In the constantly expanding digital environment, personal data has become a crucial resource for the survival and success of a tech company, as it can be used to better personalise the experience of users and to develop novel services.
Given the economic advantages associated with broad access to personal data, it has become increasingly clear that unregulated access to it may pose serious questions from a competition law perspective. In that regard, the CJEU ruled in Meta v Bundeskartellamt that “it may be necessary for the competition authority (…) also to examine whether that undertaking’s conduct complies with rules other than those relating to competition law, such as the rules on the protection of personal data laid down by the GDPR” (1).
This decision opened up the avenue for a wide range of national authorities (overseeing, for example, competition, telecom, finance, or consumer protection) to examine compliance with the GDPR as part of their investigations. The judgment highlights that both national Data Protection Authorities (DPAs) and other authorities are bound by the principle of sincere cooperation and that the latter should ask for the opinion of the DPAs when considering GDPR compliance (2). As such, the national authorities must assist each other, in full mutual respect, in carrying out tasks which flow from the Treaties, taking any appropriate measure to ensure fulfilment of the obligations arising from EU law and refraining from any measure which could jeopardise the attainment of the European Union’s objectives (3). However, the judgment also establishes that the national authorities may continue their investigation without input from the DPAs, should the latter not reply to a request for cooperation or have no objection to the investigation (4). This caveat allows for situations in which various national authorities can effectively review the application of the GDPR by themselves, giving rise to the possibility of inconsistent interpretations and applications of the data protection regime.
In parallel to the Court’s novel decision, the the EU has been carefully considering an update of the GDPR, meant to streamline the enforcement mechanism and induce better cooperation between the DPAs. To that end, the Commission has proposed a new GDPR Procedural Regulation (5). However, this document does not address the potential for collaboration between DPAs and other national authorities, despite vehement calls from the industry and civil society. An amendment has been proposed in the LIBE committee of the European Parliament, which entails that the DPAs ‘shall strive to communicate the information obtained in the context of the procedures set out in this Regulation to national and Union supervisory authorities competent in data protection and other areas, including competition, financial services, energy, telecommunications and consumer protection authorities, where the information is deemed relevant to the tasks and duties of those authorities’(6).
However, this amendment still confers broad discretion, as a DPA may share this information only where it deems so relevant. This discretion may give rise to a degree of dissonance between the national authorities: the DPA may not be privy to certain aspects of other authorities’ investigations to the degree necessary to assess the relevance of that information. Moreover, this approach only addresses the relationship between DPAs and other national authorities unidirectionally, failing to establish any procedural rules for collaboration from the perspective of the latter, similar to those briefly described in the Court’s judgment.
A harmonised European approach to the matter of inter-institutional collaboration between DPAs and other national administrative authorities is however crucial, as the authorities in multiple Member States have already signalled their intention to work closely with their data protection counterparts. For example, following the exemple of the Bundeskartellamt in Germany, the French competition and data protection authorities have also issued a joint declaration on their future collaboration (7).
These national initiatives signal an interest that is bound to resonate at European level soon – at Spark, we are closely monitoring any developments in the regard. We look forward to observing how this endeavour will unfold, both at national and European levels!
(1) Case C-252/21 Meta v Bundeskartellamt EU:C:2023:537, paragraph 48.
(2) ibid paragraphs 54-58.
(3)ibid paragraph 53.
(4) ibid paragraph 59.
(5) European Commission, ‘Proposal for a Regulation of the European Parliament and of the Council laying down additional procedural rules relating to the enforcement of Regulation (EU) 2016/679’ COM(2023) 348 final.
(6) Committee on Civil Liberties, Justice and Home Affairs, ‘Amendments 219-454’ 2023/0202(COD), amendment 311.
(7) CNIL, ‘Protection des données et concurrence : la CNIL et l’Autorité de la concurrence signent une déclaration conjointe’ (12 December 2023, CNIL), https://www.cnil.fr/en/node/164651.