Position paper on Interplay between data protection and competition law

[Access official publication on EDPB website]

Executive summary

Promoting cooperation between personal data protection and competition authorities can be useful to protect individuals and increase their choice. In fact, as companies’ business models evolve, personal data and the rules applicable to its processing are becoming increasingly central. It is therefore essential to consider ways of promoting coherence among separate but interacting areas of regulation, bearing in mind the risks from their incoherent application at individual and societal levels.

This will require a better understanding of the relationship between concepts used in data protection and competition law, so as to strengthen the ability of data protection authorities of taking into account the economic context, and the ability of competition authorities of incorporating potentially relevant data protection considerations in their assessments and decisions.

  • In accordance with the CJEU’s judgment in 21, cooperation between data protection and competition authorities is, in some cases, mandatory and not optional.
  • Policymakers should be aware of the possibility that regulatory authorities and bodies competent to supervise the digital sector might need to cooperate more closely in certain cases.
  • Currently the degree of cooperation between authorities varies considerably between Member States and is not harmonised by EU law.
  • Within authorities, internal measures such as setting up a dedicated team to coordinate cooperation tasks and to act as a single point of contact for other authorities, could promote cooperation with other supervisory authorities.
  • With a view to ensuring efficient cooperation, authorities should develop a basic understanding of and familiarity with the regulatory framework employed by relevant counterparts

The European Data Protection Board has adopted the following position paper:

1 INTRODUCTION

  1. For data protection regulators, recent changes in the legal landscape raise numerous issues at the intersection of data protection and competition law. It is clear from the decision in Meta v Bundeskartellamt1 that data protection and competition regulatory objectives cannot always be pursued in isolation. Instead, regulators may need to cooperate and coordinate in order to explore synergies and to engage in coherent, effective and complementary enforcement activities. Such cooperation can benefit individuals, corporations and other entities: it enables different regulators to protect individuals in the EU in the most effective and efficient manner and ensures a consistent interpretation and application of legal norms.

  2. While the GDPR and competition law may apply to the same actors and activities, they are clearly distinct areas of law, based on different legal concepts and objectives and with their own enforcement framework. While data protection law aims at guaranteeing data subjects’ fundamental right to the protection of their personal data, in particular against unlawful, unfair and opaque processing of their personal data^[Footnote 2 - See article 8(1) of the Charter of Fundamental Rights of the European Union (the ‘Charter’) and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU), which provide that everyone has the right to the protection of personal data concerning him or her.], competition law aims “to protect the efficient functioning of markets”^[Footnote 3 - European Commission: Directorate-General for Competition, 2017, EU competition policy in action: COMP in action, Publications Office of the European Union. https://data.europa.eu/doi/10.2763/897035.]. Hence, analysis is needed to assess situations where the interplay between data protection and competition arises.

  3. With this position paper, the EDPB provides a short analysis of this interplay and give recommendations for further development of existing cooperation between regulators.

    2 PROMOTING COOPERATION AND CONVERGENCES

    2.1 Protecting individuals

  4. EU data protection law and competition law are clearly distinct legal frameworks and fields of law that pursue different objectives. However, they have a number of potential commonalities, such as the protection of individuals and their choices. Indeed, while data protection policy aims to protect individuals from any unlawful or unfair processing of their personal data, competition policy aims to guarantee the conditions for free and undistorted competition between companies on the relevant markets in the interests of consumers^[Footnote 4 - See Article 101 and 102 of the TFEU.], by promoting innovation, diversity of supply and attractive prices^[Footnote 5 - European Commission: Directorate-General for Competition, 2024, Protecting competition in a changing world: Evidence on the evolution of competition in the EU during the past 25 years. Publications Office of the European Union. https://data.europa.eu/doi/10.2763/089949.]. This aim of protecting individuals in their role as consumers under competition law is expressed in the prohibition of cartels, abuse of dominant positions and countering anticompetitive mergers, which without intervention may lead to harm to consumers, in the form of higher prices, less choice or lower quality and innovation.^[For example, Article 102 of the TFEU specifies that an abuse of a dominant position consists of “limiting production, markets or technical development to the prejudice of consumers”.]

  5. Strengthening the link between the protection of personal data and competition can contribute to the protection of individuals and the well-being of consumers by reinforcing the common consideration of respect for their fundamental rights and the proper functioning of competitive markets.

  6. It would therefore seem beneficial to strengthen cooperation between data protection and competition authorities especially in those cases where there is a clear intersection between the application of competition law and the application of data protection rules. This would assist in identifying and tackling upstream the tensions that could arise in certain situations between both fields of law. In this way, increased cooperation between authorities could make it possible to improve consistency and effectiveness in their respective actions, to the benefit of both individuals and entities that must comply with the legal requirements of both fields.

    2.2 The evolution of data protection with the development of the digital economy

  7. The digital economy has put personal data at the heart of many business models. As a result, data protection has become in some cases an important parameter of competition^[See also European Commission, Competition policy brief, April 2024, Non-Price Competition: EU Merger Control Framework and Case Practice, Issue 1, p. 4. Paragraph 51 of the judgment in Case C-252/21, states that “access to personal data and the fact that it is possible to process such data have become a significant parameter of competition between undertakings in the digital economy. Therefore, excluding the rules on the protection of personal data from the legal framework to be taken into consideration by the competition authorities when examining an abuse of a dominant position would disregard the reality of this economic development and would be liable to undermine the effectiveness of competition law within the European Union.”]. At the same time, EU data protection law aims to prevent unlawful and unfair processing of personal data, including in the case of power imbalances between data controllers and the individual whose personal data is collected.

  8. In its new Notice on the definition of the relevant market^[European Commission, 2024, Communication from the Commission – Commission Notice on the definition of the relevant market for the purposes of Union competition law, Official Journal, C 1645, ELI: http://data.europa.eu/eli/C/2024/1645/oj], the Commission recognises that when defining the relevant market, the protection of privacy and personal data offered to consumers may be one of the parameters of competition to be considered^[European Commission, 22 February 2024, Commission Notice on the definition of the relevant market for the purposes of Union competition law, Official Journal, C/2024/1645, paragraph 13.]. In other words, privacy is considered to be one of the parameters especially “in the assessment of digital and tech mergers”.^[In the context of non-price competition, See European Commission, Competition policy brief, April 2024, Non-Price Competition: EU Merger Control Framework and Case Practice, Issue 1, section 1.3, p. 5.]

  9. A competitive market can be a decisive facilitating factor in creating circumstances for privacy friendly options^[European Commission, 20 December 2020, Commission staff working document Impact assessment report accompanying the document proposal for a Regulation of the European parliament and of the Council on contestable and fair markets in the digital sector (Digital Markets Act), points 65-66.]. In other words, if the consumer has different options in the market, this can encourage the minimisation of the amount of personal data collected or avoid massive combinations and uses of personal data from different sources that are harmful to users^[OECD, 13 June 2024, The intersection between competition and data privacy – Background Note, paragraphs 39, 47 and 57, p.11.]. The reverse is also possible. This is the case with exclusionary strategies, which limit the number of players on the market, and can thus artificially affect the number of privacy-friendly solutions. Lack of commercial alternatives can lead users to opt for less privacy-protective products.

  10. In the digital sector the behaviour of companies in a dominant position may raise questions about the role of personal data processing in strengthening and exploiting this position. Data-driven advantages from the combination and the cross-use of personal data from different sources by ‘gatekeepers’ in digital markets and the risks such advantages pose to the fairness and contestability of such markets are highlighted by the prohibitions in Article 5(2) of the DMA.^[Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828 (Digital Markets Act).]

3 HOW CONCEPTS CAN INTERRELATE

3.1 Protecting individuals and their decision making

  1. In the Bundeskartellamt judgment, the CJEU clarified the role of the dominant position in the context of the validity of consent under the GDPR. As such, a dominant position does not systematically imply that consent is invalid^[Meta v Bundeskartellamt judgment, paragraph 154.]. Nevertheless, certain conditions are necessary to ensure the validity of consent^[EDPB, 17 April 2024, Opinion 08/2024 on Valid Consent in the Context of Consent or Pay Models Implemented by Large Online Platforms. - https://www.edpb.europa.eu/our-work-tools/our-documents/opinion-board-art-64/opinion-082024-valid-consent-context-consent-or_en] because the dominant position is liable to affect “the freedom of choice of that user, who might be unable to refuse or withdraw consent without detriment”^[Meta v Bundeskartellamt judgment, paragraph 148, referring to Recital 42 GDPR.] and “may create a clear imbalance (…) between the data subject and the controller”.^[Ibid., paragraph 149, referring to Recital 43 and Article 7(4) GDPR.]

  2. For example, “where a clear imbalance of power exists, consent can only be used in ‘exceptional circumstances’ and where the controller, in line with the accountability principle, can prove that there are no ‘adverse consequences at all’ for the data subject if they do not consent, notably if data subjects are offered an alternative that does not have any negative impact”,^[EDPB, 17 April 2024, Opinion 08/2024 on Valid Consent in the Context of Consent or Pay Models. Implemented by Large Online Platforms, point 79, p. 21.] including the possibility of discrimination or social exclusion, especially in cases where digital services have a prominent role, or are decisive for individuals’ participation in social life or access to professional networks, even more so in the presence of lock-in or network effects.^[Ibid., point 182, p. 39.] Dominance could therefore be useful for identifying when a data controller could have an impact on users. However, this concept is not sufficient in itself to assess the validity of consent under GDPR, but is useful in a broader assessment of the imbalance of power under the GDPR. Moreover, a controller does not need to have a ‘dominant position’ within the meaning of Article 102 TFEU for their market position to be considered relevant for enforcing the GDPR.^[Ibid., paragraphs 103 to 105.]

3.2 Lawfulness 5.1 (a): an application of the Meta case within GDPR

  1. In its judgment, the CJEU ruled that, when competition authorities are assessing whether an undertaking abuses its dominant position within the meaning of Article 102 of the Treaty on the Functioning of the European Union (TFEU), subject to compliance with their duties of sincere cooperation with data protection supervisory authorities, they can assess if the general terms of use of undertakings relating to the processing of personal data and their implementation are not consistent with the GDPR, where this is necessary to establish the existence of such an abuse^[Meta v Bundeskartellamt judgment, paragraph 62.]. However, the assessments of competition authorities on the compliance of general terms of use with the GDPR for the purpose of Article 102 TFEU cannot replace the assessment of the competent data protection authority (“DPA”)^[Article 55 GDPR.], in particular of the lead supervisory authority (“LSA”) in the case of cross border processing within the European Union.^[The LSA being, per Article 56 GDPR, the supervisory authority of the main establishment or the single establishment of the controller of processor, it being competent to act as LSA for the cross-border processing carried out by that controller or processor in accordance with the procedure provided in Article 60 GDPR. ] On the basis of Article 4(3) of the Treaty on European Union (TEU), the CJEU considered that the various national authorities involved are all bound by the duty of sincere cooperation and that competition authorities are required to consult and cooperate with DPAs when they are called upon, in the exercise of their powers, to examine whether an undertaking’s conduct is consistent with the provisions of the GDPR^[Bundeskartellamt judgment, paragraphs 54, 58 and 59.]. Therefore, in accordance with the CJEU’s judgment, cooperation between regulatory authorities is, in some cases, mandatory and not optional. According to the settled case-law of the Court, the principle of sincere cooperation enshrined in Article 4(3) TEU implies that, in the regulatory fields covered by EU law, the European Union and the Member States, including their administrative authorities must, in full mutual respect, assist each other in the performance of their tasks arising from the Treaties^[Ibid., paragraph 53 and Article 4(3) TEU]. In particular, Member States must take all appropriate measures to fulfil their obligations arising from EU law and refrain from taking any measures that could jeopardise the attainment of the objectives of EU law^[See, to that effect: Judgments of 7 November 2013, UPC Nederland (C-518/11, EU:C:2013:709), paragraph 59, and of 1 August 2022, Sea Watch (C-14/21 and C-15/21, EU:C:2022:604), paragraph 156.].

  2. The CJEU’s judgment creates an important incentive for authorities to streamline their cooperation and to agree on practical ways to consult one and other.

3.3 An example of strengthening consideration of data protection

  1. Building on experiences such as that of the Digital Clearinghouse established by EDPS and its early Opinions on the need for a coherent enforcement^[EDPS Opinion on “Privacy and competitiveness in the age of big data https://www.edps.europa.eu/sites/default/files/publication/14-03-26_competitition_law_big_data_en.pdf EDPS Opinion on “coherent enforcement of fundamental rights in the age of big data” https://www.edps.europa.eu/sites/default/files/publication/16-09-23_bigdata_opinion_en.pdf], in 2020 the EDPB published a statement^[EDPB, 19 February 2020, Statement on privacy implications of merger. - https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_statement_2020_privacyimplicationsofmergers_en.pdf] on privacy implications of mergers which highlights the risk of the further combination and accumulation of sensitive personal data by a major tech company. The EDPB recalls that “It is essential to assess longer-term implications for the protection of economic, data protection and consumer rights whenever a significant merger is proposed”^[Ibid.]. It also states that “the implications that this merger may have for the protection of personal data in the European Economic Area” will be considered by the EDPB^[Ibid.]. Hence, privacy and data protection should be carefully considered, where appropriate, in merger assessments.^[See also European Commission, Competition policy brief, April 2024, Non-Price Competition: EU Merger Control Framework and Case Practice, Issue 1, p. 5.]

  2. Given the possible impact of EU data protection in merger assessments, increased cooperation between competition and data protection authorities - including at EU level - could help regulators to be better informed about potential personal data issues.

4 BUILDING ON COOPERATION

4.1 Why data protection and competition authorities should cooperate

  1. The EDPB has examined the issue of cooperation between authorities e.g. by listening to experts in this field and by launching a survey to understand how various authorities cooperating with one another.

  2. From this, the EDPB gained the following insight: good cooperation between authorities promotes coherence and synergies between decisions taken in matters of competition and data protection. This does not only benefit individuals, but also businesses by improving understanding of how the regulatory frameworks are applied.

  3. Moreover, as legislation and case law in the two legal fields develop, the need for cooperation between the respective competent authorities may even increase.

    4.2 Existing cooperation models within EU Member States

    1. Currently the degree of cooperation between authorities, which depends both on the legal framework and on other elements, such as the degree of mutual trust between authorities, varies considerably between Member States and is not harmonised by EU law. The EDPB carried out an analysis of existing cooperation models in EU Member States in September 2023. Based on the degree of formalisation of cooperation, the following picture emerges: A. In some Member States, there is no specific legal provision mandating or enabling cooperation between DPAs and competition authorities, and no regular and structured cooperation on a voluntary basis. Cooperation takes place informally via ad hoc consultations e.g., in the context of administrative procedures or sector inquiries or occasional joint projects in areas of overlapping regulatory competence or drafting policy papers. B. Cooperation can also take place without a specific legal basis in national law by arrangements for regular, coordinated and structured cooperation. These can be established in jointly drafted cooperation protocols, joint declarations or Memoranda of Understanding (MoU). Such arrangements, which are not necessarily legally binding, detail modalities like joint workshops, trainings, events, regular meetings and sharing of best practices. C. In some Member States there are explicit legal requirements that govern cooperation. The specific form of cooperation varies depending on the individual case. Deliverables of this type of cooperation are typically opinions on cases at the request of the other authority. D. The highest level of formalised or structured cooperation is found in Member States where there are both legal requirements and practical arrangements for cooperation between authorities.
  4. Even a minimum level of formalised cooperation allows authorities to cooperate through occasional contact on specific issues. In certain circumstances, there might be cases in which those authorities are under an obligation to cooperate because of the principle of sincere cooperation.

    4.3 Ways to improve cooperation

  5. It may prove beneficial that authorities learn from each other, identify matters of common interest and possible areas of interplay regardless of ad hoc consultations, minimise obstacles for cooperation, and jointly develop strategic actions. For this purpose, workshops, informal or regular meetings or special expert working groups could be agreed upon in cooperation frameworks, e.g. administrative agreements, joint declarations or Memoranda of Understanding. These instruments may also lay down key principles, methods and rules of the cooperation between the authorities (e.g. with regard to the form of communication to be used, deadlines to be observed for answers - including any relevant objections - common guidelines, policy recommendations, etc.), as well as the consideration of decisions and penalties that have been previously issued by each of the authorities. These agreements may also govern how much information is shared, what can be exchanged (e.g. personal data) and what degree of coordination on a given topic is expected between the concerned authorities.

  6. Taking into account the constitutional and administrative framework in the relevant Member State, the national legislator and/or the government should also be aware of the need for regulatory authorities and bodies to cooperate more closely in the digital sector. This might be important also to ensure that authorities are provided with the necessary tools and resources to be able to cooperate efficiently, and to address legal requirements that may prevent authorities from sharing information and thus cooperating effectively during investigations.

  7. Within authorities, internal measures such as setting up a dedicated team to coordinate cooperation tasks and to act as a single point of contact for other authorities, could promote cooperation with other supervisory authorities. It could also prove helpful if the point of contact receives regular trainings on the relevant legal landscape and related legal developments of cooperation in general and participates in corresponding working groups or networks^[E.g.: EDPB’s Taskforce on Competition and Consumer law (TF C&C), Global Privacy Assembly’s Digital Citizen and Consumer Working Group (GPA DCCWG), Exchanges with the Consumer Protection Cooperation Network within the CPC-DPA Framework). An overview of the EDPB’s existing collaborations can be found here: https://edpb.europa.eu/our-work-tools/support-cooperation-and-enforcement/international-cooperationcooperation-other_en.]. Additionally, with a view to ensure an efficient cooperation, authorities should develop a basic understanding and familiarity with the regulatory framework that is supervised by their counterparts in the different legal field. For example, before entering discussions with a competition authority on a specific issue, it would be beneficial for data protection authorities to have a preliminary understanding on the concept of relevant market in general, whether certain entities in that market(s) occupy (or may occupy) a dominant position, etc.

  8. There may be situations where a more structured and regular form of cooperation may be preferable or even necessary to ensure the coherent and effective application of different EU laws (see illustration above, C and D). Establishing cooperation protocols between different competent authorities under the duty of sincere cooperation may be the most effective way to ensure reciprocal consultations with the right scope and at the appropriate time. This may also help to avoid instances of double jeopardy in cases where two competent authorities decide to impose sanctions against the same entity for the same conduct under two or more separate legal frameworks. ^[Judgment of the Court of Justice of 22 March 2022, bpost SA v Autorité belge de la concurrence (C-117/20, ECLI:EU:C:2022:202). According to the CJEU, for a valid duplication of proceedings and penalties under sectoral rules and competition law, the two sets of legislation at issue must pursue legitimate objectives of general interest (paragraph 44). Furthermore, for a valid duplication of proceedings and penalties, there must be “clear and precise rules making it possible to predict which acts or omissions are liable to be subject to a duplication of proceedings and penalties, and also to predict that there will be coordination between the different authorities, whether the two sets of proceedings have been conducted in a manner that is sufficiently coordinated and within a proximate timeframe and whether any penalty that may have been imposed in the proceedings that were first in time was taken into account in the assessment of the second penalty” (paragraph 51).]

  9. Finally, joint sector inquiries and joint investigations could also be pursued, to the extent possible and in line with the relevant legal framework, as an even more reinforced form of cooperation among authorities.

5. CONCLUSION

  1. Promoting synergies between personal data protection and competition authorities can improve the ability of both regimes to protect data subjects and users. In fact, as companies’ business models evolve, personal data and the rules applicable to its processing are becoming increasingly central. It is therefore essential to consider ways of increasing the coherence of separate but interacting regulations, bearing in mind the impacts of their incoherent application at individual and societal levels. In particular, this will require a better understanding of the relationship between concepts used in data protection and competition law, so as to strengthen the ability of data protection authorities to take into account of the current economic context, and the ability of competition authorities of incorporating potentially relevant data protection considerations in their assessments and decisions.

For the European Data Protection Board

The Chair

Anu Talus

Footnotes

  1. Judgment of 4 July 2023, Meta Platforms and others (C-252/21, ECLI:EU:C:2023:537), also referred to as ‘Bundeskartellamt judgment’ in this position paper.]