CYIL vol. 12 (2021)

CYIL 12 (2021) The ROLE OF COMPETITION POLICY IN CYBERSECURITY account the fact that the EU institutions have so far treated data privacy and competition policy as separate issues. As clearly expressed by the Court of Justice in the Asnef-Equifax case: “[A]ny possible issues relating to the sensitivity of personal data are not, as such, a matter for competition law, they may be resolved on the basis of the relevant provisions governing data protection ”. 52 The same approach is shared by the Commission, as is apparent in its merger-review decisions concerning digital markets; in particular, in case Facebook/WhatsApp , the Commission followed the Court of Justice, declaring that “ Any privacy-related concerns flowing from the increased concentration of data within the control of Facebook as a result of the Transaction do not fall within the scope of the EU competition law rules but within the scope of the EU data protection rules ” . 53 The same is true for Commission’s policy statements. Margrethe Vestager, the Commissioner responsible for competition policy and currently the Vice-President of the Commission, summarised the same idea on a conference in 2016; 54 it has also been recently acknowledged on another conference in 2020 by Thomas Kramler, head of European Commission’s Directorate-General for Competition’s digital single market task force, who declared that competition authorities should be wary of combining antitrust and privacy goals as the two areas of law have fundamentally different purposes. 55 Still, this division between data protection and competition policy is far from being universally accepted. It may be argued that both these policies aim to achieve market integration and share a concern for the welfare of the individual; thus, data protection law can act as an internal influence on substantive competition law assessments. 56 It can be argued that services provided by search engines, social networks and others co consumers for no remuneration are not actually for free but paid for with the data and the privacy of users. From that perspective, excessive data collection could be challenged directly as being exploitative ‘price’ abuse; failure to ensure adequate transparency about data collection, and insufficient privacy options can also be considered as abusive behaviour. 57 Thus, the simple fact that data protection rules have been breached cannot rule out the application of competition law; as the French and German competition authorities have summarised in their joint position paper: Decisions taken by an undertaking regarding the collection and use of personal data can have, in parallel, implications on economic and competition dimensions. Therefore, 52 CJ EU judgement of 23 November 2006 C-238/05 Asnef-Equifax , ECLI:EU:C:2006:734, par. 63. 53 Commission Decision of 3 December 2014 Facebook/WhatsApp (COMP/M.7217), par. 164. 54 In her speech from17 January 2017, the Commissioner mentioned that: “ I don’t think we need to look to competition enforcement to fix privacy problems. But that doesn’t mean I will ignore genuine competition issues just because they have a link to data ” . The transcript is available at: https://wayback.archive-it.org/12090/20191129204050/ https://ec.europa.eu/commission/commissioners/2014-2019/vestager/announcements/competition-big-data- world_en (accessed 1 September 2021). 55 MASSON, J. DG Comp Official: privacy and antitrust are fundamentally different. Global Competition Review , 1 May 2020, available at: https://globalcompetitionreview.com/dg-comp-official-privacy-and-antitrust-are- fundamentally-different (accessed 1 September 2021). 56 In detail, see COSTA-CABRAL, F., LYNSKEY, O. Family ties: the intersection between data protection and competition in EU Law. Common Market Law Review , 2017 (1), p. 14. 57 In detail, see KERBER, W. Digital Markets, Data and Privacy: Competition Law, Consumer Law and data Protection. Journal of Intellectual Property Law & Practice , 2016 (11), p. 861.

221