On July 4, 2023, the Court of Justice delivered its judgment in Meta Platforms Inc. v. Bundeskartellamt, following a request for a preliminary ruling from the Düsseldorf Higher Regional Court (“Düsseldorf Court”) on the validity of the German Federal Cartel Office (“FCO”) 2019 decision finding that Meta Platforms (“Meta”) abused its dominant position by collecting and processing data without users giving their consent freely. The Court of Justice confirmed that competition authorities can find breach of data protection rules under the General Data Protection Regulation (“GDPR”) where that finding is necessary to establish the existence of an abuse of dominance under Article 102 of the Treaty on the Functioning of the European Union (“TFEU”). The Court of Justice however emphasized that competition authorities are required to consult and cooperate with national supervisory authorities in charge of GDPR enforcement (“GDPR authorities”).
On February 6, 2019, the FCO found that Meta had exploited its dominant position on the German market for social networks by making the use of Facebook conditional upon the collection and aggregation of user data from Facebook, other online services belonging to the Meta group (such as Instagram and WhatsApp), and third-party websites and apps with embedded Facebook interfaces. The FCO concluded that this practice violated the GDPR as: (i) user’s consent was not freely given; and (ii) the amount of data Meta collected (including outside Facebook) and combined into user profiles was not necessary. As a result, the FCO ordered Meta to adapt its terms of service and combine the data it collects from other sources with Facebook user profiles onlyif users have freely given consent.
Meta appealed the decision to the Düsseldorf Court, which, on March 24, 2021, decided to stay the proceedings and to refer seven questions to the Court of Justice for a preliminary ruling. In terms of the interplay of competition law with GDPR rules, the Düsseldorf Court asked whether a national competition authority can find, in the context of an abuse of dominance investigation, that an undertaking’s data processing rules and the implementation thereof are not consistent with the GDPR, and, in the affirmative, whether such finding by the competition authority is also possible where the same rules are being simultaneously investigated by the competent GDPR authorities. The remaining questions sought clarifications on the interpretation of certain GDPR provisions.
In his opinion delivered on September 20, 2022, Advocate General Rantos concluded that a competition authority may examine, as an incidental question, the compliance of the practices under investigation with the GDPR rules, while taking into account relevant GDPR precedents, informing, and, where appropriate, consulting the competent GDPR authorities.
In its judgment, the Court of Justice held that a dominant undertaking’s non-compliance with the GDPR could be a “vital clue” indicating a breach of Article 102 TFEU. The Court of Justice further noted that access to and the use of personal data are “of great importance” and a “significant parameter of competition” in the digital economy, in particular for online advertising.
At the same time, the Court of Justice clarified that national competition authorities do not replace GDPR authorities, and should cooperate with them to avoid divergences of interpretation. The Court of Justice set out detailed guidance for the cooperation process, clarifying that competition authorities must comply with prior decisions from the competent GDPR authorities concerning the lawfulness of the conduct in question or similar conduct. The Court of Justice further explained that competition authorities should consult and seek the cooperation of GDPR authorities where: (i) there are doubts as to the scope of the GDPR authorities’ prior assessment; (ii) the competition and GDPR authorities are simultaneously examining the conduct in question or similar conduct; or (iii) the relevant GDPR authorities have not started an investigation. GDPR authorities must in turn respond to requests from competition authorities within a reasonable period of time.
In this case, the Court of Justice considered that the FCO contacts with data protection authorities in Germany and Ireland, and their confirmation of the absence of parallel investigation, was sufficient to meet its cooperation obligations.
The Court of Justice judgment confirms the Bundeskartellamt’s reasoning, recognizing the relevance of data protection compliance in abuse of dominance investigations. It is part of a wider European enforcement strategy in the digital economy. The FCO’s case inspired Article 5(2) of the Digital Markets Act (“DMA”), which formulates consent obligations for cross-service processing of personal data by gatekeeper platforms, irrespective of whether that processing complies with the GDPR. Future antitrust enforcement, in particular by the Commission, would therefore be related to data protection infringements which are not covered by the DMA, but distort competition in the internal market.
Dominant companies should carefully review their data processing policies from a competition law angle, given the possibility of investigations related to their GDPR compliance by competition authorities, in addition to investigations initiated by GDPR authorities.
 Meta Platforms Inc. v. Bundeskartellamt (Case C-252/21) EU:C:2023:537.
 Formerly Facebook Inc.
 Decision of the Bundeskartellamt (6th Decision Division) in Case B6-22/16. For additional information, see our January-February 2019 German Competition Law Newsletter.
 Potential users wishing to join Facebook had to either agree to the data collection/processing practice or refrain from using Facebook entirely.
 Meta Platforms Inc., v. Bundeskartellamt (Case C-252/21), opinion of Advocate General Rantos, EU:C:2022:704. For additional information on the opinion, see our Cleary Antitrust Watch post of September 20, 2022.
 Meta Platforms Inc. v. Bundeskartellamt (Case C-252/21), para. 47.
 Ibid, paras. 50 and 51.
 Specifically the Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI) (Federal Commissioner for Data Protection and Freedom of Information, Germany), the Hamburgische Beauftragte für Datenschutz und Informationsfreiheit (Commissioner for Data Protection and Freedom of Information, Hamburg, Germany) and the Irish Data Protection Commission (“DPC”).
 The Court of Justice judgment was handed down shortly after the Irish DPC imposed a €1.2 billion fine on Meta regarding processing, including storage, in the US of personal data of EEA users. See DPC’s press release of May 22, 2023, available here.