Hostname: page-component-78c5997874-lj6df Total loading time: 0 Render date: 2024-11-14T06:02:04.109Z Has data issue: false hasContentIssue false

Towards Smarter Regulation in the Areas of Competition, Data Protection and Consumer Law: Why Greater Power Should Come with Greater Responsibility

Published online by Cambridge University Press:  12 November 2020

Inge GRAEF
Affiliation:
Associate Professor of Competition law at Tilburg University, Tilburg, The Netherlands, affiliated to the Tilburg Institute for Law, Technology and Society (TILT) and the Tilburg Law and Economics Center (TILEC); email: I.Graef@tilburguniversity.edu.
Sean VAN BERLO
Affiliation:
Research assistant at Tilburg University, Tilburg, The Netherlands.
Rights & Permissions [Opens in a new window]

Abstract

Based on a mix of conceptual insights and findings from cases, this paper discusses three ways in which the effectiveness of regulation in the areas of competition, data and consumer protection can be improved by tailoring substantive protections and enforcement mechanisms to the extent of market power held by firms. First, it is analysed how market power can be integrated into the substantive scope of protection of data protection and consumer law, drawing inspiration from competition law’s special responsibility for dominant firms. Second, it is illustrated how more asymmetric and smarter enforcement of existing data protection rules against firms possessing market power can strengthen the protection of data subjects and stimulate competition based on lessons from priority-setting and cooperation by consumer authorities. Third, it is explored how competition law’s special responsibility for dominant firms can be further strengthened in analogy with the principle of accountability in data protection law. Similarly, it is discussed how positive duties to ensure fair outcomes for consumers are developed in consumer law. The analysis offers lessons for improving the ability of the three regimes to protect consumers by imposing greater responsibility on firms with greater market power and thus posing greater risks for consumer harm.

Type
Articles
Creative Commons
Creative Common License - CCCreative Common License - BY
This is an Open Access article, distributed under the terms of the Creative Commons Attribution licence (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted re-use, distribution, and reproduction in any medium, provided the original work is properly cited.
Copyright
© The Author(s), 2020. Published by Cambridge University Press

I. Introduction

Debates about the protection of consumers are often dominated by concerns relating to the practices of powerful firms whose activities reach large groups of consumers and thereby create particularly high risks of consumer harm. This is also reflected in current policy discussions at the European Union (EU) level where the introduction of asymmetric regulation only applicable to “gatekeeping platforms” is considered within the context of the Digital Services Act.Footnote 1 According to the European Commission, additional rules may be needed to ensure fairness and innovation and to protect public interests going beyond competition or economic considerations.Footnote 2 The need for such new ex ante regulation has so far been mainly determined on the basis of alleged limits of EU competition law.Footnote 3 This paper starts from the insight that the ability of EU data protection and consumer law to address concerns should also be considered when determining possible gaps in the current EU legal framework to adequately protect consumers vis-à-vis conduct of powerful players.Footnote 4

While EU competition law imposes additional restrictions on the behaviour of dominant firms through the abuse of dominance prohibition of Article 102 of the Treaty on the Functioning of the European Union (TFEU), the regimes of EU data protection and consumer law apply to all firms without tailoring their obligations to a firm’s market share or scope of activities. Based on an analogy with the role of the special responsibility applicable to dominant firms in EU competition law, this paper explores to what extent stricter obligations for stronger market players can already be derived from current data protection and consumer law. We submit that a more asymmetric interpretation and enforcement of data protection and consumer law is necessary to reflect market reality where the behaviour of powerful firms is less constrained by competitive forces. By interpreting and enforcing data protection and consumer law uniformly irrespective of the market position of a firm, customers of powerful market players suffer from less effective protection. To address this, we suggest ways to impose a greater level of responsibility on firms possessing greater power, not only under competition law, but also under data protection and consumer law.

Based on a mix of conceptual insights and findings from concrete cases, the paper discusses three ways in which the effectiveness of regulation can be improved by tailoring enforcement approaches to the extent of market power held by firms. Section II analyses how market power can be integrated into the substantive scope of data protection and consumer law, drawing inspiration from competition law. Section III illustrates how smarter enforcement of existing data protection rules against firms possessing market power can strengthen the protection of data subjects, as well as stimulate competition, based on lessons from priority-setting and cooperation by consumer authorities. While market power is incorporated into the very design of competition law, Section IV shows how the latter’s notion of special responsibility can be further strengthened in analogy with the principle of accountability in data protection law. Similarly, it is discussed how positive duties to ensure fair outcomes for consumers are being developed in consumer law. Section V concludes by offering lessons to improve the ability of the three regimes to protect consumers in terms of both the substantive scope of protection and enforcement mechanisms.

II. Integrating market power into the substantive scope of protection

The special responsibility of dominant firms is a well-established but not entirely uncontroversial concept in EU competition law. After exploring the development of the notion of special responsibility in decisions of the European Commission and case law of the EU Courts, this section shows how a form of special responsibility can also be incorporated into data protection and consumer law by interpreting their rules in a way that would result in stricter requirements for larger firms. While the existing frameworks of data protection and consumer law both offer room to do so, the risk-based approach of the General Data Protection Regulation (GDPR) provides a particularly promising starting point to integrate a notion of market power into the substantive interpretation of the data protection rules.

1. Competition law

a. Origins of special responsibility

Article 102 TFEU prohibits the abuse of a dominant position by an undertaking. The case law has emphasised that Article 102 TFEU does not prohibit companies from holding a dominant position per se. Instead, it places a “special responsibility” on a dominant firm not to allow its conduct to impair genuine competition. Dominant companies therefore have additional obligations placed upon them when compared to non-dominant companies: in specific circumstances, a dominant firm may not be allowed to engage in practices that are not in themselves abuses or practices that would be unproblematic if adopted by a non-dominant firm.Footnote 5

The notion that undertakings have a special responsibility under Article 102 TFEU can be found first in Michelin I, where the Court stated that “the [dominant undertaking] has a special responsibility not to allow its conduct to impair genuine undistorted competition on the common market”.Footnote 6 In this formulation, the Court expanded on a point it made in Hoffman-La Roche, where it found that the sheer presence of a dominant firm is enough to assume a weakened state of competition.Footnote 7 Therefore, a dominant firm has a special responsibility not to distort competition because its market power provides it with greater (and perhaps unique) opportunities to damage the competitive process.Footnote 8 The Court has chosen to interpret the scope of this responsibility in a broad manner, potentially covering all conduct of a dominant undertaking that hinders the maintenance or growth of remaining competition.Footnote 9 It has also emphasised repeatedly that there is no single test for the scope of special responsibility and that it instead “must be outlined in light of the specific circumstances of each case”, such as the degree of dominance and the special characteristics of the market.Footnote 10

The Court has been quick to point out that the special responsibility of a dominant undertaking does not prohibit a firm from competing altogether. In Hoffman-La Roche, the Court stated already that only “methods different from those which condition normal competition” are problematic.Footnote 11 However, while the Court has emphasised that dominant undertakings have a right to protect their own interests or otherwise meet competitors, it has historically interpreted this margin narrowly, repeatedly rejecting claims to this effect where it found that an undertaking had the “actual” purpose of strengthening a dominant position.Footnote 12

b. Link with the notion of competition on the merits

Despite the fact that the existence of a special responsibility has often been mentioned in the case law, the exact implications and duties attached to it are not really clear.Footnote 13 For a long time, a reference to a dominant undertaking’s special responsibility by the Court would inevitably signal the finding of an abuse, even though the exact relationship between the two was not explored.Footnote 14 The EU Courts paid lip-service to the notion of special responsibility without thoroughly examining the margin between an undertaking being dominant and an undertaking abusing this dominance.Footnote 15 The Court of Justice seems to have attempted to address this criticism by stating that special responsibility means “only that a dominant undertaking may be prohibited from conduct which is legitimate where it is carried out by non-dominant undertakings”.Footnote 16 In doing so, it has in a way denoted special responsibility more as a descriptive element that is intrinsic to Article 102 TFEU (treating it indeed as a “statement of the obvious”)Footnote 17 rather than as an element on the basis of which abusive behaviour can be determined in and of itself.

Because of this, more concrete inferences about the duties imposed by the special responsibility of dominant undertakings can only be retrieved by looking further at the specific tests utilised by the EU Courts and the Commission in abuse of dominance cases.Footnote 18 These tests have been substantially sharpened in recent decades due to criticism that Article 102 TFEU imposes restrictions on dominant undertakings that were unlikely to improve the competitiveness of the market, and instead were merely protecting weaker competitors.Footnote 19 Both the Court and the Commission have clarified that a dominant undertaking is allowed to “compete on the merits”.Footnote 20 The Commission qualifies this as competition on “prices, better quality, and a wider choice of new and improved goods and services”.Footnote 21 In practice, this has limited the additional duties flowing from the notion of special responsibility. As stated by the Court, “not every exclusionary effect is necessarily detrimental to competition”, and “[c]ompetition on the merits may, by definition, lead to the departure from the market or the marginalisation of competitors that are less efficient and so less attractive to consumers from the point of view of, among other things, price, choice, quality or innovation”.Footnote 22 It is no coincidence that the first ever case wherein an undertaking was stated to have a special responsibility without the Court subsequently finding an abuse (Post Danmark I) focused heavily on the undertaking competing on the merits.Footnote 23

At the same time, both the Commission and the Court have acknowledged that the special responsibility of dominant firms can also apply towards less efficient competitors in certain circumstances. In the context of rebates, the Court argued in Post Danmark II that “applying the as-efficient-competitor test is of no relevance inasmuch as the structure of the market makes the emergence of an as-efficient competitor practically impossible”.Footnote 24 And in its Guidance Paper on enforcement priorities of Article 102 TFEU, the Commission recognised that a less efficient competitor may sometimes also exert a constraint that should be taken into account to determine whether there is anti-competitive foreclosure.Footnote 25 The scope of the special responsibility of dominant firms in relation to the protection of competitors is becoming more relevant again, as recent competition cases at the EU level focus on the anti-competitive effects that the conduct of dominant platforms can have on the position of businesses in downstream markets. Examples are the self-preferencing behaviour at stake in the Google Shopping decision,Footnote 26 the issue of preferential access to data in the ongoing Amazon investigationFootnote 27 and the impact of restrictions applicable to businesses in the App Store and Apple Pay in the Apple investigations.Footnote 28

c. Super-dominance and new notions of power

A similar development can be seen when we examine the concept of “super-dominance” under Article 102 TFEU. Super-dominance (or “quasi-monopoly” in the terminology of the Court) had been introduced as a way to acknowledge that even among dominant undertakings there are different degrees of market power.Footnote 29 It is closely related to the concept of special responsibility, with Advocate General Fennelly arguing that undertakings that are super-dominant have a “particularly onerous special responsibility” resting upon them.Footnote 30 Expressed differently, super-dominance is a way to establish an extended scope of special responsibility for an undertaking that goes even beyond that of a “normal” dominant undertaking.Footnote 31 At first glance, this concept seems compatible with the case law requiring special responsibility to take into account the “degree of dominance and the special characteristics of the case”. Some commentators have argued that super-dominance might simply acknowledge the reality that undertakings with overwhelming market power have a greater capacity to abuse that position.Footnote 32

Nonetheless, the concept has come under fire, with commentatorsFootnote 33 arguing that super-dominance de facto ends up punishing undertakings for their size as opposed to their abusive behaviour.Footnote 34 In its Microsoft judgment, the General Court paid attention to the “extraordinary features” that Microsoft’s dominant position in the market for PC operating systems exhibited, which may have formed a reason for the lowering of the conditions under which a refusal to supply interoperability information was held abusive as compared to earlier refusal to deal cases.Footnote 35 In TeliaSonera, the Court of Justice clarified in the context of the assessment of margin squeezes that the degree of dominance does not play a role in determining whether abuse exists, but is significant in relation to the extent of the effects of conduct.Footnote 36 In this regard, the degree of dominance can thus be a relevant factor in the assessment of the gravity of abusive conduct under competition law. The notion of super-dominance is gaining relevance again, but under a different name. Competition policy reports published in 2019 mentioned concepts of market players with “significant market status” and undertakings in a position to exercise market power over a gateway or bottleneck as triggers for new regulation beyond competition law.Footnote 37 The upcoming Digital Services Act is now indeed expected to introduce rules for “gatekeeping platforms”,Footnote 38 and the UK Competition and Markets Authority (CMA) suggested a number of interventions targeted at platforms with “strategic market status” in its July 2020 final report on online platforms and digital advertising.Footnote 39

2. Data protection law

a. GDPR’s risk-based approach

A link between competition law’s notion of special responsibility and data protection is already present in the investigation of the German Bundeskartellamt against Facebook. In its 2019 decision, the Bundeskartellamt explicitly found that Facebook holds a “quasi-monopolist” position that threatens to “tip” into a monopolist one.Footnote 40 The Bundeskartellamt built its findings around a number of parameters that show how and why the position of super-dominance exists and why it is especially relevant in markets like the one for social networks.Footnote 41 From this finding of super-dominance, the Bundeskartellamt went on to impose a broadly defined special responsibility on Facebook, arguing that Facebook had abused its dominant position by infringing data protection law. The Facebook decision brings up the question whether dominant firms can be argued to carry a higher responsibility than non-dominant firms as regards compliance with data protection law. The Bundeskartellamt explored this issue by using data protection rules as a benchmark to establish an exploitative abuse in competition law, where market power and special responsibility are inherent parts of the analysis. However, one can also take a purely data protection perspective and try to incorporate a special responsibility within data protection law itself by drawing inspiration from the role of the concept in competition law, as the next paragraphs illustrate.

EU data protection law and the GDPR,Footnote 42 as the main secondary legislative instrument, apply to all forms of processing of personal data regardless of the market position of the data controller and the scope of the data processing. This means that the GDPR does not impose additional obligations on dominant firms that do not apply to non-dominant firms, as is the case under the abuse of dominance prohibition of EU competition law. All data controllers have to comply with the same duties set out in the GDPR, irrespective of their size.

At the same time, the GDPR does take into account the level of risk in terms of the scale of the obligations applicable to controllers. When the risk of processing is higher, more detailed obligations will apply to controllers.Footnote 43 For example, “the risks of varying likelihood and severity for the rights and freedoms of natural persons” play a role in determining to what extent the controller must implement appropriate technical and organisational measures to ensure and be able to demonstrate that the processing of personal data is performed in compliance with the rules.Footnote 44 The GDPR makes similar references to risks of processing in the context of data protection by design, security of processing and data protection impact assessments.Footnote 45 In addition, the Court of Justice referred to the ubiquity of online search engines in Google Spain. In the case, the data subject invoked a right to have information relating to him personally no longer be linked to his name in a list of results displayed in a search engine following a search made on the basis of his name. The Court argued that “the important role played by the internet and search engines in modern society, which render the information contained in such a list of results ubiquitous”, heightened the effect of the interference caused by Google’s processing of personal data with the fundamental rights to privacy and data protection of the data subject.Footnote 46

Even though scale or size do not act as triggers for obligations of data controllers under EU data protection law, the risk that particular processing activities may bring about and the ubiquitous nature of a data controller can thus be considered as relevant factors in establishing, respectively, the scale of its obligations and the impact of its processing activities on the rights of the data subject.Footnote 47 Against this background, Lynskey introduced the term “data power”, referring to the power exercised by firms arising from the control over the data they hold, enabling them to profile users and to influence opinion formation. In her view, the GDPR’s risk-based approach could provide a normative foundation for the imposition of a special responsibility on controllers holding data power, in analogy with the special responsibility that competition law imposes on dominant firms.Footnote 48 Similarly, the European Data Protection Supervisor (EDPS) argued in its 2014 Preliminary Opinion on “Privacy and competitiveness in the age of big data” that the scalability of data protection provisions in relation to the volume, complexity and intrusiveness of data processing activities can be regarded as analogous to the special responsibility of dominant firms under competition law.Footnote 49 The EDPS also referred to case law of the European Court of Human Rights, which notes that: “The greater the amount and sensitivity of data held and available for disclosure, the more important [is] the content of the safeguards to be applied at the various crucial stages in the subsequent processing of the data”.Footnote 50 Because data protection has the status of a fundamental right in the framework of the Council of EuropeFootnote 51 and the EU,Footnote 52 a special responsibility could also be based on the horizontal effect of fundamental rights, going beyond data protection and applying to other constitutionally guaranteed rights, too. In this regard, the Federal Court of Justice argued in its June 2020 judgment in the German Facebook case that Facebook as a dominant social network provider that has taken over the framework conditions for communication is also bound by fundamental rights, in a similar way as the state.Footnote 53

In more general terms, the 2019 report on “Competition Policy for the Digital Era” commissioned by EU Commissioner Vestager argued that the interpretation and implementation of the GDPR should take the implications for competition into account and referred to the relevance of a firm’s market power under the GDPR’s risk-based approach.Footnote 54 This would seem to be particularly relevant for the interpretation of key data protection concepts such as the fairness of data processing and the accountability of data controllers. When a data controller is dominant or holds market power, we submit that it is desirable to apply stricter standards towards the principles of fairness and accountability in order to better protect data subjects, considering that they are less able to switch to another controller.Footnote 55

A concrete example where the impact and scale of the data controller’s activities seems to have been implicitly taken into account in the interpretation of the GDPR’s obligations is the decision of the French Commission nationale de l’informatique et des libertés (CNIL) fining Google in January 2019 for a lack of transparency, inadequate information and a lack of valid consent regarding personalisation of advertising. The French Council of State confirmed the decision of the CNIL in June 2020.Footnote 56 When assessing Google’s compliance with the requirements of transparency and information provision to data subjects, the CNIL paid attention to the “particularly massive and intrusive” character of the processing operations, considering the number of services offered and the amount as well as the nature of the data processed and combined by Google.Footnote 57 While the GDPR does not lay down a notion of special responsibility as has been developed by the EU Courts in competition law, the GDPR’s risk-based approach does offer room to take into account the relative size of data controllers and their processing activities. Even though small data controllers may also engage in far-reaching data processing activities and violations of the GDPR can take place irrespective of the size of the controller, there is reason to be particularly concerned about data controllers holding market power (which could be determined in the way that is common in competition law) whose behaviour is less constrained by market forces.

b. Relevance of market power to assess freely given consent

Beyond the GDPR’s risk-based approach as a high-level mechanism, there are more specific instances where a data controller’s market power can be a relevant part of a data protection analysis. For instance, the Article 29 Working Party referred to the existence of a dominant market position as a relevant piece of information for assessing whether a data controller’s legitimate interest in data processing is overridden by the fundamental rights or interests of data subjects in the context of establishing a lawful ground for data processing under Article 6(1)(f) GDPR.Footnote 58

Similarly, the existence of market power can be a relevant factor in the analysis of whether the consent of a data subject is freely given. Recital 43 of the GDPR states that consent is not freely given where there is a “clear imbalance” between the data subject and the data controller, in particular when the controller is a public authority. However, in its interpretation of the notion of freely given consent, the Article 29 Working Party stated explicitly that imbalances of power are not limited to public authorities. According to the Article 29 Working Party, consent is valid only if the data subject can exercise a real choice and there is no risk of deception, intimidation, coercion or significant negative consequences if he or she does not consent. More specifically, the Article 29 Working Party argued that consent is not free in situations where an element of compulsion, pressure or inability to exercise free will is present.Footnote 59 The existence of market power can act as a good indicator to determine whether such a “clear imbalance” between the data subject and the data controller is present.

A data subject is usually in a weaker position than the data controller, so that situations without any imbalance are hard to imagine. In this regard, data protection law has similarities with consumer law in that both regimes are motivated by addressing power asymmetries. As a well-established concept in competition enforcement, an analysis of the market power of a data controller can act as a threshold to determine whether the extent of the imbalance in the circumstances of the case is such that the data subject’s consent can no longer be regarded as freely given.Footnote 60 Such an interpretation would imply that advertising-based companies such as Google and Facebook, which arguably hold a dominant position in their respective markets of online search and social networking, have limited ability to rely on data subject consent as a lawful ground for data processing. This would increase the importance of other lawful grounds such as the performance of a contract and the legitimate interests of the data controller. The 2019 Facebook decision of the Bundeskartellamt is instructive in this regard.

The Bundeskartellamt found that Facebook had abused its dominant position in the market for social networks by making the use of its social network dependent on users agreeing to the combination of data aggregated through Facebook’s different services and from third-party sources into a user’s Facebook’s account. In doing so, Facebook exploited its users in the view of the Bundeskartellamt by imposing “abusive business terms” that infringe data protection principles.Footnote 61 The Bundeskartellamt worked closely together with data protection authorities in coming to its conclusions (who it notes in a press statement “explicitly supported” the effort), providing a primary example of the ways in which these areas can be connected where they overlap in terms of substantive principles.Footnote 62 The way in which the Bundeskartellamt builds this connection is worth examining in more detail.

Firstly, it is important to note that the German Federal Court of Justice has ruled that the Bundeskartellamt can apply certain civil law concepts when assessing abusive practices, as well as that the Bundeskartellamt can intervene where market power leads to an interference with constitutional rights in contractual negotiations.Footnote 63 This allows the Bundeskartellamt to perhaps more easily justify the combined application of principles from different fields of law than would be possible on an EU level. The Bundeskartellamt notes that the GDPR already incorporates elements of market power, either indirectly or directly. In particular, the Bundeskartellamt states that the GDPR can be read to integrate market power in its assessment of certain areas, notably through its recitals stating that consent is not “freely given” where consumers have no alternative options or where there are clear power imbalances, such as in the case of a quasi-monopolist.Footnote 64

Therefore, the Bundeskartellamt argues, this is not only an instance of a dominant undertaking violating competition law through its breaking of data protection legislation, but inversely also a case of an undertaking violating data protection legislation because it holds a dominant position.Footnote 65 The company was only in the possibility to violate data protection law in the way it did because of its dominant position, invoking the notion of special responsibility and extending it to compliance with data protection law through the finding of an exploitative abuse under German competition law. In fact, the Bundeskartellamt outright states that: “Just because other Internet companies such as Yahoo, Bing Oracle or Google collect data via interfaces does not mean the same conduct by Facebook is permissible under data protection law”.Footnote 66

In formulating this two-way interaction between data protection law and competition law, the Bundeskartellamt has not only incorporated data protection principles into its competition analysis, but similarly transferred elements of competition law into data protection. Under such an approach, a case such as this could have been taken up by a data protection authority and have led to a very similar outcome: the data protection authority could integrate the market position of Facebook into its analysis and find certain data processing practices to be in violation of data protection principles, even where companies without market power might be allowed to carry out the same practices.Footnote 67

The Facebook decision also illustrates the difficulties in attempting to marry different legal disciplines, however. Facebook challenged the decision and the Higher Regional Court in Düsseldorf ruled in favour of the social media platform in the interim proceedings. In its August 2019 judgment, the Düsseldorf Court specifically chastises the Bundeskartellamt for straying too far from a traditional competition analysis, noting that data protection violations are not competition law problems when the Bundeskartellamt does not convincingly carry out a counterfactual and a consumer harm analysis.Footnote 68 In June 2020, the judgment of the Düsseldorf Court was overturned by the Federal Court of Justice. While the Federal Court of Justice sided with the Bundeskartellamt in qualifying Facebook’s conduct as abusive, the decisive issue in the view of the Federal Court of Justice is not whether Facebook violated the data protection rules. This was the reasoning at the heart of the Bundeskartellamt’s decision. Instead, the Federal Court of Justice argued that Facebook’s behaviour violated German competition law by restricting its users’ freedom of choice and right to self-determination as protected by the German constitution.Footnote 69 The case will now have to be decided on the merits by the Düsseldorf Court, so that it remains to be seen whether the decision of the Bundeskartellamt will remain in place.Footnote 70 Irrespective of whether the competition analysis in the Facebook case will be upheld, the GDPR’s risk-based approach provides room to tailor the interpretation of data protection law’s substantive protections to the market power of data controllers.

3. Consumer law

a. Consumer law’s lower thresholds as a regulatory advantage

Consumer law and competition law ostensibly share an overlapping goal: both aim to protect consumers from harm. Both fields, however, carry out their analysis on a different scale: consumer law examines the individual transaction between a consumer and a trader, whereas competition law concerns itself with the competitive process of the market as a whole.Footnote 71 Although consumer law is inherently concerned with addressing power asymmetries, its application does not diverge in accordance with the market power of the involved undertaking. Aside from some notable exceptions, consumer authorities do not consider market power or any special responsibility flowing therefrom in their substantive interpretation of the consumer rules.

For instance, when considering the findings of collective enforcement actions taking place at the EU level in the Consumer Protection Coordination Network (CPC), we see that the notion of market power plays no role in these conclusions, and nor is any market analysis performed. Consumer authorities do not differentiate between undertakings that have a large market share and those that have a small market share when finding violations: consumer law is applied uniformly regardless of the size of an undertaking. One example of this is the collective enforcement action against social network platforms by the CPC, in which uniform requirements have been imposed on the examined social networks (Facebook, Twitter and Google+) without taking into account any significant differences in market position and market share between the involved players.Footnote 72

The consequences of the different focuses of the two fields can be best illustrated by looking at cases where competition and consumer law investigations have been conducted in parallel. Both Dutch and UK enforcement agencies have carried out investigations (for online video platformsFootnote 73 and cloud storage services,Footnote 74 respectively) of this nature. In these investigations, no market power (and subsequently no reason to pursue further investigation) was established in the competition analysis, whereas the analysis under consumer law was not dependent on a finding of market power to identify concerns. For example, the competition analysis by the Netherlands Authority for Consumers and Markets of the online video platform market explored possible risks to competition; however, all of these risks were deemed unlikely to manifest. The reasons given for this were, among others, the absence of one single dominant player, the low barriers to entry and the non-rivalrous nature of data collected by these platforms.Footnote 75 Conversely, the different scope and approach of consumer law is apparent in that part of the analysis. The Authority compared the Unfair Contract Terms (UCT) DirectiveFootnote 76 to the terms utilised in contracts by these video platforms and subsequently found that all video platforms included terms that were undesirable from a consumer law standpoint.Footnote 77 Because this analysis focuses on the individual transaction between consumer and trader, one looks for behaviour that is deemed undesirable in and of itself instead of having to analyse behaviour within the context of the competitive process as a whole. This is also reflected in the length of each respective review: the competition analysis is about twelve times longer than the consumer law one.

Nonetheless, one might say that the “threshold” for finding violations under consumer law is significantly lower than that of competition law, reflecting the focuses of their respective analyses. When analysing cases under consumer and competition law in parallel, a strategic choice may therefore be to pursue investigations under consumer law because the latter does not require an analysis of the market to establish abuse of dominance. This may be especially interesting for cases concerning digital markets, as competition authorities have struggled with conducting market analyses and establishing theories of harm in these instances.Footnote 78 Conversely, the European Commission stated in its 2016 Guidance on the application of the Unfair Commercial Practices (UCP) Directive that the fact that practices infringe the competition rules does not automatically qualify them as unfair under the UCP Directive as well. However, the breach of competition law should be taken into account when assessing their unfairness under the Directive.Footnote 79

b. Usefulness of incorporating a notion of special responsibility

Concerns have been raised about the effectiveness of consumer law’s focus on the protection of consumers in individual transactions. Consumer law places the burden of decision-making on the consumer and remedies are often geared towards fine-tuning (often by increasing) the information that is made available to a consumer prior to a transaction. The criticism of this approach is that it is ineffective in addressing the power and information asymmetries that often occur in complex markets because it does not reflect economic realities of bounded rationality and the imbalances in the bargaining position of a consumer vis-à-vis a trader.Footnote 80 While there is no all-encompassing solution to such a structural problem, we submit that the recognition of a special responsibility for traders that hold market power can help address this problem.

An avenue that can be explored within consumer law in general is to incorporate a trader’s market power into the assessment of the fairness of contract terms and commercial practices. To determine whether a contract term causes a significant imbalance in the parties’ rights and obligations to the detriment of the consumer under the UCT Directive,Footnote 81 a more critical stance towards traders holding market power indeed seems valid, as consumers have less ability to switch to other providers. Similarly, commercial practices imposed by traders with market power may need to be assessed more strictly under the UCP Directive as to their ability to materially distort the economic behaviour of the average consumer.Footnote 82

The Italian Competition Authority (Autorita’ Garante della Concorrenza e del Mercato) indeed seems to have taken such an approach in its 2017 decision qualifying WhatsApp’s updated terms as unfair. The Italian Competition Authority found that WhatsApp de facto forced users to accept its new terms of service, and in particular the provision to give consent to share personal data with Facebook, by letting users believe that without granting such consent they would no longer be able to use the service.Footnote 83 According to Zingales, the position of WhatsApp as a market leader in consumer communications services has played a key role in the decision of the Italian Competition Authority, both in terms of the substance of the analysis and the quantification of the fine. Among other indications, he refers to the extent of “undue influence” exerted on consumers by WhatsApp that is defined by reference to WhatsApp’s market position, where the Italian Competition Authority concludes that consumers use WhatsApp daily, even replacing regular telephony, and therefore hardly have a choice to abandon the service. In addition, according to Zingales, the Italian Competition Authority argued that WhatsApp “leveraged” the dependence of its users on the service to obtain a “consent that is broader than necessary to continue using the application”.Footnote 84

Based on these elements in the reasoning of the Italian Competition Authority, one can indeed observe that higher standards have been applied to WhatsApp because of its position as a market leader. Botta and Wiedemann note that this decision concerns many of the same issues (combining concepts of market power, unfair terms and conditions and personal data protections) as covered by the German Facebook decision.Footnote 85 However, the Italian case was decided under consumer law instead of under competition law’s abuse of dominance prohibition.Footnote 86 In this regard, these cases are not only exemplary of the increasing convergence of data protection, consumer and competition law enforcement, but also of the different approaches taken by national authorities.

A more explicit recognition of a special responsibility in consumer law, in analogy with how the concept is applied in competition law, would in our view better reflect market reality in the enforcement of existing consumer rules. Criticism on such an approach may be that this leads to a situation where consumers of dominant firms benefit from a higher level of protection than consumers of non-dominant firms, going against the general applicability of the consumer rules. The same argument can be made in relation to the GDPR, which as one of its objectives promotes the fundamental right to data protection that needs to be respected irrespective of the size or impact of data processing activities. However, due to their market power, dominant firms have a stronger ability to cause harm to consumers and data subjects because of the lack of alternative providers to which they can switch. Dominant firms are therefore unlike non-dominant firms not constrained by the competitive forces of the market. In a way, one could thus argue that consumers and data subjects of dominant firms are less protected if the regimes of consumer and data protection law do take into account market power in the substantive interpretation of their rules. Important to note here is that the integration of a special responsibility in consumer and data protection law would serve as a tool to impose stricter requirements on powerful businesses and not to provide small businesses with an opportunity to ignore the rules. In particular, our suggestion to take inspiration from Article 102 TFEU’s notion of special responsibility for consumer and data protection law should be distinguished from the approach under Article 101 TFEU where restrictions of competition only violate the competition rules when they have an appreciable effect on competition (with the exception of by object restrictions that are considered per se harmful), and a “safe harbour” applies for minor restrictions of competition by companies below certain market share thresholds. In this sense, our proposal does not go as far as claiming that violations of consumer and data protection law by small businesses should be tolerated.

One of the findings of the Netherlands Authority for Consumers and Markets in its investigation into online video platforms confirms the need to be more wary about the behaviour of dominant platforms under consumer law. The Authority established a link between platform size and the range of possibly unfair terms under consumer law, as it found that platforms with the largest user base and a wider range of (integrated) digital services have more (possibly) unfair terms.Footnote 87 It thus seems worthwhile to explore how a special responsibility can be integrated within consumer law in order to better protect consumers against unfair terms and unfair commercial practices of dominant firms.

III. Towards more asymmetric and smarter enforcement

Apart from differentiating based on market power in the application of the law, the existence of market power can also be used as an indicator to set enforcement priorities. With regard to competition enforcement, the current policy debates display an interesting dichotomy. On the one hand, the European Commission is exploring the introduction of a “New Competition Tool” to be used by competition authorities to impose remedies on firms in case of structural problems without the need to establish a violation of the competition rules and potentially even without having to assess dominance.Footnote 88 The idea behind this tool is that intervention may come too late in certain markets where characteristics such as network effects, economies of scale and scope and the role of data lead markets to tip to a few players even before they reach the stage of dominance. With the adoption of the New Competition Tool, the reach of possible remedies imposed by competition authorities may thus extend to non-dominant firms. On the other hand, the Commission is exploring additional ex ante regulation for gatekeeping platforms as a complement to competition enforcement.Footnote 89 This illustrates the need expressed by policymakers for stricter rules for a certain class of especially strong players, beyond dominance as such. In this sense, competition law is thus being strengthened in both directions.

This section focuses on the enforcement of data protection and consumer law and makes suggestions for developing a more asymmetric enforcement approach, where cases are prioritised based on the market position of the firm under investigation. It is illustrated how consumer authorities indeed prioritise investigations based on the scale and expected impact of commercial practices on consumers. Within data protection, no such prioritisation is taking place yet in a systematic way. This section shows how the current lack of enforcement of existing GDPR requirements such as purpose limitation provides larger firms with the ability to continuously expand their control across services and markets. We illustrate how a more asymmetric approach would lead to a smarter and more focused enforcement of data protection law to the benefit of individual data subjects and overall competition.

1. Enforcement priorities in consumer law

While consumer law is applied uniformly regardless of market power, this does not mean that there is no consideration of market power at all within consumer law enforcement. In particular, market power does play a role in setting enforcement priorities. Enforcement actions taking place collectively at the EU level will often focus on parties that have large market shares. For example, CPC joint actions have targeted only the five largest car rental companies and the three largest social media platforms on their respective markets, and have even focused on single large players (Airbnb).Footnote 90 Rather than a substantiated effort by consumer authorities to target players holding market power with stricter obligations, this seems indeed more a reflection of the practical reality of enforcement and the selection of enforcement priorities. In fact, the CPC has carried out collective enforcement actions that focused on large quantities of players, such as when it analysed 560 digital vendors.Footnote 91 These enforcement actions are exceptional in nature though, perhaps due to the effort that is required to carry them out.

On the national level, we can also see such a development. For example, the UK CMA has explicitly noted that it prioritises enforcement for “systemic market issues”.Footnote 92 This denotes that there is at least consideration of the market structure in decisions on how to use resources for enforcement, even where the substantive interpretation of the consumer rules rarely considers this aspect. Such an approach offers lessons for data protection enforcement, where authorities do not yet systematically prioritise cases in accordance with market power. The next section illustrates how such an asymmetric enforcement of the data protection rules would create more effective protection.

2. Impact of effective enforcement of GDPR’s principle of purpose limitation

Beyond a possible integration of the competition law notions of market power and special responsibility into the interpretation of data protection law to impose stricter obligations on dominant data controllers, it is also important to realise that certain requirements of the GDPR inherently limit the data processing activities of dominant firms to a greater extent than those of non-dominant firms. These situations result automatically from applying the GDPR and therefore do not require an active tailoring of obligations to the market position or scope of data processing of a data controller. However, there is currently a lack of effective enforcement of the data protection rules that would pose limits to the data processing activities of dominant firms.Footnote 93

In its response to the publication consultation of the UK CMA on online advertising, the private web browser Brave called upon data protection authorities to enforce the purpose limitation principle in order to prevent “privacy policy tying”, whereby big tech firms ask users for their consent to combine all data from many services.Footnote 94 The purpose limitation principle requires personal data to be collected for specified, explicit and legitimate purposes and not to be further processed in a manner that is incompatible with those purposes.Footnote 95 A bundling of consent where companies offering multiple services ask data subjects for their consent only once for all services at the same time does not comply with this principle. Recital 32 of the GDPR explains that consent should cover all processing activities carried out for the same purpose and that consent should be given for all of them separately when the processing has multiple purposes. Similarly, the European Data Protection Board requires consent to be granular to prevent data subjects being left no choice but to consent to a bundle of processing purposes.Footnote 96

Based on these arguments, Brave argued that the bundling of consent by companies such as Google and Facebook violates several requirements of the GDPR, including the purpose limitation principle, and that their data advantage stems from a lack of data protection enforcement.Footnote 97 The enforcement of purpose limitation would restrict the combination and cross-use of personal data among services offered by the same firm, because of the requirement to separate consent for each purpose of data processing. Even though purpose limitation applies to all data controllers irrespective of their size, it inherently leads to more limitations for firms processing personal data within different services for multiple purposes at the same time. We submit that strict enforcement of purpose limitation would not only give data subjects more control over how their personal data are used, but may also help address concerns arising from the expansion of market power through the leveraging of personal data across services. Enforcement of data protection law would thus at the same time achieve results that foster more competition-orientated interests.Footnote 98

A more effective enforcement of the GDPR is thus key. One of the core aspects of the GDPR’s enforcement system is that the national data protection authority of the main establishment of the data controller is automatically competent to act as the lead supervisory authority, whose investigation is effective in the entire EU. Footnote 99 According to consumer organisation BEUC, the concentration of complaints against big tech players in the hands of one single national authority has led to an “enforcement bottleneck effect”.Footnote 100 In its June 2020 Communication evaluating the two years of application of the GDPR, the European Commission similarly pointed at the fact that the largest big tech multinationals are established in Ireland and Luxemburg so that these data protection authorities, as lead authorities in many important cross-border cases, need larger resources than their populations would otherwise suggest. In addition, the Commission argued in its evaluation that data protection authorities have not yet made full use of the tools that the GDPR provides to handle of cross-border cases more efficiently, such as through joint investigations.Footnote 101

The enforcement approach within EU consumer law, organised in the CPC, to let the national consumer authorities concerned by a widespread consumer infringement select the authority that is best placed to coordinate the case is particularly instructive.Footnote 102 The latter approach offers possibilities for burden sharing among authorities and avoids problems in situations where firms have their main establishment in Member States that do not have a strong enforcement authority with enough resources to investigate cross-border cases. To ensure the effectiveness of data protection enforcement in the future, lessons can therefore be drawn from the enforcement system within consumer law that relies much more on cooperation between national authorities.

IV. From negative duties to refrain from behaviour to positive duties to show compliance

The previous section has shown that there is a difference between the “law on the books” and the “law in action”Footnote 103 when effective enforcement is lacking. A way to address this problem is to shift the focus from the imposition of negative duties to refrain from certain problematic behaviour to positive duties to show compliance with the rules. In such cases, the burden of proof still lies with the regulatory authority to establish a violation of the rules. However, the ability to request firms to show what measures have been taken to comply with the law allows authorities to engage in more proactive monitoring against lower enforcement efforts. The GDPR’s principle of accountability can serve as an example here.

The principle of accountability implies that the controller is responsible for and able to demonstrate compliance with EU data protection rules. For instance, Article 5(2) GDPR requires controllers to demonstrate compliance with the data quality requirements, including the need for a lawful ground of data processing and the principles of data minimisation and purpose limitation. Another example can be found in Article 24(1) GDPR, which requires controllers to implement appropriate technical and organisational measures to ensure and be able to demonstrate that the processing of personal data is performed in compliance with the rules. Controllers thus have to be ready to show the data protection authority upon request that adequate measures are in place to ensure that their processing activities comply with EU data protection law.

This section explores how approaches similar to the GDPR’s principle of accountability can be implemented in competition law, where further expansions of the reach of the special responsibility of dominant firms are already being considered. Within consumer law, a move towards positive duties is visible as well as illustrated by the guidelines on the protection of the online consumer that the Netherlands Authority for Consumers and Markets adopted in February 2020,Footnote 104 and by the suggestion of the UK CMA in its July 2020 final report on online platforms and digital advertising to introduce a duty of “fairness by design”.Footnote 105

1. Expanding competition law’s special responsibility

Recent developments in scholarly and policy discussions indicate a renewed interpretation, and perhaps even expansion, of competition law’s concept of special responsibility, particularly for the digital era. Digital markets have been considered to possess certain key characteristics (including extreme scale advantages, network effects, and competitive advantages relating to data) that result in large or dominant undertakings retaining their market position even where superior competitors might exist.Footnote 106 It has been argued that some of these characteristics could trigger a special responsibility or even a finding of super-dominance that comes with additional obligations to ensure the competitiveness of these markets.Footnote 107

In this context, reference can be made to the suggestion in the 2019 report on “Competition Policy for the Digital Era” as commissioned by EU Commissioner Vestager to reverse the burden of proof for certain abusive practices by dominant firms. In the report, the three experts appointed by the Commissioner argued that in the context of highly concentrated markets characterised by strong network effects and high barriers to entry, one may rather want to err on the side of banning certain practices that are potentially anti-competitive and to impose the burden of proof for showing pro-competitive effects on market players.Footnote 108 In particular, the experts proposed to apply a presumption in favour of a duty to ensure interoperability and to reverse the burden of proof for practices of self-preferencing in certain circumstances.Footnote 109 In 2017, the European Commission held Google liable for abusing its dominance in the market for general search by displaying its own comparison shopping service more prominently in its general search results to the detriment of rival comparison shopping services. Footnote 110 While the Commission decision was under appeal at the General Court at the time the report was finalised, the experts suggested that vertically integrated dominant digital platforms performing a regulatory function should bear the burden of proving that self-preferencing “has no long-run exclusionary effects on product markets”.Footnote 111 Because of the quasi-criminal character of competition law and the presumption of innocence, a reversal of the burden of proof is not without controversy. Beyond the application of the competition rules, upcoming ex ante regulation in the Digital Services Act may ban self-preferencing as a prohibited practice for gatekeeping platforms.Footnote 112

Without going as far as to reverse the burden of proof for certain practices in competition law, inspiration can be taken from the GDPR’s principle of accountability, such as by requiring a dominant firm to show what measures have been taken to prevent violations of the competition rules. An analogy can also be made with the notion of “antitrust compliance by design” that Commissioner Vestager used in a speech to indicate that businesses need to build pricing algorithms in a way that does not allow them to collude.Footnote 113 She referred to the concept of “data protection by design” of the GDPR by way of analogy, requiring data controllers to build privacy into the design of services from the very start.Footnote 114 One should note that the expansion of competition law’s special responsibility as proposed here goes beyond the role that some jurisdictions have given to antitrust compliance programmes. A number of national competition authorities (but not the European Commission)Footnote 115 consider such programmes as a mitigating circumstance when calculating the fine for a competition law infringement.Footnote 116 The integration of a notion of accountability within the special responsibility held by dominant firms will be more far-reaching, because it would give rise to a positive duty for dominant firms to show what steps have been taken to ensure compliance. While the existence of antitrust compliance programmes can lead to a reduction of the fine once an infringement has been established, a notion of accountability as suggested here would impact the very issue of whether the competition rules have been violated and what the threshold for intervention will be.

Beyond capturing exclusionary effects on a dominant firm’s rivals, Sauter has argued that the original open-ended nature of competition law’s special responsibility also offers an opportunity to extend the notion to the way a dominant firm interacts with its consumers. This would facilitate the establishment of a duty of care towards consumers in the form of a duty to take positive steps to protect consumers by upholding norms of “fairness” and avoiding exploitation.Footnote 117 In other words, undertakings that are found to be dominant would have additional positive obligations that have their roots outside of competition law – in this case, consumer law.Footnote 118 At the same time, one can wonder whether such a duty cannot be better established within consumer law itself.

2. Positive duties in consumer law

There are indeed developments towards advancing consumer protection in the form of positive duties. In its February 2020 Guidelines on the protection of the online consumer, the Netherlands Authority for Consumers and Markets makes clear that it is for traders to ensure that the design of an online choice architecture is fair and that any default settings must be favourable to consumers. Consumers should not be misled by the design and should not be tricked into a decision that they would not have taken otherwise.Footnote 119 Such a responsibility of the trader may be based on the notion of “professional diligence”, which is one of the elements included in the general unfairness clause of Article 5(2) of the UCP Directive. As indicated by the Netherlands Authority for Consumers and Markets, the requirements of professional diligence can be interpreted as meaning “good business conduct” in line with a professional standard of “good faith”.Footnote 120 Based on this line of reasoning, we submit that the notion of professional diligence in consumer law could serve a similar role as the principle of accountability in the GDPR and be interpreted as requiring traders to take active steps to help consumers in taking an informed decision.

In its 2020 final report on online platforms and digital advertising, the UK CMA goes a step further by proposing the imposition of a duty of “fairness by design” on platforms with strategic market status. Although wider application of the duty may be considered later on, the UK CMA justifies the choice for asymmetric regulation because platforms with strategic market status are the ones possessing market power, holding the largest amount of consumer data and are the most difficult for consumers to avoid using.Footnote 121 The duty of fairness by design would require platforms to design their choice architecture in a way that encourages free and informed consumer choices. An analogy can again be made with the GDPR’s concept of data protection by design, thereby indicating the move towards positive duties in consumer law as well. These developments fit with the underlying idea of this paper to consider the imposition of a special responsibility on dominant firms, which may not only involve negative duties to refrain from behaviour, but also positive duties to ensure compliance and create fair outcomes for consumers.

V. Conclusion

The notion of special responsibility is a well-accepted part of EU competition law. Although the exact implications of a dominant firm’s special responsibility are unclear, the concept is attracting renewed attention as a mechanism to make competition enforcement more effective through proposals for reversing the burden of proof or for imposing a duty of care towards consumers. EU data protection and consumer law are regimes of general application, whose obligations apply to all data controllers or traders without differentiating based on their market position. Nevertheless, as our analysis has shown, the substance of their provisions leaves room to integrate a special responsibility as well (see a summary of our findings in Table 1).

Examples in data protection law relate to the relevance of a data controller’s market power to determine whether consent is freely given. The German Facebook case indicates how this could work in practice, although the approach of the Bundeskartellamt is not without controversy. In addition, stricter enforcement of principles such as purpose limitation is desirable, as this would inherently lead to stronger limitations for data controllers that process personal data for multiple purposes and within various services at the same time.

In consumer law, the interpretation of the “fairness” of contract terms and commercial practices would benefit from a consideration of the market power of a trader. Consumers will be less able to switch to other providers if the market leader imposes problematic terms or practices. In its 2017 investigation against WhatsApp, the Italian Competition Authority indeed seems to integrate elements of a special responsibility for compliance with consumer rules into its reasoning.

We submit that a more explicit recognition of the market position of a data controller or trader within data protection and consumer law would make these regimes more effective at protecting data subjects and consumers. To reflect current realities, a greater level of responsibility should be imposed on firms possessing greater power whose practices are less constrained by market forces and thereby risk creating greater consumer harm. Our analysis has shown that the substantive provisions of the two legal fields leave the respective regulatory authorities sufficient room to acknowledge the existence of such a special responsibility, in analogy to competition law. However, this also has to be coupled with effective enforcement. We have illustrated that steps can already be taken in this regard without the need to make any institutional changes. By integrating market power as an element in priority-setting, one can create more asymmetric and focused enforcement towards cases or areas of particular concern where the benefits to consumers of interventions would be highest. Such an approach would especially strengthen compliance with data protection law, where enforcement of existing requirements such as purpose limitation is lacking, to the detriment of data subjects and overall competition. To make the enforcement of data protection law more effective, data protection authorities can learn from how consumer authorities cooperate in cross-border cases and share the burden of investigation.

Competition law, in its turn, can take inspiration from the rise of positive duties to show compliance in data protection law in line with the principle of accountability in the GDPR. A move towards positive duties is also visible in consumer law. While a notion of market power has so far been rarely integrated into the substantive scope of consumer law, the introduction of positive duties will provide room for more proactive enforcement. In addition, priority-setting based on market power is already more well-accepted in consumer law than in data protection law.

Although the three regimes analysed here differ in terms of objectives and scope,Footnote 122 they can inspire and strengthen each other in terms of substantive interpretation and enforcement approaches. Whereas the examples to support the reasoning in this paper largely relate to digital platforms and online services, our plea for more asymmetric interpretation and enforcement of data protection and consumer law applies more generally, irrespective of the type of service or the industry at stake. Apart from bolstering the individual regimes, cooperation between regulatory authorities from different fields is desirable and logical in areas where these regimes overlap. However, care should be taken to do so in a way that protects the individual goals of the regimes and does not result in an event where enforcement in one field undermines enforcement in other areas. Finding the appropriate balance will require cooperation on both the national and EU level.

Table 1. Overview of recognised and possible further uses of the notions of market power and special responsibility.

GDPR = General Data Protection Regulation; UCP = Unfair Commercial Practices; UCT = Unfair Contract Terms.

Footnotes

This research has been conducted in the framework of the Digital Clearinghouse project that is funded by grants from the Open Society Foundations, the Omidyar Network and the King Baudouin Foundation.

References

1 See Commission, “Inception Impact Assessment of the Digital Services Act Package” Ares(2020)2877686, 2 July 2020. The idea of a separate regulatory regime for gatekeeping platforms is currently also being raised at the national level, such as the UK and Germany. See UK Digital Competition Expert Panel, “Unlocking Digital Competition” (2019) <https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/785547/unlocking_digital_competition_furman_review_web.pdf> (last accessed 15 July 2020); and Commission Competition Law 4.0 “A New Competition Framework for the Digital Economy” (September 2019) <https://www.bmwi.de/Redaktion/EN/Publikationen/Wirtschaft/a-new-competition-framework-for-the-digital-economy.pdf?__blob=publicationFile&v=3> (last accessed 15 July 2020).

2 Commission, “Shaping Europe’s Digital Future” COM(2020) 67 final, 19 February 2020, 9–10.

3 J Crémer, A-Y de Montjoye and H Schweitzer, Competition Policy for the Digital Era (Luxembourg, Publications Office of the European Union 2019) <https://ec.europa.eu/competition/publications/reports/kd0419345enn.pdf> (last accessed 15 July 2020); UK Digital Competition Expert Panel, supra, note 1; and Stigler Committee on Digital Platforms (2019) <https://research.chicagobooth.edu/-/media/research/stigler/pdfs/digital-platforms---committee-report---stigler-center.pdf?la=en&hash=2D23583FF8BCC560B7FEF7A81E1F95C1DDC5225E> (last accessed 15 July 2020).

4 See also the pioneering work of the European Data Protection Supervisor (EDPS) in analysing synergies between the areas of data protection, competition and consumer law: Preliminary Opinion of the EDPS, “Privacy and competitiveness in the age of big data: The interplay between data protection, competition law and consumer protection in the Digital Economy” (March 2014) <https://edps.europa.eu/sites/edp/files/publication/14-03-26_competitition_law_big_data_en.pdf> (last accessed 15 July 2020); and EDPS Opinion 8/2016 on “coherent enforcement of fundamental rights in the age of big data” (September 2016) <https://edps.europa.eu/sites/edp/files/publication/16-09-23_bigdata_opinion_en.pdf> (last accessed 15 July 2020).

5 Case T-111/96 ITT Promedia v Commission [1998] ECLI:EU:T:1998:183, para 139.

6 Case 322/81 Michelin v Commission [1983] ECLI:EU:C:1983:313, para 57.

7 Case 85/76 Hoffman-La Roche v Commission [1979] ECLI:EU:C:1979:36, para 91.

8 K McMahon, “Interoperability: Indispensability and Special Responsibility in High Technology Markets” (2007) 9 Tulane Journal of Technology and Intellectual Property 123, 162.

9 Case T-83/91 Tetra Pak v Commission [1994] ECLI:EU:T:1994:246, para 114.

10 Joined Cases C-395/96, C-396-96 Compagnie Maritime Belge v Commission [2000] ECLI:EU:C:2000:132, para 111.

11 Hoffman-La Roche, supra, note 7, para 91.

12 For example, Case 27/76 United Brands v Commission [1978] ECLI:EU:C:1978:22, para 189; Case T-228/97 Irish Sugar v Commission [1999] ECLI:EU:T:1999:246, para 112.

13 K McMahon, “A Reformed Approach to Article 82 and the Special Responsibility not to Distort Competition” in A Ezrachi (ed.) Article 82 EC: Reflections on its Recent Evolution (Oxford, Hart Publishing 2009) ch 7, p 125.

14 A Jones and B Sufrin, EU Competition Law (4th edn, Oxford, Oxford University Press 2011) p 366.

15 E Rousseva and M Marquis, “Hell Freezes Over: A Climate Change for Assessing Exclusionary Conduct under Article 102 TFEU” (2012) 4(1) Journal of European Competition Law & Practice 32, 42–44.

16 T-191/98, T-212/98 to T-214/98 Atlantic Container Line AB v Commission [2003] ECLI:EU:T:2003:245, para 1460.

17 R Whish and D Bailey, Competition Law (9th edn, Oxford, Oxford University Press, 2018) p 198.

18 FE Gonzalez-Diaz and R Snelders EU Competition Law, Volume 5: Abuse of Dominance Under Article 102 TFEU (Deventer, Claeys and Casteels Law Publishing 2013) p 138.

19 McMahon, supra, note 8, 164.

20 See, for instance, Case C-475/10 AstraZeneca v Commission [2012] ECLI:EU:C:2012:770, para 75; Case C-413/14 P Intel [2017] ECLI:EU:C:2017:632, para 136.

21 Commission, “Guidance on the Commission’s Enforcement Priorities in Applying Article 82 of the EC Treaty to Abusive Exclusionary Conduct by Dominant Undertakings” [2009] OJ C 45/02, para 5.

22 Case C-209/10 Post Danmark I [2012] ECLI:EU:C:2012:172, para 22.

23 K Rousseva and M Maquis, supra, note 15, 43.

24 Case C-23/14 Post Danmark II [2015] ECLI:EU:C:2015:651, para 59.

25 Commission, “Guidance on the Commission’s Enforcement Priorities in Applying Article 82 of the EC Treaty to Abusive Exclusionary Conduct by Dominant Undertakings” [2009] OJ C 45/02, para 24.

26 Case AT.39740 Google Search (Shopping), 27 June 2017.

27 Press release European Commission “Antitrust: Commission opens investigation into possible anti-competitive conduct of Amazon” (17 July 2019) <https://ec.europa.eu/commission/presscorner/detail/en/IP_19_4291> (last accessed 15 July 2020).

28 Press release European Commission “Antitrust: Commission opens investigations into Apple’s App Store rules” (16 June 2020) <https://ec.europa.eu/commission/presscorner/detail/en/ip_20_1073> (last accessed 15 July 2020); and press release European Commission “Antitrust: Commission opens investigation into Apple practices regarding Apple Pay”(16 June 2020) <https://ec.europa.eu/commission/presscorner/detail/en/IP_20_1075> (last accessed 15 July 2020).

29 L Ortiz Blanco, Market Power in EU Antitrust Law (Oxford, Hart Publishing 2011) p 43.

30 Joined Cases C-395/96, C-396-96 Compagnie Maritime Belge v Commission [1998] ECLI:EU:C:1998:518, Opinion of AG Fennelly, para 137.

31 A Jones and B Sufrin, supra, note 14, p 358.

32 R O’Donoghue and AJ Padilla, The Law and Economics of Article 82 (Oxford, Hart Publishing 2006) p 167.

33 JF Appeldoorn “He who Spareth His Rod, Hateth His Son? Microsoft, Super-Dominance and Article 82 EC” (2005) 26(12) European Competition Law Review 653, 655.

34 This argument was part of a larger push for EU competition law to focus more on developing methods that substantiated economic harm instead of relying on “form-based” enforcement that deems certain behaviours and outcomes abusive without thoroughly examining their economic effect. This approach would largely reject the earlier-mentioned link between size and capacity for harm as overly formalistic. For a succinct argument in favour of this more economics-based approach, see J Vickers “Abuse of Market Power” (2005) 115(504) Economic Journal 244–61.

35 P Larouche “The European Microsoft Case at the Crossroads of Competition Policy and Innovation” (2008) 75(3) Antitrust Law Journal 933, 941.

36 Case C-52/09 Konkurrensverket v TeliaSonera Sverige AB, [2011]ECLI:EU:C:2011:83, paras 79–81; this was confirmed in the context of rebates in Case C-549/10 P Tomra and Others v Commission [2012] ECLI:EU:C:2012:221, para 39.

37 See, respectively, UK Digital Competition Expert Panel, supra, note 1; Crémer et al, supra, note 3.

38 See Commission, supra, note 1.

39 UK CMA, “Online platforms and digital advertising Market study final report” (1 July 2020), 22 <https://assets.publishing.service.gov.uk/media/5efc57ed3a6f4023d242ed56/Final_report_1_July_2020_.pdf> (last accessed 15 July 2020).

40 Bundeskartellamt, “Facebook Decision” B6-22/16, 6 February 2019, para 387 <https://www.bundeskartellamt.de/SharedDocs/Entscheidung/EN/Fallberichte/Missbrauchsaufsicht/2019/B6-22-16.html?nn=3600108> (last accessed 15 July 2020).

41 ibid, para 422.

42 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons With Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation) [2016] OJ L 119/1.

43 Some have pointed out the tensions in attempting to maintain a uniform “rights-based” regime that contains flexible obligations; however, both the Court of Justice and the EDPB seem to have embraced the practice of “scalable” obligations based on risk assessments. See C Quelle “The ‘Risk Revolution’ in EU Data Protection Law: We Can’t Have Our Cake and Eat it, too” in R Leenes, R van Brakel, S Gutwirth and P de Hert (eds), Data Protection and Privacy: The Age of Intelligent Machines (Oxford, Hart Publishing 2017) ch 1.

44 Art 24(1) GDPR.

45 Arts 25(1), 32(1) and 35(1) GDPR.

46 Case C-131/12 Google Spain [2014] ECLI:EU:C:2014:317, para 80.

47 O Lynskey, “Grappling with ‘Data Power’: Normative Nudges from Data Protection and Privacy” (2019) 20(1) Theoretical Inquiries in Law 189, 207–09.

48 ibid, 189–90 and 197.

49 EDPS (2014), supra, note 4, 14.

50 ECtHR 13 November 2012, 24029/07, M.M. v UK, para 200 as referenced by the EDPS (2014), supra, note 4, 14.

51 Art 8 European Convention for the Protection of Human Rights and Fundamental Freedoms, as amended 4 November 1950. This provision guarantees the right to respect for private and family life, of which the right to protection of personal data is considered to form part.

52 Art 8 Charter of Fundamental Rights of the European Union [2012] OJ C 326/391. Art 51(1) Charter of Fundamental Rights makes clear that the EU institutions are also under a positive duty to respect and promote the application of the rights contained in the Charter.

53 Bundesgerichtshof, KVR 69/19 Facebook, ECLI:DE:BGH:2020:230620BKVR69.19.0 (23 June 2020), para 105. For a discussion of the judgment, see R Podszun, “Facebook Case: The Reasoning” (28 August 2020) <https://www.d-kart.de/blog/2020/08/28/facebook-case-the-reasoning/> (last accessed 11 September 2020).

54 Crémer et al, supra, note 3, 77.

55 See I Graef, D Clifford and P Valcke “Fairness and Enforcement: Bridging Competition, Data Protection, and Consumer Law” (2018) 8(3) International Data Privacy Law 200, 207.

56 French Conseil d’État “Sanction Infligée à Google par la CNIL” (19 June 2020) <https://www.conseil-etat.fr/ressources/decisions-contentieuses/dernieres-decisions-importantes/conseil-d-etat-19-juin-2020-sanction-infligee-a-google-par-la-cnil> (last accessed 15 July 2020).

57 Commission nationale de l’informatique et des libertés “The CNIL’s Restricted Committee Imposes a Financial Penalty of 50 Million Euros Against GOOGLE LLC” (21 January 2019) <https://www.cnil.fr/en/cnils-restricted-committee-imposes-financial-penalty-50-million-euros-against-google-llc> (last accessed 15 July 2020).

58 Article 29 Working Party, “Opinion 06/2014 on the Notion of Legitimate Interests of the Data Controller” 844/14/EN WP 217, 9 April 2014, 55.

59 Article 29 Working Party, “Guidelines on Consent under Regulation 2016/679” 17/EN WP259 rev.01, 10 April 2018, 7.

60 For a more extensive discussion, see D Clifford, I Graef and P Valcke “Pre-formulated Declarations of Data Subject Consent: Citizen-Consumer Empowerment and the Alignment of Data, Consumer and Competition Law Protections” 20(5) German Law Journal 2019, 679, 713–14 and 716–18.

61 Bundeskartellamt, supra, note 40, para 163.

62 Bundeskartellamt, “Background information on the Bundeskartellamt’s Facebook proceedings” (7 February 2019) <https://www.bundeskartellamt.de/SharedDocs/Publikation/EN/Pressemitteilungen/2019/07_02_2019_Facebook_FAQs.pdf?__blob=publicationFile&v=6> (last accessed 15 July 2020).

63 Bundeskartellamt, supra, note 40, paras 526–27.

64 ibid, para 645.

65 ibid, paras 877–80.

66 ibid, para 880.

67 Kalimo and Majcher remark similarly that one of the goals of the Bundeskartellamt was to emphasise and strengthen the commonalities in concepts and language between the two regimes so as to make it easier for future decisions to incorporate data protection and competition law concepts in this way. See H Kalimo and K Majcher, “The concept of fairness: linking EU competition and data protection law in the digital marketplace” (2017) 42(2) European Law Review 210.

68 Oberlandesgericht Düsseldorf, VI-Kart 1/19 (V), Facebook Inc. gegen Bundeskartellamt, ECLI:DE:OLGD:2019:0826.KART1.19V.00 (26 August 2019), notably paras 25, 47 and 93.

69 Bundesgerichtshof, KVR 69/19 Facebook, ECLI:DE:BGH:2020:230620BKVR69.19.0 (23 June 2020), paras 104–05.

70 In the proceedings on the merits, either the Higher Regional Court or the Federal Court of Justice might still refer the case to the ECJ. Some commentators have noted that this perhaps could provide welcome harmonisation at an EU level. See M Botta and K Wiedemann, “Exploitative Conducts in Digital Markets: Time for a Discussion after the Facebook Decision” (2019) 10(8) Journal of European Competition Law & Practice 465.

71 M Huffman, “Bridging the Divide? Theories for Integrating Competition Law and Consumer Protection” (2010) 6(1) European Competition Journal 7.

72 Consumer Protection Cooperation Network, “Common Position of National Authorities within the CPC Network Concerning the Protection of Consumers on Social Networks” (2017) <http://ec.europa.eu/newsroom/document.cfm?doc_id=43713> (last accessed 15 July 2020).

73 Netherlands Authority for Consumers and Markets, “Report: A closer look at Online video platforms” (2017) <https://www.acm.nl/sites/default/files/documents/2017-10/acm-a-closer-look-at-online-video-platforms-2017-10-16.pdf> (last accessed 15 July 2020).

74 UK CMA, “Consumer Law Compliance Review: Cloud Storage Findings Report” (27 May 2016) <https://assets.publishing.service.gov.uk/media/57472953e5274a037500000d/cloud-storage-findings-report.pdf> (last accessed 15 July 2020).

75 Netherlands Authority for Consumers and Markets, supra, note 73, 3–4.

76 Council Directive 93/13/EEC of 5 April 1993 on Unfair Terms in Consumer Contracts (Unfair Contract Terms Directive) [1993] OJ L 95/29.

77 Netherlands Authority for Consumers and Markets, supra, note 73, 70–74.

78 Crémer et al, supra, note 3, 3.

79 Commission, “Guidance on the Implementation/Application of Directive 2005/29/EC on Unfair Commercial Practices” SWD(2016) 163 final, 25 May 2016, 27.

80 P Siciliani, C Riefa and H Gamper, Consumer Theories of Harm (Oxford, Hart Publishing, 2019) ch 2.

81 Art 3(1) UCT Directive.

82 Art 5(2) of Directive 2005/29/EC of the European Parliament and of the Council of 11 May 2005 Concerning Unfair Business-to-Consumer Commercial Practices in the Internal Market (Unfair Commercial Practices Directive) [2005] OJ L 149/22.

83 Autorita’ Garante della Concorrenza e del Mercato, “WhatsApp Fined for 3 Million Euro for Having Forced its Users to Share Their Personal Data with Facebook” (12 May 2017) <https://en.agcm.it/en/media/press-releases/2017/5/alias-2380> (last accessed 15 July 2020).

84 N Zingales, “Between a Rock and Two Hard Places: WhatsApp at the Crossroad of Competition, Data Protection and Consumer Law” 33(4) Computer Law & Security Review (2017) 553, 557.

85 M Botta and K Wiedemann “The Interaction of EU Competition, Consumer, and Data Protection Law in the Digital Economy: The Regulatory Dilemma in the Facebook Odyssey” 64(3) The Antitrust Bulletin (2019) 428, 445.

86 Botta and Wiedemann note that the absence of a required and complex market definition may have been a deciding factor for the Italian Competition Authority in choosing this enforcement route; ibid.

87 Netherlands Authority for Consumers and Markets, supra, note 73, 73.

88 See the Inception Impact Assessment of the New Competition Tool, published on 2 June 2020 <https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/12416-New-competition-tool> (last accessed 15 July 2020).

89 Commission, supra, note 1.

90 Consumer Protection Cooperation Network “Single Market Scoreboard” (2019), section C <https://ec.europa.eu/internal_market/scoreboard/performance_by_governance_tool/consumer_protection_cooperation_network/index_en.htm> (last accessed 15 July 2020).

91 Commission, “Online Shopping: Commission and Consumer Protection Authorities Call for Clear Information on Prices and Discounts” (22 February 2019) <https://ec.europa.eu/commission/presscorner/detail/en/IP_19_1333> (last accessed 15 July 2020).

92 UK CMA, “CMA Response to Government Consultation” (July 2018), para 51 <https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/726169/CMA_response_to_consumer_green_paper.pdf> (last accessed 15 July 2020).

93 See also MS Gal and O Aviv, “The Competitive Effects of the GDPR” (2020) 16(3) Journal of Competition Law & Economics 349, who argue that the GDPR can have harmful effects on competition and innovation in data markets by entrenching the market power of players who are already strong.

94 D Condorelli and J Padilla, “Harnessing Platform Envelopment in the Digital World” (2020) 16(2) Journal of Competition Law & Economics 143.

95 Art 5(1)(b) GDPR.

96 European Data Protection Board, “Guidelines 05/2020 on consent under Regulation 2016/679”, 4 May 2020, 12.

97 Brave, “Response to Consultation Regarding Online Platforms and Digital Advertising” (12 February 2020), paras 9–21 <https://brave.com/wp-content/uploads/2020/02/12-February-2020-Brave-response-to-CMA.pdf> (last accessed 15 July 2020).

98 For an analysis of Brave’s actions against the background of the interaction between data protection and competition law, see also G Monti, “Attention Intermediaries: Regulatory Options and their Institutional Implications”, TILEC Discussion Paper DP 2020-018, 12 and 30 (7 July 2020) <http://ssrn.com/abstract=3646264> (last accessed 15 July 2020).

99 Art 56(1) GDPR.

100 The European Consumer Organisation (BEUC), “GDPR second anniversary – Recommendations for efficient enforcement” (25 May 2020) <http://www.beuc.eu/publications/beuc-x-2020-040_gdpr_second_anniversary_-_recommendations_for_efficient_enforcement_letter.pdf> (last accessed 15 July 2020).

101 Communication from the Commission to the European Parliament and the Council “Data protection as a pillar of citizens’ empowerment and the EU’s approach to the digital transition – two years of application of the General Data Protection Regulation” COM(2020) 264 final, 24 June 2020, 5–6.

102 Art 17(2) of Regulation (EU) 2017/2394 of the European Parliament and of the Council of 12 December 2017 on cooperation between national authorities responsible for the enforcement of consumer protection laws (CPC Regulation) [2017] OJ L 345/1.

103 See R Pound, “Law in Books and Law in Action” (1910) 44 American Law Review 12.

104 Netherlands Authority for Consumers and Markets, “Guidelines on the Protection of the Online Consumer: Boundaries of Online Persuasion” (11 February 2020) <https://www.acm.nl/sites/default/files/documents/2020-02/acm-guidelines-on-the-protection-of-the-online-consumer.pdf> (last accessed 15 July 2020).

105 UK CMA, supra, note 39, 27.

106 Crémer et al, supra, note 3, 2–3.

107 W Sauter, “A Duty of Care to Prevent Online Exploitation of Consumers? Digital Dominance and Special Responsibility in EU Competition Law” (2020) 8(2) Journal of Antitrust Enforcement 406, 406–427; P Alexiadis and A De Streel, “Designing an EU Intervention Standard for Digital Platforms”, Robert Schuman Centre for Advanced Studies Research Paper No. 2020/14, 8 <https://cadmus.eui.eu/bitstream/handle/1814/66307/RSCAS%202020_14.pdf?sequence=1&isAllowed=y> (last accessed 15 July 2020).

108 Crémer et al, supra, note 3, 51.

109 ibid, 51–52 and 66–67.

110 Google Search (Shopping) Case AT.39740 Commission Decision C(2017) 4444 final [2017].

111 Crémer et al, supra, note 3, 66.

112 See Commission, supra, note 1.

113 M Vestager, European Commissioner for Competition, “Algorithms and Competition” (Speech at the Bundeskartellamt 18th Conference on Competition, Berlin, 16 March 2017) <https://wayback.archive-it.org/12090/20191129221651/https:/ec.europa.eu/commission/commissioners/2014-2019/vestager/announcements/bundeskartellamt-18th-conference-competition-berlin-16-march-2017_en> (last accessed 15 July 2020).

114 See Art 25 GDPR.

115 Guidelines on the method of setting fines imposed pursuant to Article 23(2)(a) of Regulation No 1/2003 [2006] OJ C 210/2.

116 For a discussion see, W Wils, “Antitrust compliance programmes and optimal antitrust enforcement” (2013) 1(1) Journal of Antitrust Enforcement 52, 52–81; and D Geradin “Antitrust compliance programmes and optimal antitrust enforcement: a reply to Wouter Wils” (2013) 1(2) Journal of Antitrust Enforcement 325, 325–46.

117 Sauter, supra, note 107, 410–12.

118 ibid, 423–25.

119 Netherlands Authority for Consumers and Markets, supra, note 104, 3.

120 ibid, 14. See also the definition of Art 2(h) UCP Directive.

121 UK CMA, supra, note 39, 27.

122 Botta and Wiedemann, supra, note 85, 444.

Figure 0

Table 1. Overview of recognised and possible further uses of the notions of market power and special responsibility.