What’s this about?
The recent European Court ruling about Meta Platforms and Others has highlighted the interplay between data protection/privacy law and competition/anti-trust law. This article takes a look at the key issues.
A finding of data protection non-compliance can establish an anti-competitive infringement
Meta Platforms Ireland operates Facebook in the EU. When users registered with Facebook they accepted the general terms and, consequently, the respective data and cookies policies. According to those policies, Meta Platforms Ireland collected data about user activities on and off the social network and linked them with the Facebook accounts of the users in question. The latter data, also known as “off-Facebook data”, are data concerning visits to third-party webpages and apps as well as data concerning the use of other online services belonging to the Meta group (including Instagram and WhatsApp). The collected data served, amongst other things, to create personalized advertising messages for Facebook users.
The German Bundeskartellamt (the Federal Cartel Office) brought proceedings against Meta Platforms, Meta Platforms Ireland, and Facebook Deutschland. At the end of those proceedings the Bundeskartellamt prohibited, in particular, making the use of Facebook by private users resident in Germany subject, in the general terms, to the processing of their off-Facebook data, and prohibited those data from being processed without the users’ consent. The Bundeskartellamt based its decision on the finding that, since that processing was not consistent with EU GDPR, it constituted an (exploitative) abuse of Meta Platforms Ireland’s dominant position on the German market for online social networks, i.e. a competition/anti-trust law infringement.
Meta Platforms, Meta Platforms Ireland, and Facebook Deutschland brought legal action against that decision and the local German court in question made a preliminary reference to the European Court of Justice asking, amongst other things, whether national competition/anti-trust authorities may review whether a data processing operation complies with the requirements set out in EU GDPR.
The European Court ruled that:
- “In view of this duty of sincere cooperation, the national competition authority cannot depart from a decision by the competent national supervisory authority [the data protection regulator] or the competent lead supervisory authority concerning those general terms or similar general terms. Where it has doubts as to the scope of such a decision, where those terms or similar terms are, simultaneously, under examination by those authorities, or where, in the absence of an investigation or decision by those authorities, the competition authority takes the view that the terms in question are not consistent with [EU GDPR], it must consult and seek the cooperation of those supervisory authorities in order to dispel its doubts or to determine whether it must wait for them to take a decision before starting its own assessment. In the absence of any objection on their part or of any reply within a reasonable time, the national competition authority may continue its own investigation.”
The key issue here is that an EU competition/anti-trust regulator can determine that an organization is non-compliant with EU GDPR where that finding is necessary to establish a breach of competition/anti-trust law, subject to the duty to consult and cooperate with the data protection regulator described above.
A possible future development is in private enforcement against organizations for breaches of competition/anti-trust law, which is now more prevalent: in a competition/anti-trust matter that involves EU GDPR non-compliance, that non-compliance may also play a role, for example, in determining damages.
Class-action litigation concerning competition law issues and data protection are a phenomenon that has already started, in the UK at least. For example, the UK matter of Dr. Liza Lovdahl Gormsen v Meta Platforms, Inc. and Others concerned an application to the UK Competition Appeal Tribunal by Dr. Liza Lovdahl Gormsen, as a so-called “proposed class representative” (“PCR”), for a so-called “collective proceedings” order (“CPO”) pursuant to the UK Competition Act 1998.
This application sought permission to bring a “standalone” claim alleging an abuse of a dominant position by three corporate members of the Meta group in breach of (the relevant provisions of) the UK Competition Act 1998. The allegation was that Facebook had abused its dominant position by making its users’ access to the social media platform contingent on their provision of personal data, which Facebook then aggregated and profited from through advertising revenues.
In brief, in February 2023, the Competition Appeal Tribunal found significant problems with the claims in the CPO application (and with the methodology proposed in support of the application). The Tribunal therefore stayed the CPO application for six months to enable the PCR to file additional evidence setting out a new and better blueprint for a trial. If no new and better blueprint is put forward, the Tribunal will lift the stay and reject the CPO application; if one is put forward, the Tribunal will give directions for the determination of the renewed application.
It should be noted that in the UK this “collective proceedings” mechanism is currently only available for competition law claims. The mechanism is “opt-out”, which in simple terms means that a claim is brought on behalf of every individual falling within a class unless they expressly opt out. Although the UK government undertook an official review to consider whether to move to a system of opt-out proceedings in the courts for infringements of data protection legislation, it concluded not to do so, for now at least.
Fines – mitigation and aggravation
EU GDPR and UK GDPR set out various conditions for the imposition of fines for infringements of EU GDPR and UK GDPR respectively. Fines are determined by national data protection regulators in each individual case, taking into account all relevant circumstances of the specific situation. When deciding whether to impose an administrative fine, and the amount of that fine, in each individual case, the regulator must have regard to a number of aggravating and mitigating factors set out in EU GDPR and UK GDPR, including the following:
- The nature, gravity and duration of the infringement, having regard to the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
- The intentional or negligent character of the infringement;
- Any action taken by the data controller or data processor to mitigate the damage suffered by data subjects;
- The degree of responsibility of the data controller or the data processor having regard to technical and organizational measures implemented by them;
- Any relevant previous infringements by the data controller or the data processor;
- The degree of co-operation with the national data protection regulator, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
- The categories of personal data affected by the infringement;
- The manner in which the infringement became known to the national data protection regulator, in particular whether, and if so to what extent, the data controller or the data processor notified the infringement; and,
- Any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.
Note also that the European Data Protection Board has issued guidance entitled “Guidelines on the calculation of administrative fines following public consultation” in order to harmonize the methodology national data protection regulators use to calculate fines; the guidance includes a section on aggravating and mitigating factors.
This approach of applying aggravating and mitigating factors is very much inspired by the approach taken in competition law when fines are imposed for competition law infringements, which has been tried and tested for a number of years now. Therefore, experience in this area should be considered with regard to the imposition of fines for data protection infringements – it should be noted that imposing a fine is not a science but an art, and often an imperfect one at that.
Fines – group revenue
EU GDPR and UK GDPR specify two tiers of fines depending on the provisions infringed:
- Lower level = UK GDPR: up to £8.7m or, in the case of an “undertaking”, up to 2% of the total worldwide annual turnover of the preceding financial year (whichever is higher); EU GDPR: up to €10m, or in the case of an “undertaking”, up to 2% of the total worldwide annual turnover of the preceding financial year (whichever is higher); and,
- Higher level = UK GDPR: up to £17.5m or, in the case of an “undertaking”, up to 4% of the total worldwide annual turnover of the preceding financial year (whichever is higher); EU GDPR: up to €20m, or in the case of an “undertaking”, up to 4% of the total worldwide annual turnover of the preceding financial year (whichever is higher).
The issue in question here is what amounts to a so-called “undertaking”. Recital 150 of EU GDPR and UK GDPR states that: “Where administrative fines are imposed on an undertaking, an undertaking should be understood to be an undertaking in accordance with Articles 101 and 102 TFEU [the Treaty on the Functioning of the European Union] for those purposes”. Articles 101 and 102 of the TFEU are the two key EU competition law provisions.
What an “undertaking” means has been the subject of much interpretation by the European Court of Justice in cases concerning fines imposed on organizations for competition/anti-trust law infringements. Generally speaking, following European Court case-law, it can be said that where a company exercises “control” over another company they form a single economic entity and are therefore part of the same “undertaking”. “Control” here means the ability to exercise decisive influence over another entity, such that the latter entity has no real autonomy in determining its commercial conduct on the market. Each case has to be decided on its own facts.
The upshot is that, depending on the circumstances, an organization with a large and/or complex corporate structure, such as a multi-national company, could find that in a data protection infringement matter the national data protection regulator imposes a fine calculated on the corporate group’s revenue rather than that of the infringing entity alone. Given the potential high fines under GDPR referred to above, a fine based on a group’s revenue could be very significant.
Therefore, experience in the area of competition law fines and large and/or complex corporate structures should be considered with regard to the imposition of fines for data protection infringements – again, as this experience has shown, imposing a fine in this context is not a science but an art, and often an imperfect one at that.
What are the takeaways?
- Ensure that there is more awareness internally about the interplay between competition/anti-trust law and data protection/privacy law, including at Board level, notably as regards the fact that a fine could be particularly significant if it hits group revenue;
- Ensure that the organization has the capacity to deal internally with what might be a double whammy of a competition/anti-trust law issue and a data protection/privacy law issue – if not, then consider outsourcing the handling of this;
- Update and/or revise policy documentation, and, review procedures to address risk assessment, response management, internal investigation, and, incident reporting to deal with a combined competition/anti-trust law and data protection/privacy law issue; and,
- Undertake training to create understanding about the possibility of a combined competition/anti-trust law and data protection/privacy law issue – think about creating do’s and don’ts for staff.
We have written about data protection breaches and compensation/litigation issues here: https://www.corderycompliance.com/data-protection-breaches-and-compensation-litigation-issues-for-consideration/.
We have written about setting fines under EU GDPR here: https://www.corderycompliance.com/eu-dpb-gdpr-fines/.
We write about data protection and privacy issues here: https://www.corderycompliance.com/category/data-protection-privacy/.
The European Court of Justice judgment in the case of Meta Platforms and Others (C-252/21) can be found here: https://curia.europa.eu/juris/document/document.jsf?text=&docid=275125&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=72320.
The UK Competition Appeal Tribunal judgment in the case of Dr Liza Lovdahl Gormsen v Meta Platforms, Inc. and Others can be found here: https://www.catribunal.org.uk/judgments/14337722-dr-liza-lovdahl-gormsen-v-meta-platforms-inc-and-others-judgment-cpo-application.
The UK government official review to consider whether to move to a system of opt-out proceedings in the courts for infringements of data protection legislation can be found here: https://www.gov.uk/government/publications/call-for-views-and-evidence-review-of-representative-action-provisions-section-189-data-protection-act-2018/uk-government-response-to-call-for-views-and-evidence-review-of-representative-action-provisions-section-189-data-protection-act-2018
The European Data Protection Board “Guidelines on the calculation of administrative fines following public consultation” can be found here: https://edpb.europa.eu/news/news/2023/edpb-adopts-final-version-guidelines-calculation-administrative-fines-following_en.
For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1784
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 347 2365