March 2019
CPI EU News Column edited by Thibault Schrepel, Sam Sadden & Jan Roth (CPI) presents:
CPI EU News: FCO Facebook Quadriptych
In early February 2019, the German Bundeskartellamt (“FCO”) announced its highly anticipated and “ground-breaking” Facebook decision. CPI EU News is pleased to present a Quadriptych of four short articles on this hot topic from a great panel of authors.
The FCO concluded that Facebook infringed German competition law by violating the European General Data Protection Regulation. The case is the first to establish an infringement of competition law rules where the practices were in conflict with data protection principles… thus, “straddling the line between competition policy and data protection.”
Some authors argue that the decision “ultimately pushes competition law far beyond its natural confines.” Others opine that the case “may represent an important step into European competition law’s future in digital markets.” What consequences might this case have beyond Germany?
– Samuel Sadden, Editor in Chief
Click here for a PDF version of the article
The Theory of Harm in the Bundeskartellamt’s Facebook Decision – By Viktoria H.S.E. Robertson (University of Graz)
Facebook’s Hunger For Your Data: Network Effects in the FCO Decision – By Alec Burnside, Clemens York, Marjolein De Backer (Dechert LLP.)
The FCO’s Facebook Decision: Putting Privacy Before Competition – By Dirk Auer (International Center for Law & Economics)
Privacy and Antitrust: Searching for the (Hopefully Not Yet Lost) Soul of Competition Law in the EU after the German Facebook Decision – By Renato Nazzini (King’s College London)
The Theory of Harm in the Bundeskartellamt’s Facebook Decision – By Viktoria H.S.E. Robertson (University of Graz)1
Click here for a PDF version of the article
Introduction: What We Know About the Facebook Decision
On February 6, 2019, the German Bundeskartellamt decided its long-awaited Facebook case, kicking off what promises to be years of litigation. Next stop: Higher Regional Court of Düsseldorf.2 As the decision is not yet publicly available, what we know so far stems from three documents that the Bundeskartellamt has published so far: a press release, a background paper, and a case summary.3 For competition lawyers, this means that some reading between the lines is necessary in order to understand the essence of the case: the theory of harm it relies on. This is worth the while, as Facebook may represent an important step into European competition law’s future in digital markets.
The Theory of Harm in Facebook
The Bundeskartellamt takes issue with Facebook’s practice of third-party tracking, i.e. its collection of personal user data through the tracking of user behavior on other websites or applications.4 The German authority found that third-party data is made available to Facebook in a number of instances, e.g. when users use digital services that are owned by Facebook, such as WhatsApp or Instagram; when a third-party website embeds visible Facebook interfaces such as the “Like” or the “Share” buttons – even if the user does not click on any such option; and also when a website relies on Facebook Analytics without this being visible to the user. In order for Facebook to track user behavior, the user does not need to be logged onto or registered with Facebook. By combining extensive third-party data sets with the data it gathers through its own website and applications, Facebook is able to turn multi-source data into comprehensive user profiles. Users do not freely agree to this practice, as theirs is an all-or-nothing choice: Either access Facebook’s popular social networking services and accept its exploitative data practices, or be shut out from that dominant social network. In the eyes of the Bundeskartellamt, this does not represent voluntary consent.
For the Bundeskartellamt, Facebook has a special responsibility under the competition laws due to its dominant position on the German market for social networks. The case rests on the finding that Facebook abused its dominant position through the extent to which it collects, uses, and merges data in user accounts. This amounts to an exploitative abuse akin to excessive prices, with the twist that in this digital market, it is excessive data that is being collected.
Comment
At a time at which data is widely regarded as the new oil of the economy, and users pay for digital services with their personal data (and their eyeballs) rather than with money, there is a possibility that digital platforms exploit users through excessive data collection. Through amendments of its Competition Act, the German legislature has already drawn attention to the importance of data for competition law: Under Section 18(3a) of the Act, the assessment of a company’s market position in multi-sided markets should now consider access to data that is relevant to competition. In addition, the Act also recognizes in Section 18(2a) that a relevant antitrust market may exist where a service is provided free of charge in monetary terms. The Facebook decision is the first major case that navigates the question of what type of abuse merits antitrust scrutiny in the data-driven digital environment. In Europe, competition law has mostly neglected exploitative abuses in recent years. With the Facebook case, this may be set to change.
A controversial issue in the Facebook case is its relationship with the EU’s data protection laws. The Bundeskartellamt is of the opinion that Facebook does not obtain effective user consent for its data gathering and processing practices under the General Data Protection Regulation (“GDPR”).5 This understanding is backed by a passage in the GDPR’s recitals, which states that consent by a data subject “is presumed not to be freely given if … the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.”6 This data protection breach by Facebook, according to the authority, is linked to Facebook’s market power.7 The Facebook case appears to rely on a breach of data protection rules which, framed from the vantage point of competition law, constitutes user exploitation. Here, it may be worthwhile to reflect on whether or not such a competition law infringement needs to be premised on a breach of data protection rules.8
The Bundeskartellamt’s analysis of the abuse of dominance relies on the asymmetry in the bargaining power between Facebook and its users.9 Users are overwhelmingly unaware of the extent of third-party tracking and of the value of their personal data that Facebook gathers, merges and exploits commercially. Facebook, on the other hand, relies on personal user data for its commercial success, which in turn reinforces its dominant market position. By relying on this imbalance, the authority makes its case for an exploitative abuse. The authority also believes that Facebook’s data practices inflict competitive harm on advertising customers and competitors.
The Facebook case was decided based on Section 19(1) of the German Competition Act.10 In that respect, it might be recalled that national rules on abuse of dominance may be stricter than their European equivalent, Article 102 TFEU.11 However, Article 102 TFEU may just as well provide a suitable basis for such an antitrust action, as it explicitly prohibits “directly or indirectly imposing unfair purchase or selling prices or other unfair trading conditions” (Article 102(a) TFEU). This is also recognized by the Bundeskartellamt.12
The German authority relies on judgments by the German Bundesgerichtshof in which the latter held contract terms to be abusive within the meaning of competition law if they violated the German Civil Code. The authority argues that this must also hold true for violations of data protection rules.13 Under European competition law, one might look to cases such as SABAM or Duales System Deutschland in order to establish benchmarks for data policies that are unfair within the meaning of Article 102(a) TFEU. These cases show that while exclusive data collection may constitute a new type of abuse, it can rely on precedent in order to flesh out the theory of harm that it relies upon.
In the early case of SABAM (1974), the Court of Justice of the European Union held that a collecting society’s trading conditions may be unfair where the society’s members need to agree to conditions that are not indispensable for the contract, “and which thus encroach unfairly upon a member’s freedom to exercise his copyright.”14 And in Duales System Deutschland (2001), the European Commission held that a company in a dominant position needed to observe the principle of proportionality in its commercial terms in order for them to be compliant with Article 102(a) TFEU.15
This analysis, it would seem, can be transferred to the data exploitation that is at issue in Facebook. It is also in line with the view of the EU’s data protection advisory body, which holds that the collection of personal data may be unfair where third-party tracking goes beyond the user’s reasonable expectations.16 Under EU competition law, the respective bargaining power of users on the one side and the social network on the other, as well as the proportionality between what a user gives in terms of third-party data and what he receives in return, will need to be at the heart of any such analysis.
1 Viktoria H.S.E. Robertson is an Assistant Professor in Law at the University of Graz.
2 Facebook has already appealed the decision; Bundeskartellamt, Case Summary: Facebook, Exploitative Business Terms Pursuant to Section 19(1) GWB for Inadequate Data Processing (February 15, 2019) at 12, https://www.bundeskartellamt.de/SharedDocs/Entscheidung/EN/Fallberichte/Missbrauchsaufsicht/2019/B6-22-16.pdf?__blob=publicationFile&v=3.
3 Bundeskartellamt, Bundeskartellamt Prohibits Facebook from Combining User Data from Different Sources (February 7, 2019), https://www.bundeskartellamt.de/SharedDocs/Publikation/EN/Pressemitteilungen/2019/07_02_2019_Facebook.html; Bundeskartellamt, Background Information on the Bundeskartellamt’s Facebook Proceeding (February 7, 2019), https://www.bundeskartellamt.de/SharedDocs/Publikation/EN/Pressemitteilungen/2019/07_02_2019_Facebook_FAQs.html; Bundeskartellamt, Case Summary, supra note 2.
4 See already Ariel Ezrachi & Viktoria HSE Robertson, Competition, Market Power and Third-Party Tracking, 42 World Competition (forthcoming 2019), pre-print version available at https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3272552.
5 Bundeskartellamt, Background Information, supra note 3, at 6.
6 Regulation (EU) 2016/679 of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, GDPR) [2016] OJ L119/1, Recital 43.
7 Bundeskartellamt, Case Summary, supra note 2, at 11.
8 See Ezrachi & Robertson, Third-Party Tracking, supra note 4.
9 Bundeskartellamt, Background Information, supra note 3, at 5; Bundeskartellamt, Case Summary, supra note 2, at 8.
10 Gesetz gegen Wettbewerbsbeschränkungen (German Competition Act), Federal Law Gazette Nr I 2013/1750, as last amended; Bundeskartellamt, Case Summary, supra note 2, at 7.
11 Treaty on the Functioning of the European Union (TFEU) [2016] OJ C202/47; Council Regulation (EC) No 1/2003 of December 16, 2002 on the implementation of the rules on competition laid down in Articles 81 and 82 of the Treaty [2004] OJ L1/1, art 3(2).
12 Bundeskartellamt, Background Information, supra note 3, at 6.
13 Bundeskartellamt, Case Summary, supra note 2, at 7 f.
14 Case 127/73 BRT v. SABAM EU:C:1974:25, para 15.
15 Duales System Deutschland (Case COMP/34.493) Commission Decision of April 20, 2001 [2001] OJ L166/1, para 112. Upheld on appeal in Case T-151/01 Duales System Deutschland EU:T:2007:154; Case C-385/07 P Duales System Deutschland EU:C:2009:456.
16 Article 29 Data Protection Working Party, Opinion 03/2013 on Purpose Limitation (April 2, 2013) at 13, https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2013/wp203_en.pdf.
Facebook’s Hunger For Your Data: Network Effects in the FCO Decision – By Alec Burnside, Clemens York, Marjolein De Backer (Dechert LLP.)1
Click here for a PDF version of the article
Introduction
On February 6, 2019, the Bundeskartellamt (Federal Cartel Office – “FCO”) ruled that Facebook abused its dominant position as a social network in Germany by imposing exploitative business terms on its counterparties, Facebook users. The terms highlighted by the FCO allow Facebook to collect and combine data from non-Facebook services such as Facebook’s subsidiaries WhatsApp and Instagram, and from non-owned third-party sites.
The case is ground-breaking because it is the first to establish an infringement of competition law rules because practices were in conflict with data protection principles. We review this finding, and consider the potential for the approach to gain traction outside Germany.
However, the case also raises more traditionally economic issues in the ongoing debate about “Big Data” and antitrust, i.e. the value of data for competition and the application of antitrust to the digital industry. Those important aspects, less noticed in the early reactions to the decision, are the principal focus of this comment.2
Facts of the Case
Facebook operates a social network which users can join for free. Facebook monetizes its service substantially through targeted advertising.3 This means that Facebook collects data about users to develop user profiles which will allow identification of the type of advertising most likely of interest to a particular user.4 The FCO accepts that it is an essential component of Facebook’s business model to aggregate data per user based on the user’s interactions with the Facebook platform. Users, the FCO says, know that the data they make available through their Facebook account will be collected and used to a certain extent. However, many users are unaware, according to the FCO, that Facebook also collects data about them outside of the Facebook platform: Facebook collects data about users not only through two of its other companies, WhatsApp and Instagram, but also through third-party websites which have embedded so-called “Facebook Business Tools” – such as “Like,” “Share,” or “Facebook Login” buttons, or which use analytical services such as “Facebook Analytics.” This data flows to Facebook, which combines it with data users provide directly on the Facebook platform and uses it for numerous data processing purposes.5
The Federal Cartel Office’s Decision
The FCO found that Facebook is active on the private social network market where Facebook’s counterparties are the private users.6 The market is limited to Germany and within that geography the FCO concluded that Facebook holds a dominant position because Facebook’s remaining rivals are limited to some smaller German providers of social networks.7
Due to this dominant position, the FCO found that Facebook has a much stronger position than its counterparties, Facebook users. Users who create a Facebook account therefore have no choice but to accept Facebook’s data collection practices when signing-up to the Facebook social network service. This includes “ticking a box” allowing Facebook to collect personal data about the user from other apps and sites. The FCO concluded that any idea that the user has a choice is illusionary, since there are only two binary options: (1) accept Facebook’s terms and conditions, including the data collection from non-Facebook platforms and sites, which the FCO labels as excessive; or (2) not have a Facebook account.8 Based on the FCO’s assessment – in discussion with data protection authorities – this approval of Facebook’s terms and conditions does not meet the criterion of “voluntary consent” under the European General Data Protection Regulation (“GDPR”) and were therefore in conflict with the data protection principles protected by the GDPR.9
The FCO then relies on the German Federal Court of Justice’s case law to find that Facebook’s GDPR infringement also constitutes an infringement of the German Competition Act’s abuse of dominance prohibition (Section 19(1)). Specifically the German Federal Court of Justice has ruled that violations of the German Civil code10 or constitutional rights11 can be abusive under Section 19(1) “in particular if the fact that such terms and conditions are applied is a manifestation of market power or superior power of the party using the terms”12 or “where one contractual party is so powerful that it is practically able to dictate the terms of the contract and the contractual autonomy of the other party is abolished.”13 The FCO concludes that, in this case, Facebook is the more powerful party and the law must therefore intervene to balance the interests of Facebook and its users: “It is the authority’s view that the European data protection regulations, which are based on constitutional rights, can or, considering the case-law of the highest German court …, must be considered when assessing whether data processing terms are appropriate under competition law.”14
This exploitative abuse of Facebook’s users is, however, not only a GDPR issue but relevant also for the dynamics of the market, because “the conduct of online businesses is highly relevant from a competition law perspective.”15 Social networks are, the FCO notes, data-driven products, and access to personal data of users is thus essential for a social network’s market position. On that basis, the question of how a company handles personal data is not only a data protection concern but also an economic issue, and thus one relevant for competition authorities. We return to this below.
The FCO concluded that Facebook’s processing of data from third-party sources is not required to operate the social network or to monetize the social network because, as a personal network, this could largely be based on the data obtained through the user’s interaction with the Facebook platform itself.16 The FCO therefore required Facebook to either seek effective voluntary consent from its users for the extensive data collection; or allow users to have a Facebook account without consenting to that wider collection.17 Facebook has appealed the FCO decision.
Opinion
While the FCO’s decision is groundbreaking in as far as it combines antitrust and data protection, it is entirely in line with the newly conventional wisdom among antitrust authorities that data is an important asset with economic value. The FCO’s finding that “Facebook’s comprehensive data sources are highly relevant for competition as a social network is driven by such personal data”18 is in line with precedents from e.g. the European Commission (“Commission”). The importance of datasets as an “asset” relevant to a market analysis under antitrust has been well-established in e.g. the Commission’s merger decisions such as Google/DoubleClick,19 Microsoft/LinkedIn,20 and Facebook/WhatsApp.21 Data also drove the Commission’s Google Android case22 and the Commission’s pending examination of Amazon’s practices focuses on Amazon’s use for its own benefit of third-party retailer data.23
Indeed the DOJ’s head of antitrust has recently given a ringing endorsement of the principle, contrasting with an earlier absence of U.S. enthusiasm.24 As mentioned by the FCO,25 the Facebook decision also responds to recent reforms to the German Competition Act which made it explicit that access to data is a relevant factor to assess market dominance: “In particular in the case of multi-sided markets and networks, in assessing the market position of an undertaking account shall also be taken of … 4. the undertaking’s access to data relevant for competition.”26 This statutory amendment puts to rest any German debate on the issue,27 but the point is in any event beyond doubt in other jurisdictions.
From this starting point, the FCO analyzes the creation and maintenance of Facebook’s dominant position through the large datasets Facebook assembles,28 applying customary principles. In this context the FCO concludes that Facebook’s economies of scale and the significance of direct network effects have marginalized Facebook’s competitors29 because Google+ and the smaller German players cannot offer users the possibility to connect with similar numbers of other users. Users are therefore unlikely to switch30 and there was no evidence of users multi-homing and using different social networks in parallel.31 Facebook, on the other hand, the FCO found, can use the vast amount of data to optimize its own service and tie more users to its network, to the detriment of alternative social network providers.32
The FCO’s analysis also focuses on one aspect particularly important in relation to user data: personalized advertising.33 The FCO finds that “the attractiveness and value of the advertising spaces increase with the amount and detail of user data.”34 It is challenging for alternative ad-funded social networks to enter the market because they need a large private user base to succeed. Without a critical mass of users, the social network will not be sufficiently attractive for advertisers.35
But, as mentioned above, users are unlikely to switch to an alternative which does not yet have a significant number of people on the platform. Facebook is therefore becoming more and more indispensable for advertising customers which are faced with a dominant player for advertising space on social networks.36 The value of data in the online advertising space is already the subject of a French and German sector inquiry.37 The Commission has also examined online advertising markets, e.g. in Microsoft/LinkedIn the Commission examined the effect of the parties’ concentrated datasets on online advertising services,38 in Telefonica UK/Vodafone UK/Everything Everywhere/JV the Commission analyzed whether competing providers of advertising services would be foreclosed,39 in Google/DoubleClick the Commission assessed whether the acquisition of DoubleClick’s display and ad serving technology by Google could lead to foreclosure based on the combination of databases on customer online behavior.40 Most recently, the Google Android case examined how Google’s contractual terms ensured continuous data flows for Google’s own advertising service.41
Based on the available materials, the FCO has conducted an analysis of direct and indirect network effects based on the concentration of data and foreclosure of rivals. It is obvious that data collection and processing are in that respect economic activities which are relevant under competition law. The detail of that analysis will be of interest, once the full decision is available for the demonstration of market power and foreclosure effects, going beyond the loss of choice for private users resulting from Facebook’s exploitative business terms. While the headlines greeting the case have focused on the GDPR nexus, this part of the decision, based on more familiar economics, is also of great significance.
Finally: will we see an export to other jurisdictions of the FCO’s joining of data protection and antitrust law principles? The reasoning is grounded in German constitutional rights but the protection of personal data is also recognized as a specific right in the European Charter of Fundamental Rights:42 this is a horizontal right which protects not only against interference by the state, but against any processing that does not meet minimum safeguards.43 The European Commission – and other national authorities – can be inspired directly from the overriding Charter principle of minimum safeguards,44 many of which are specified in Article 8(2) of the Charter itself. Dominant firms can afford to be “more casual about users’ privacy than others. There is no reason for antitrust regulators to treat this beyond their reach … the fairness of ‘trading conditions’ – here the provision of the online service in return for extensive (and often unwitting) waiver of privacy rights – is explicitly a criterion within Article 102.”45 There is therefore no reason that a similar result which takes into account that users have de facto no choice but to sign up to Facebook’s terms and conditions while direct and indirect network effects strengthen Facebook’s position and keep users locked-into its ecosystem, cannot be reached under EU competition rules applying the “unfair trading conditions” abuse foreseen in Article 102 TFEU. The Austrian, Dutch, Italian, and Spanish competition authorities have already voiced interest in the findings of the FCO and the potential parallels in their jurisdictions.46
1 Dechert LLP.
2 Our discussion is based on the materials published by the FCO to date, i.e. the FCO’s press release, background paper and summary decision: Bundeskartellamt’s press release: Bundeskartellamt prohibits Facebook from combining user data from different sources (February 7, 2019), available at https://www.bundeskartellamt.de/SharedDocs/Publikation/EN/Pressemitteilungen/2019/07_02_2019_Facebook.pdf?__blob=publicationFile&v=2; Facebook FAQ, Background information on the Bundeskartellamt’s Facebook proceeding (February 7, 2019), available at https://www.bundeskartellamt.de/SharedDocs/Publikation/EN/Pressemitteilungen/2019/07_02_2019_Facebook_FAQs.pdf?__blob=publicationFile&v=6.; B6-22/16 – Facebook, Exploitative business terms pursuant to Section 19(1) GWB for inadequate data processing (February 15, 2019), available at https://www.bundeskartellamt.de/SharedDocs/Entscheidung/EN/Fallberichte/Missbrauchsaufsicht/2019/B6-22-16.pdf?__blob=publicationFile&v=3.
3 B6-22/16 – Facebook, p. 2.
4 Ibid.
5 Id. p. 3.
6 Ibid.
7 Id. p.5-6. See also Facebook FAQ Background information, p. 3.
8 Bundeskartellamt’s press release: Bundeskartellamt prohibits Facebook from combining user data from different sources (February 7, 2019), p.2, https://www.bundeskartellamt.de/SharedDocs/Publikation/EN/Pressemitteilungen/2019/07_02_2019_Facebook.pdf?__blob=publicationFile&v=2.
9 B6-22/16 – Facebook, Exploitative business terms pursuant to Section 19(1) GWB for inadequate data processing (February 15, 2019), p. 9-11, https://www.bundeskartellamt.de/SharedDocs/Entscheidung/EN/Fallberichte/Missbrauchsaufsicht/2019/B6-22-16.pdf?__blob=publicationFile&v=3.
10 KZR 58/11, VBL-Gegenwert I, 2013; KZR 47/14, VBL-Gegenwert II, 2017 and B6-22/16 – Facebook, p. 8.
11 KZR 6/15, Pechstein v. International Skating Union, 2016 and B6-22/16 – Facebook, p. 8.
12 B6-22/16 – Facebook, p. 9.
13 Ibid.
14 Id. p.8.
15 Ibid.
16 Id. p.10.
17 Id. p.12.
18 Id. p.7.
19 M.4731, Google/DoubleClick, http://ec.europa.eu/competition/mergers/cases/decisions/m4731_20080311_20682_en.pdf.
20 M.8124, Microsoft/LinkedIn, http://ec.europa.eu/competition/mergers/cases/decisions/m8124_1349_5.pdf.
21 M.7217, Facebook/WhatsApp, http://ec.europa.eu/competition/mergers/cases/decisions/m7217_20141003_20310_3962132_EN.pdf.
22 AT.40099, Android, unpublished. The Commission’s Google Android decision considered how Google’s different abuses contributed to a continuous flow of data for its advertising service. See, e.g. Commission fines Google €4.34 billion for illegal practices regarding Android mobile devices to strengthen dominance of Google’s search engine (July 18, 2018), http://europa.eu/rapid/press-release_IP-18-4581_en.htm.
23 Margrethe Vestager, European Commissioner for Competition, Speech at the Youth and Leaders Summit in Paris: New technology as a disruptive global force (January 21, 2019), https://ec.europa.eu/commission/commissioners/2014-2019/vestager/announcements/new-technology-disruptive-global-force_en.
24 Makan Delrahim, Assistant Attorney-General, Speech at the Silicon Flatirons Annual Technology Policy Conference at The University of Colorado Law School: “I’m Free”: Platforms and Antitrust Enforcement in the Zero-Price Economy (February 11, 2019), https://www.justice.gov/opa/speech/assistant-attorney-general-makan-delrahim-delivers-keynote-address-silicon-flatirons. See also Barry Nigro, Deputy Assistant Attorney General, Speech at the Capitol Forum and CQ’s Fourth Annual Tech, Media & Telecom Competition Conference (December 13, 2017), https://www.justice.gov/opa/speech/deputy-assistant-attorney-general-barry-nigro-delivers-remarks-capitol-forum-and-cqs.
25 Facebook FAQ, Background information on the Bundeskartellamt’s Facebook proceeding (February 7, 2019), p. 7, https://www.bundeskartellamt.de/SharedDocs/Publikation/EN/Pressemitteilungen/2019/07_02_2019_Facebook_FAQs.pdf?__blob=publicationFile&v=6.
26 Act against Restraints of Competition (Competition Act – GWB), section 18(3a), http://www.gesetze-im-internet.de/englisch_gwb/.
27 The reform improved the application of the German Act against Restraints of Competition to the digital industry and confirmed the importance of data in that sector. Deutscher Bundestag, Gesetzentwurf der Bundesregiering: Entwurf eines Neunten Gesetzes zur Änderung des Gesetzes gegen Wettbewerbsbeschränkungen, Drucksache 18/10207 (December 7, 2016), p. 48-51, available at http://dipbt.bundestag.de/doc/btd/18/102/1810207.pdf.
28 Facebook FAQ, p. 4-5 and B6-22/16 – Facebook, Exploitative business terms pursuant to Section 19(1) GWB for inadequate data processing (February 15, 2019), p. 7, https://www.bundeskartellamt.de/SharedDocs/Entscheidung/EN/Fallberichte/Missbrauchsaufsicht/2019/B6-22-16.pdf?__blob=publicationFile&v=3
29 Facebook FAQ, p. 3-4.
30 Id. p. 4.
31 Id. p. 5.
32 Ibid.
33 Id. p. 7.
34 Bundeskartellamt prohibits Facebook from combining user data from different sources (Feb. 7, 2019), p. 3, https://www.bundeskartellamt.de/SharedDocs/Publikation/EN/Pressemitteilungen/2019/07_02_2019_Facebook.pdf?__blob=publicationFile&v=2.
35 Facebook FAQ, p. 4-5.
36 Id. p. 5.
37 Autorité de la concurrence : Avis n° 18-A-03 du 6 mars 2018 portant sur l’exploitation des données dans le secteur de la publicité sur internet, (March 6, 2018), http://www.autoritedelaconcurrence.fr/pdf/avis/18a03.pdf and Bundeskartellamt, Bundeskartellamt launches sector inquiry into market conditions in online advertising sector, (February 1, 2018), https://www.bundeskartellamt.de/SharedDocs/Meldung/EN/Pressemitteilungen/2018/01_02_2018_SU_Online_Werbung.html.
38 M.8124, Microsoft/LinkedIn, http://ec.europa.eu/competition/mergers/cases/decisions/m8124_1349_5.pdf.
39 M.6314, Telefonica UK/Vodafone UK/Everything Everywhere/JV, http://ec.europa.eu/competition/mergers/cases/decisions/m6314_20120904_20682_2898627_EN.pdf.
40 M.4731, Google/DoubleClick, http://ec.europa.eu/competition/mergers/cases/decisions/m4731_20080311_20682_en.pdf.
41 AT.40099, Android, unpublished.
42 Charter of Fundamental Rights of the European Union, 2000 OJ C 364/10, art. 8.
43 Preliminary Opinion of the European Data Protection Supervisor, Privacy and competitiveness in the age of big data: The interplay between data protection, competition law and consumer protection in the Digital Economy, (March 2014), https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2014/14-03-26_competitition_law_big_data_EN.pdf.
44 Alec Burnside, No Such Thing as a Free Search: Antitrust and the Pursuit of Privacy Goals, Competition Policy International [CPI] 2 (2015).
45 Ibid.
46 Khushita Vasant, German Facebook decision reverberates through European antitrust agencies, PaRR, February 8, 2019, https://app.parr-global.com/intelligence/view/prime-2782635.
The FCO’s Facebook Decision: Putting Privacy Before Competition – By Dirk Auer (International Center for Law & Economics)1
Click here for a PDF version of the article
On February 6, 2019, the German Bundeskartellamt (“FCO”) concluded that Facebook had infringed German competition law by violating the European General Data Protection Regulation (“GDPR”).2 The decision, a Russian doll of sorts, uneasily straddles the line between competition policy and data protection (which lies outside of the FCO’s competence). It ultimately pushes competition law far beyond its natural confines and takes an unduly restrictive view of various provisions contained in the GDPR.
The FCO’s Convoluted Theory of Harm
The FCO’s decision rests on three necessary findings (in addition to the usual requirements of market definition, market power, etc.):
First, Facebook combines personal data from third-party websites with user profiles generated on the Facebook platform. This interweaving notably occurs when users visit a website that has embedded Facebook’s “Like” or “Share” buttons, and when users register or login to these sites using their Facebook credentials.3 Doing so allowed Facebook to track users’ behavior to and from these sites, though the extent of this monitoring is not entirely clear.4
Second, this practice allegedly violated Europe’s GDPR.5 Article 6 of the GDPR sets out a limited number of grounds upon which companies may lawfully process data. These notably include “user consent” and “necessity for the performance of the underlying contract.”6 According to the FCO, Facebook’s behavior did not fall within one of these limited justifications. Of these requirements, Facebook’s alleged failure to obtain users’ consent is perhaps most surprising. Though Facebook’s terms of service did provide for this eventuality, the FCO argued that “take it or leave it” offers could not be equated with consent.7 In other words, users’ consent was only valid if they could opt-out of some terms while maintaining access to the Facebook platform. According to the FCO, this was not the case here.
Third, Facebook’s behavior was found to be a “manifestation of market power.”8 This condition is critical. Without it, Facebook’s conduct would not be relevant as far as German competition law is concerned.9 It would thus fall exclusively to data protection authorities. But therein lies one of the case’s most problematic aspects. It is relatively uncontroversial that market power is not necessary to enforce the type of contractual terms which Facebook implemented. Sensing this weakness, the FCO argued instead that Facebook’s behavior “impedes competitors because Facebook gains access to a large number of further sources by its inappropriate processing of data and their combination with Facebook accounts.” This interpretation seems hard to square with German competition law. “Manifestation of” is clearly not synonymous with “impedes competitors.”
What Next?
Failure to successfully appeal the decision would have important ramifications for Facebook’s business in Germany. In order to comply with the decision, Facebook must either refrain from combining data from third-party websites with user profiles, or obtain users’ “consent” to do so (presumably by giving them the option to opt out of this specific processing). The latter option seems far more likely.
One solution would be for Facebook to allow users to opt out of this type of processing via its Privacy Settings page (and allow them to continue using its services when they exercise that option). This is, for instance, what Twitter has done.10 Another option would be for Facebook to seek users’ consent at the source of these “likes,” “shares,” and “logins.” Using these functions currently causes a Facebook window to pop up on third-party websites. It would not be particularly difficult to ask for users’ consent at that point (and only then merge their data). This could potentially alleviate the FCO’s concerns. Users’ potential refusal would only prevent them from using a specific function of the Facebook platform (which is inherently linked to the collected data), rather than the entire platform. Facebook will have to figure out which of these options (or other alternatives) produces the best results in terms of user consent and data generation.
Given the potential impact of these design choices on Facebook’s business model and profitability, it is no surprise that it has decided to appeal the FCO’s decision.11 In that respect, Facebook has a key advantage. Because the FCO’s decision rests on both German competition law and the GDPR, Facebook will be able to rely on both sets of provisions to sustain its appeal.
The FCO Overshot the Mark
The late Justice Scalia famously warned that it is wrong to conflate the goals of regulation and those of antitrust enforcement.12 The FCO’s Facebook decision is proof, if any were need, that he was onto something. Not only does the case extend German competition law far beyond its natural limits, it also marks a wholly unnecessary foray into the intricacies of data protection regulation (which should have been left to competent data protection authorities).
For a start, the decision is bad as a matter of competition policy. There is tremendous value in being able to integrate services, such as Facebook’s, within third-party websites (notably via “like,” “share,” and “login” buttons). For instance, functions like Facebook’s secure login makes it much faster to register on third-party websites, potentially increasing competition to the benefit of consumers. It is thus eminently desirable that Facebook be allowed to earn something in return for this valuable product (potentially in the form of data).
Critics may retort that users are insufficiently informed to make these decisions, and they may well be right. But assessing whether companies’ data policies are clear and transparent is the mission of Europe’s data protection authorities, not the FCO.13 The GDPR notably requires that every member of a national supervisory authority has “the qualifications, experience and skills, in particular in the area of the protection of personal data, required to perform its duties and exercise its powers.” This is simply not the case for the FCO. In other words, the FCO is only competent to review data protection issues insofar as they have anticompetitive effects.
Which brings us to the next problem with the FCO’s decision. Though exploitative abuses (such as the one in this case) are undeniably a part of the European legal landscape, they are usually confined to behavior that is made possible by a firm’s market power. The FCO saw fit to ditch this rule in favor of a much looser requirement that Facebook’s alleged infringement of the GDPR “impedes competitors.”14 But that is true of virtually all violations of law. If one believes – as argued by Gary Becker15 – that firms disobey the law because it increases their profits, then infringements systematically affect their competitive position vis à vis rivals who abide by the law. The German FCO’s stance would mean that virtually every legal infringement by a dominant company could amount to abusive behavior. This in turn would threaten the delicate balance that these legal instruments have achieved between over and under-deterrence.16 Not to mention the fact that competition authorities are obviously not well placed to judge whether firms have violated other legal provisions.
Finally, even if Facebook’s behavior was enabled by its market position, the FCO takes an extremely narrow view of “consent.” The GDPR provides that consent must be “freely given” and that this is not the case “if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.”17 In other words, it does not explicitly preclude “take it or leave it” offers, but leaves them to the appreciation of relevant data protection authorities (who must notably determine whether data processing is “necessary” in a given case). Letting competition authorities take point on such matters threatens the coherent application of the GDPR. The FCO’s conclusion that users have not freely consented to Facebook’s terms of service, because they have no alternatives to the Facebook platform, is equally dubious. Users can share photos on Tumblr, Flickr, Snapchat, or Pinterest. They can read newsfeeds on Twitter and Google News. And they can send instant messages on Snapchat, WeChat, Telegram, Google Hangouts, Signal, and even SMS. This is not to say that these are necessarily in the same relevant market as Facebook. But it does undermine the idea that consumers are somehow coerced into joining the Facebook platform, and that this invalidates their consent to Facebook’s terms of service.
To summarize, the FCO is acting as a self-appointed enforcer of data protection rules. In doing so, it seems to have forgotten that its mission is not to monitor firms’ data collection policies but to preserve competition. Although it goes to great lengths in order to establish that these are one and the same, its decision is ultimately unconvincing. We may not like Facebook’s data processing practices, and they might plausibly infringe the highly restrictive GDPR, but it was not up to the German competition authority to make that call.
1 Dirk Auer is a Senior Fellow in Law & Economics at the International Center for Law & Economics (ICLE), and a Guest Lecturer at UC Louvain and EDHEC Business School. ICLE is a nonprofit, nonpartisan research center based in Portland, OR. ICLE has received financial support from numerous companies and individuals, including Facebook, as well as several of its competitors. Unless otherwise noted, all ICLE support is in the form of unrestricted, general support. The ideas expressed here are the author’s own and do not necessarily reflect the views of ICLE’s advisors, affiliates or supporters. Please contact the author with questions or comments at dauer@laweconcenter.org.
2 See German Bundeskartellamt, Facebook, Exploitative business terms pursuant to Section 19(1) GWB for inadequate
data processing, Feb. 6, 2015, case summary available at https://www.bundeskartellamt.de/SharedDocs/Entscheidung/EN/Fallberichte/Missbrauchsaufsicht/2019/B6-22-16.pdf?__blob=publicationFile&v=3 (the full decision has yet to be published).
3 See Facebook, case summary, p.2-3. This functionality is sometimes referred to as “Facebook Business Tools.” https://www.facebook.com/help/analytics/1474296822878427. Facebook also obtained data from a tool called “Facebook Analaytics,” the functioning of this tool is not made clear in the decision.
4 See Facebook, FAQs, p.3 available at https://www.bundeskartellamt.de/SharedDocs/Publikation/EN/Pressemitteilungen/2019/07_02_2019_Facebook_FAQs.pdf;jsessionid=34DA54FD65BDB5B83BAF8B47F20C9ADF.1_cid362?__blob=publicationFile&v=6.
5 See Facebook, case summary, p.7.
6 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), O.J. L. 119/1 (hereafter “GDPR”), art. 6, 1. (a) and (b).
7 See Facebook, case summary, p.1.
9 Id. p.7.
9 Id.
10 See Twitter Cookie policy, available at https://help.twitter.com/en/rules-and-policies/twitter-cookies (last viewed Feb. 27, 2019).
11 See Karin Matussek & Stephanie Bodoni, “Facebook to appeal Germany crackdown,” The Independent, Feb. 8, 2019, available at https://www.independent.ie/business/world/facebook-to-appeal-germany-crackdown-37794625.html.
12 Verizon Communications Inc. v. Law Offices of Curtis V. Trinko, LLP, 540 U.S. 398 (2003).
13 See GDPR, art. 51.
14 See Facebook, case summary, p. 11.
15 See Gary S. Becker, Crime and Punishment: An Economic Approach, 76 Journal of Political Economy, 169-217 (1968).
16 For a discussion of optimal deterrence, see, e.g. William M. Landes, Optimal Sanctions for Antitrust Violations, 50 University of Chicago Law Review, 652 (1983).
17 See GDPR, recitals 42 & 43.
Privacy and Antitrust: Searching for the (Hopefully Not Yet Lost) Soul of Competition Law in the EU after the German Facebook Decision – By Renato Nazzini (King’s College London)1
Click here for a PDF version of the article
Introduction
On February 6, 2019, the Bundeskartellamt (“BKA”) decided that certain companies belonging to the Facebook group (“Facebook”) had abused their dominant position.2 The abuse consisted in making the use of Facebook’s social network (“Facebook.com”) by private users residing in Germany conditional upon their consent to Facebook obtaining private users’ data generated on the other Facebook’s services WhatsApp, Oculus, Masquerade, and Instagram, and on third-party websites and mobile apps that use Facebook’s programming interfaces (“Facebook Business Tools”) for the purpose of combining them with data generated on Facebook.com and using them for advertising and profiling.3
Facebook was found to be dominant on the German social network market for private users.4 The abusive conduct consisted in a breach of the European General Data Protection Regulation (“GDPR”)5 in that Facebook did not have a legal basis for processing the data in question.6 The BKA further determined that, while it was not necessary that the conduct was possible only because of market power, it was a “manifestation” of market power.7 This appears to be the crux of the theory of harm in the case and will be discussed later in this article. No fine was imposed but Facebook was ordered to bring the abusive conduct to an end.8
The BKA’s decision was highly anticipated as the first major abuse of dominance case addressing the interface between data protection and competition law. As it is adopted purely under German law, this article will focus on the wider EU law and competition policy implications of the approach adopted by the BKA.9 In doing so, it will tackle the fundamental question as to whether privacy standards are relevant to the competitive assessment of unilateral conduct under Article 102 TFEU, discussing, first, exploitative theories of harm, and, then, exclusionary theories of harm. Finally, conclusions will be drawn.
Exploitative Theories of Harm
The BKA states that “Using and actually implementing Facebook’s data policy, which allows Facebook to collect user and device-related data from sources outside of Facebook and to merge it with data collected on Facebook, constitutes an abuse of a dominant position on the [German] social network market in the form of exploitative business terms.”10 The very title of the Case Summary published by the BKA is “Facebook, Exploitative business terms pursuant to Section 19(1) GWB for inadequate data processing.” It seems, therefore, that the abuse in question has been categorized as exploitative. The exploitation would consist in applying terms and conditions that are a “manifestation of market power or superior power” or are inappropriate given the constitutional rights involved, which include the “fundamental right to informational self-determination.”11
It is often said that Article 102 TFEU explicitly prohibits exploitative abuses and that, therefore, this is the law in the European Union.12 This is, of course, not the case. The text of Article 102 allows for an interpretation of the prohibition of abuse of dominance that includes exploitative abuses but does not so require. The case law has interpreted the prohibition of “unfair” prices or trading conditions as including exploitative abuses13 but, equally, the case law considers predatory pricing as a form of “unfair” prices.14 A price or a trading term may be “unfair” because of its effect on competitors rather than unfair because of its effect on customers. In any event, the case law is now clear that so-called excessive prices or excessively onerous trading conditions can be an abuse of dominance purely because of their effect on customers.15 The category of exploitative abuses has thus been created in EU law.
An exploitative abuse can consist not only in the charging of excessive high prices16 but also in the application of abusive terms and conditions.17 The case law on exploitative trading conditions is scarce and fairly old. In BRT v. SABAM, the Court of Justice was asked to rule on whether the Belgian collecting society SABAM was abusing its dominant position by requiring authors to assign to it all categories of copyright in respect of current and future works and to give to it the power to exercise the assigned rights for five years after the withdrawal of a member.18 The Court said that, in assessing the “fairness” of the clause, all relevant interests had to be taken into account “for the purpose of ensuring a balance between the requirement of maximum freedom for authors, composers, and publishers to dispose of their works and that of the effective management of their rights” by the collecting society.19 The test resembled closely a proportionality assessment whereby the Court considered, first, the objective of the clause,20 and then whether there were any less restrictive alternatives to achieving the objective pursued.21
In Tetra Pak II, the Commission considered a number of clauses in the sale and leasing of Tetra Pak’s machines and cartons abusive.22 The overall purpose of the clauses in question was exclusionary23 and, therefore, the infringement cannot be analyzed as a purely exploitative abuse. However, the case is an interesting illustration of the types of clause that have been found to be exploitative in application of the proportionality test. Such clauses included, for instance, clauses in sale contracts prohibiting any additions or modifications to Tetra Pak’s machines and prohibiting the customer from even moving the machines, which were held to be “additional obligations which have no connection with the purpose of the contract and which deprive the purchaser of certain aspects of his property rights.”24 In DSD, the dominant undertaking made available facilities for the collection of sales packaging and managed the recovery process. It held a trademark, der Grüne Punkt (literally, the green dot), which, when affixed on packaging, signaled to consumers that they could dispose of the waste through DSD’s systems. Distributors using the DSD’s system were required to pay a fee, which depended on the packaging on which the distributor affixed the trademark. The distributor was under an obligation to affix the trademark to all registered packaging for domestic consumption. Therefore, the fee was payable also in respect of packaging that was collected either by the customer directly under a self-management solution or by a competitor of DSD.25 The Commission held that DSD was imposing unfair trading terms on its customers because it failed to comply with the principle of proportionality,26 which was interpreted as requiring the balancing of all the relevant interests.27 The Commission held that DSD did not have “any reasonable interest in linking the fee payable by its contractual partners not to the… service actually used but to the extent to which the mark is used.”28
This case law and Commission practice are capable, in theory, of supporting a finding of abuse by a dominant social network if its privacy policy is “unfair” under Article 102(a) because it is disproportionate or has no connection with the purpose of the contract with the end user. Superficially, there is a parallel between cases like BRT v. SABAM, Tetra Pak II, and DSD, on the one hand, and Facebook, on the other. In Facebook, the BKA has also concluded that Facebook’s privacy policy was “neither required for offering the social network as such nor for monetizing the network through personalized advertising, as a personalized network could also be based to a large extent on the user data processed in the context of operating the social network.”29 It also applied a broad proportionality test, balancing all relevant interests, including constitutional rights.30 The question is, however, not one of superficial similarity of the tests, as clearly “unfairness” or “proportionality” are principles applied across very many legal fields, for purposes as different as assessing self-defense at a murder trial or implying a price into a contract for the sale of soya beans. The issue is not, therefore, one of the forms of the tests but whether the harm addressed under whatever test for exploitative abuses is applied is a harm that competition law aims at protecting. Article 102 cannot be used to pursue objectives other than the protection of competition. If an EU institution were to use Article 102 to pursue extraneous objectives, this would be a misuse of power under Article 263 TFEU.
This is true of exclusionary abuses as it is true of exploitative abuses. An exploitative abuse does not, technically, involve a restriction of the process of competition but is still the result of the exercise of market power unconstrained by effective competition. While there is no restriction of competition as such, the harm addressed is still competitive harm in the form of prices significantly and persistently above the competitive level or, more rarely, trading conditions significantly and persistently more onerous than those that would prevail under conditions of effective competition.31 Whereas as regards exclusionary conduct it may be argued that the behavior of the dominant undertaking can be behavior that a non-dominant undertaking can also engage in, the same cannot be said as regards exploitative abuses.
For example, pricing below cost to harm a rival is conduct that may be carried out by a non-dominant firm. This does not mean that predation cannot be an abuse of dominance when carried out by a dominant undertaking. On the other hand, an exploitative abuse can, by definition, only be carried out by a dominant undertaking because the exploitation that Article 102, as interpreted by the case law, prohibits is not any exploitation of customers by a business but only the exploitation consisting in a particularly severe form of exercise of market power. Therefore, exploitative conduct caught by Article 102 is only exploitation caused, or made possible, by the fact that the undertaking engaging in such conduct is dominant.32 A non-dominant undertaking must be, therefore, unable to carry out that very same conduct – or at least unable to carry it out profitably. If a price for a given product can be profitably charged by a non-dominant undertaking, that price cannot be exploitative within the meaning of Article 102. By the same token, a mere breach of the GDPR, however serious and however extensive, that can be profitably committed by any firm, can never be an exploitative abuse.
This does not mean that a breach of the GDPR or, more broadly, substandard levels of data protection, can never be an exploitative abuse. For example, in the Facebook case, it can be argued that, when the basis for the processing of data is the data subject’s consent, a dominant undertaking is capable of extracting consent of such a scope that a non-dominant undertaking would not be able to obtain. This is, of course, a matter of evidence in each individual case. However, it is significant that Article 7(4) of the GDPR provides that, “when assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.” This suggests that the fact that the performance of a contract is conditional on unnecessary consent is considered problematic regardless of the dominant position of the data controller. Whether or not the data controller is dominant, making the performance of a contract conditional on unnecessary consent is an indication that consent is not freely given.
It is also a type of harm that the GDPR considers as constituting a defect in the giving of consent that invalidates the legal basis for the processing of data under Article 6(1)(a) of the GDPR. This strongly suggests that this is not, in itself, competitive harm. For this type of defect in the giving of consent to be turned into competitive harm it would have to be established that: (a) only a dominant firm would be capable of extracting the consent in question and no other firm could profitably do so; and (b) the consent extracted by the dominant firm is significantly and persistently more onerous than that which would prevail under conditions of effective competition. The Case Summary published by the BKA does not allow for a full analysis of the decision, but the reasons set out therein do not appear to support the conclusion that Facebook’s conduct: (a) was only made possible by dominance and (b) consisted in the application of a privacy policy significantly and persistently more onerous than that which would have prevailed under competitive conditions. The only reason the BKA offers to support an exploitative theory of harm from a causation perspective refers to a doctrine of “normative causality” in that “data protection law considers corporate circumstances like market dominance, the concrete purpose and the amount of data processed in its justifications, i.e. Facebook’s market position is significant when assessing the violation.”33 It is not easy to understand the precise meaning of this reasoning but it appears that it falls short of the test highlighted above.
In conclusion, an exploitative abuse theory such as that apparently applied in the Facebook case would not have a solid basis under EU competition law. While, at first sight, it might appear that the case law and the Commission have applied a broad proportionality test to the assessment of trading conditions under Article 102, what is always necessary under EU law is that the harm caused by such trading conditions is competitive harm in the form of a particularly severe form of exercise of market power. In light of the published material, it does not appear that the BKA has met this test.
Exclusionary Theory of Harm
In the section titled “Manifestation of market power” of the Case Summary, the BKA points out that:
Facebook’s conduct … impedes competitors because Facebook gains access to a large number of further sources by its inappropriate processing of data and their combination with Facebook accounts. It has thus gained a competitive edge over its competitors in an unlawful way and increased market entry barriers, which in turn secures Facebook’s market power towards end customers.34
It is not clear whether this exclusionary theory of harm does translate, in the decision, in a finding of exclusionary abuse. In light of the published Case Summary, FAQ, and Press Release, probably not. If it did, however, this would be a solid basis for intervention under EU competition law.
First, at the most general level, Facebook’s conduct would fall within the definition of exclusionary abuse in Post Danmark I as:
conduct of a dominant undertaking that, through recourse to methods different from those governing normal competition on the basis of the performance of commercial operators, has the effect, to the detriment of consumers, of hindering the maintenance of the degree of competition existing in the market or the growth of that competition.35
Obtaining data in breach of the GDPR cannot be described as normal competition or competition on the merits. And if the effect of such unlawful conduct is to foreclose actual and potential competitors from the relevant social network or online advertising markets to the detriment of consumers, then the conduct under review can, in principle, be abusive.
Second, unlawful conduct that strengthens or protects a dominant position is, again in principle, likely to cause consumer harm. Consumer harm is not only direct harm to consumers but also harm that results from a restriction of an effective competitive process.36 The foreclosure of competitors on the relevant social network or online advertising markets, thereby protecting or strengthening Facebook’s market power on either or both markets, is likely to cause consumer harm. Such consumer harm is distinct from the harm caused by a possible breach of the GDPR. The harm caused by a breach of the GDPR is the processing of data without the required legal basis and, in particular, without a freely given consent. The harm caused by foreclosure, on the other hand, would consist in the higher prices, lower quality, and reduced innovation resulting from Facebook’s dominance. An element of such competitive harm may well be substandard levels of privacy protection. But then this harm would still be different for a mere breach of the GDPR because it would have been caused by foreclosure rather than simply by Facebook’s breach of the GDPR. A parallel with the analysis of prices may be instructive. Unless they are a means to exclusion, like in a constructive refusal to supply scenario, high prices under Article 102 could be one of three things: (a) purely manifestation of dominance, which is not prohibited; (b) in exceptional circumstances, an exploitative abuse if they are significantly and persistently above the competitive level; (c) consumer harm resulting from an exclusionary abuse. Under an exploitative theory of harm, substandard levels of privacy protection would fall under (b). Under an exclusionary theory of harm, they would fall under (c).
Third, conduct that is unlawful under other legal rules may well constitute abusive exclusionary conduct. In AstraZeneca, the dominant undertaking had made misleading representations to patent offices in Belgium, Denmark, Germany, the Netherlands, the United Kingdom, and Norway, and before national courts in Germany and Norway.37 These representations led, in certain circumstances, to the granting of exclusive rights to which the dominant undertaking was not entitled (at all or for the period for which they were granted).38 It was clear that, by its conduct, the dominant undertaking had obtained the grant of exclusive rights to which it was not entitled and which could be annulled.39 This means that conduct that brings about an unlawful consequence40 for which there is an alternative remedy under EU (or national law), can still be an abuse of dominance. A fortiori this applies to conduct that misleads or forces data subjects into providing too much data to a dominant undertaking. Such conduct not only brings about an unlawful consequence (personal data is acquired in breach of the GDPR) but the conduct itself (not obtaining valid consent as a legal basis for the processing of the data) is unlawful. Indeed, it is surprising that it is sometimes disputed that conduct unlawful under other rules can also amount to an abuse of dominance. Of course, conduct unlawful under other rules cannot automatically, as a general principle, be also an abuse of dominance. All the ingredients of the abuse must be present, including not only dominance but also the anti-competitive effect (for example, foreclosure of as efficient competitors). But it seems obvious that if the behavior of the dominant undertaking also breaches other rules, such as the GDPR, this is a strong indication, or perhaps even conclusive evidence, that such behavior is not competition on the merits.
Fourth, it is conceivable – although this is a matter of proof in each individual case – that unlawfully obtaining data that actual or potential competitors are unable to obtain, by reason of their smaller scale, their more limited or no “vertical” or “lateral” integration, and, last but not least, their compliance with the law, could make entry more difficult or impossible. This does not depend on whether data are an “essential facility” – a concept that is quite difficult to apply to data, save perhaps in very exceptional circumstances. It is sufficient, in light of the general foreclosure test, that the “data asymmetry” that the unlawful conduct creates hinders “the maintenance of the degree of competition existing in the market or the growth of that competition,” that is, that the “data asymmetry” has a likely foreclosure effect.
Fifth, this exclusionary theory of harm has the advantage that it does not encroach upon the powers of data protection regulators and does not “merge” competition law into data protection law, thus keeping the two legal tools, and enforcement mechanisms, distinct and complementary, as they should be as a matter of policy and as they have been envisaged by the EU Legislature. While the conduct reviewed under Article 102 and under the GDPR would still be partially the same, the overlap is limited to an element of the anti-competitive behavior, that is, the failure to obtain a valid consent from end users. However, Article 102 TFEU would require, in addition, not only proof of dominance but also proof of foreclosure detrimental to consumers. And the consumer harm addressed would be – as explained earlier – clearly distinct from the harm that the GDPR aims at addressing.
Conclusion
The Facebook decision of the BKA could have brought some clarity to the role that privacy standards play in competition analysis. Instead, at least on the basis of the limited material published so far, it does precisely the opposite. It blurs the boundaries between competition enforcement, data protection and consumer law, depriving competition policy of its distinct identity. Some commentators will say that data protection and privacy standards should be a competition concern and that competition policy should evolve to be able to deal with the challenges posed by the digital economy. Put in this way, the argument is convincing.
This article shows that privacy standards can indeed be relevant to the competitive assessment of unilateral conduct, both under an exploitative theory of harm (in those jurisdictions that adopt this approach) and under an exclusionary theory of harm. However, the “harm” that competition law can address is only harm to “competition.” A mere breach of the GDPR by a dominant undertaking is not harm to competition even if the firm in question has a stronger bargaining power vis-à-vis the end users than other firms that could commit similar breaches.
The remedies for breaches of the GDPR are at hand and equivalent to competition remedies. A supervisory authority established under the GDPR has the power, inter alia, to order firms to bring their operations into compliance with the GDPR41 and to impose fines of up to 4 percent of the total worldwide annual turnover of the preceding financial year.42 If dominant undertakings, as well as breaching the GDPR, also manipulate privacy standards in a way that is either a particularly severe form of exercise of market power amounting to an exploitative abuse or exclusionary of actual or potential competitors so as to constitute an exclusionary abuse, then, subject to the principle of ne bis in idem,43 they would also breach competition law but not simply because they are dominant and they breached the GDPR but because, by breaching the GDPR or manipulating privacy standards, they have brought about the district, specific harm to competition that Article 102 prohibits.
1 Professor of Law, King’s College London.
2 The decision is adopted only under Section 19(1) of the German Competition Act (“GWB”) and not under Article 102 TFEU. Section 19(1) prohibits “the abuse of a dominant position by one or several undertakings.” Section 19(2) sets out an illustrative list in terms that are different to Article 102(a) – (d). It may be doubted whether the conduct would not have an effect on trade between Member States so that the BKA was under an obligation to apply Article 102 as well. In any event, since national competition law may prohibit conduct that is not an abuse under Article 102, the issue is largely theoretical in the actual case. This approach, however, may raise significant issues in terms of consistency of application of EU competition law as Article 3 of Regulation 1/2003 was enacted precisely for the purpose of preventing Member States from applying their national competition law only in order not to take a position under EU law, thus escaping the safeguards applicable when a national competition authority adopts a decision under EU competition law.
3 Case Summary, Facebook, Exploitative business terms pursuant to Section 19(1) GWB for inadequate data processing, B6-22/16, February 15, 2019, https://www.bundeskartellamt.de/SharedDocs/Entscheidung/EN/Fallberichte/Missbrauchsaufsicht/2019/B6-22-16.pdf?__blob=publicationFile&v=3, accessed on 6 March 2019, p. 7 (“Case Summary”), p. 1.
4 Case Summary, pp. 5 – 7.
5 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L119/1 (“GDPR”).
6 Case Summary, pp. 10 – 11.
7 Case Summary, pp. 11 – 12.
8 Case Summary, p. 12.
9 At the time of writing, the text of the decision had not been published. This article is based on the Case Summary, as well as on the BKA’s Press Release of 7 February 2019 and on a document titled “Facebook FAQ’s,” of the same date, all available at the BKA’s website, accessed on 6 March 2019. The author is aware that without the benefit of reading the full text of the decision, it is not possible to engage in full with the analysis of the BKA in what is, clearly, a complex and novel case. This is why this article looks at the broader implications of this type of approach and is not a comment on the decision itself or the actual analysis of the BKA in the case.
10 Case Summary, p. 7.
11 Case Summary, p. 8.
12 See, e.g. V. Rose & D. Bailey (eds.), Bellamy & Child, European Union of Competition Law (Oxford, OUP, 7th edition, 2013) 815-816.
13 Case 27/76 United Brands Company and United Brands Continentaal BV v. Commission, [1978], ECR 207, para 248; Case 66/86 Ahmed Saeed Flugreisen and Silver Line Reisebüro GmbH v. Zentrale zur Bekämpfung unlauteren Wettbewerbs e.V., [1989] ECR 803, para 43; Case 127/73 Belgische Radio en Televisie e société belge des auteurs, compositeurs et éditeurs (BRT) v. SV SABAM e NV Fonior, [1974] ECR 313, para 15; Case 395/87 Ministère public v. Jean-Louis Tournier, [1989] ECR 2521, para 34; Joined cases 110/88, 241/88 and 242/88 François Lucazeau and others v. Société des Auteurs, Compositeurs et Editeurs de Musique (SACEM) and others, [1989] ECR 2811, para 25.
14 Case 62/86 AKZO Chemie BV v. Commission, [1991] ECR I-3359, paras 70 – 72; Case C-333/94P Tetra Pak International SA v. Commission (Tetra Pak II), [1996] ECR I-5951, paras 41 and 44.
15 Case 27/76 United Brands, para 183.
16 Case 27/76 United Brands, para 250; Case C-52/07 Kanal 5 Ltd and TV 4 AB v. Föreningen Svenska Tonsättares Internationella Musikbyrå (STIM) upa, [2008] ECR I-9275, para 28; Case 26/75 General Motors Continental v. Commission [1975] ECR 1367, para 12. See also R. Nazzini, The Foundations of European Union Law: The Objective and Principle of Article 102, pp. 275-282 and R. Nazzini, “Abuse Beyond Exclusion: Exploitation and Discrimination Under Article 102 TFEU,” in B. Hawk (ed.) 2012 Fordham Competition Law Institute (Huntington NY, Juris 2013) 459-472.
17 Case 127/73 BRT v. SABAM, para 6; Case 395/87 Tournier, para 34.
18 Case 127/73 BRT v. SABAM, paras 3 – 4.
19 Ibid. para 8.
20 Ibid. paras 9 – 10.
21 Ibid. para 11. See also Case 395/87 Tournier, para 43.
22 Tetra Pak II [1992] OJ L72/1, recitals 106 – 145, upheld on appeal in case T-83/91, Tetra Pak International v. Commission, [1994] ECR II-755, paras 210 – 214 (further appeal dismissed in Case C-333/94P Tetra Pak II).
23 Tetra Pak II, recital 146 and Case T-83/91 Tetra Pak International, para 135.
24 Tetra Pak II, recital 106 – 107.
25 Der Grüne Punkt – Duales System Deutschland [2001] OJ L166/1.
26 Ibid. recital 112.
27 Ibid. recital 112.
28 Ibid. recital 112.
29 Case Summary, p. 10.
30 Case Summary, p. 8.
31 R. Nazzini, The Foundations of European Union Law: The Objective and Principle of Article 102 (Oxford, OUP 2011), pp. 97 – 100. In relation to prices, see Case C-177/16 Biedrība ‘Autortiesību un komunicēšanās konsultāciju aģentūra – Latvijas Autoru apvienība’ v. Konkurences padome ECLI:EU:C:2017:689, para 61 and Whal’s opinion in the same case ECLI:EU:C:2017:286, para 106.
32 On the argument that exploitative abuses need strong limiting principles if they are not to become an unstructured form of random market intervention, see R. Nazzini, The Foundations of European Union Law: The Objective and Principle of Article 102, pp. 275-282 and R. Nazzini, “Abuse Beyond Exclusion: Exploitation and Discrimination Under Article 102 TFEU,” in B. Hawk (ed.) 2012 Fordham Competition Law Institute (Huntington NY, Juris 2013) 459-472.
33 Case Summary, p. 11.
34 Case Summary, p. 11.
35 Case C-209/10 Post Danmark A/S v. Konkurrencerådet ECLI:EU:C:2012:172 (Grand Chamber), para 24.
36 Case 6/72 Europemballage Corp and Continental Can Co Inc v. Commission [1973] ECR 215, para 26; Case C-280/08 P Deutsche Telekom v. Commission [2010] ECR I-9555, para 176; Case C-52/09 Konkurrensverket v. TeliaSonera Sverige AB [2011] ECR I-527, para 24.
37 Case C-457/10 P AstraZeneca v. Commission ECLI:EU:C:2012:770, paras 18, 93 and 96.
38 Ibid. paras 105 – 112.
39 As had happened in Germany: ibid. para 109.
40 Ibid. paras 96 and 111.
41 GDPR, Art 58(2)(d).
42 GDPR, Art 83(5).
43 Which may be relevant in certain circumstances although, if the approach suggested in this article is adopted, data protection infringements and competition infringements should be quite distinct both in law and in fact, as the harm addressed by competition law and the ingredients of an competition infringement would be clearly different from the harm and the ingredients of a data protection breach: see R. Nazzini, “Parallel Proceedings in EU Competition Law: Ne Bis in Idem as a Limiting Principle,” in B. van Bockel, Ne Bis in Idem in EU Law (Cambridge, Cambridge University Press, 2016) 131 – 166 and R. Nazzini, “Fundamental Rights beyond Legal Positivism: Rethinking the Ne Bis in Idem Principle in EU Competition Law,” (2014) 2 Journal of Antitrust Enforcement 1 – 35.