Alba Ribera Martínez

In its ruling issued on July 2023, the Court of Justice resolved the rampant doubts that had truffled the debate revolving around the potential interaction between data protection regulation and EU competition law. It all started in 2019 when the German competition authority put forward its theory of harm to find Meta (formerly Facebook) liable for an abuse of a dominant position under its national competition law regime for forcing users to grant consent so that the social network, in turn, could process great troves of their personal data both within its own services and apps and without its scope of activities. By doing that, the Bundeskartellamt tied the fortune of its antitrust case to its own interpretation of the GDPR regarding the undertaking’s processing of personal data.
In the abstract, the Court of Justice confirmed in substance the German competition authority’s actions by acknowledging that national competition authorities may consider the compliance or non-compliance of an undertaking’s conduct with the provisions of the GDPR within its wider analysis regarding all of the specific circumstances of the case to establish whether that conduct entailed resorting to methods governing normal competition (para 47, by developing the previous case law in Deutsche Telekom, paras 41 and 42).
Although commentators and scholars have rushed to celebrate the Court of Justice’s green light in acknowledging the (narrowly defined) interplay between data protection and competition law, this statement does not stand alone within the ruling. In fact, the Court of Justice produces a myriad of findings regarding the thresholds (and caution) that national competition authorities and data protection supervisory authorities should employ when considering the access and processing of personal data and exercising their corresponding competences and powers.

The Court of Justice’s backing of the FCO’s intervention in its case against Facebook’s processing activities cannot be read in absolute terms. Not every intervention on the side of a competition authority considering the application of the GDPR may be justified on the basis of the ruling. The interplay is only allowed in a narrow set of cases: those where it may be necessary for the competition authority to examine in the context of an abuse of a dominant position whether the undertaking’s conduct complies with rules other than those relating to competition law (para 48). Even in these cases, the competition authority’s decisions do not replace nor bind the investigations and findings of data protection supervisory authorities regarding the same set of facts (para 49).
The CJEU left the limitations on the NCAs’ capacity to consider “other rules” in the antitrust framework adrift. No reference nor explanation is granted within the judgment fleshing out what would differentiate a factual situation where the NCA needs to assess those rules as opposed to the scenario where the same analysis is useful but not essential to the review. The lack of reference to the principle of necessity is inevitably coherent with the Court of Justice’s backing of the FCO’s decision, whereas it falls short of satisfying (and even answering in full) the Higher Regional Court’s preliminary questions (for instance, one cannot yet grasp whether the Bundeskartellamt applied the GDPR only incidentally -borrowing the terms that AG Rantos used in his Opinion, para 24- or as a matter of principle).
Furthermore, the reference to “other rules than those relating to competition law” implicitly recognises that the interplay is not to be understood narrowly with reference to the GDPR, and the data protection regulation only. Instead, the Court of Justice opens the door to the NCAs’ embracing of a much wider stream of acts of Union law that can be observed, analysed, and interpreted under the competition law framework. The most sensible argument would take the statement as far as accepting the NCAs’ analysis of the e-Privacy Directive, whereas others would take the finding as far as the Union’s principles would let them.
Going back to the idea of necessity, the Court of Justice’s response regarding the rest of the questions addressed to it by the Higher Regional Court in relation to the interpretation of the GDPR consider the perspective of necessity as far as the interpretation of data protection regulation is concerned. In the most abstract terms, necessity implies objective indispensability and not practicality (for example, the Court’s interpretation of the legal basis under Article 6(1)(b) of the GDPR follows this same line of reasoning of requiring necessity in its strictest sense, see para 98). Once this threshold has been surpassed, the analysis moves on to assessing whether the same goal may be achieved just as effectively by other means less restrictive to the fundamental rights and freedoms of data subjects, given that the GDPR is a cluster regulation bringing together a rights- and economic-based approach.
If one reverses the argument, it seems as if the same meaning of the principle of necessity cannot be inferred for both fields of law. Data protection regulation may require considering the distribution of the different weights of the fundamental rights involved in the mix of a given conduct regarding the processing of personal data, whereas the same does not ring true for the enforcement of an NCA. Applying the rationale of the former to the latter would entail that NCAs would be held accountable to the highest threshold imaginable when it came to introducing “other rules than those relating to competition law” into the antitrust framework. In that hypothetical case, the interpretation of the GDPR should be completely indispensable to the finding of an abuse and the securing of the same result (the infringement of competition law) could not derive from a less demanding alternative in terms of rules and standards.
Such a high threshold cannot be understood to hold in this particular case, insofar as the GDPR’s interpretation is framed, according to the Court of Justice words, as a “vital clue among the relevant circumstances of the case” to establish whether conduct is not based on competition on the merits. That is to say, appraising data protection regulation in the antitrust framework may be the straw that breaks the camel’s back, but that straw may not be decisive in causing the collapse. Notwithstanding, the Court of Justice has compromised, at least semantically, to the threshold of necessity. If that concept might entail a different meaning than in data protection, then it falls within the hands of the Higher Regional Court to establish its limits when benchmarking the FCO’s analysis to that standard.