The Legal Ambiguity of the Virtual Era: The Battle Between European Competition Law and European Data Protection Law for the Abuse of Data.

(1)

MASTER THESIS:

International and European Law: EU Competition Law and Regulation 2018 - 2019

Research Topic:

The Legal Ambiguity of the Virtual Era: The Battle Between European Competition Law and European Data Protection Law for the Abuse of Data.

Interdisciplinary Descriptive, Evaluative and Predictive Research on the effect of the ne bis in idem principle during an abuse of dominant position fine and a

breach of data protection fine based on the same data related facts.

Nour Odeh 12329029 25 July 2019

Supervisor: Stijn de Jong

(2)

(3)

Table of Contents

1. Introduction ... 5

1.1 Modern debate on the importance of the topic in the field of law ... 6

1.2 Context and definitions ... 7

1.3 Structure of the Thesis ... 8

2. The Modern Data Economy ... 10

3. Competition Law in the European Union ... 13

3.1 What is Abuse of a Dominant Position? ... 13

3.1.1 Supranational Level ... 13

(i) (a) Can the European Commission issue a fine against an undertaking based on data related facts under its respective legal framework? ... 16

3.1.2 Member State Level ... 21

(i) (b) Can the GCA issue a fine against an undertaking based on data related facts under its respective legal framework? ... 23

3.2 Fines for the Abuse of a Dominant Position ... 25

3.2.1 Supranational Level ... 26

3.2.2 Member State Level ... 26

4. Data Protection Law in the European Union ... 28

4.1 General Data Protection Regulation (GDPR) ... 29

4.1.1 GDPR Authorities ... 30

4.1.2 GDPR and Facebook in Practice ... 31

(ii) Can a data protection authority issue a fine against an undertaking based on data related facts under its respective legal framework? ... 31

4.1.3 Fines for the Breach of Data Protection ... 32

5. Ne bis in idem in the European Union ... 33

(iii) Can an undertaking be fined twice by a competition authority and a data protection authority based on the same data related facts without triggering the ne bis in idem principle? ... 34

5.1 Ne bis in idem in Competition Law ... 35

5.2 Ne bis in idem in Data Protection Law ... 36

(4)

Bibliography ... 41 Primary Sources ... 41 - Legislation ... 41 - Case law ... 42 - Decisions ... 43 Secondary Sources ... 44 - Books ... 44 - Academic Journals ... 45 - E-Articles ... 48

(5)

1. Introduction

‘The enemy of my enemy is my friend’ is an archaic proverb which suggests that two opposing parties should collaborate in order to defeat a common threat.1 This proverb was used as a foreign policy in many wars, including that of World War II where the Western Allies and the Soviet Union conspired together against the threat of the Nazi aggression despite having their inherent differences.2 Although this expression seems rather far-fetched for the purpose of explaining the recent legal relationship between European competition law and data protection law, it still describes it best: two fields of law working together against a common undertaking. This newly established relationship can be depicted in the German Competition Authority’s (GCA) decision against Facebook for its abuse of dominance having exploited its users’ data with the help of the undertaking’s pro data-oriented policy.3 Due to this emergence of dominant platforms’ collection and analysis of personal data, it has brought the liaison between competition law and the rules on data protection.4

Although the GCA did not fine Facebook and simply issued a decision as a means of a warning mechanism,5_{this thesis was nevertheless inspired by the presumption} that this undertaking was fined. As a matter of fact, this presumption was the foundation of the research question of this thesis:

“Can a competition authority and a data protection authority issue a fine, under their respective legal frameworks, against a same undertaking based on the same data related facts without triggering the ne bis in idem principle?”

1_{Rongxing Guo, An Economic Inquiry into the Nonlinear Behaviors of Nations: Dynamic}

Developments and the Origins of Civilizations. (Palgrave Macmillan 2017) 110.

2_Ibid.

3_{Bundeskartellamt Decision (German Competition Authority – GCA) - Facebook [2019]}

B6-22/16; Christophe Carugati, 'The 2017 Facebook Saga: A Competition, Consumer and Data Protection Story.' (2018) 2 European Competition and Regulatory Law Review 4, 4-5.

4_Ibid.

5_{Rupprecht Podszun, ‘Regulatory Mismatch? Competition Law, Facebook and Consumer}

(6)

1.1 Modern debate on the importance of the topic in the field of law Data has become the world’s most valuable resource which companies use in order to better compete on the market.6 The more data an undertaking has, the better their business model will be.7 Therefore with the progress of technology, the easier it becomes for undertakings to collect more personal data.8 In fact, in the current state of our technology, almost any electronic device or Internet page that an average person uses on a daily basis is a data collection haven.9 That is why the European Union (EU) has a new set of stringent data protection rules that aim protecting EU citizens’ fundamental freedoms of privacy and data.10_Data protection regulators are trying to keep up with this ever-growing development of technology.11 However, that is not the only field of law that is adapting to such change: competition regulators are increasingly focusing on the complex relation between data, market power, and competition with the aim to better understand the possible effects for consumers and digital markets.12

These two sets of rules have attracted heated debate and criticism by scholars.13 One of the essential concerns with these rules coexisting is which authority will have priority fining an undertaking or can their fining systems be applied simultaneously without triggering the ne bis in idem principle.14

6_{European Commission, ‘Competition in big data world.’ (2016).}

7_{Francisco Costa-Cabral and Orla Lynskey, ‘Family Ties: The Intersection Between Data}

Protection and Competition in Eu Law.’ (2017) 54 Common Market Law Review 11, 13-14.

8_{Eduardo Magrani, ‘We are Big Data: New Technologies and Personal Data Management.’ (20}

June 2018).

9_{The Economist, ‘Regulating the internet giant: the world’s most valuable resource is no longer}

oil, but data. The data economy demands a new approach to antitrust rules.’ (6 May 2017).

10_{Charter of Fundamental Rights of the European Union (adopted 01 December 2009) OJ C326}

artt. 7 and 8; Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data [2016] OJ L 119.

11_{Daniel Malan, ‘The law can’t keep up with new tech. Here’s how to close the gap.’ (21 June}

2018); Viktor Mayer-Schonberger and Yann Padova, 'Regime Change: Enabling Big Data through Europe's New Data Protection Regulation.' (2016) 17 Columbia Science and Technology Law Review 315, 317-318.

12_{Claire Jeffs and Nele Dhondt, 'Rapidly Changing Online Markets: Can Competition Enforcers}

Keep up' (2016) 2 Competition Law and Policy Debate 15, 21-22.

13_{Giuseppe Colangelo and Mariateresa Maggiolino, ‘Antitrust Über Alles. Whither Competition}

Law After Facebook?’ (2019) 42 (3) World Competition Law and Economics Review 1.

14_{Maximilian N. Volmar and Katharina O. Helmdach, ‘Protecting consumers and their data}

through competition law? Rethinking abuse of dominance in light of the Federal Cartel Office’s Facebook investigation.’ (2018) 14 (2-3) European Competition Journal 195, 211-213.

(7)

There are set rules on this double-jeopardy principle in European law and the Court has ruled on it in the past.15_{However, it is not for certain whether these pre-existing} rules can be applied by analogy to the above competition-data protection scenario.

1.2 Context and definitions

Prior to delving into the subject-matter of this thesis, an explanation should be given on what is meant by the broad term of European Competition Law (ECL). Since this thesis focuses on the abuse of a dominant position as well as its fines, ECL then refers to Article 102 Treaty on the Functioning of the European Union (TFEU)16 and Article 23 Regulation 1/2003,17 as well as EU national competition laws that deal with abuse of dominance. The GCA’s Facebook decision is central to the analysis of this thesis, therefore German competition law on abuse of dominance will also be covered under the realm of ECL. Moreover, when this thesis mentions ‘EU competition law’, then it is exclusively referring to the Supranational rules and not the Member States (MSs) rules.

In this thesis, when referring to ‘European data protection law’, emphasis is mostly given to the newly established General Data Protection Regulation (GDPR)18 unless explicitly specifying otherwise.

Another crucial distinction should be made between the legal terms ‘ne bis in idem’ (sometimes referred to as ‘non bis in idem’) and ‘double jeopardy’. The ne bis in idem principle implies that no one can be tried or punished twice for the same cause of action for which he has already been judged by means of a decision having the force of res judicata.19_{This principle of law is an inherent part of the European} legal system. The term ‘double jeopardy’ bears the same definition as ne bis in idem but rather refers to U.S law. However, some scholars use these two terms

15_{Eurojust, ‘The Principle of Ne Bis in Idem in Criminal Matters in the Case Law of the Court of}

Justice of the European Union.’ (September 2017); Bas van Bockel, Ne Bis in Idem in EU. (Cambridge University Press 2016) 1-12.

16_{Consolidated versions of the Treaty on European Union and the Treaty on the Functioning of the}

European Union (TFEU) [2016] OJ C202/1 art. 102.

17_{Council Regulation (EC) No 1/2003 on the implementation of the rules on competition laid down}

in Articles 81 and 82 of the Treaty (Regulation 1/2003) [2002] OJ L1 art. 23.

18_{Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of}

personal data and on the free movement of such data (GDPR) [2016] OJ L 119.

19_{Jeroen Dewispelaere, 'The Non Bis in Idem Principle and Decisions of National Regulatory}

(8)

interchangeably. Therefore, when this thesis refers to ‘double jeopardy’, it will be used as a synonym to ne bis in idem and it will not remotely relate to U.S law.

In this thesis, more concrete explanations will be given as to what these terms refer to and what legislations they entail.

1.3 Structure of the Thesis

The main research question of this thesis is essentially split up into three parts: (1) Can a competition authority issue a fine against an undertaking based on data related facts under its respective legal framework?

(2) Can a data protection authority issue a fine against an undertaking based on data related facts under its respective legal framework?

(3) Can an undertaking be fined twice by a competition authority and a data protection authority based on the same data related facts without triggering the ne bis in idem principle?

Prior to answering the above questions, this thesis will firstly illustrate the importance of the modern data economy and why competition law and data protection rules should be involved in this process.

The legal fields of competition and data protection will be elaborated on along the way in order to better understand their stance regarding data-related matters. Moreover, to achieve better coherency and consistency amongst the chapters, the facts behind the GCA’s Facebook decision will be used as a common denominator. These facts will be explained along the way in each chapter whenever they are relevant. Furthermore, since the GCA’s Facebook decision was based on ‘abuse of a dominant position’, this thesis will use this very notion to tackle the above question on competition law.

Are the pre-existing rules on abuse of dominance even able to capture a data protection violation as a form of abuse? If negative, are there any other alternatives? What is ‘breach of data protection’ and why did it gain importance? What is ne bis in idem and how was it applied in the aforementioned fields of law in the past?

(9)

This thesis will begin by answering the above cluster of questions by categorising the different sets of laws in the EU that address these terms, and further analysing what legal interests these laws aim at protecting and where they can be found in their corresponding legislation. For this reason, when assessing the MS perspective, German law and practices will be zoomed into. From this, the differences between the rules and fines as well as their respective authorities will be established. Thereafter, a general overview on the ne bis in idem principle will be conducted. Within that chapter, the role as well as the impact of this principle in the specified legal fields will be analysed. These collective studies will help predict whether these pre-existing practices can be applied by analogy should a fine be imposed on Facebook in both legal fields for its data related breach. Lastly, with all the information accumulated in research and using descriptive, evaluative as well as predictive methodologies on this information, this thesis will answer the main research question:

“Can a competition authority and a data protection authority issue a fine, under their respective legal frameworks, against a same undertaking based on the same data related facts without triggering the ne bis in idem principle?”

(10)

2. The Modern Data Economy

“Data is rapidly becoming the lifeblood of the global economy. It represents a key new type of economic asset. Those that know how to use it have a decisive competitive advantage in this interconnected world, through raising performance, offering more user-centric products and services, fostering innovation – often leaving decades-old competitors behind.”20

Google, Amazon, Microsoft and Facebook are considered to be the titans of the tech industry.21 All these tech companies have two common denominators: they are the most valuable undertakings in this present day, and they all deal with data.22 The obvious link between these two common denominators is that these businesses’ wealth position would have been much more challenging to reach if it was not for their use of data.23 From these set of facts, it has been stated that data has become the new oil; data is contemporarily the most valuable resource in our present economy.24

These tech-giants are dominant undertakings in their respective line of business and their services have been of great benefit to many consumers worldwide from their outset and throughout.25_{In reality, most of the customer satisfaction can be}

derived from the fact that the services are rendered free of charge.26_{However, this}

does not mean that there is no quid pro quo.27

20_{European Commission, ‘Enter the Data Economy – EU Policies for a Thriving Data Ecosystem.’}

(11 January 2017).

21_{Marc J. Jr. Veilleux, 'Alexa, Can You Buy Whole Foods: An Analysis of the Intersection of}

Antitrust Enforcement and Big Data in the Amazon-Whole Foods Merger.' (2019) 37 Cardozo arts and Entertainment Law Journal 481, 492.

oil, but data. The data economy demands a new approach to antitrust rules.’ (6 May 2017); Marc J Jr Veilleux, 'Alexa, Can You Buy Whole Foods: An Analysis of the Intersection of Antitrust Enforcement and Big Data in the Amazon-Whole Foods Merger.' (2019) 37 Cardozo arts and Entertainment Law Journal 481, 492.

23_{OECD, ‘Hearings: The Digital Economy.’ (2012) 121.}

oil, but data. The data economy demands a new approach to antitrust rules.’ (6 May 2017); Maximilian N. Volmar and Katharina O. Helmdach, ‘Protecting consumers and their data through competition law? Rethinking abuse of dominance in light of the Federal Cartel Office’s Facebook investigation.’ (2018) 14 (2-3) European Competition Journal 195.

25_Ibid.

26_{Ira Winkler, ‘Facebook is not free.’ (17 October 2017).} 27_Ibid.

(11)

What has been made apparent with time is that consumers do pay for these services with their data which essentially is the source of dominance for these tech-companies.28 The more data a company has, the more enhanced the service will be, which in turn will appeal to consumers even more.29 This is the very notion of direct network effects; an economical concept of competition law.30

These data-oriented businesses, such as Facebook, do not only focus on individuals.31 Another user group that they focus on are advertisers.32 Meaning, when these tech-giants collect as much information on their users, the better they know what these individuals’ interests are; they have a complete profile on each person. In turn, with the use of their platforms, advertisers will be able to target specific groups of people that have a much higher chance of being interested in the product being displayed.33 This type of behaviour is referred to as indirect network effects.34

The alarming factor of these sorts of network effects is that they are an endless cycle: the more the service is appealing, the more users will opt-in for it which will eventually generate even more data.35_{Therefore, these undertakings will always}

have an easy source to improve their business.36_{How does this behaviour leave}

room for new entrants to the same market? Simply answered, it is rather difficult and almost unlikely for other companies to enter the market with such dominant undertakings holding the fort.37 Another concern is that competitors that were

28_Ibid.

29_{Catherine Tucker, ‘Digital Data, Platforms and the Usual [Antitrust] Suspects: Network Effect,}

Switching Costs, Essential Facility.’ (2019) 54 (4) Review of Industrial Organization 683, 685-687.

30_{Justus Haucap and Ulrich Heimeshoff, ‘Google, Facebook, Amazon, eBay: Is the Internet}

driving competition or market monopolization?’ (2014) 11 (1-2) International Economics and Economic Policy 49.

31_{Catherine Tucker, ‘Digital Data, Platforms and the Usual [Antitrust] Suspects: Network Effect,}

Switching Costs, Essential Facility.’ 54 (4) Review of Industrial Organization 683, 685-687.

32_Ibid.

33_{Damien Geradin and Monika Kuschewsky, ‘Competition Law and Personal Data: Preliminary}

Thoughts on a Complex Issue.’ (2013) 2 Tilburg Law and Economic Center 1, 2.

34_{Gintare Surblyte, ‘Competition Law at the Crossroads in the Digital Economy: Is it all about}

Google?’ (2015) 4 (5) Max Planck Institute for Innovation and Competition Research Paper Series 170, 11.

35_{Maurice E. Stucke and Allen P. Grunes, ‘Introduction: Big Data and Competition Policy.’ in Big}

Data and Competition Policy. (Oxford University Press 2016) 6-12.

36_Ibid.

oil, but data. The data economy demands a new approach to antitrust rules.’ (6 May 2017); Interaction Design Foundation, ‘How to Break Barriers to Market Entry.’ (25 June 2019).

(12)

already on the same market would be pushed out.38_{This consequence is also}

attributed to network effects: individuals would want to use a platform that has more users, since that would increase the probability of them finding the people that they want to connect with.39 In other words, these individuals would not necessarily join a platform because the service is good but because it has more users.40 This behaviour is the very essence of what competition authorities are actively trying to avoid as it does not leave room for competition.41 As will be examined in the following chapter, dominance on its own is not anti-competitive, only its abuse is. This leads to the following question: are these tech-giants retrieving their data in an illegal manner which gives them a competitive advantage? Should the answer to this question be positive, are then competition laws able to capture this illegality as a form of abuse with their current legal framework? The following chapter will tackle these concerns.

Competition law is the not the only legal field that is involved in this development.42 The regulatory framework of data protection in the EU has changed because of the way these tech-giants affect the privacy of many EU individuals.43_{This change will briefly be explained in the beginning of chapter 4}

as it impacts the way the current framework functions. This change is also a prime example on how the law tries to adapt with technological progress.

38_Ibid. 39_Ibid.

40_{Nicholas L. Johnson, ‘What are Network Effects?’ (15 February 2018).}

41_{Charles A Miller, 'Big Data and the Non-Horizontal Merger Guidelines' (2019) 107 California}

Law Review 309, 325-329.

Keep up' (2016) 2 Competition Law and Policy Debate 15, 21-22.

43_{Daniel Malan, ‘The law can’t keep up with new tech. Here’s how to close the gap.’ (21 June}

(13)

3. Competition Law in the European Union

The general concept of competition law is made up of four main areas: (1) anti-competitive agreements, (2) abuse of dominance, (3) mergers and (4) public restrictions of competition.44 In the EU, there are two groups of competition law present: ECL, which are Supranational rules, and National competition laws, which are independents laws that each MS has in their national legal system.45

This thesis will focus on the 'abuse of dominance for the sake of the research question. Moreover, the following sub-chapters will explain this notion under both the Supranational level and MS level; more specifically German Competition law for the latter.

3.1 What is Abuse of a Dominant Position? 3.1.1 Supranational Level

The term ‘abuse of a dominant position’ is enshrined in Article 102 TFEU; an article that was drafted in 1957 and has not changed since.46 To some, this Article seems outdated, but it has nonetheless managed to camouflage with the changes that our society was facing and is still facing.47_{The most prominent change is} technology; this sector is ever growing since its beginning and there is a belief that a constant struggle exists for the law to keep up with such growth.48_However, observing the case-law that emerged out of this Article, it can safely be said that there was no need for any amendments thus far.49 The reason for this is because the Article itself is open-ended and is constantly being defined by the CJEU in light of societal developments.50 The core interpretation of this Article has

44_{Richard Whish and David Bailey, Competition Law. (9}th_{ed., Oxford University Press) 3.} 45_{Wolf Sauter, Coherence in Competition Law. (Oxford University Press 2016) 1.}

46_{Martin Herz and Hans H. B. Vedder, ‘ A Commentary on Article 102 TFEU.’ in Hermann-Josef}

Blanke and Stelio Manigiameli, The Treaty on the Functioning of the European Union. (Springer 20107) 2.

Keep up.' (2016) 2 Competition Law and Policy Debate 15, 21-22.

48_Ibid.

49_{The European Commission issued most of its controversial decisions Article 102. Microsoft was}

fined €497.2 million for its refusal to supply interoperability information to competitors and the tying of a media player with its operating software. Intel was fined €1.06 billion for its exclusionary and its exclusivity rebates to customers who purchased all or most of their microprocessor chips from that undertaking. Google was fined €2.42 billion for abusing its dominant position for its search engine tool in order to promote its own comparison-shopping service.

(14)

nevertheless remained the same: the prohibition for undertakings to abuse their dominant position on the market in order to ensure market efficiency and protect consumers.51

The overarching objective of EU competition law is set to protect and enhance consumer welfare; this is generally achieved by safeguarding the competitive process and the competitive structure of the market.52 Article 102 TFEU is laid down to prevent a firm that has acquired a dominant position and substantial market power from: (1) taking undue advantage of this position and (2) to avoid lessening the existing competitive forces on the market.53 An antitrust case brought under Article 102 TFEU is an ex-post enforcement of the rules; meaning that it seeks to correct an anticompetitive behaviour that took place or is taking place.54

The application of this Article is a multi-step process and is of a cumulative nature. Therefore, for Article 102 TFEU to apply, there must be: (1) an undertaking55 (2) that has a dominant position56 (3) which it is abusing (4) that may affect trade between Member States.57_{For the sake of the research at hand, focus will}

51_{Craig and de Búrca, EU Law: Text, Cases, and Materials. (5}th_{edn., Oxford University Press}

2011) 960; C-209/10 Post Danmark A/S v Konkurrencerådet [2012], ECLI:EU:C:2012:172, para. 36; C-23/14 Post Danmark A/S v Konkurrencerådet [2015], ECLI:EU:C:2015:65, para. 49.

52_{Richard Whish and David Bailey, Competition Law. (8}th _{edn., Oxford University Press 2015) 19.}

European Commission - DG Competition, ‘DG Competition Discussion Paper on the Application of Article 82 of the Treaty to Exclusionary Abuses - Public Consultation.’ (December 2005) .

53_{Neil A. Campbell and William J. Rowley, 'Proposals for Evolving the Patchwork of Domestic}

Monopolisation and Dominance Laws.' (2011) 12 Business Law International 5, 20.

54_{Björn Lundqvist, ‘Regulating Competition and Propety in the Digital Economy – The Interface}

Between Data, Privacy, Intellectual Property, Fairness and Competition Law.’ (2018) 54 Stockholm Faculty of Law Research Paper 1, 34-35; Marco Botta and Klaus Wiedemann, ‘EU Competition Law Enforcement vis-à-vis Exploitative Conducts in the Data Economy – Exploring the Terra Incognita.’ (2018) 18 (8) Max Planck Institute for Innovation and Competition Research Paper 1, 67-68.

55_{Case C-41/90 Klaus Höfner and Fritz Elser v Macrotron GmbH [1991] ECLI:EU:C:1991:161}

para. 21; in this case the CJEU specified what makes an undertaking: “entity engaged in an economic activity, regardless of the legal status of the entity and the way in which it is financed”.

56_{Case 27/76 United Brands v Commission [1978] ECLI:EU:C:1978:22 paras. 65 and 250; Case}

85/76 Hoffman-La Roche v Commission [1979] ECLI:EU:C:1979:36 para. 38; The CJEU held that a dominant position relates to a position of economic strength enjoyed by an undertaking which enables it to prevent effective competition being maintained on the relevant market by giving it the power to behave to an appreciable extent independently of its competitors, customers and ultimately of its consumers.

57_{The very nature of online companies is liable to affect intra Union trade since they are active in}

multiple Member States. Many EU citizens can access any website from all over the world and subsequently this triggers the attention of many MSs.

(15)

exclusively be given on the third step, ‘abuse’, and all other steps will be assumed to have been fulfilled when examples are given hereinafter.

Without ‘abuse’, Article 102 TFEU is deemed inapplicable. 58_{Dominance on its} own is not a concern; it is the abuse of it that is considered to be a breach Article 102 TFEU.59 Then, what behaviour is considered to be an abuse?

As prescribed within Article 102 TFEU, the concept of abuse was clarified by the Court of Justice of the European Union (CJEU) in the Hoffmann-La Roche case.60 The Court established that ‘abuse’ is an objective concept that relates to the dominant undertaking’s behaviour.61_{Depending on the market position of this} very undertaking, its behaviour must influence the structure of a market where the degree of competition is weakened and which has the effect of hindering the maintenance of existing competition in the market, or the potential growth of that competition.62 This hinderance of competition can be achieved through recourse to methods different from those which condition normal competition in products or services based of the transactions of commercial operators.63

More concretely stated, abusive behaviours are thus generally divided into two categories64_{: those who have the aim of exploiting consumers, and those who have}

58_{C-322/81 NV Nederlandsche Banden-Industrie Michelin v Commission of the European}

Communities [1983] ECLI:EU:C:1983:313, para. 57; “finding that an undertaking has a dominant

position is not in itself a recrimination but simply means that, irrespective of the reasons for which it has such a dominant position, the undertaking concerned has a special responsibility not to allow its conduct to impair genuine undistorted competition on the common market”.

59_Ibid.

60_{C-85/76 Hoffmann-La Roche & Co. AG v Commission of the European Communities [1979]}

ECLI:EU:C:1979:36 para. 91.

61_Ibid.

62_{Gonenc Gurkaynak and Derya Durlu and Margaret Hagan, 'Antitrust on the Internet: A}

Comparative Assessment of Competition Law Enforcement in the Internet Realm.' (2013) 14 Business Law International 51, 73-74.

63_Ibid.

64_{Fernando Diez, ‘Article 82, Sector-Specific Regulation, Microsoft and Telefonica: Really a New}

(16)

the aim of reducing the amount of competition on the market. The former is known as ‘exploitative’65_{behaviour and the latter as ‘exclusionary’}66_behaviour.67

Article 102 TFEU establishes four categories of example abuses that may distort competition and they are as follows: (1) Exclusive purchasing, which is when a dominant undertaking requires buyers to purchase all units of a particular product only from that specific undertaking; (2) Predatory pricing, when a dominant undertaking sets prices below production costs for the sole reason to drive competitors out of the market; (3) Refusal to supply, when an dominant undertaking refuses to supply input indispensable for competition in an ancillary market; (4) Excessive pricing, when an undertaking charges much more than the production costs because customers are already locked in. 68

These four examples are however not exhaustive and other forms of abuse can arise.69 Moreover, these categories are divided into exploitative and exclusionary practices.70

(i) (a) Can the European Commission issue a fine against an undertaking based on data related facts under its respective legal framework?

In order for there to be a fine, there must first be a breach. Therefore, having established the basics of ‘abuse of a dominant position’ and with the information at hand, can the competent Supranational institutions capture data protection violations as a form of abuse? Before applying the rules by analogy, a lookback

65_{Behaviours where a dominant company takes advantage of its market power, e.g. by charging}

excessive prices.

66_{Behaviours by a dominant firm which are likely to have a foreclosure effect on the market.} 67_{Craig and de Búrca, EU Law: Text, Cases, and Materials. (5}th_{edn., Oxford University Press}

2011), 1025; European E&M Consultants ‘More Economics Based Approach in Article 102 TFEU: New Test Procedures.’

68_{Art. 102 (a), (b), (c), (d); European Commission, ‘Competition: Antitrust procedures in abuse of}

dominance – Article 102 TFEU cases.’.

69_{Nigel Foster, Foster on EU Law. (4}th_{edn., Oxford University Press 2013) 351.}

70_{Lorenzo Federico Pace and Katja Seidel, ‘The Drafting and the Role of Regulation 17: A}

Hard-Fought Compromise.’ in Kiran Klaus Patel and Heike Schweitzer, The Historical Foundations of

(17)

should be done on how data protection concerns were received in the field of EU competition law?

As can be evidenced from a handful of cases and a few mergers, the CJEU as well as the European Commission (EC) were both determined in the past to separate, to the furthest extent possible, the fields of competition and data protection from each other.71

“Any possible issues relating to the sensitivity of personal data are not, as such, a matter for competition law, they may be resolved on the basis of the relevant provisions governing data protection.”72

When the EC had to review mergers that involved data, it assessed data protection rules to the extent that it affected competition law.73 For instance, the extent that data protection laws are taken into account is when, for instance, a merger could strengthen the position of a pre-existing dominant undertaking in the same or in any sub-segments of the market.74_{What can be deduced from this practice is that,} to a certain extent, the EC uses data protection to restrict its review and not to broaden it.75

Taking the above observation and applying it to Facebook’s situation, the EC can assess the breach of the GDPR since it does affect competition law: by actively breaching the GDPR with invasive terms and conditions, the undertaking can have

71_{C-238/05 Asnef-Equifax, Servicios de Información sobre Solvencia y Crédito, SL v Asociación}

de Usuarios de Servicios Bancarios (Ausbanc) [2006] ECLI:EU:C:2006:734 para. 63; Commission

Decisions - Case No COMP/M.4731 Google/ DoubleClick [2008] 927 final; Case No COMP/M.7217 Facebook/ WhatsApp [2014] 7239; Case No M.7813 Google/ Sanofi/ DMI JV [2016] 1223 final.

72_{C-238/05 Asnef-Equifax, Servicios de Información sobre Solvencia y Crédito, SL v Asociación}

de Usuarios de Servicios Bancarios (Ausbanc) [2006] ECLI:EU:C:2006:734 para. 2 – Although

this case was based on Article 101 TFEU, the CJEU’s rationale was henceforth used when data protection concerns were present in a competition law case.

73_{Commission Decisions - Case No COMP/M.4731 Google/ DoubleClick [2008] 927 final; Case}

No COMP/M.7217 Facebook/ WhatsApp [2014] 7239; Case No M.7813 Google/ Sanofi/ DMI JV [2016] 1223 final.

74_Ibid.

through competition law? Rethinking abuse of dominance in light of the Federal Cartel Office’s Facebook investigation.’ (2018) 14 (2-3) European Competition Journal 195, 207.

(18)

access to as much data as possible, giving the entity a significant competitive advantage.

Should these Supranational institutions continue to oppose the direct use of data protection rules in the analysis of Article 102 TFEU, are there other means that they can opt for in order to capture this breach? Possibly applying by analogy, the pre-existing rules and notions on abuse of dominance?

As was established previously in this chapter, Article 102 TFEU makes a distinction between exclusionary and exploitative behaviour.76 Facebook’s data-oriented policy directly targets its users, which is the conduct that makes part of the definition of exploitative behaviour.77 The second part of the definition begs the question whether the behaviour at hand revolves around the imposition of unfair purchase or selling prices, or the imposition of unfair trading conditions. Since Facebook does not charge its users for its service at any point, this automatically excludes the former part on purchase and selling prices. A data-privacy abuse, like the one that is alleged in the Facebook case for its intrusive terms and conditions, may potentially be prohibited on the basis of an unfair trading condition. But when is a trading condition unfair?

The definition of an unfair trading condition in a competition law context has first been established in 1974 in a copyright case.78 Ever since, each time the CJEU or the EC were faced with a breach of dominance based on unfair trading conditions, the further they fed into the definition.79 The definition thus far constitutes as follows: Unfair trading conditions are essentially obligations imposed on counterparties that exceed what is absolutely necessary for the attainment of the business,80 and that deprive these counterparties from certain aspects of their

76_{Ibid. at 201.}

77_{Art. 102 (a) TFEU; an exploitative abuse targets both customers as well as suppliers.}

78_{Case 127-73 Belgische Radio en Televisie and société belge des auteurs, compositeurs et éditeurs}

v SV SABAM and NV Fonior [1974] ECLI:EU:C:1974:25 para. 15.

79_{C-385/07P Der Grüne Punkt – Duales System Deutschland GmbH (DSD) [2009]}

ECLI:EU:C:2009:456 paras. 32 and 141; T-151/01 DSD [2007] ECLI:EU:T:2007:154 para. 121; Commission Decisions - 82/204/EEC IV/29.971 - GEMA statutes [1981] OJ 1982 L94/12 para. 36; 92/163/EEC IV/31043 - Tetra Pak II [1991] OJ 1992 L72/1 para. 107; 2001/463/EC D3/34493 -

DSD [2001] OJ 2001 L166/1; C-385/07P DSD [2009] ECLI:EU:C:2009:456 para. 112.

(19)

rights.81_{Moreover, conditions may be deemed to be unfair when they do not meet} the principle of proportionality.82

In summa, in order for terms and conditions to be considered as unfair within the meaning of Article 102 (a) TFEU, they must be (1) unnecessary to achieve the objective of the contract and (2) disproportionate in view of the objective. Essentially, there is only one test since necessity makes part of the proportionality test. Proportionality is a general principle of EU law and is a means of weighing interests involved. As proportionality is a general principle of EU law, it is usually assessed through a three-legged test: (i) suitability, (ii) necessity and (iii) proportionality strictu sensu.83 It should be specified that neither the EC nor the CJEU have referred to the three-legged test in their assessment of unfair conditions. In fact, these three steps are usually applied to evaluate laws and regulations enacted by Supranational or governmental bodies.84 However, this means of determining proportionality is straight-forward and achieves clarity, and that is why it is used in this thesis.

The above criteria on proportionality will be put to test using Facebook’s terms and conditions. This will help assess whether a dominant data-oriented undertaking is abusing its position by imposing unfair trading conditions. The below quote explains how Facebook’s terms and conditions are ‘unfair’ within the meaning of the word.

“Facebook’s practice of forcing users to choose between accepting the whole Facebook package or not using Facebook at all indicates that Facebook is imposing unfair conditions and/or foreclosing rivals, with the ultimate effect of impairing competition in the advertising market.”85

81_{Commission Decision - 92/163/EEC IV/31043 - Tetra Pak II [1991] OJ 1992 L72/1 para. 107.} 82_{Commission Decision - 2001/463/EC D3/34493 - DSD [2001] OJ 2001 L166/1; C-385/07P DSD}

[2009] ECLI:EU:C:2009:456 para. 112; T-151/01 DSD [2007] ECLI:EU:T:2007:154 para. 121.

83_{Ljubica Dzabirova, ‘European Proportionality in Macedonia’s Political and Judicial Systems.’}

(04 April 2009) 2-4.

84_Ibid.

85_{Giuseppe Colangelo and Mariateresa Maggiolino, ‘Data accumulation and the privacy-antitrust}

(20)

Applying the rules to the facts at hand: Firstly, in order to determine whether Facebook’s terms and conditions are suitable to achieve their aim, one must first establish what the undertaking’s aim is. According to speculations, Facebook wants to enhance its user experience by improving its target-advertising.86 As was explained in chapter 2, the more data this tech-giant accumulates on individuals, the better it can personalise advertisements. In turn, this will positively benefit the advertisers that use Facebook’s platform to sell their products as targeted-advertisement results in higher sales and user satisfaction. Therefore, the terms and conditions are suitable to enhance user experience.

Secondly, necessity essentially begs the question whether there are less intrusive means for the undertaking to achieve its objective. From the above quote, it can be seen that Facebook has a ‘take it or leave it’ approach; meaning that an individual must accept all the terms and conditions in order to access the platform.87 As a matter of fact, Facebook also collects data from outside its platform which is a practice prescribed in their terms and conditions.88 This behaviour is the ultimate example of what constitutes an unnecessary means to achieve an objective. A less intrusive approach would be for individuals to be given a choice. For instance, an opt-in/opt-out list of conditions which will ultimately give users the choice on what data they want to share with the possibility of still being able to make use of the service provided.

Thirdly, proportionality strictu sensu entails a balancing of interests. Facebook is in a more advantageous position than its users.89 The undertaking is gaining more popularity as a social media platform and in turn its revenue is increasing.90 On the other side of the spectrum, the users are losing control of their personal information

through competition law? Rethinking abuse of dominance in light of the Federal Cartel Office’s Facebook investigation.’ (2018) 14 (2-3) European Competition Journal 195, 202; Basil A DiSipio, 'Global Positioning Systems and Social Media - Anathemas to Privacy.' (2017) 84 Defense Counsel Journal 1, 11.

87_{Giuseppe Colangelo and Mariateresa Maggiolino, ‘Data accumulation and the privacy-antitrust}

interface: insights from the Facebook case.” (2018) 8 (3) International Data Privacy Law 224, 227.

88_{Allen St. John, ‘How Facebook Tracks You, Even When You’re Not on Facebook.’ (11 April}

2018); Bundeskartellamt (German Competition Authority – GCA), ‘Bundeskartellamt prohibits Facebook from combining user data from different sources.’ (07 February 2019).

89_Ibid. 90_Ibid.

(21)

which, as will be explained in the following chapter on data protection, is a fundamental right that is deemed to be of high importance from a legal perspective.

To conclude the application, Facebook is breaching its abuse of dominance based on unfair trading terms. Proportionality determines when trading terms are unfair. With the three-legged approach on assessing proportionality, if at least one of the tests are not fulfilled, then the terms and conditions are deemed disproportionate. According to the above analysis, Facebook’s terms and conditions are disproportionate since they are not necessary to achieve the objective of the business and are disproportionate strictu sensu.

In brief, should these Supranational institutions continue to oppose the direct use of data protection rules in the analysis of Article 102 TFEU, then, analogous with pre-existing rules and notions, they may capture data-related behaviours as a form of abuse of dominance.

3.1.2 Member State Level

The difference in application of ‘abuse of a dominant position’ between a Supranational level and a MS level, is that they both have different objectives.91 The former has the objective of promoting and maintaining fair competition on the EU market as a whole, whilst MSs have the objective of promoting and maintaining fair competition on their national market.92 Moreover, EU competition law features a decentralised application by MSs; meaning there are situations where National Competition Authorities (NCAs) apply Supranational law.93

Decentralised application is laid down in Regulation 1/200394 which is an obligation directed towards NCAs and national courts.95 When a situation features

91_{Jeroen Dewispelaere, 'The Non Bis in Idem Principle and Decisions of National Regulatory}

Authorities.' (2017) 1 European Competition and Regulatory Law Review 334, 335.

92_{Ibid. at 337.}

93_{Kati Cseres, ‘Comparing laws in the enforcement of EU and national competition laws.’ (2010)}

3 (1) European Journal of Legal Studies 7, 7-8.

94_{Art. 3 (1) of Regulation 1/2003.}

95_{Kati Cseres, ‘Comparing laws in the enforcement of EU and national competition laws.’ (2010)}

(22)

an effect, or potential effect, on trade between MS, then the aforementioned national bodies should apply EU antitrust rules alongside their national rules.96 This had become a possibility since the biggest EU enlargement in 2004 when the EC was no longer able to handle the enforcement on its own.97

As a concrete example to establish the national application of abuse of dominance, the German perspective will be elaborated on since the GCA’s decision against Facebook is within the scope of this thesis.

In Germany, the rule on abuse of a dominant position is enshrined in §19 (1) of the Act against Restraints of Competition (ARC).98 Just like most MSs rules on competition, the German rules also highly resembles EU law on the subject-matter.

§19 (1) ARC stipulates that the abuse of a dominant position by one or several undertakings is prohibited. Meaning, just like under Article 102 TFEU, §19 (1) ARC is applicable once there is: (1) one or several undertakings that (2) have a dominant position and (3) have an abusive conduct.99

Dominance is defined in §18 (1) ARC, but just like this topic was not delved into on an EU level, it shall refrain from doing so at a national level. Therefore, the step of dominance shall be assumed to have been fulfilled and focus will be given to ‘abusive conduct’.100

In Germany, just like on EU level, dominance on the market is not prohibited but only its abuse is.101 Moreover, the different types of behaviour that may amount to an abusive practice are also to similar to that of the Supranational level but are rather worded slightly differently. This can be seen in § 19 (2) Nos. 2 and 3 ARC, where undertakings are prohibited from exploiting their dominant position by

96_Ibid. 97_{Ibid. at 8-9.}

98_{Gesetz gegen Wettbewerbsbeschränkungen (Act against Restraints of Competition – ARC) para.}

19 (1).

99_Ibid.

through competition law? Rethinking abuse of dominance in light of the Federal Cartel Office’s Facebook investigation.’ (2018) 14 (2-3) European Competition Journal 195.

(23)

imposing conditions or prices that are outside the realm of normal competitive behaviour.102_{More precisely, the question that is asked in order to determine} abuse, or exploitation as is referred to in Germany: if there was effective competition in the relevant market, would the undertaking still be able to behave in the manner at hand?103 This question is answered by establishing whether the practices of the dominant undertaking are negatively impacting a weaker party in a way that is contrary to general legal principles.104 Usually, the German courts take the active role of weighing these interests and conclude whether the undertakings’ behaviour is exploitative.105 Substantively speaking however, the GCA also has the competence to conduct such a task.106

(i) (b) Can the GCA issue a fine against an undertaking based on data related facts under its respective legal framework?

What is interesting to observe, is the way in which the German courts as well as the GCA may be able to use any form of legal breach as a means of an exploitative behaviour. This practice derives from the German Federal Court of Justice (FCJ) where it held that when weighing interests within the meaning of §19 (2) ARC, general legal provisions and principles can be taken into account.107 This concept is called ‘conditions abuse’.108

102_Ibid.

103_{Bundeskartellamt, ‘Control of abusive practices. German and European competition law both}

prohibit the abuse of a dominant position.’

through competition law? Rethinking abuse of dominance in light of the Federal Cartel Office’s Facebook investigation.’ (2018) 14 (2-3) European Competition Journal 195, 198-199.

105_Ibid. 106_Ibid.

107_{Bundesgerichtshof (German Federal Court of Justice – FCJ), case no KZR 58/11}

VBL-Gegenwert I [2013]; FCJ case no KZR 47/14 VBL-VBL-Gegenwert II [2017].

108_{FCJ case no KZR 58/11 Gegenwert I [2013] para. 65; FCJ case no KZR 47/14}

VBL-Gegenwert II [2017] para. 35; Maximilian N. Volmar and Katharina O. Helmdach, ‘Protecting

consumers and their data through competition law? Rethinking abuse of dominance in light of the Federal Cartel Office’s Facebook investigation.’ (2018) 14 (2-3) European Competition Journal 195, 198-199.

(24)

The most relevant example of this conditions abuse is the GCA’s Facebook decision.109_{In this decision the breach of the GDPR was used a means of an} abusive/ exploitative behaviour since Facebook is a dominant undertaking in the German market for social networks.110 For the purpose of this chapter, it should be stated that this decision was considered to be a landmark since the use of data protection violations as a form of an abusive conduct has not been precedented.111

To summarise the relevant facts of the Facebook case, the GCA differentiated between the means in which this dominant undertaking collected its data.112 More precisely it divided it between the data that was directly generated through the Facebook platform and data that was obtained by Facebook but outside of its platform; the GCA’s decision was based on the latter behaviour.113_{The reason why} this competition authority focused on that behaviour is because it had an added weight of concern.114 More precisely, apart from data protection and competition protection, there was also consumer protection; consumer protection being one of the central enforcement pillars that the GCA has been trying to introduce.115

“[The GCA is] mostly concerned about the collection of data outside Facebook's social network and the merging of this data into a user's Facebook account. Via APIs, data are transmitted to Facebook and are collected and processed by Facebook even when a Facebook user visits other websites. This even happens when, for example, a user does not press a "like button” but has called up a site into which such a button is embedded. Users are unaware of this. And from the current state of affairs we are not convinced that users have given their effective

109_{Bundeskartellamt Decision (German Competition Authority – GCA) - Facebook [2019]}

B6-22/16

110_Ibid.

111_{Rupprecht Podszun, ‘Regulatory Mismatch? Competition Law, Facebook and Consumer}

Protection.’(2019) 8 (2) Journal of European Consumer and Market Law 49, 49-50; Andrew Keen,

How to Fix the Future: Staying Human in the Digital Age (Atlantic books 2018) chapter 6.

112_{Bundeskartellamt, ‘Preliminary assessment in Facebook proceeding: Facebook's collection and}

use of data from third-party sources is abusive.’ (19 December 2017)

113_Ibid.

through competition law? Rethinking abuse of dominance in light of the Federal Cartel Office’s Facebook investigation.’ (2018) 14 (2-3) European Competition Journal 195, 198-199; Rupprecht Podszun, ‘Regulatory Mismatch? Competition Law, Facebook and Consumer Protection.’ (2019) 8 (2) Journal of European Consumer and Market Law 49, 49-50.

(25)

consent to Facebook's data tracking and the merging of data into their Facebook account. The extent and form of data collection violate mandatory European data protection principles.”116

Having briefly covered the expansive ways in which German law determines exploitative conduct, an observant reader would make a remark that the breach of data protection laws as a form of abuse was bound to happen. This is due to the fact that general legal provisions and principles can be taken into account when determining abuse; essentially any law can fall within that broad definition.

To summarise, the very nature of German law on abuse of dominance was broad enough to capture Facebook’s data protection violation as a form of abuse. However, not all MSs necessarily share the same nature of rules and they may not all be able to have this progressive feature in their law. Nonetheless, from what was analysed in the above ‘Supranational level’ sub-chapter, dominant undertakings imposing unfair trading terms are deemed to be an abusive behaviour. Therefore, the data related concerns can be caught under pre-existing rules on abuse of dominance.117118

3.2 Fines for the Abuse of a Dominant Position

In most abuse of dominant position situations, the competent authority would usually fine the undertaking. The reason for the fine is due to the fact that once the abusive behaviour is detected and declared contrary to competition law, most of the harm would have already been done.119 Therefore, the fines would serve as a

116_{Bundeskartellamt, ‘Preliminary assessment in Facebook proceeding: Facebook's collection and}

use of data from third-party sources is abusive.’ (19 December 2017)

117_{Andrew Keen, How to Fix the Future: Staying Human in the Digital Age. (Atlantic books 2018)}

chapter 6.

through competition law? Rethinking abuse of dominance in light of the Federal Cartel Office’s Facebook investigation.’ (2018) 14 (2-3) European Competition Journal 195.

119_{Björn Lundqvist, ‘Regulating Competition and Propety in the Digital Economy – The Interface}

Between Data, Privacy, Intellectual Property, Fairness and Competition Law.’ (2018) 54 Stockholm Faculty of Law Research Paper 1, 34-35; Marco Botta and Klaus Wiedemann, ‘EU Competition Law Enforcement vis-à-vis Exploitative Conducts in the Data Economy – Exploring the Terra Incognita.’ (2018) 18 (8) Max Planck Institute for Innovation and Competition Research Paper, 67-68.

(26)

deterrent effect to that specific undertaking and all other undertakings.120_{That is} why the sum would usually be of a significant amount.121

3.2.1 Supranational Level

The rules on enforcement of EU competition law are laid down in the Council Regulation 1/2003. This Regulation empowers the EC122 as well as the NCAs123 to conduct investigations and impose fines on undertakings for the violations of Article 102 TFEU.

The Regulation sets out specific rules on how much an undertaking can be fined. The widely known feature of competition law is their high value fines: the maximum amount that a dominant undertaking can be fined is capped at 10% of its the overall annual turnover.124

Moreover, the CJEU has the competence to review the EC’s decisions and may even change the amount levied.125 Statistically, during appeal attempts by undertakings, only 10% of the value of fines were appealed by the Court; making most fines upheld.126

3.2.2 Member State Level

As was stated in chapter 3.1.2, EU competition law may be applied by MSs when an actual or potential cross-border hinderance of competition is achieved. Consequently, in such circumstances, NCAs are then entitled to impose fines on undertakings up to 10% of their total turnover in the preceding financial year.127

When competition law violations are purely internal, then NCAs may exclusively apply their national rules on competition. In Germany, competition law fines are

Keep up.' (2016) 2 Competition Law and Policy Debate 15, 22.

121_Ibid.

122_{Art.5 Regulation 1/2003.} 123_{Ibid. at art. 23 (2) (a).}

124_{Art. 23 (2) (c) Regulation 1/2003.}

125_{European Commission, ‘Fines for breaking EU Competition Law.’} 126_Ibid.

(27)

different to that of the Supranational level; more precisely, they are two-fold.128 Firstly, the GCA must identify one or more individuals who have committed a competition infringement.129 Secondly, after having identified the individual(s), the GCA must then attribute the individual(s)’ behaviour to the legal entity they represented.130 Both these entities will then receive a fine each. Individuals may be fined up to €1 million and 10% of the consolidated group turnover on a legal entity.131

128_{Gesetz gegen Wettbewerbsbeschränkungen (Act against Restraints of Competition – ARC)}

para. 81 (4); Katharina Apel and Tobias Rump, ‘Dominance.’ (April 2019).

129_Ibid. 130_Ibid. 131_Ibid.

(28)

4. Data Protection Law in the European Union

The EU taking notice of the importance of fundamental rights, it had decided to take initiative and legislate its own set of rules. These rules granted the CJEU with the power on examining the validity of secondary EU law and national measures implementing them.132 This is what led to the Charter of Fundamental Rights of the European Union (Charter) which became legally binding after the Lisbon Treaty entered into force in 2009.133

Within the Charter, the right to data protection was made explicit and was enshrined in Article 8 Charter; this was a different approach to that of the prior set of rules that the Supranational institution relied on.134 As can be understood from the explanations relating to the Charter, Article 8 was based on the predecessor of Article 16 of the TFEU, namely Article 286 of the Treaty establishing the European Community (TEC). This Article states that “everyone has the right to the protection of personal data concerning them”135 and further gives the EU competence to legislate upon this area.136

It should be noted however, that the key legal instrument that had been used for a little over two decades when applying the right of data protection in the EU was the Data Protection Directive (DPD).137_{The purpose of the DPD was not only to} create extensive rights for individuals when it comes to their personal data, it also created rules in order to achieve a free flow of individual’s data between MSs of the EU.138

The unique feature of Directives in the EU is that they need to be implemented in

132_{Stefania Alessi, ‘Eternal Sunshine: The Right to Be Forgotten in the European Union after the}

2016 General Data Protection Regulation.’ (2017) 32 (1) Emory International Law Review 145, 150.

133_Ibid.

134_{Prior to the Charter, the EU relied on the European Convention on Human Rights (ECHR) which}

did not differentiate between the right to private life and data protection; both these fundamental rights fell under the same article – Article 8 ECHR.

135_{Art. 16 (1) TFEU.}

136_{Ibid. at art 16 (2); Explanations relating to the Charter of Fundamental Rights OJ C 303,}

14.12.2007.

137_{Directive 95/46/EC of the European Parliament and of the Council on the protection of}

individuals with regard to the processing of personal data and on the free movement of such data [1995] OJ L281.

(29)

every national legal system. In turn, there were 28 different versions of the DPD across the EU which consequently lead to diverging levels of protection;139 meaning there was room for improvement which the General Data Protection Regulation (GDPR) 140_{sought to address.}

4.1 General Data Protection Regulation (GDPR)

The GDPR was adopted in 2016 which was the result of an almost everlasting trilogue negotiation between the European Parliament, EC and the Council.141 The aim of this legal instrument was to build upon the pre-existing rules on data protection and to fill the gaps that were necessary in order to achieve greater protection.142 Just like the DPD, the GDPR is a secondary law of the EU. Nonetheless, the change from a Directive to a Regulation plays a great importance in the implementation process.143 Since the nature of regulations in the EU does not require implementation of the rules into the national legal systems, they are directly applicable.144 Therefore, when individuals apply the GDPR, they may directly rely on the rights prescribed from within in any Member State, ensuring individuals more personal control and easier access to their personal data.145 Moreover, it leaves the chance for MSs to cooperate together as they fall under one set of rules.146_{With this legislative reform, the EU has paved the way for more} harmonisation in this field of data protection. This facilitates the coherency of the law in the MSs by making it more comprehensive.147

139_{Shaniqua Singleton, ‘Balancing a Right to Be Forgotten with a Right to Freedom of Expression}

in the Wake of Google Spain v. AEPD.’ (2015) 44 (1) Georgia Journal of International and Competition Law 165, 171.

140_{Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of}

personal data and on the free movement of such data [2016] OJ L 119

141_{Olivier Proust, ‘Privacy, Security and Information Law - Unravelling the mysteries of the GDPR}

trilogues.’ (16 July 2015).

142_{Lee A. Bygrave, Data privacy law: An international perspective. (Oxford: Oxford University}

Press 2014) 71.

143_{Ibid. at 72.} 144_Ibid.

2016 General Data Protection Regulation.’ (2017) 32 (1) Emory International Law Review 145, 162-163.

146_{Art. 60 GDPR.}

2016 General Data Protection Regulation.’ (2017) 32 (1) Emory International Law Review 145, 162-163.

(30)

One of the main reasons why this Regulation attracted global attention is due to its expansive scope of application148_{and the fines entailed for the breach of the rights} prescribed in its articles. Once there is an EU citizens’ personal data involved, the scope of application of the GDPR is triggered.149

4.1.1 GDPR Authorities

As stipulated in the GDPR, each MS must have a supervisory authority that is not influenced by other public entities.150 These authorities are referred to as National Data Protection Authorities (NDPAs) and they are regarded to be the guardians of the GDPR.151 Their main mandate is to protect the fundamental right of personal data and to facilitate the free flow of this data within the EU, and they do so by monitoring the application of the Regulation.152

As tech undertakings conduct their business through the Internet, they are essentially impacting many EU citizens across the EU. This prompts the attention of several NDPAs which may be able to assist each other153 and eventually conduct a joint operation.154_{In such situations a lead supervisory authority must be} assigned depending on certain facts.155

There also exists a data protection body on a Supranational level, the European Data Protection Board (EDPB), which assists the NDPAs in order to promote coordination and consistent interpretation of the GDPR.156 Moreover, this entity may even issue binding opinions in cases where NDPAs object with each other when cooperating in cross-border situations. However, the EDPB lacks

148_{Art. 2 GDPR establishes the material scope which covers the processing of any type of personal}

data related to EU citizens using any means for its processing, whether it be electronically or not. Art. 3 GDPR establishes the territorial scope which covers the processing of personal data that has been conducted from any country in the world.

149_{Art. 1 GDPR.} 150_{Ibid. at art. 4 (21).} 151_{Ibid. at artt. 51-54.} 152_{Ibid. at art. 51.} 153_{Ibid. at art. 61.} 154_Ibid.

155_{Ibid. at art. 60 - It depends on where the undertaking’s headquarters, or where the processing of}

data takes places. Should the aforementioned take place outside the EU, then the MS with the most affected individuals will take the position of lead supervisory authority.

(31)

enforcement powers; it may not directly conduct an investigation, nor may it directly impose a fine on an undertaking.157

Overall, these new practices are a step towards progress, and they demonstrate the necessity as well as the commitment of the EU to provide higher levels of data protection.

4.1.2 GDPR and Facebook in Practice

(ii) Can a data protection authority issue a fine against an undertaking based on data related facts under its respective legal framework?

This sub-chapter is in place in order to give a brief example on what would be considered a breach of the GDPR. For the sake of consistency and coherency, Facebook’s terms and conditions, as were introduced and elaborated on in chapters 3.1.1 and 3.1.2 of this thesis, will be used as a set of facts.

Article 5 (1) (c) GDPR enshrines the concept of data minimisation. This means that when an undertaking collects personal data that exceeds the necessity of the objective of the business, then this practice is deemed to be a breach. As was detailed in chapter 3.1.1 (i), Facebook is breaching the ‘necessity’ step with its instructive terms and conditions. It was evidenced in this thesis that there are less intrusive means for this undertaking to achieve its business aim.

This Article is one of the many possibilities that can be used to determine Facebook’s breach of the GDPR. Therefore, it is a high possibility that this undertaking could be fined based on this Regulation using the same facts that the GCA issued a decision on.

157_{Ibid. at art. 70; Meaning that there is basically no data protection enforcement at the EU level}

(32)

4.1.3 Fines for the Breach of Data Protection

One of the most controversial aspects of the GDPR is the hefty fine it enforces for the breach of its rights.158 Infringements of the Regulation can cost an undertaking up to administrative fines up to 20 000 000 EUR or 4% of its total worldwide annual turnover159 Fines can even be levied where only a single individual’s privacy was breached.160

158_{Paul J. Watanabe, ‘An Ocean Apart: The Transatlantic Data Privacy Divide and the Right to}

Erasure.’ (2017) 90 (5) Southern California Law Review 1111, 1134-1135.

159_{Art. 83 (5) GDPR.}

160_{Paul J. Watanabe, ‘An Ocean Apart: The Transatlantic Data Privacy Divide and the Right to}