Privacy rules and competition law enforcement

2018 | roadmap

The economic value of data as an input has been considered and acknowledged widely by competition authorities when reviewing concentrations in the digital industry. Several transactions have been assessed against whether the acquirers would derive market power from gaining access to the data troves of the target companies. As to privacy considerations, the EC stated in Facebook /WhatsApp that "even if there might be concerns that the concentration of data within the control of Facebook post-merger might impact privacy, respective concerns are outside the scope of competition law and should be dealt with by [appropriate] protection rules."1  In Asnef Equifax, the ECJ found that "…issues relating to the sensitivity of personal data are not, as such, a matter for competition law, [but] … provisions governing data protection."2

One would be mistaken to conclude that there is no intersection between data protection rules and competition rules. Commissioner Almunia already pointed out in 2012 that "a […] dominant company could […] think to infringe privacy laws to gain an advantage over its competitors."3 The debate over the relevance of data protection for competition law has intensified significantly since then.

Besides data protection being a fundamental right that every competition authority needs to respect, stricter data protection rules are believed to facilitate customer choice and ultimately benefit consumer welfare, which is at the heart of competition policy. Proponents of giving more weight to privacy considerations in antitrust assessments claim that privacy rules are a significant aspect of the quality of (often free) services offered by the digital industry, valued highly by consumers, but treated sluggishly by the dominant players owing to the power imbalance between the former and the latter. The more powerful the company in the digital industry, the more the level of data protection is believed to be at risk, with authorities being ill-equipped to assess these issues with their current economic toolset. Antitrust policy should actively encourage privacy competition, because high entry barriers due to several data-driven network effects and the incumbent's behaviour prevent the emergence of competing service providers that offer better privacy policies.

Those who argue against giving privacy considerations more room in antitrust enforcement point to three aspects:

(i) the relevance of a company's privacy policy as a dimension of the quality of its service is overrated in light of customers' relaxed approach to such policies; (ii) it follows from the decisional practice that customers' claims of being locked-in to a dominant provider to the detriment of alternative providers is invalid as long as switching is feasible, owing to the relevant data being available; and (iii) if competition law would have to ensure effective privacy, this would not only mean a departure from the standard analysis of efficiency, but would open the door for any other fundamental right or public policy having to be considered by antitrust enforcers. Such a result would lead to greater uncertainty over competition law enforcement, whereas the recent legal developments equip data protection authorities with a sufficient deterrent to combat lopsided relationships between individuals and the data controller.

In light of this, there is a lot of anticipation about the outcome of the pending investigation by the German Federal Cartel Office against Facebook over an alleged abuse of dominance. Assuming Facebook is dominant (which the FCO first needs to establish in its investigation, which seems difficult), the authority is looking into the question of whether disregarding customers' privacy interests and making access to the social network conditional upon accepting Facebook's privacy policy constitutes an abuse. It will be fascinating to see whether the authority will deploy an analytical approach based on standard economic efficiency (so that an abuse would only be established if the practice were to lead to an increase in prices or decrease in quality, which is not outweighed by other efficiency gains) or actually opens the door so that violations of data protection rules would be firmly included into the substantive assessment of competition rules.

Further reading
The fundamental right to privacy in competition investigations - effective protection or lip service?
The Delta Pekárny case as a leading example of ineffective protection in an Eastern European Member State?
All Schoenherr Chapters of the International Comparative Legal Guide to: Merger Control 2018


1 COMP/M.7217 – Facebook/WhatsApp, rec 164.

2 Case C238/05, AsnefEquifax v Asociación de Usuarios de Servicios Bancarios, rec 63.  

3 Joaquín Almunia, Competition and personal data protection – Speech at Privacy Platform event on Competition and Privacy in Markets of Data (26 November 2012), available at