Data protection v competition law

Düsseldorf Higher Regional Court refers questions regarding the interpretation of the GDPR to the European Court of Justice in Facebook proceedings

The extraordinary proceedings which the German Federal Cartel Office (Bundeskartellamt) is conducting against Facebook have taken another surprising turn. The case has already caused some furore in the past, as it is the first time that an antitrust authority has dared to base an allegation of abuse on a substantive breach of data protection law. In view of the large number of unresolved legal and procedural issues in this terra incognita, it is not surprising that the proceedings are occupying the courts. The antitrust senate of Düsseldorf Higher Regional Court (Oberlandesgericht) has now initiated the next round. It has suspended the main proceedings and referred fundamental questions on the interpretation of the European General Data Protection Regulation (GDPR) to the Court of Justice of the European Union (ECJ).

Background

On 6 February 2019, the Federal Cartel Office prohibited Facebook with immediate effect from linking and using user-related and device-related data of Facebook users, which is collected and stored when users use Facebook’s own services WhatsApp, Instagram and Oculus, visit third-party websites or use mobile apps of third-party providers (Facebook Business Tools), with the original Facebook data on the basis of its Terms of Service. According to the Federal Cartel Office, the collection and use of Facebook users’ data is in violation of the GDPR, meaning that Facebook is abusing its dominant position as a provider on the national German social network market. On 26 August 2019, Düsseldorf Higher Regional Court ruled in favour of Facebook in summary proceedings and ordered that the Federal Cartel Office’s decision be suspended so that Facebook did not have to implement the decision of the Federal Cartel Office for the time being. The German Federal Court of Justice (BGH) then overruled the Higher Regional Court’s order on 23 June 2020, dismissing Facebook’s application. A second summary proceeding was also unsuccessful. The hearing in the actual main proceedings before Düsseldorf Higher Regional Court on the legality of the Federal Cartel Office’s decision took place on 24 March 2021. Following the oral hearing, the antitrust senate suspended the proceedings and referred a number of questions to the ECJ for a preliminary ruling.

Data-based business models between data protection and competition law

The proceedings are of particular importance from the perspective of whether and to what extent a breach of data protection law can play a role in antitrust law and in whose remit official action against any breaches would fall. This is particularly relevant for data-based business models which indirectly generate revenue from the collection, linking and processing of personal data by using such data for further user analyses or personalised advertising. For digital groups such as Facebook, personal data is known to have a very high competitive relevance.

The Federal Cartel Office accuses Facebook of exploiting its dominant position in the social networks market for abusive terms of use. According to the Federal Cartel Office, users are required to consent to terms of use that allow Facebook to collect extensive data and link it to the data files of other services. Pursuant to Article 6(1)(a) GDPR, such consent is only valid if it is given voluntarily, but the Federal Cartel Office found that this is not the case with Facebook. It maintains that consent can be voluntary only if the user has real alternatives. Given the social network’s overwhelming market position, however, such alternatives cannot be assumed to exist. It held that anyone who wants to connect with others via a social network cannot avoid Facebook and its terms of service.

The Federal Cartel Office holds the view that collecting data on this basis constitutes a breach of data protection law, i.e. an “abuse by breach of law”. This raises a whole series of questions about the relationship between the GDPR and the German Act Against Restraints of Competition (Gesetz gegen Wettbewerbsbeschränkungen, “ARC”) and supervision by the data protection supervisory authorities and the Federal Cartel Office.

When is a breach of the GDPR a problem of economic power and thus to be judged under antitrust law (section 19 (1) ARC) based on assessments according to data protection law? What authority has jurisdiction to determine in a binding manner whether a certain processing operation breaches the GDPR? What about the division of competences between the data protection authorities of the German federal states and a federal authority such as the Federal Cartel Office which is enshrined in the German constitution? What is done to handle the risk of dual regulation of companies (dual “public enforcement”)?

Düsseldorf Higher Regional Court had already stated in the summary proceedings that it considered the case to be about GDPR breaches for which the Federal Cartel Office as a competition authority had no jurisdiction. The Federal Court of Justice, on the other hand, considered the terms of service as constituting an “imposed extension of services” with an anti-competitive character. From this, the Federal Court of Justice derived the relevance under antitrust law.

Questions referred to the ECJ

The antitrust senate of Düsseldorf Higher Regional Court has now referred a total of seven questions regarding the interpretation of the GDPR, which it considers relevant for the further proceedings, to the ECJ. The first question is whether the Federal Cartel Office, as a national competition authority, may issue such an order at all or whether, in the absence of jurisdiction, this is inconsistent with the provisions of Article 51 et seq. GDPR on data protection supervision (first question referred). Since the Federal Cartel Office is mainly focusing on Facebook’s European branch in Ireland, the Irish data protection authority – which has so far remained inactive – might otherwise have jurisdiction. In this context, the Court also asks whether the Federal Cartel Office can make any findings at all with regard to data processing or the implementation of the GDPR in the event of incompatibility (seventh question referred).

Other questions by the antitrust senate raised in the event that the Federal Cartel Office is not overstepping its jurisdiction directly tackle the interpretation of the criteria for the lawfulness of data collection pursuant to Articles 6 and 9 GDPR. This includes the question of the classification of a number of data categories as sensitive data within the meaning of Article 9 of the GDPR (second question referred), the distinction between the contractual necessity and the legitimate interests under Article 6(1)(b) and (f) GDPR (third question referred), the breadth of the definition of legitimate interests (fourth question referred) and a question on the linking of data collected under Article 6(1)(c), (d) and (e) GDPR (fifth question referred).

Finally, Düsseldorf Higher Regional Court also asks whether Facebook Ireland, as a market-dominant company, can even obtain valid consent from its users (sixth question referred). If Facebook’s dominant position ruled out effective consent, for example because consent is not voluntary, this would have far-reaching and drastic consequences in terms of data protection law.

Outlook

In the meantime, the Facebook case has also drawn lawmakers’ attention to the problem of data-driven business models. For example, the digitalisation amendment to the ARC, which came into force in January 2021, not only codifies abusive conduct by companies of paramount cross-market importance by data processing in a manner relevant for competition based on terms and conditions of business (section 19a(2) no. 4a ARC), but also determines that the Federal Court of Justice is to have sole jurisdiction for legal remedies against Federal Cartel Office orders based on section 19a (section 73(5) no. 1 ARC). The European Commission already published a first draft of the Digital Market Act (DMA) on 15 December 2020 containing a provision in Article 5(a) that is very similar to section 19a(2) no. 4a ARC.

The questions referred to the ECJ by Düsseldorf Higher Regional Court concern the lawfulness and design of data-driven business models of large digital groups such as Facebook. In terms of content, they also shed light on fundamental legal issues involving the relationship between supervision, interpretation and enforcement of the GDPR and the ARC – two areas of law that at first glance are unrelated. In terms of their relevance and dramatic implications for legal policy, the entire proceedings and the referral to the ECJ can therefore hardly be overestimated.

Given the usual duration of proceedings, a decision by the ECJ is not expected before the end of 2022. Düsseldorf Higher Regional Court will then decide on the basis of the questions answered by the ECJ, and it is not unlikely that the proceedings will reach the German Federal Court of Justice. The questions raised are therefore likely to occupy the courts, legal authors and lawmakers for several years to come.