The two areas in which tech companies face major regulatory scrutiny are antitrust law and data privacy. These are generally thought of as different worlds subject to different legal processes; that was, at least, the position of Meta in its defense against a 2019 investigation by the German “Bundeskartellamt” competition agency.
Meta has now lost that case in the EU’s highest court, opening the door for other antitrust investigations in the bloc to incorporate data privacy violations and frame them as part of a systemic abuse of market position. The Court of Justice of the European Union (CJEU) said that antitrust regulators are required to take into consideration any extant investigations or decisions made by more direct regulatory authorities on data privacy issues, but that they were not strictly limited in examining conduct that falls outside the usual bounds of competition law.
Antitrust law decision creates stronger ties between competition law and GDPR
The case stems from a 2019 order by the German antitrust authority to Meta, requiring the company to cease collecting user data in the country without consent. That’s not an unusual occurrence for Meta, which has been fined or restricted numerous times throughout the EU in recent years. However, those actions are usually undertaken by data protection authorities directly responsible for investigating GDPR violations. What was unusual here was a competition authority using antitrust law to directly regulate an issue involving personal data collection.
Meta challenged the order on the grounds that the German authority had overstepped its bounds. The case went to the CJEU, where judges found in the German regulators’ favor. The court took the side of regulators in viewing the use of consumer personal data by “very large” internet companies as a potential abuse of antitrust law, establishing a firm legal precedent that had not previously existed.
In terms of impact on Meta, the antitrust law ruling may further crimp its ability to gather data for targeted advertising within the bloc. Meta is already struggling with the ability to ship EU data overseas to its servers in the US, with rulings and complaints flowing from the Schrems II case also going against it. Now it may have to retool its services to obtain even more explicit permission from users to collect the personal data it uses to fuel its massive advertising network.
The original complaint was about the scope of data collection amidst Meta’s breadth of services (such as Facebook, WhatsApp, and Instagram). It alleged that Meta (then Facebook) was not only combining data from all of these different services without proper user consent, but that it was also intermingling it with third party apps and data sources. The initial ruling ordered Facebook to stop combining data in this way. Antitrust law was invoked as the regulator argued that some of these services are too large to reasonably avoid using in many sets of circumstances, and that consumers were being unfairly pressured into either handing over extensive personal data or being locked out of this digital ecosystem.
Large digital platforms in EU facing major rule changes in 2023
This precedent does not just apply to Meta; other major platforms, such as Twitter and TikTok, and other major retailers and affiliate marketers that gather comparable data for targeted advertising, such as Amazon and Google, will also likely have to make similar tweaks to consent processes and keep EU antitrust law in mind when making data-handling decisions.
Regardless of how the CJEU ruling ends up playing out as a legal precedent, big tech companies and major online retailers are about to be subject to new antitrust laws when the Digital Markets Act takes effect later this year. Passed in September of last year, the new law goes into force on November 1. The new rules assign a special “gatekeeper” status to online platforms of a certain size, applicable to companies that have an “entrenched and durable position” in the EU market and that have annual turnover of at least €7.5 billion within the bloc. Gatekeeper status will be assigned by the European Commission, and companies will have two months after reaching the applicable thresholds if they want to contest the status.