Is the Missing Piece of the Puzzle Found in the Intersection Between GDPR and Antitrust Law?
The German Competition Authority (“Bundeskartellamt”) had previously found Meta (formerly Facebook) responsible for abusing its dominant position in the social network market by collecting and processing the personal data of its users without their consent and imposed measures on Meta and its associated undertakings from continuing to use it. The case rapidly resonated in the antitrust realm as it was the first time a competition authority had based an abuse of dominance finding on a violation of data protection rules. Recently, the long-awaited opinion of Advocate General Rantos of the European Court of Justice (“ECJ”) (“Opinion”), which lays down a marker for the implementation of data protection rules in competition law, was delivered on 20.09.2022. As the Opinion casts light on key points stemming from the intersection between the General Data Protection Regulation (“GDPR”) and competition law, the Opinion and its potential effects on competition law will be discussed in this article.
The proceedings against Meta date back to 2016, when the Bundeskartellamt investigated Meta’s dominant position in the social network market and its terms of service on the use of user data to find out if Meta’s conditions were in violation of data protection provisions. Bearing in mind that not every law infringement action brought against a dominant company is relevant under competition law, the gist of the investigation rested on the suspicion that Meta’s use of its terms of service could pose an abusive imposition of unfair conditions on its users residing in Germany. The “take it or leave it” nature of its terms of service allowed Facebook to collect data on its users and their devices from Facebook’s corporate services (i.e. WhatsApp and Instagram), as well as from sources outside of a user’s Meta related-activities (via Facebook Business Tools) and merge it with user data from the Facebook social network. Meta argued that it has a legitimate interest in collecting and processing such data, required in order to provide its services. Although the Bundeskartellamt considered that an advertising-funded social network generally needs to process a large amount of personal data, it concluded that Facebook’s extensive processing of personal data from other corporate services and Facebook Business Tools enables, among other things, “profiling” and “device printing” of the users and hence subject to the affected user’s consent pursuant to data protection requirements. However, it held that there can be no effective consent if it is a prerequisite for using the Facebook.com service in the first place. Accordingly, Facebook’s data policy clearly overstepped the data protection boundaries set forth in the GDPR and constituted an abuse of dominant position in the form of “exploitative business terms”. Consequently, the Bundeskartellamt not only prohibited the relevant parts of the terms of service that allow collection of data via corporate services and Facebook Business Tools and cookie policies, but also the actual processing of data carried out by Facebook based on these terms.
The decision was suspended upon Meta’s appeal on 11.02.2019, as the Düsseldorf Higher Regional Court Court expressed “serious doubts” about the legality of the Bundeskartellamt’s decision. It was also sceptical that any harm occurring as a result of Meta’s data processing policy gave rise to competitive injury for either consumers or competitors. However, the Federal Court of Justice overturned the Higher Regional Court’s order. It found that access to data is an essential competition parameter and that it helped the social network to grow using the profits generated from advertising contracts. Hence it found that the market for online advertising would also be affected.
Opinion of AG Rantos
Before deciding on the merits of Meta’s appeal, The Düsseldorf Higher Regional Court referred seven questions to the ECJ for a preliminary ruling. The subjects referred and corresponding answers discussed in the Opinion are as follows:
On the competence of a competition authority to penalise a breach based on processing of personal data and its obligations to cooperate with the lead authority under GDPR
The examination of an abuse of a dominant position on the market may justify the interpretation of rules other than those related to competition law, such as those of the GDPR, provided that such an examination is carried out in an incidental matter and is without prejudice to competition authority’s duty to inform and cooperate with the competent supervisory authority. In his Opinion, AG Rantos concluded that there was sufficient evidence that the Bundeskartellamt had fulfilled its duties of diligence and sincere cooperation against the lead authority.
On the processing of sensitive data manifested by data subject by way of visiting websites, apps and entering information and clicking or tapping the buttons integrated into them
AG Rantos expressed the view that there is no substantial difference between personal data that are sensitive because they “reveal” a certain situation about a person and the data that are inherently sensitive under Article 9(1) of the GDPR, which prohibits the processing of sensitive personal data. In other words, AG Rantos stated that the prohibition of processing sensitive data extends to the aggregation of personal data that help infer conclusions about a user’s preferences. Therefore, although collecting sensitive personal data about a visit to a website or an app may not itself be same as processing sensitive personal data, linking the data to the user’s Facebook account or using the data, amounts to such processing. As for the exception to the rule prohibiting processing of sensitive personal data, the user must be fully aware that, by an explicit act, he or she is making personal data public. AG Rantos concluded that inferring consent for the collection of the data subject’s personal data by cookies or similar technologies is not sufficient to justify the processing of data, as prior consent is necessary to install these technical means in user’s devices. Therefore, they do not show the data subject’s intention to make such data manifestly public.
On the necessity of processing the personal data by Meta
The Opinion emphasizes that, although a link between various services offered by Meta, for example between Facebook and Instagram, could be “useful” for the user in terms of personalised content, the processing of personal data is not “necessary” for the performance of the contract between Facebook and its’ users. Considering the user profiling activities of Facebook that involve collecting information on its users from outside sources, the alleged justifications also do not correspond with a user’s reasonable expectations when signing up to Facebook. Thus, in the present case, the alleged justifications such as personalisation of advertising, network security and product improvement cannot be considered as legitimate justifications for the controller to avoid obtaining the user’s consent.
On whether if a consent by the user may be given effectively to an undertaking having a dominant position
The Opinion expresses the view that consent should not serve as a valid legal ground for processing data when there is a clear imbalance between the data subject and controller; especially when provision of service is conditional upon consent to the processing of personal data that is not necessary for the performance of the contract. That said, the mere fact that an undertaking enjoys a dominant position in the market for social networks does not, on its own, render the consent of the user invalid to process the personal data. However, a finding of dominance can influence the assessment of whether the consent of the user was given freely and effectively.
What Does the Opinion of AG Rantos Mean for Competition Law?
The Opinion was highly anticipated in competition law circles, as many were hoping that it could provide guidance for competition authorities, as well as for digital platforms, like Meta, which are facing investigations concerning their data policies all around the world. In fact, on 11.01.2021, The Turkish Competition Authority (“TCA”) ex officio launched an investigation against Meta which focused on Meta’s new “WhatsApp update notification” policy, that brings mandatory data sharing to WhatsApp users in Turkey. The TCA concluded that Meta’s newly introduced data policy, which requires WhatsApp users’ agreement in order to make private use of WhatsApp, would create serious competitive concerns. According to TCA WhatsApp data which is linked to Meta’s other corporate services would pave the way for the exclusion of Meta’s competitors, as Meta abuses its market power in the consumer communication services market. It is also found that this policy would lead to excessive data collection and processing of user data which would ultimately result in consumer exploitation. As a result, the TCA imposed an interim measure on Meta and ordered the suspension of Meta’s new terms of service.
Following a hearing, the TCA also imposed an administrative fine in the amount of TRY 346,717,93.40 on Meta. It found that Meta had abused its dominant position in the market for personal social network services, the market for consumer communication services and the market for online video advertising by merging data gathered from its Facebook, Instagram and WhatsApp services.
The decision of the TCA is important because it displays competition authorities’ ever-increasing tendency to penalise digital platforms, which derive great value and insights from collecting the user data obtained from various sources and merging it with their existing datasets. In this respect, TCA’s decision largely mirrors the Bundeskartellamt’s decision and the Opinion, with an additional finding on the exclusion of competitors in relevant markets as well.
Although the answers to the questions for the preliminary ruling is up to the ECJ’s final decision, there are some key points in the Opinion which suggest that platforms will be required to change the way that they process data.
The key points in the Opinion are i) in the exercise of their own powers, competition authorities can apply GDPR rules to decide on the illegal conduct in competition law, ii) dominant position plays an important role in the assessment of the validity of a data subject’s consent, ii) the prohibition of processing sensitive data also applies to online tracking of user data, iv) the trails left by a user online do not constitute data manifestly made public by the user, and v) in order for data controller to have a legitimate interest in the processing of user data, such processing must be objectively necessary for the performance of the contract and no less intrusive alternatives should available. Provided that the Opinion is confirmed by the ECJ, this will be a reference for future cases and help further implement GDPR in competition law. As for the question of whether the missing piece of the puzzle has been found in the intersection between the GDPR and antitrust law, the answer is “probably not”. However, a vital clue to that answer has certainly been provided by the Opinion.
- The Opinion of Advocate General Athanasios Rantos, https://curia.europa.eu/juris/document/document.jsf;jsessionid=185B1351FFE39552EC40994D9E65F286?text=&docid=265901&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=254586
- The Press Release of Bundeskartellamt, https://www.bundeskartellamt.de/SharedDocs/Meldung/EN/Pressemitteilungen/2016/02_03_2016_Facebook.html
- The Higher Regional Court of Düsseldorf’s Decision, https://www.bundeskartellamt.de/SharedDocs/Publikation/EN/Pressemitteilungen/2020/23_06_2020_BGH_Facebook.pdf?__blob=publicationFile&v=3
- The Federal Court of Justice (Bundesgerichtshof – BGH) is Germany’s highest court of civil and criminal jurisdiction
- The Federal Court of Justice’s Decision, https://www.bundeskartellamt.de/SharedDocs/Publikation/EN/Pressemitteilungen/2020/23_06_2020_BGH_Facebook.pdf?__blob=publicationFile&v=3
- The Press Release of Turkish Competition Authority, https://www.rekabet.gov.tr/Dosya/1-meta-nihai-karar-internet-duyurusu.pdf
All rights of this article are reserved. This article may not be used, reproduced, copied, published, distributed, or otherwise disseminated without quotation or Erdem & Erdem Law Firm's written consent. Any content created without citing the resource or Erdem & Erdem Law Firm’s written consent is regularly tracked, and legal action will be taken in case of violation.
The first “Artificial Intelligence Act” of all time, which includes rules and regulations that directly affect tools such as ChatGPT, Bard and Midjourney adopted by the European Parliament with a majority of votes. Thus, the European Parliament has officially taken the steps of a regulation that could be a turning point for...
In its decision regarding Case-300/21 and dated May 4, 2023, the Court of Justice of the European Union (“CJEU”) evaluates the right to compensation for an infringement of the European Union General Data Protection Regulation (“GDPR”) regulated in Article 82 of the GDPR. The CJEU decided that a mere...
ChatGPT, a large language model (LLM) developed by OpenAI, is an artificial intelligence (AI) system based on deep learning techniques and neural networks for natural language processing. ChatGPT can process and generate human-like text, chat, analyse and answer follow-up questions, and acknowledge errors...
The Personal Data Protection Law numbered 6698 (“PDPL”) introduces definitions for many concepts such as personal data, data controller, data processor and data subject. In terms of understanding and interpreting these concepts, secondary legislation, Personal Data Protection Authority (“Authority”) guidelines...
The Covid-19 pandemic and recent technological developments have significantly accelerated the digital transformation of all sectors. However, this rapid change especially in the financial sector (mobile banking, e-commerce, contactless payments, etc.) has brought some risks along with making life extremely...
Smartwatches have undeniably revolutionized our lives in the past decade. Apart from their core function as a timepiece, these wearable computers packaged in the form of a watch enable us to answer incoming calls, reply to messages and skim through social media notifications in seconds. Their steady rechargeable...
The Personal Data Protection Authority (“DPA”), on 16.06.2022, published the Draft Guidelines on Examination of Loyalty Programs within the Scope of Personal Data Protection Legislation (“Draft Guidelines”). The public has until 16.07.2022 to submit comments on them, and after these are evaluated...
Banks process large volumes of personal data in their daily operations. In order to deal with this sensitive information, the Turkish Personal Data Protection Authority, in cooperation with the Banks Association of Turkey, published Good Practice Guidelines on Personal Data Protection in the Banking...
The procedural rules on mass claims within European Union (“EU”) Member States is not uniform. To improve the position of consumers who might wish to make such claims, the European Parliament passed the Collective Redress Directive (“Directive”). The impact of the Directive is expected to...
In February 2020, the European Commission (“Commission”) published “A European Strategy for Data” as part of a wider drive concerning digital transformation and policy. Through this communication, the European Union (“EU”), defining itself as having a leading role in the data economy...
The Regulation on Protection and Processing of Personal Data by the Social Security Institution (the “Regulation”), the purpose of which is to determine the procedures and principles for processing data obtained within the scope of the duties and authority of...
The Personal Information Protection Law of the People’s Republic of China (“PIPL”) passed at the 30th meeting of the Standing Committee of the 13th National People’s Congress on 20 August 2021 and entered into force on 1 November 2021 as per Article 74...
In today's world, there is no doubt that data has become one of the most valuable assets and resources for some companies. The ability to collect, store, process, and analyze data on a large scale has dramatically changed...