On 20 September 2022, Advocate General Athanasios Rantos delivered his opinion in case C-252/21 referred to the Court of Justice by the Higher Regional Court of Düsseldorf in Germany. The preliminary questions relate, among other things, to the competence of national competition authorities to assess the compliance of data processing with the GDPR.
In 2019, the Bundeskartellamt, the German competition authority, found that Facebook (currently Meta Platforms) abused its dominant position and imposed far-reaching restrictions on the processing of users’ data. The anticompetitive practice consisted of the fact that Meta Platforms collected data from its other services, such as Instagram and WhatsApp, as well as from third-party websites and apps, and then linked those data with the user’s Facebook account and used them to sell tailored online advertising. Meta Platforms filed an appeal against the Bundeskartellamt’s decision before the referring court.
The first question asked by the referring court pertains to the competence of a national competition authority to rule primarily on the infringement of GDPR rules and to issue an order to end possible breaches. The Advocate General, however, is of the view that the Bundeskartellamt did not sanction Meta Platforms for breach of the GDPR but reviewed, for the sole purpose of applying competition rules, an alleged abuse of its dominant position while taking account, inter alia, of that undertaking’s non-compliance with the provisions of the GDPR. The Advocate General therefore considers the first question to be irrelevant.
The Advocate General then turns to the question concerning the power of a competition authority to establish as an incidental question, i.e. when prosecuting infringements of competition rules, whether data processing activities comply with the GDPR. The Advocate General is of the view that the GDPR does not preclude competition authorities from being able, in exercising their own powers, to take account of the compatibility of a certain conduct with the provisions of the GDPR. The compliance or non-compliance with the GDPR of an undertaking’s conduct may constitute a vital clue to establish whether that conduct amounts to a breach of competition rules.
However, the Advocate General clarifies that this must be without prejudice to the competent supervisory authority’s powers under the GDPR so as not to undermine the uniform interpretation of the GDPR.
To that end, national competition authorities should inform and cooperate in good faith with the data protection authorities. Where the data protection authority has ruled on the application of certain provisions of the GDPR in respect of the same or similar practices, the competition authority cannot, in principle, deviate from the interpretation of that authority and should comply with any decisions adopted by that authority concerning the same conduct. In the event of doubts as to the interpretation given by the data protection authority, the competition authority should consult that authority.
Furthermore, even without a decision by the competent data protection authority, it is still the competition authority’s duty to inform and cooperate with the data protection authority where that authority has begun an investigation of the same practice or has indicated its intention to do so, and possibly to await the outcome of that authority’s investigation before commencing its own assessment.
Please contact Karel Janssens for further information about this topic and/or for general advice relating to privacy and data protection.