In recent months, several competition authorities have declared that they would seek to use competition law for forcing companies to give third parties access to data collected by them. Enforcing such access obligations is, however, challenging where the data in question is personal data. Based on three case studies, Bird & Bird partners, Anne Federle (competition law) and Benoit Van Asbroeck (IT & data protection), are exploring in this article whether and how companies can obtain access to personal data collected by another market player.
Does competition law give a right of access to another company’s data?
The fact that data collected by a company can be an indispensable input for the business activities of other companies – and thus for the continued existence of effective competition on certain markets - is increasingly being recognized by competition authorities. In particular large multi-sided online platforms such as Amazon, Facebook and Google have been identified as having collected vast volumes of highly valuable consumer data that make it difficult for smaller companies and new market entrants to compete with them. As Commissioner Magrethe Vestager put it: “Data allows you to be competitive. You can develop excellent and innovative technologies but if you do not have access to data at the same time, you will not be able to offer clients good service”. She therefore declared that “Access to data has to be redesigned so that newcomers can compete with big tech giants.”
Competition law offers companies two legal grounds for claiming access to another company’s data.
- A company can rely on the prohibition of anticompetitive agreements (Article 101 TFEU) if the data controller’s refusal is based on an agreement with other companies. That would, for instance be the case when several companies collecting certain types of data were to agree not to share this data with (certain categories of) third parties.
- In the absence of such an agreement a company can seek to rely on the prohibition of the abuse of dominant position (Article 102 TFEU). This prohibition may be violated if a company with a monopoly over certain data refuses access without objective reasons or offers access only under discriminatory or unfair conditions.
In practice, most companies will have to rely on the prohibition of an abuse of a dominant position to obtain access to another company’s data. But obtaining access to data on this basis is challenging.
Firstly, the claimant has to establish that the data controller holds a dominant position. Whether this is the case depends on how the relevant market is defined, which may be an untested and difficult question. A number of national competition laws also prohibit the abuse of a position of dependency. This is for instance the case in Belgium, Germany and France. But also establishing the required degreed of dependency can be very challenging.
Secondly, the claimant has to show that the data constitute an "essential facility", i.e. the data are indispensable for its business activities and there is no other reasonable means of obtaining the data. Where the data in question are consumer data, data controllers can often argue that any company with an online offering is able to collect such data.
Thirdly, the claimant needs to demonstrate that the refusal of access to the data would exclude all or most competitors from the market.
Finally, a successful claim requires that the refusal of access is not justified by objective reasons. Possible justifications include the need to protect the investment of the data controller, safety/cyber-security risks or - data protection requirements.
This raises the broader question whether controllers of personal data can reject all access claims by invoking their obligations under data protection law.
What happens if the data are personal data?
Article 6 and 9 of the GDPR provide for a limited number of legal grounds that allow a data controller to share personal data. They include consent of the data subject, legitimate interest, contractual necessity, vital interest of the data subject and legal obligation. In principle, obligations under competition law constitute legal obligations within the meaning of Article 6(1)(c) of the GDPR and thus allow the sharing of data without the data subject’s consent. However, there are two principles that limit the sharing of personal data based on an obligation under competition law:
- Competition authorities must take the right to privacy into account when ordering an organisation to give third parties access to personal data. The right to privacy is a fundamental right protected by Article 8 of the EU Charter. Moreover, authorities must respect the principle of proportionality and thus must carefully weigh the importance of protecting the data subjects’ right of privacy against the competition law concerns that the access obligation seeks to address.
- Even if competition law provides a legal basis for the sharing of personal data, the access must be implemented in compliance with key data protection principles such as purpose limitation, transparency and the right of the data subject to have the data corrected.
This means that protection rules can very well be used as a defence against data access requests based on competition law.
We have put together three short case studies to illustrate how these principles work in practice.
Three case studies
Case study 1:
Company A recently entered the French gas market, where the former monopolist Gaz de France Suez (“GdF”) continues to hold a share of well over 50%. GdF has detailed data (including consumption data) on nearly all consumers in France, which it has gathered over many years. Company A requests access to customer data held by GdF, arguing that this is the only way in which it will be able to compete with GdF.
Does A have a right of access under competition law?
Given its high market share, there can be little doubt that GdF holds a dominant position on the French gas market. The data held by GdF are likely to be viewed as an essential facility since there is no other database providing the data necessary for developing competitive offers to consumers. A refusal of GdF to share the data would not allow other gaz suppliers to compete effectively with GdF. In principle, a refusal to grant Company A access to the data constitutes an abuse of GdF’s dominant position. But does data protection law provide GdF with an objective justification for refusing to share the data?
Can GdF refuse access based on data protection law?
GdF does not have the required consent of its customers for sharing their data with a third party. Given that a refusal to give access in principle violates competition law, there is however a legal obligation justifying the sharing of data.
But as mentioned earlier, the way in which the personal data are shared with Company A must comply with the data protection rules. Ordering GdF to ask each customer for consent would address data protection concerns but would not solve the competition law problem since it would not give Company A access to sufficient volumes of customer data.
It is therefore interesting to see the solution adopted by the French Competition Authority in its decision of 9 September 2014 in the Direct Energie/GDF Suez case, on which this case study is based. After consulting the French Data Protection Authority CNIL, the French authority ordered GdF to disclose parts of its consumer database to the market entrant Direct Energie. But in line with the recommendation of CNIL, the authority required GdF to inform all customers of the envisaged transfer and offer them the opportunity to opt out.
What happens if the legal obligation falls away subsequently?
The fact that GdF challenged the French Competition Authority’s decision before the courts raises the interesting question: what happens if the finding of a dominant position and/or an abuse is not upheld by the courts? In that case, a legal obligation for sharing the customer data with Direct Energie would have never existed. This illustrates why the solution devised by the French competition and data protection authorities is truly smart. It ensured that, even in case the competition law obligation fell away, GdF could rely at least on some kind of tacit consent of all customers who had not opted out. Such tacit consent does not meet the requirements for consent under the GDPR. However, it certainly reduced significantly the risk of GdF being fined if the competition law obligation had fallen away at a later stage.
Case study 2:
Immo2020 has become Belgium’s largest and by far most used online platform for the sale and rental of industrial and private real estate. The platform has also developed a successful business selling advertising space.
Despite repeated demands by advertisers, Immo202 refuses to share user data with advertisers, making it impossible for them to serve targeted ads. A group of advertisers that are frustrated by Immo2020’s position threatens to file a complaint with the European Commission and the Belgian Competition Authority.
Do the advertisers have a right of access under competition law?
Immo2020 is likely to be viewed as holding a dominant position. Given that user data are indispensable for targeted advertising, the advertisers may also be able to show that only access to data collected by Immo2020 allows them to successfully sell their services and that the data thus are an “essential facility”.
However, it appears debatable whether the refusal by Immo2020 effectively excludes competition on the relevant market. It is likely that advertising on Immo2020 is only one of many different options available to the advertisers in question.
Can Immo2020 refuse access based on data protection law?
The information to which the advertisers are claiming access is personal data (IP address, location, language, device type etc.). There is increasing consensus among data protection authorities that the only lawful basis for sharing personal data with advertisers is consent. This is, for instance, the view stated by the UK Data Protection Authority (ICO) in its “Update report into adtech and real time bidding” of 20 June 2019. This suggests that a competition law obligation is not a sufficient legal basis in itself for granting the advertisers access to Immo2020’s data.
Is there room for a solution similar to that in the Direct Energie/GdF case? For consent to be valid under the GDPR, the user must have prior information about each data controller that may get access to his/her data. This is impossible in practice where data are used for advertising purposes, in particular if this involves real-time bidding for advertising space.
Immo2020 therefore has strong arguments to justify its refusal to give advertisers access to its user data.
Case study 3:
Company C has developed a suite of innovative services for the management of vehicle fleets. Most of its target customers have fleets of light commercial Toyota vehicles. Company C therefore wishes to obtain direct real-time access to certain data collected by such Toyota vehicles (location, n° of km driven, fuel level/consumption, required repair/maintenance etc.).
Toyota, which equally offers fleet management services, refuses access to the data, citing safety, security and data protection concerns.
Does C have a right of access under competition law?
In principle, each car manufacturer holds a dominant position on the market for data gathered by its vehicles. The data to which Company C seeks to get access are also likely to be considered as an essential facility. The data held by Toyota give it a significant advantage over Company C and may foreclose competing providers of fleet management services. Moreover, there is no other way to obtain the requested data. Company C may also be able to show that the refusal by Toyota would exclude effective competition on the market for fleet management services for Toyota vehicles (even though it is debatable whether this is a separate relevant market).
Can Toyota refuse access based on data protection law?
Toyota obviously can use data protection arguments only if the requested data are personal data. The information to which C is claiming access is linked to the status of a vehicle and thus, in principle, constitutes non-personal data. However, data collected by connected vehicles qualify as personal data if they can be linked to one or more individuals. This means that the qualification of the data as personal or non-personal depends on the way C’s target customers organize their vehicle fleets. If the vehicles are used by different drivers, the data are not personal. By contrast, if the vehicles have dedicated drivers (e.g. vehicle leased for employees of the customer), the data are personal data.
Even if the requested data are personal data, Toyota is required to give Company C access since competition law creates a legal ground for sharing the data. However, the way in which access to the personal data is granted must comply with the key data protection principles, including transparency, information of the data subjects and data minimization.
Moreover, competition law does not require Toyota to make the data available for free but allows Toyota to charge a reasonable fee.
We conclude with a few thoughts on elements you should take into account when your company is faced with a data access claim or considers bringing a data access claim.
- If you use data protection rules as a defence against a data access claim, it is important to consider the potential negative consequences of doing so. For instance, by making the argument you may be admitting that certain practices of your company violate data protection law.
- If you are faced with request of access to personal data, consider involving data protection authorities in the administrative or court proceedings to support your position.
- If you are seeking access to personal data, consider proposing solutions that address possible data protection concerns.