CYIL vol. 12 (2021)

CYIL 12 (2021) THE ROLE OF COMPETITION POLICY IN CYBERSECURITY

We thus conclude that, similarly to EU competition law, Czech competition law, despite its specific provisions on the conduct of public authorities, cannot be relied on against the measures of the Czech Cybersecurity Agency.

3. Partial conclusions

As argued above, competition law, both the EU and – in principle – a national one, cannot be relied on by undertakings that have been excluded from competition for cybersecurity reasons. We believe that this approach is justified. Competition law cannot be employed only to secure cybersecurity, but at the same time, it cannot override the security concerns either. We put forward that competition policy and cybersecurity constitute independent policies that complement each other, and it would not be advisable for one to take precedence over the other.

III. Competition Law and Data Privacy

As antitrust authorities throughout the world increasingly focus on digital technologies, the question of consumer data becomes more and more important for competition law enforcement; thus, many internet giants are investigated throughout the world for the advantage they gained in internet advertising thanks to the data they are able to collect.

1. The Facebook case

In this Article, however, we discuss a novel approach to antitrust enforcement with regard to data privacy.
In February 2019, the German Competition Authority (BKA – Bundeskartellamt) issued a decision declaring that Facebook abused its dominant position in the German market for social networks, in principle, by making access to the services of Facebook conditional upon the users’ consent to collect and use data generated by other services owned by Facebook (in particular, WhatsApp and Instagram), as well as third-party websites using “Facebook Business Tools”, e.g., the “Like” button or “Facebook login”, and merge them with data generated by Facebook itself for the purposes of customer profiling. [41] The decision was ultimately taken only on the basis of German competition law, not the EU’s; the BKA nonetheless “closely liaised with the European Commission and other competition authorities in the course of the proceeding”. [42] The fact that only German competition law was applied, with its specific case law concerning abusive business terms, might have had a significant impact on the assessment of the case, as will be discussed below. No fine was imposed on Facebook; the BKA only prohibited the continuation of the practice.

It is not really disputed that Facebook’s practices were not in line with the General Data Protection Regulation (GDPR); [43] as the BKA itself summarised it:

[41] The BKA published in English detailed background information (hereinafter referred to as “BKA Background Information”), available at: https://www.bundeskartellamt.de/SharedDocs/Publikation/EN/Pressemitteilungen/2019/07_02_2019_Facebook_FAQs.pdf?__blob=publicationFile&v=5 (accessed 1 September 2021), and a case summary (hereinafter referred to as “BKA Case Summary”), available at: https://www.bundeskartellamt.de/SharedDocs/Entscheidung/EN/Fallberichte/Missbrauchsaufsicht/2019/B6-22-16.pdf?__blob=publicationFile&v=4 (accessed 1 September 2021). For details on the decision, see e.g. LORENZO-REGO, I. The Perspective of the Bundeskartellamt in the Evaluation of Facebook’s Behaviour: Prior Considerations and Possible Impact. European Competition and Regulatory Law Review, 2019 (2), p. 100.
[42] BKA Background Information, p. 6.
[43] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection
