W5(1) - Competition + GDPR | Quizlet

Last updated 8:33 AM on 3/24/26

33 Terms

1
New cards

W5(1)

  • Competition + GDPR

2
New cards

structure of art. 102 TFEU (W5(1))

1.    Market definition: on which market is the company active?

1.1. Product Market

1.2. Geographic market

2.    Dominance/Market power: does the company have market power on that market?

2.1. Definition of dominant position (Hoffmann-La Roche)

2.2. Threshold for dominance (Akzo-Chemie)

2.3. Further analysis: relevant circumstances for digital market power (Cisco)

3.    Abuse: does the conduct violate article 102 TFEU (have anti-competitive effects)

Abuse is objective (Hoffmann-La Roche §6)

Special responsibility of a dominant undertaking (Michelin I §57)

abuses on the digital market (9)

3
New cards

abuse on the digital market (W5(1))

1. Predatory pricing --> harder on digital markets bc price is 0, but possible (Adobe subscription) (Akzo Chemie) (Tetra Pak II)

2. Margin squeezing

3. Refusal to supply (Bronner, Microsoft)

4. Tying/bundling (Microsoft)

5. Exclusivity contracts (Google Android)

6. Rebates (Intel)

+ new forms of abuses:

7. Self-preferencing (Google Shopping)

8.  Excessive data collection? (Meta v. Bundeskartellamt)

4
New cards

data protection and competition law (W5(1))

Data protection and competition are connected:

- Privacy is a “non-price parameter of competition” – privacy is something which undertakings can compete on, consumers may opt for a subscription to not get targeted ads anymore (high privacy product over low privacy product)

-  The GDPR balances privacy with data as an economic resource

- see: art. 1(1) GDPR and art. 6(1)(f) GDPR

- Meta v BKA:

“Access to personal data and the fact that it is possible to process such data have become a significant parameter of competition between undertakings in the digital economy. Therefore, excluding the rules on the protection of personal data ... would disregard the reality of this economic development and would be liable to undermine the effectiveness of competition law within the European Union.” §51.

- On digital markets, applying competition law is essentially incomplete without considering data protection

5
New cards

art. 1(1) GDPR (W5(1))

Subject-matter and objectives

1. This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.

- strikes a balance between privacy and free movement of data.

- data considered from human-rights pov (right to privacy) and as a resource which can be traded on the internal market (element of competition)

6
New cards

art. 6(1)(f) GDPR (W5(1))

one of the legal bases to process data is 'legitimate interests pursued by the controller'

1. (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

- commercial interest of an undertaking can be a legitimate interest (Koninklijke Nederlandse Lawn Tennisbond)

- interest to make money can be a justification to process personal data, but always has to be balanced against the interests or fundamental rights of the data subjects

- very high burden of proof

- Recently a shift where big digital market companies are starting to rely on (f), e.g. Meta using Instagram posts for AI training

7
New cards

competitive elements in the GDPR (W5(1))

Art. 44 – 50 GDPR: Transferring data to a third country

- Handy if you’re a multinational, e.g. Google, Meta!

- Especially “binding corporate rules”, art. 47 – justification for transferring data outside the EU. Sending data from European branch to e.g. American branch.

Art. 20 GDPR: The Right to Data portability

- Does this actually protect privacy? – data has already been given up, it is merely being moved from company to company.

- More of an economic, competition law provision helping the competitive structure of the market; it lowers lock-in effects and switching costs. Makes it easier for consumers to switch services too.

8
New cards

art. 20 GDPR (W5(1))

the right to data portability under the GDPR

- Right to receive your data from company and be able to transfer it to a competitor

- Rationale: facilitate switching, address the issue of consumer lock-in

 

But it is hardly heard of / invoked:

- only applies to data that the consumer has provided (not that the company has collected)

- Requires substantial interoperability

- Enforcement is lacking, few companies appear to have implemented it to full extent

- No cases to this date

9
New cards

right to data portability (W5(1))

enshrined under:

- Art. 20 GDPR

- Art. 6(9) DMA --> Essentially a repetition of what is already a GDPR right but under comp law/market regulation.

10
New cards

GDPR and competition law (W5(1))

The GDPR dictates how companies on the digital market can operate.

-  And data collection is the core of their business model.

- Many limitations on how targeted advertising, digital ecosystems can be run

11
New cards

excessive data collection (W5(1))

(Meta v BKA)

Collecting excessive data has numerous potentially anti-competitive consequences:

- consumers’ privacy is reduced

- Competitors don’t get the same benefits and are pushed out of the market bc they are complying with the GDPR

- Potential future competitors are prevented from coming into the market bc barriers to entry are raised through network effects

- Exploitation + exclusion

12
New cards

excessive data collection as exploitative (W5(1))

commission prioritises exclusion: access to data as a barrier to entry

- but problematic: If data is an ‘essential facility’, then to remedy the abuse a company has to share data with all other competitors.

- can be a reasonable conclusion under comp law but this is a huge GDPR issue (sharing everyone’s data; fundamentally incompatible with the GDPR).

The abuse should be viewed as exploitative instead, excessive collection of data to the detriment of consumers

13
New cards

data ecosystems under the GDPR (W5(1))

is data pooling allowed? Or data analysis/targeted advertising? --> Yes, if there is a legal basis under art. 6 GDPR, or art. 9 GDPR if sensitive.

- Not fundamentally incompatible, data pooling and analysis can be legal under the GDPR.

- but a fine line between when personal interest profiles become sensitive or not (when data stops being art. 6 data and becomes art. 9 data)

14
New cards

consent under the GDPR (W5(1))

art. 4(11) GDPR

(11) ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her

and recital 42 GDPR

“Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.”  

--> making access to a service conditional on consent does not qualify as freely given consent.

15
New cards

is freely given consent possible with gatekeepers (W5(1))

e.g. Because of Google’s dominant market position, how “freely given” is consent?

- Consent is not “freely given” if there is a strong power imbalance (e.g. Employer <-> employee being the traditional example)

ECJ in Meta v BKA:

 On the one hand, dominance:  “does not, as such, prevent the users of that social network from validly giving their consent.” §147.

On the other hand: “the existence of such a dominant position may create a clear imbalance between the data subject and the controller.” §149.

= in theory yes can give consent to a monopoly but in practice it depends (depends on what? We don’t know)

16
New cards

Meta v BKA (W5(1))

--> apply to: excessive data collection / GDPR <=> Competition law / abuse of dominance

Facts:

- Facebook’s privacy policy allows for excessive data collection

- Pursuant to these policies, Facebook also collects data on users and their devices outside of Facebook-related activities via Facebook Business Tools integrated by advertisers, app developers and publishers

- Meta was combining personal data from all of its different services (data pooling). For access to the Meta platform you had to consent to the privacy policy.

- gave access to sensitive data bc of the integration of the Facebook Like button (explicit consent required)

- BKA held that under German law, Privacy policy is a contract, and unfair contracts can be abusive

alleged harm by BKA:

- Harm to consumer welfare (in a broad sense; their privacy interests)

- Unfair advantage over competitors which do comply with the GDPR / barriers to entry ( Facebook is illegitimately improving its competitive position, bad for the competitive structure of the market)

Outcome: correct application of the GDPR, art. 6 and art. 9 GDPR

Rule: Excessive data collection can be abusive (At least under German law, but likely also art. 102 TFEU.)

/ Access to personal data and the fact that it is possible to process such data have become a significant parameter of competition

Rule: violation of the GDPR can be used as a “vital clue” that the dominant company competed unfairly §47.

Rule: competition decision can be based on a GDPR violation on the condition of sincere cooperation (art. 4(3) TFEU) between competition authority and data protection authority §53-57

- Either established prior by the data protection authority, or in sincere cooperation with them.

Rule: Any sensitive data in a pool, which cannot be separated, means the entire pool must be considered sensitive §89

17
New cards

market definition Meta v BKA (W5(1))

social media networks

- Distinction between: private social network market (facebook) vs. content sharing (instagram) vs professional social networking (LinkedIn)

- Concluded undertakings like Twitter (more of a content sharing platform) and Pinterest do not compete with Facebook

 

Remember: two-sided market...

Advertising market

- network financed through targeted advertising

- Online vs offline advertising

- Search vs non-search advertising

18
New cards

market power/dominance of meta (W5(1))

BKA considered:

- High market share (user-based) of facebook: > 95%

- Many active users on facebook

- Network effects – strong user base, strong identity-based network effects lead to a lock-in effect which makes it difficult for users or prevents them from switching to another social network

- Access to competitively relevant (personal) data – across not only the facebook social platform but its entire network, facilitating highly personalised advertising

19
New cards

abusive conduct meta (W5(1))

Facebook’s abusive conduct: took place primarily outside of Facebook --> occurred on Insta, Oculus, third-party Facebook integration

- Forcing consumers to give up more personal data than aware of

- Data collection on facebook meant agreeing to data collection on all its other subsidiaries, to data combination, analysis etc.

- Many consumers can simply not leave facebook and its subsidiaries because there is no real substitute for it (strong lock-in effects)

 - Data collection practices did not comply with GDPR: processing sensitive personal info without consent and without a legal basis = GDPR violation

- there is a privacy policy, but it does not amount to valid consent

- BKA: consumers forced into an unfair contract (privacy policy)

20
New cards

BKA decision (W5(1))

BKA decided:

Using and actually implementing Facebook’s data policy, which allows Facebook to collect user and device-related data from sources outside of Facebook and to merge it with data collected on Facebook, constitutes an abuse of a dominant position on the social network market in the form of exploitative business terms pursuant to the general clause of Section 19(1) GWB

--> BKA decision was taken under art. 19(1) GWB, which prohibits the abuse of a dominant market position similarly to art. 102 TFEU

21
New cards

BKA justification of using GDPR (W5(1))

justified by making the link between data protection and competition law:

- the European data protection regulations, which are based on constitutional rights, can or, considering the case-law of the highest German court specified above, must be considered when assessing whether data processing terms are appropriate under competition law

- These regulations, however, do not rule out that substantive data protection law can also be applied by authorities other than the national data protection authorities… The GDPR does not explicitly state that its provisions are final....

- In the course of the proceeding the BKA maintained regular contact with data protection authorities none of which considered they had exclusive competence

22
New cards

appeal at Düsseldorf (Meta v BKA) (W5(1))

Held:

- No exclusion. No evidence it pushed competitors out.

- No exploitation. “Even exploitation requires anti-competitive effect.” But no economic loss for consumers. The facebook service is and has always been free.

- No excessive data collection, and consumers weren’t forced (should have consulted the privacy policy thoroughly).

- A GDPR violation is not automatically an abuse. Requires anti-competitive effect and the BKA failed to prove that.

appealed to BGH

23
New cards

appeal at BGH (Meta v BKA) (W5(1))

Held:

- “Privacy policy is part of the contract, can be unfair.” 

-  “What about consumers who do want Facebook, but don’t want data collection?” – not an option for consumers; ‘take it or leave it’ approach from facebook

- No choice between personalized social media and more privacy-friendly versions.

- Meanwhile Facebook benefits from that extra data

re. the GDPR: Decisions need to be based on competition law (mandate of the BKA) But the GDPR can help prove an infringement

24
New cards

anti-competitive effects of Meta (W5(1))

Exploitative:

-  No choice for consumers (between personalised social media and a more friendly version)

- “Take it or leave it” approach is not good enough (use of meta ecosystem conditional on privacy policy)

Exclusionary:

- Network effects of (forced) data collection lead to a better Facebook, but competitors can’t do the same.

- barriers to entry are raised --> foreclosure

25
New cards

BKA application of GDPR (ECJ) (W5(1))

Is the BKA allowed to base its competition decision on a GDPR violation? --> ECJ held: yes

comp law POV: Comp law is about “competition on the merits”. A violation of the GDPR can be used as a “vital clue” that the dominant company competed unfairly. §47

- bc of the role of personal data as a “significant parameter of competition”, it would not be realistic for a competition authority to carry out its investigations without taking personal data into account

data protection POV: GDPR establishes data protection authorities, but gives no rules on how they relate to competition authorities

- applied the principle of sincere cooperation (art. 4(3) TFEU): cooperation to ensure effective implementation of and consistency of GDPR interpretation

- a competition authority faced with questions regarding data protection has the responsibility to “consult and cooperate sincerely” with the relevant national data protection authority

- has to follow prior data protection decisions and comply with those, or if there is no prior decision ask the data protection authority. §53-57

26
New cards

BKA application of art. 9 (ECJ) (W5(1))

Did the BKA correctly apply art. 9 GDPR? --> ECJ held: Yes, meta collected sensitive data, pooled data from like & share buttons

- The Facebook Like Button can certainly collect sensitive data. §71 – 72. In which case art. 9 is in effect.

- art. 9 GDPR is applicable regardless of whether the obtained information is correct, and regardless of whether Facebook intended to collect sensitive data §69 (i.e. intent and accuracy not relevant)

- Any sensitive data in a pool, which cannot be separated, means the entire pool must be considered sensitive §89

- very big assumption that art. 6 applies when dealing with personal profiles

27
New cards

BKA application of art. 6 (ECJ) (W5(1))

Did the BKA correctly apply art. 6 GDPR?  --> ECJ held: Yes, none of the art. 6 legal bases applied

art. 6(1)(a): consent not freely given bc the service was conditional on consent + freely given consent is possible for a dominant company but ECJ was skeptical (power imbalance) §151, §147-149

--> undertaking has the responsibility to ensure that its consumers are free to refuse consent, without then being barred from using the service in its entirety

art. 6(1)(b): “Contractual necessity” only works if data collection is “objectively indispensable for a purpose that is integral to the contractual obligation”(absolutely necessary to run the service.) Useful for Facebook business model =/= necessary. §98-99

art. 6(1)(c)(d)(e): makes no sense to rely on these, Facebook is a private company/an economic actor on a social media market

Art. 6(1)(f): Facebook’s economic interests are “legitimate”.

But must be balanced against privacy interests.

“[the user] cannot reasonably expect that the operator of the social network will process that user’s personal data, without his or her consent, for the purposes of personalized advertising”. §117, deemed not proportional

28
New cards

Meta v BKA significance (W5(1))

- a competition authority is at liberty to consider GDPR violations as a “vital clue” to a finding of abuse of dominance, provided it first requested the cooperation of the competent data protection authorities.

- On Digital markets, applying competition law is essentially incomplete without considering data protection

- Ecosystem building and datapooling that companies do

- Confirms the relation between data protection and competition


- GDPR compliance of ecosystems: Only art. 6(1)a GDPR is available but very strict

- And more likely: art. 9 applies, so explicit consent.

- excessive data collection often has simultaneous exploitative and exclusionary effects.

- no art. 102 violation on excessive data collection to date; shows that this can be possible

- potential to empower the EU Commission

29
New cards

dual GDPR and competition violation (W5(1))

likely that both a GDPR and competition law can be imposed simultaneously:

- ne bis in idem is activated by “identity of the facts, unity of offender and unity of the legal interest protected”

- Competition law and data protection law serve different legal interests; no ne bis in idem.

- Same action but violations of 2 different legal systems with 2 different aims…

GDPR: protect against infringements of fundamental rights by data controllers vis-à-vis natural persons

Competition law: most commonly understood to protect consumer welfare and the effectiveness of competition in the internal market

30
New cards

meta v BKA applied to EU commission (W5(1))

the Meta v BKA judgement could in theory apply to the EU commission:

- biggest difficulty in applying the BKA’s reasoning on an EU level is that the GDPR system is strictly nationally enforced; there is no EU data protection authority

- But although there is no EU body: art. 68 European Data Protection Board. Commission could cooperate with them.

- this might not even be needed: Commission already has a seat on the Board, already has a number of powers under the GDPR (e.g. can adopt delegated guidelines, issue Adequacy Decisions for third countries...)

31
New cards

limitation of meta v BKA (W5(1))

Sincere cooperation also means that a competition authority can’t issue a GDPR fine.

- must stay within its own (competition law) mandate.

- a GDPR violation is not enough, it must be proven that that violation is also abusive under competition law, so the following must be proven:

- Dominance

- Anti-competitive effect

-  Consumer harm

- Causality between dominance and conduct

-  Etc.

“mold the GDPR violation into a competition law case” (link to art. 102)

32
New cards

art. 5(2) DMA (W5(1))

codification of Meta v BKA, prohibition of data pooling between core platform services (gatekeepers)

2. The gatekeeper shall not do any of the following:

(a) process, for the purpose of providing online advertising services, personal data of end users using services of third parties that make use of core platform services of the gatekeeper;

(b) combine personal data from the relevant core platform service with personal data from any further core platform services or from any other services provided by the gatekeeper or with personal data from third-party services;

(c) cross-use personal data from the relevant core platform service in other services provided separately by the gatekeeper, including other core platform services, and vice versa; and

(d) sign in end users to other services of the gatekeeper in order to combine personal data,

33
New cards

art. 5(2) DMA significance (W5(1))

prohibits what hasn't already been prohibited:

- Consent as the main exception (without the Court’s skepticism.)

- Still allows exceptions for art. 6(1)c, d, and e GDPR. (improbable at best).

- Removes exceptions for contractual necessity and legitimate interests.

- Doesn’t distinguish regular and sensitive data (Even though most likely art. 9 (+ explicit consent) applies.)
