The Federal Cartel Office in Germany has prohibited Facebook from combining data from its internal and external services with each user’s account, on the grounds that such processing infringes the GDPR and, as a result, the social network was abusing its dominant position. The decision is part of a trend to abandon the competition law criteria related to the functioning of the market. In data protection, the dominant position of the company is used to exclude any legal ground justifying a particular type of processing. Our article, therefore, examines the arguments in the Facebook decision, focusing on the possible impact of such arguments on competition law and data protection law.
The main suggestion of the Facebook decision is to integrate fundamental rights as a controlling mechanism of dominant companies. The government can thus freely restrict the freedoms of one party on the basis of the fundamental rights of the others, without having to apply the usual assessment criteria in competition law. In a context of increasing regulatory density, the question arises as to what the contribution of competition law to the fundamental right of individuals to data protection is. Should it be used to ensure compliance with the GDPR or other rules?
The Facebook decision integrates the conditions for the application of another regulation (in this case the GDPR) to establish the violation of competition law, so that, instead of competition law's own conditions being applied, a violation of the GDPR becomes a per se violation of competition law. In doing so, this approach offers a significant expansion of the powers of competition authorities. Overall, such an approach risks delegitimising the work of competition and data protection authorities.
At the same time, the decision’s rationale incorporates dominance as a separate criterion for the application of the GDPR, giving it a new dimension with respect to dominant undertakings. The approach followed in the Facebook decision is likely to have an influence on the application of data protection and privacy laws to dominant companies by data protection authorities. Including dominance amongst the criteria for assessing a breach of the GDPR would allow data protection authorities to intervene more actively against data processing by dominant companies, for example, by limiting the legal grounds that would make such processing lawful. The question arises as to the function and added value of the dominant position test in protecting personal data and the fundamental rights of individuals with regard to it. We conclude that dominance is not relevant to assess the legal grounds of consent, contract or legitimate interest. The result is an unjustified limitation on companies that may be in a dominant position in a particular market, without improving user protection.