Competition Law (Ninth Edition, Oxford University Press 2012) p.198 ; Case 322/81 EU :C :1983 :313

(29)

As article 102 TFEU states, the abuse of dominant position may consist in different types of abuses such as imposing unfair purchases or selling prices or other unfair trading conditions (article 102 (2) (a) TFEU). A violation of data protection rules is most likely to happen on that base. That article refers to exploitative behaviours where a dominant undertaking on a relevant market profits at the expense of the customers.124 The prohibition of such exploitative behaviour takes into account price-related as well as non-price related behaviour.125

In that context, the German Bundeskartellamt and the French Autorité de la Concurrence put forward in their Competition Law and Data paper that “data privacy regulation might be a useful benchmark to asses an exploitative conduct”.126 As we have already stated in the foregoing analysis, it is hard to confer to data an accurate pecuniary value. Therefore, data will be most likely considered as a non-pricing parameter in a competition law-based assessment and will be subject to non-priced related exploitative behaviour. But in a more concrete way, how do we use that potential benchmark?

The violation of data protection law as a benchmark to apply article 102 TFEU would be possible if once again competition on data protection was involved127 and that competition violation must be related to exploitative abuse.

This can be illustrated in different ways. We can take an example of a dominant undertaking competing on data protection that fails to compete on the merits by infringing data protection rules such as lawfulness of data processing, purpose limitation or infringing the right of data subjects in the framework of that competition on data protection. Due to its dominant position and the lack of competition constraints it can easily impose unfair trading conditions. These are clear signs that the dominant undertaking is having an exploitative behaviour. This example is closely related to the case Facebook v Bundeskartellamt in which the German NCA found out that Facebook was abusing of its dominant position on the market for social network for private users in Germany by practicing unfair terms and condition on its consumers. This case will be

124 R. Whish, D. Bailey, Competition Law (Ninth Edition, Oxford University Press 2012) p.198

125 A. Gebicka, A. Heinemann, 'Social Media & Competition Law' (2014) 37/2 World Competition p. 162 126 Autorité de la Concurrence & Bundeskartellamt, Competition Law and Data (2016), p.25

(30)

subject to a dedicated section in our ongoing analysis of the establishment of a new theory of harm in competition law based on data protection law.

D. Data protection law and Merger Control

The question regarding the interplay of data protection law and merger control would once again be that how data protection law can be used as a benchmark in the context of merging control?

We have previously considered the use of data protection law as a non-pricing competition parameter under 101 and 102 TFEU and the same approach could be envisaged.

For the record: “Effective competition brings benefits to consumers, such as low prices, high quality products, a wide selection of goods and services, and innovation. Through its control of mergers, the Commission prevents mergers that would be likely to deprive customers of these benefits by significantly increasing the market power of firms.”128 In that regard, data protection

as a non-pricing parameter of competition might be used as a tool to assess the compatibility with EU merger regulation when the concentration of undertakings as a negative impact on it.129 Unfortunately it would be harder to evaluate such degradation of data protection before the merger than to evaluate it post-merger.

Also, in that regard it will require a change in the mind of the Commission as it already stated in the Facebook v Commission case that privacy-related issues arising from a merger are confined to the scope of EU data protection rules.130

Section 2: Facebook v Bundeskartellamt: a first step in the

right direction

128 Guidelines on the assessment of horizontal mergers under the Council Regulation on the control of concentrations between undertakings, O.J. 2004, C 31/5, point 8

129 F. Costa- Cabral, O. Lynskey (2017) Family ties: the intersection between data protection and competition in EU Law. Common Market Law Review, 54 (1). p.37

(31)

A. Introduction

On the 2nd March 2016, the Bundeskartellamt initiated proceedings against Facebook on the grounds of abuse of market power (on the market of social networks) using relevant data protection law as yardstick to substantiate violation of competition law.131 The Bundeskartellamt suspected that Facebook was violating data protection law by using terms and conditions contrary to it and as a consequence, setting its users under unfair conditions.132

On the 7th February 2019, the Bundeskartellamt ruled that Facebook was effectively abusing its dominant position on the German social network market by “combining user data from different sources”.133 It did so by collecting on one hand, users data from Facebook-owned

services (on Facebook) and on the other hand users data from third party websites (off Facebook)134 without their consent due to faulty terms of use and privacy conditions.135 As a consequence, the Bundeskartellamt required Facebook to “implement various measures to terminate the antitrust infringement”136 such as removing and amending the Terms of Service137; specifying the terms of use regarding Facebook’s Data Policies138 and “requiring the parties to expressly clarify vis-à-vis private users that user related data from the sources concerned will not be collected, combined or used without their consent”.139

Facebook appealed the Bundeskartellamt decision to the Düsseldorf Higher Regional Court (OLG Düsseldorf). In August 2019, it ruled in favour of a suspension of the German NCA

131 Bundeskartellamt, ‘Bundeskartellamt initiates proceeding against Facebook on suspicion of having abused its market power by infringing data protection rules’ (press release, 2 March 2016) https://www.bundeskartellamt.de/SharedDocs/Meldung/EN/ Pressemitteilungen/2016/02 _ 03 _ 2016 _ Facebook.html

132 Ibid.

133 Bundeskartellamt, ‘Bundeskartellamt prohibits Facebook from combining user data from different sources’

(press release, 7 February 2019)

https://www.bundeskartellamt.de/SharedDocs/Meldung/EN/Pressemitteilungen/2019/07_02_2019_Facebook.ht ml?nn=3591568

134 The terminologies “on Facebook” and “off Facebook” were mentioned in the 2017 press releases. 135 Ibid.

136 FCO, Facebook (B-6 22/16) at 946 137 FCO, Facebook (B-6 22/16) at 947 138 FCO, Facebook (B-6 22/16) at 948 139 Ibid.

Referenties

GERELATEERDE DOCUMENTEN

Wie dat advies erbij pakt, leest daarin dat ‘een Tweede Kamer die is voortgekomen uit latere verkiezingen dan die welke mede waren ingegeven door de ontbinding ex artikel 137’

Zowel met het driemaal daags brij verstrekken op een hoog voerniveau met behulp van de brijvoerinstallatie als met het onbeperkt voeren via de droogvoerbak kunnen goede

Als we uitgaan van de veronderstelling dat Spanje en Marokko evenveel middelen per hectare inzetten als Israël, dan worden in deze landen - gezien de lagere productie per hectare

 The optical stimulation generated power changes that were distributed along the spectrum: Although the largest power changes were concentrated in the theta and beta band, in

Article 29 Working Party guidelines and the case law of the CJEU facilitate a plausible argument that in the near future everything will be or will contain personal data, leading to

In die gewone omgang is die term ‘beurtkrag’, bekend as ‘load shedding’ in Engels, wat deur Eskom ingevoer is, summier verwerp.¹⁷⁹ Daar is verduidelik dat dit

When Enlightenment premises were declared dead in the Cold War era, many social scientists such as Marshall and Parsons, in search for a place for social science during the Cold War

In other words, nothing in the jurisprudence suggests that equality has ever been a consider- ation in requiring EU law primacy, except insofar as “equality of the Member