Four years after a landmark decision by the German Federal Cartel Office (FCO) (decision of 6 February 2019, B6-22/16) finding that a major technology company acted abusively due to an alleged General Data Protection Regulation (GDPR) infringement, the European Court of Justice (ECJ) recently confirmed the FCO’s decision in that, depending on the circumstances of the specific case, a GDPR violation can be considered part of a dominance abuse (decision of 4 July 2023, C-252/21). In addition, the court expressed its doubts about the legality of the data processing mechanism in question.

I. The FCO’s decision

Early in 2019, the FCO intervened in the gathering, assigning and processing of data by a major technology company, claiming it did not give its users the option to opt-out from personalised advertising. According to the FCO, this amounted to an exploitative abuse of the company’s alleged dominant market position within the meaning of German competition law (Section 19, paragraph 1 and, paragraph 2, no. 2 of the ARC).

The relevant terms and conditions applied by the technology company at the time determined that users of its social network could only be members if the company was permitted to gather and assign data from all of its own services, as well as collecting and assigning data from third parties. In addition, the company in question carried out data mining where users had disabled web tracking in their browser settings.

In the view of the FCO, due to the company’s allegedly overwhelming dominance in the social network market concerned, an obligatory tick in the acceptance of the terms and conditions of the company was not considered to be sufficient to constitute consent to such extensive data processing. According to the FCO, users had to choose to either accept excessive data terms or waive their membership of the company’s social network. In these circumstances, the FCO declined to view the acceptance of the terms by users to be voluntary and held that personalised advertising cannot be based on the Art. 6 (1b) GDPR performance of contract justification.

The FCO also took into consideration the requisite legal standard to be applied under the GDPR. In the FCO’s opinion, the company was unable to justify under the requirements of the GDPR such data processing from the company’s network services or third-party platforms or assigning such data to user accounts.

Taking these data protection considerations into account, the FCO found that the terms and conditions applied by the technology company were inappropriate terms to the detriment of both private users and competitors. The FCO concluded that by being a manifestation of market dominance, the terms were abusive within the meaning of the German prohibition of dominance abuse, Section 19, paragraph 1 of the ARC. Therefore, it prohibited the use of such terms and conditions and required the company to change them within 12 months.

II. Procedural developments to date

Against this decision, the technology company filed an appeal to the Higher Regional Court of Düsseldorf (Appeal Court), seeking an annulment of the FCO’s decision. Additionally, in preliminary proceedings, the company requested that its appeal should have a suspensive effect on the FCO’s decision due to serious doubts as to the legality of the decision.

Based on the Appeal Court’s order, the FCO’s decision was then suspended. However, in a second instance, the German Federal Supreme Court (Supreme Court) overturned the Appeal Court’s preliminary decision in favour of the FCO and waived the suspensory effect.

In the main proceedings, which are ongoing, the Appeal Court applied to the ECJ for a preliminary ruling under Article 267 of the Treaty on the Functioning of the European Union (TFEU) regarding:

  • Whether a national competition authority (NCA) of an EU member state, which is not the responsible supervisory authority within the meaning of Article 51 et seq. of the GDPR, may, for the purposes of monitoring abuses of competition law, make findings on GDPR provisions and order the termination of infringements.
  • Whether the NCA can take into consideration GDPR provisions when assessing a balance of interests in decisions under competition law.
  • How to interpret certain provisions of the GDPR.

III. The ECJ’s key competition considerations

In response to the Appeal Court’s application, on 4 July 2021, the ECJ ruled that when examining an abuse of a dominant position, it can be legitimate for the competition authority to consider unlawful behaviour more generally, such as possible infringements of the GDPR.

The dominant undertaking’s compliance with rules other than competition rules can legitimately be considered when assessing whether that conduct entails resorting to methods governing normal competition and when assessing the consequences of a certain practice in the market, including for consumers.

Depending on the circumstances, infringements may be crucial to establish whether that conduct has the effect of hindering the maintenance or growth of the competition left in the market.

The ECJ particularly considered the high relevance which access to and use of personal data have for competition in the digital economy.

In this context, the ECJ states:

“Therefore, excluding the rules on the protection of personal data from the legal framework to be taken into consideration by the competition authorities when examining an abuse of a dominant position would disregard the reality of this economic development and would be liable to undermine the effectiveness of competition law within the European Union.”

IV. Consistency requirements imposed on national competition authorities

As the FCO is not entitled  to enforce GDPR infringements, it cannot issue such decisions regardless of the responsible supervisory authority.

The ECJ clarified that when making findings on the GDPR, the FCO has a duty of sincere cooperation with the supervisory authorities. For consistent application of the GDPR, the national competition authorities must ensure that their legal interpretation does not contravene that of the relevant competent enforcers.

Therefore, when considering other areas of law for their competition analysis, the ECJ proposes in terms of consistency and cooperation among the regulators the following:

  1. The NCA must ascertain whether the conduct in question or similar conduct has already been the subject of a decision by the competent national supervisory authority. If that is the case, the NCA cannot depart from it, although it remains free to draw its own conclusions for the purposes of applying competition law.
  2. Where it has doubts as to the scope of the assessment carried out by the competent national supervisory authority, the NCA needs to consult and seek the national supervisory authority’s cooperation in order to dispel its doubts or determine whether it must wait for the national supervisory authority concerned to make a decision before starting its own assessment.
  3. Where the national supervisory authority is called upon by a NCA, it must respond to such a request within a reasonable period, providing the NCA with the information in its possession capable of dispelling any doubts.
  4. Only when there is no reply within a reasonable period can the NCA continue its own investigation. The same applies where the competent national supervisory authority and the lead supervisory authority have no objection to such an investigation being continued without having to wait for a decision on their part.

Accordingly, if the data protection authorities find certain conduct to be in line with GDPR provisions, NCAs cannot take a different position.

V. Main takeaways

Considering an infringement of a norm outside competition law to be an abuse of market power is not entirely new. Although this is subject to an ongoing controversy, infringements outside competition law have in the past occasionally (though rarely) been claimed to amount to an abuse of market power, mainly because of having been considered to distort the level playing field for other market participants.

With its decision in 2019, the FCO went a step further in that it prohibited the relevant conduct and requested that the addressee of its decision should remedy the underlying conduct, although the GDPR enforcement fell outside the FCO’s competence.

So far, the question of the relationship between the FCO and primarily responsible authorities had not been addressed by the courts. The ECJ has now clarified that, subject to compliance with its duty of sincere cooperation with the supervisory authorities, the FCO can establish a dominance abuse based on an alleged data protection infringement as this might constitute abusive conduct by a dominant company.  

VI. Outlook

The Appeal Court will now resume the main proceedings, considering the ECJ’s decision (in addition to the Supreme Court’s previous assertions).

For now, the decision of the ECJ should not be understood as meaning that any type of unlawful conduct can be considered an abuse of market power. Rather, infringements outside competition law must have the potential to appreciably affect competition to be caught under the dominance rules. Accordingly, the ECJ contended that the competition concerns in this case specifically derive from the significance of access to data for competition in the light of the relevant digital services.

The ECJ’s ruling has clearly strengthened the FCO’s position in relation to its competition enforcement in the digital economy. While it remains to be seen how the ECJ’s considerations will impact the Appeal Court’s decision, the ECJ has clarified important aspects of the analysis relating to the abuse in question.