Kartellrecht und Datenschutzrecht – zugleich ein Beitrag zur 10. GWB-Novelle und zum Facebook-Verfahren

Abstract

Competition Law and Data Protection Law – a tour d’horizon including the 10th amendment of the German Act against Restraints of Competition and the Facebook Case

While competition law cases that intersect with data protection law date back several decades, the topic has attracted much attention in recent years due to the ongoing digitisation of the economy. This paper analyses the interplay of both fields of law, revealing alignments as well as dissonances between the two. In doing so, it evaluates the implications of the draft of the 10th amendment to the German Act against Restraint of Competition (GWB-E) recently published by the German Ministry of Economics as well as the Facebook case of the German Federal Cartel Office (Bundeskartellamt). Besides, this paper examines how both fields of the law can be aligned with regard to their interpretations.

The paper shows that the EU’s General Data Protection Regulation (GDPR) functions as a determinant factor of effective competition in the European economy, inter alia with the aims to promote competition and to protect consumers where they are in an inferior position. There are good reasons to consider data protection as a quality feature in the context of Art. 101(3) TFEU, irrespective of whether congruent preferences of the consumers affected are verifiable. However, these considerations will only rarely be of practical relevance.

In merger control the Commission has acknowledged that the competitive assessment of a concentration between undertakings can entail important preliminary questions concerning data protection law. However, the Commission seems to have overestimated the potential of the GDPR to promote competition. In this regard, the Commission’s merger control practice is subject to criticism for several reasons: First, it is said to neglect quality competition. But consumer decisions concerning data protection are rarely reliable indicators of consumer preferences and welfare effects. Second, the Commission is criticized for disregarding a merged entity’s incentives to contravene data protection law. However, it would overburden merger control to fully consider possible future violations of the GDPR. Third, it is argued that merger control provision should be interpreted with a view to data protection law. While this is a valid concern in principle, it nevertheless seems that the legal and economic conditions for these questions to be of practical relevance are rarely met.

The goals of EU competition law can also influence data protection law (GDPR). For instance, if a merger can be cleared only on the condition to share personal data, the permission to process these data could be found in Art. 6(1)(f) GDPR, which refers to cases where the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party. Notably, the legitimate interests must relate to individuals, so that general interests of the community as such are not to be taken into account.

Additional access rights provided by competition law could indirectly change the balance of data protection and competition via Art. 6(1)(c) GDPR. Nevertheless, the new rules envisaged in the draft of the 10th amendment to the German Act against Restraints of Competition do not take this step. This shall not create new legal bases for the processing of personal data.

According to the German Federal Court (BGH), an impediment imposed on an actual or potential competitor amounts to an abuse of dominance if the conduct in question can impair effective competition within a market (potential effect). It follows that, contrary to the Higher Regional Court of Düsseldorf in the Facebook Case, the preliminary question of whether a market participant’s conduct is to be qualified as an impediment at all, be it legally relevant or not, cannot be answered with a legal standard that is more narrow. In view of the goals of competition law and economic policy, such an understanding seems especially appropriate for the digital economy.

As the draft of the 10th amendment to the German Act against Restraints of Competition brings about new rules on abusive practices, but does not touch upon the existing level of protection of personal data, it effectively brings about a distinction of the accessibility to personal and non-personal data respectively. In practice, however, the two may oftentimes be hard to separate. Moreover, apart from the new sec. 19a GWB-E, which is devised as a mechanism to control tech giants like the GAFA, it seems questionable whether the draft of the 10th amendment really fulfils the original intentions of its drafters as regards innovation policy and industrial policy. The envisaged new data access rights will arguably be enforceable most easily with respect to machine and production data. Therefore, they might affect e. g. German “hidden champions” that dominate industrial niche markets, while the big U.S. internet firms’ businesses relate to personal data. The revised sec. 20(1a) GWB-E shall protect large undertakings, too, if they require access to data to enter a certain market.

There are two approaches to ascertain whether a particular contractual clause is abusive according to sec. 18 GWB because it violates data protection law. The first one asks whether the behaviour in question is “quantitatively abusive”. This requires an analysis of the economic value of the product and service package in question, including all conditions associated with it. Determining this value has turned out to be prohibitively difficult and burdensome in practice. The second approach asks whether there is an abuse in “qualitative terms”, that is whether a certain contractual clause is proportionate when balancing all interests affected, including values embodied by norms outside the realm of competition law. With respect to the latter approach, many issues are in dispute, in particular the notion of causality required. The draft of the 10th amendment to the German Act against Restraints of Competition attempts to resolve the dispute by stating that it suffices if the conduct in question may strengthen the market participant’s dominant position (normative causality). However, the definition of causality in the draft statement of reasons seems unclear. Notwithstanding the above, there are good reasons to reject the requirement of so called strict causality. Concerning Art. 102 TFEU, the corresponding discussion is less developed. The ECJ applies a balancing test – this also holds for cases that deal with intellectual property and personality rights.

In the Facebook case, impediments to the disadvantage of competitors and exploitative effects to the detriment of consumers coincide. This suggests viewing the case as a form of exclusionary conduct (Behinderungsmissbrauch, unfair impediment of competitors). This raises the question which standard of proof applies for theories of harm in the context of the digital economy. At least if exploitation and impediment coincide, as it is typically the case with regard to data driven business models in multi-sided markets, it should suffice that the conduct in question is capable of impeding competition.

To appropriately reconcile data protection law and competition law, it seems preferable to define a “clear imbalance” within the meaning of recital 43 sentence 2 GDPR by putting the service requested in relation to the intended data processing on a case by case basis. In doing so, data protection law should take into account the criteria posed by competition law analysis.