Thursday, February 12, 2026

EU Top Court Redraws Regulatory Map: Competition Authorities Barred from Imposing GDPR Fines

THE BOTTOM LINE

  • Simplified Risk Landscape: Your company’s risk of being directly fined for GDPR infringements is now confined to Data Protection Authorities (DPAs). National Competition Authorities (NCAs) have lost the power to impose fines on this basis.
  • New Defense Strategy: In a competition investigation involving data, you can now challenge an authority’s jurisdiction if it makes its own finding of a GDPR breach. The focus must shift to cooperation between the competition and data protection bodies.
  • Data Compliance is Still Key: This is not a free pass. A company’s non-compliance with the GDPR can still be a critical factor for an NCA to determine an abuse of a dominant market position, but the authority must now rely on the DPA’s assessment of the data protection issue.

THE DETAILS

In a landmark decision, the Court of Justice of the European Union (CJEU) has clarified the distinct roles of Europe’s powerful regulators. The case centered on whether a national competition authority, tasked with enforcing antitrust law, could independently find that a company’s data practices violated the GDPR and issue a fine for it. The Court’s answer is a clear “no.” This ruling stems from a case where a competition watchdog concluded that a company’s terms of service, which involved extensive data processing, constituted an abuse of its dominant market position precisely because they were deemed non-compliant with the GDPR.

The Court’s reasoning is rooted in preserving the integrity of the GDPR’s own enforcement structure. The regulation was designed with a specific “one-stop-shop” mechanism, empowering a lead Data Protection Authority to ensure consistent application of the rules across the Union. The CJEU held that allowing 27 different National Competition Authorities to also interpret and enforce the GDPR would create a fragmented and unpredictable system. This would undermine legal certainty for businesses and contradict the EU’s goal of a harmonized data protection framework. The power to find a GDPR infringement and levy fines for it rests exclusively with the DPAs.

However, this judgment does not build a wall between competition law and data protection. The Court clarified that an NCA is not blind to GDPR issues. A company’s data practices can still be a crucial element in an antitrust investigation. The key difference is procedural: the competition authority cannot act alone. If it suspects a company’s conduct is anti-competitive due to a potential GDPR violation, it must consult and cooperate with the relevant DPA. The DPA is the sole arbiter of whether the GDPR has been breached; the NCA can then use that official finding as evidence in its own competition case. This decision forces greater collaboration between regulators while providing businesses with clearer jurisdictional lines.

SOURCE

Court of Justice of the European Union

Frankie
Frankie is the co-founder and "Chief Thinker" behind this newsletter. Where others might get lost in the noise of the digital world, Frankie finds clarity in the analog. He believes the best ideas don't come from a screen, but from quiet contemplation, deep reading, and the space to think without distraction.