
Competition authorities can assess GDPR violations

The Bundeskartellamt vs. Facebook saga has now been rumbling on for several years. As a reminder, the case relates to the German competition authority's decision that: 

  1. Facebook held a dominant position in the German market for social networks; and 
  2. Facebook had infringed competition law by abusing this dominant position through its data collection practices (which the authority said did not comply with the GDPR).   

We wrote about the original decision back in 2019. After Facebook's appeal and a CJEU reference, we also discussed in some detail the Opinion of AG Rantos that a national competition authority did have the competence to examine the conduct of an undertaking under the GDPR in assessing a potential breach of competition law.

The CJEU has now confirmed that a "national competition authority can find, in the context of the examination of an abuse of a dominant position, that the GDPR has been infringed". Although the judgment is currently only available in German and French, a press release in English also reveals that: 

  • When assessing a potential abuse of dominance, it may be necessary for a competition authority to examine whether the undertaking’s conduct complies with rules other than those relating to competition law, such as the GDPR.
  • The assessment of compliance with the GDPR serves solely to establish an abuse of a dominant position.
  • National competition authorities are required to consult and cooperate sincerely with the authorities monitoring the application of the GDPR.
  • National competition authorities must also ascertain whether that conduct (or similar conduct) has already been the subject of a decision by the competent supervisory authority or the Court, and cannot depart from such a decision. 

There are also some potentially useful findings about data processing. For example, the CJEU notes that "the mere fact that a user visits websites or apps that may reveal such information does not in any way mean that the user manifestly makes public his or her data". The CJEU also clarifies that a dominant operator is still able to obtain consent from users for data processing, but must prove that the consent was validly and freely given.

There will be more to unpack once an English translation of the judgment is available. However, this does appear to be a green light for competition authorities to assess data protection principles in competition law investigations.
