The Bottom Line
- Data is a Competition Issue: The line between data protection and competition law has been officially erased. How your company handles personal data is now a critical factor in antitrust assessments, especially if you hold a dominant market position.
- Increased Regulatory Risk: National competition regulators are now empowered to investigate GDPR non-compliance as a form of market abuse. This opens a new front for regulatory action beyond data protection authorities, potentially leading to significant antitrust fines.
- Urgent Review Required: CEOs and General Counsel must re-evaluate their data strategies. It’s no longer enough for your data processing to be GDPR-compliant; it must also stand up to scrutiny from a competition law perspective to avoid claims of unfair advantage.
The Details
The Court of Justice of the European Union (CJEU) has delivered a landmark ruling with significant implications for data-driven businesses. The case revolved around a national competition authority that had fined a dominant tech company, arguing that its method of consolidating user data across various services was not only a breach of the General Data Protection Regulation (GDPR) but also an abuse of its dominant market position. The core question for the Court was whether a data protection infringement could, in itself, constitute an antitrust violation.
In its reasoning, the Court confirmed that it can. The CJEU clarified that in the modern digital economy, competition is often fought over access to and control of personal data. Therefore, if a company with a dominant market share uses practices that do not comply with GDPR—for example, by not securing valid consent for data processing—it is gaining an unfair competitive advantage over rivals who do follow the rules. This exploitation of users and market power, the Court reasoned, can be classified as an “abuse” under EU competition law.
The commercial and legal fallout from this judgment is immediate. It effectively hands a powerful new weapon to competition regulators across the 27 member states. They no longer need to operate in a separate silo from data protection authorities. Instead, they can directly leverage a company’s failure to adhere to GDPR standards as core evidence in an antitrust case. This requires businesses to adopt a holistic approach to risk, ensuring that their data privacy and competition law compliance strategies are fully integrated to prevent a violation in one area from triggering a multi-million-euro penalty in another.
Source
Source: Court of Justice of the European Union
