THE BOTTOM LINE
- Expanded Regulatory Risk: Your GDPR compliance is no longer just the concern of Data Protection Authorities. National competition watchdogs can now investigate and penalize data privacy breaches as part of an antitrust case, opening a significant new front for enforcement.
- Data Strategy as an Antitrust Weapon: How your company collects, combines, and uses personal data can be deemed an abuse of a dominant market position. This development directly links your data strategy to core competition law, turning a potential data asset into a major liability.
- Increased Inter-Agency Scrutiny: Expect closer cooperation and information sharing between competition authorities and data protection regulators. A compliance issue flagged by one agency could easily trigger a full-blown investigation by the other, multiplying your legal exposure.
THE DETAILS
This landmark opinion stems from a case involving Meta Platforms (formerly Facebook) and Germany’s powerful competition authority, the Bundeskartellamt. The German authority found that Meta abused its dominant position by forcing users to agree to have their data combined from multiple sources—Facebook, Instagram, WhatsApp, and third-party websites. The Bundeskartellamt argued this “take-it-or-leave-it” approach to data processing violated the core principles of the GDPR, and that this non-compliance was a key tool in unfairly cementing its market dominance. Meta challenged this, arguing that only a dedicated Data Protection Authority (DPA) had the power to rule on GDPR matters, not a competition regulator.
The Advocate General (AG) of the Court of Justice has now provided crucial clarity, advising the Court that a competition authority can indeed rule on a company’s compliance with data protection rules. The reasoning is that in today’s digital economy, data processing and competition are intrinsically linked. The AG’s opinion states that a company’s adherence (or lack thereof) to regulations like the GDPR is a critical factor in determining whether its market conduct is fair. Ignoring a GDPR violation during an antitrust investigation would mean overlooking a key element of how a dominant company might be competing unfairly.
However, this does not give competition authorities a blank check. The AG stressed that this power must be exercised with caution and in cooperation with the relevant DPAs. A competition authority must consult with and consider the views of the expert data protection regulator to ensure consistent application of the law. It cannot contradict a prior decision made by a DPA on the same issue. While this opinion is not the final binding judgment of the Court, such opinions are highly influential and followed by the judges in the vast majority of cases, signaling a major shift in the European regulatory landscape where data privacy and antitrust law are now two sides of the same coin.
SOURCE
Source: Court of Justice of the European Union
