The interplay of data protection and competition law - issues beyond the Facebook case

• Can codes of conduct or other agreements between competitors on data protection and privacy policies violate competition law?
• Can a dominant undertaking justify its refusal to grant access to data collected by it by invoking its obligations under data protection law?
• Do the data protection rules limit the collection of information during investigations by competition authorities or internal investigations?

1. Codes of conduct and ANTICOMPETITIVE AGREEMENTS ON data protection & privacy policies

On 12 February 2019 the European Data Protection Board ("EDPB") published Guidelines on Codes of Conduct and Monitoring Bodies under the General Data Protection Regulation ("GDPR")[1]. Article 40 of the GDPR provides that companies can sign up to an industry code of conduct as a practical and cost-effective way to show regulators they comply with the law.

Such codes of conduct will necessarily result in an alignment of the participating companies' privacy policies. This raises the question whether and in which circumstances such an alignment may result in an illegal restriction of competition.

There is a growing consensus that the level of privacy protection can constitute an important parameter of competition. In an article on the Facebook/WhatsApp merger control case'[2], the EC pointed out that privacy policies constitute a non-price parameter of competition. It explained that the degradation of privacy policies could affect other aspects of product quality, or amount to an increase in the “price” paid by consumers for the product (e.g. in terms of requiring more personal data to be provided). The EC noted, however, that this would only be likely to affect competition where privacy was a key parameter of competition between substitutable products. It considered that this was not the case for consumer communications apps, where other factors such as price, reliability of service, user base and popularity were more important.

The EC further affirmed this stance in its Microsoft/LinkedIn decision[3], where it held that data privacy is ‘a significant factor of quality’ in the market for Professional Social Networks. Similarly, in Google/DoubleClick[4], the US Federal Trade Commission ("FTC") acknowledged that mergers can ‘adversely affect non-price attributes of competition, such as consumer privacy’.

There can be little doubt that the importance of data protection as a parameter of competition has increased significantly during the last years. Consumers are more aware of the way in which their data are being used and are increasingly taking steps to protect their personal data.  This means that companies that collect such data will increasingly compete with their rivals also on the degree of privacy protection they offer.

If competitors were to agree to reduce or limit the level of protection for users' personal data, their conduct could therefore fall under the prohibition of anti-competitive agreements in Article 101 of the Treaty on the Functioning of the European Union ("TFEU"). The arrangement would be similar to an agreement to reduce or limit the quality of the parties' products. For instance, in the Belgian Association of Pharmacists case[5], an agreement to restrict suppliers from producing products of a different, inferior, standard (thus limiting the variety of products supplied) has been found to infringe Article 101(1).

Similarly, the exchange of information between competitors about planned changes to their privacy policies may violate competition law since it would remove the uncertainty as to their future conduct and, thereby, eliminate a large part of the risk usually inherent in any independent change of conduct on a market[6].

However, codes of conduct and agreements between companies in the same industry regarding data protection policies can also have significant benefits. They can enhance compliance with the data protection rules by clarifying how the Regulation's generic rules apply to the handling of data in a specific industry. They may also allow the setting up of systems or processes that make companies' data protection efforts more efficient and cost-effective. In this case, conduct that restricts competition and therefore falls under Article 101(1) TFEU may be exempted (and thus permitted) under Article 101(3) TFEU on the basis that the benefits resulting from the conduct outweigh the adverse impact on competition.

In particular agreements that set a minimum level of protection have good chances of qualifying for an exemption. For instance, in CECED[7]the EC granted an individual exemption for an agreement between virtually all European producers and importers of washing machines to stop producing/importing the least energy-efficient machines (energy categories D to G). The Commission noted that the agreement would restrict competition, but acknowledged that it would lead to environmental benefits and reduce purchasers' electricity bills, thus achieving a higher degree of consumer protection.

2. Data Protection & Access Rights under competition law

A dominant company is required to grant third parties access to data it has collected if (i) the data constitute an "essential facility" to the activity of the third party asking for access (i.e. the data is indispensable for the business activities of the third party), (ii) there are no objective considerations that would justify a refusal to grant access and (iii) it is likely that a refusal would exclude all competition in the other market[8].

If the data to which a company claims access under the essential facilities doctrine include personal data this raises the question whether a dominant undertaking can justify its refusal to grant access by invoking its obligations under data protection law.

The French Autorité de la concurrence had to deal with this issue already in 2014, when it received a complaint against GDF Suez. The measures requested by the complainant included ordering GDF Suez to give competing suppliers of natural gas access to certain customer data including the customers' names, addresses, telephone numbers and consumption profiles.[9] The fact that such data were protected under the French Loi Informatique et Libertés did not prevent the Autorité from ordering GDF Suez to grant access to this data. In line with the recommendations made by CNIL (the French data protection authority), the Autorité merely required GDF Suez to inform its customers that competitors would be able to request access to their personal data and that they had the possibility to refuse such access.

The question is also of significant importance in the automotive industry. Modern motor vehicles (in particular connected and autonomous vehicles) generate a huge amount of data ("in-vehicle data") that are of significant interest to a large number of players, including independent repair & maintenance providers, insurance companies, car-sharing companies, software companies developing apps for drivers etc. There is an ongoing debate between the industry associations representing the different stakeholders on the extent and the way in which car manufacturers should grant access to in-vehicle data. Since it is uncertain whether these discussions will result in a solution that will be satisfactory to all parties, the question has arisen whether companies seeking to get access can rely on competition law and in particular the essential facilities doctrine.

Most in-vehicle data constitute personal data since they are linked to the owner of the vehicle through the Vehicle Identification Number (VIN) or the license plate. This means that not only motion and position data, data entered into/transferred to the vehicle by its user (such as device settings, destination data or telephone numbers) are personal data but also purely technical data such as fill and consumption levels, mileage, sensor, engine and event data. Given the very large volume of this data, granting access subject to the consent or an opt-out right of the data subjects does not seem a realistic option.

One solution could be to grant a right of access to anonymised data, which fall outside the scope of the GDPR,[10]or to pseudonymised[11] data. For many of the applications for which service providers seek to obtain in-vehicle data anonymised (or pseudonymised) will be sufficient. This is, for instance the case for applications using "swarm data" (i.e. data collected by a large number of cars) such as notification services regarding traffic jam, fog, road conditions or free parking lots. In certain cases, service providers may also be able to invoke other grounds under Article 6 GDPR to be able to access in-vehicle data without the data subject’s consent. For instance, insurance companies may be able to rely on the necessity of the data for the "performance of a contract" with another data subject.

A set of in-vehicle data for which the EU legislator is likely to create specific rules is data required for communication between vehicles and traffic infrastructure in intelligent traffic systems (“Cooperative Intelligent Transport Systems”, "C-ITS"). The Article 29 Working Party has recommended the adoption of sector-specific EU legislation on the collection and processing of location data for C-ITS applications,[12] which would create a “legal obligation" to allow the use of personal data within the meaning of Art 6(1)c GDPR.

3. Data Protection & Competition Law Investigations

Since the entry into force of the GDPR in May 2018, various EU institutions and agencies were faced with claims from companies that the GDPR prevents them from cooperating with their investigations. Some companies claimed in particular that:

• the GDPR prevents them from disclosing personal data in reply to information requests or during inspections;
• if they were to disclose personal data in reply to such information requests or during inspections, they would have to inform the data subjects affected;
• the GDPR prevents them from committing to audit/inspection clauses in funding agreements.

The EC’s Directorate-General for Competition (DG COMP) as well as other EU bodies therefore asked the European Data Protection Supervisor (EDPS) for guidance. In an eight-page letter to these institutions dated 22 October 2018[13], the EDPS explained that “the GDPR is not an obstacle to obtaining the personal data you need for your tasks”. The letter stresses that also the EU institutions are required to observe a high standard of data protection on the basis of Regulation (EC) 45/2001, which applies specifically to the EU institutions and is referred to in Article 2(3) GDPR. This Regulation was replaced by a new regulation[14] the content of which has been adapted to the GDPR in October of last year.

According to the letter, two situations can be distinguished:

a) If a company is under an obligation to provide information to EU institutions which includes personal data (e.g. in case of an on-site inspection or a formal information request by DG COMP), this creates a legal obligation for the data controller within the meaning of Article 6(1)(c) GDPR, which authorizes the company to disclose the personal data.

Interestingly, in November 2017 the District Court of The Hague came to the same conclusion but based on a different legal reasoning with regard to the powers of the Netherlands Authority for Consumers and Markets ("ACM"). During a competition law dawn raid, the ACM had made extensive copies of data on mobile phones of employees, which also included private information. In summary proceedings regarding the legality of the ACM's investigative measures, the Court held that the interest of the ACM in conducting the investigation outweighed the data subject’s right to privacy since the investigation could not reasonably be conducted without copying the personal data.

b) If a company voluntarily provides information to EU institutions which includes personal data (e.g. response to an informal information request of DG COMP or whistleblowing to DG COMP about the company’s involvement in a cartel), this may be lawful on the basis that the disclosure is necessary to pursue the company’s legitimate interest and these interests are not overridden by the interests of fundamental rights of the data subject (Article 6(1)(f) GDPR).

Similar principles apply where a company provides information to a competition authority of a non-EEA country. However, in that case, it is important to verify in addition whether the transfer of personal data to a country outside the EEA benefits from a lawful data transfer mechanism (Art 44 and seq. GDPR). In many cases, companies will be able to show that the export is necessary for the "establishment or defence of legal claims" (Article 49(1)(e) GDPR). Recital 111 GDPR[15] makes clear that the term "establishment or defence of legal claims" includes not only court proceedings but also proceedings before a competition authority.

The letter of the EDPS also rejects the allegation by companies that Article 14 GDPR requires them to individually notify the data subjects affected by the investigation and inform them that their personal data have been made available to the EC for the purpose of an investigation. Such a notification could obviously disrupt the investigation since it may “tip off” suspects, who may then seek to destroy or hide evidence. It is true that Article 14(1)(e) GDPR obliges data controllers to inform data subjects about the “recipients or categories of recipients” of their personal data. However, Article 4(9) GDPR specifies that “public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients”. This means that companies providing personal data of employees to the EC or a national competition authority in the EU in response to an information request, or voluntarily in view of a (pending or future) investigation are not required to inform the employees concerned about the disclosure of their personal data.

Similar questions arise when a company carries out an internal audit to determine whether certain employees have been involved in illegal activities (e.g. following a report from a whistle-blower or a customer complaint). Such audits typically involve a review of emails and other correspondence, which constitute personal data. Seeking the consent of the employees concerned is typically not an option. This would make them aware that their activities are being investigated and thus could defeat the very purpose of the audit. Moreover, given the imbalance of power in the employer-employee relationship, it is unlikely that the company would be able to rely on the consent. Organisations therefore generally have to rely on legitimate interest as the basis for reviewing personal data as part of the audit. Moreover, in order to comply with the GDPR transparency requirements it is advisable to stipulate in employment contracts and/or applicable collective agreements that employees' personal data may be accessed during internal audits.