TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Europe Data Protection Digest | Notes from the IAPP Europe Managing Director, 26 March 2021 Related reading: Irish DPC WhatsApp decision: What do you need to know?

rss_feed

""

GDPR-Ready_300x250-Ad

Greetings from Brussels!

For my money, the big news in Europe this week comes out of Düsseldorf, Germany. The news involves a case that piqued my interest back in 2016, when the German competition authority, the Bundeskartellamt, announced it had launched a probe into Facebook over whether it had abused its market position and power by infringing EU data protection rules. An eventual 2019 decision would follow, with the federal authority imposing restrictions on Facebook with respect to the collection, processing and merging of user personal data across its companies and third-party apps. The fundamental argument was users were not given a choice in the matter and the appropriate level of consent was not obtained.

Facebook disagreed with the authority’s conclusions, which it viewed as an attack on their business model and appealed the decision to the Düsseldorf Higher Regional Court. This is where it gets interesting: The presiding court judge, Jürgen Kühnen, opined Facebook’s data-processing activities did not result in an abuse of its dominant position, adding the office was unable to prove Facebook was hindering competition. Not to be deterred, the authority lodged its own appeal with the federal supreme court in Karlsrühe, which ruled provisionally in favor of the Bundeskartellamt’s restriction order.

Fast forward to this week, and the case was back on the slate at the Düsseldorf court in the front of Kühnen to deliver a final verdict on Facebook’s appeal. The court’s findings were inconclusive: “The question of whether Facebook is abusing its dominant position as a provider on the German market for social networks because it collects and uses the data of its users in violation of the GDPR cannot be decided without referring to the [Court of Justice of the European Union].” The court effectively deferred the verdict concluding that guidance from the CJEU is required in that the original restriction order concerns arguments and allegations relating to a violation of EU data protection law. Moreover, at the heart of the issue is whether Germany’s competition authority may have exceeded its authority in the application of competition law on what is fundamentally a question of data protection and privacy.

The cartel’s case remains fairly unique in Europe, with the approach of fusing tenets of both competition and privacy law into its proceedings and subsequent decision. The basic question though has merit: When does a company’s use and default harvesting of digital data to its own ends outweigh market, and by extension, consumer benefits? Indeed, the overlap of competition with data protection law and policy is not new area of discussion and, in addition to dominant market positions, has been debated in relation to mergers and acquisitions, for example. As a side note, the Competition Commission of India ordered an investigation into WhatsApp’s new privacy policy for allegedly breaching the nation's competition law on the grounds that forced consent to sharing user data with other Facebook companies was made a precondition for availing of their services. The new privacy policy goes into effect in India in May and comes at a time when WhatsApp is expanding its digital payment services to Indian customers — India is WhatsApp’s biggest market with more than 500 million users.

Back in Europe, the German competition case could have explosive repercussions depending on where the CJEU lands. This will take time to resolve but is well worth keeping an eye on. For its part, Facebook is standing their ground, saying the Düsseldorf court expressed doubts as to the legality of the Bundeskartellamt decision. The company also argued the order violates European law. The court will make a formal submission to the CJEU in the coming weeks.

1 Comment

If you want to comment on this post, you need to login.

  • comment Pranvera Këllezi • Mar 26, 2021
    Excellent, thank you very much for the article. It seems that the first question to the CJEU will be whether a national competition authority has jurisdiction to apply the GDPR, given the "one stop shop" system. 
    If the answer is yes, the Court in Düsseldorf will need guidance on how much data a controller can collect and process on the basis of a contract (terms and conditions in this case), so the CJEU ruling could be extremely important. The discussion on remedies made by the Court hints also to the question of consent, whether consent should be collected before collecting data, or it could be done after collection for a specific processing. I have drafted an article on the BKA FB decision, for those who wish more details (in english): "Data Protection and Competition Law: Non-Compliance as Abuse of Dominant Position", available at SSRN: https://ssrn.com/abstract=3503860
    Thanks again for the follow-up and the report, Pranvera