CYIL vol. 12 (2021)

CYIL 12 (2021) The ROLE OF COMPETITION POLICY IN CYBERSECURITY with data collected on Facebook, constitutes an abuse of dominant position on the social network market in the form of exploitative business terms […]. Taking into account the assessment under data protection law pursuant to the General Data Protection Regulation (GDPR), these are inappropriate terms to the detriment of both private users and competitors . 64 The previous German case law addressing the unbalanced negotiation position concerned breaches of civil law, which amounted to abuse of dominance; 65 the BKA concluded that the same approach is applicable to breaches of data protection law. 66 This puts the case in a specific context, making it a national case, which would not necessarily have an impact on decision making of other competition authorities. 67 4. Partial Conclusions The question discussed in this chapter is, whether competition law is an adequate tool to address data protection concerns; as summarised by other authors: “ it is apparent that the appropriate way to handle the Facebook case would be to conclude that its conduct amounts to an unfair commercial practice. An unfair practice protection would ensure the same outcome in terms of the remedy, without having to overcome the hurdles of an antitrust investigation ”. 68 It is undisputed that the competition law cannot be excluded from cases concerning data privacy, as is apparent from many cases related to on-line advertising, currently under investigation throughout the world. It is only disputed whether the breach of GDPR in itself is capable of triggering an antitrust intervention. We do not question the BKA’s conclusions, as far as they are grounded on a solid German jurisprudence relating to specific cases of abuse of dominance. We only argue that other legal tools might have been employed to address Facebook’s misconduct. This may be the reason why the Commission, as well as other competition authorities, concentrated on other aspects of Facebook’s data-related practices, employing a more traditional antitrust analysis. IV. Conclusions In this article, we have reviewed two scenarios of disputable usage of competition law in cases connected to cybersecurity. As far as cybersecurity itself is concerned, we have argued that the competition law should not prohibit practices that are at first sight anticompetitive, that are however necessary for cybersecurity reasons; the same applies to conduct of public authorities, excluding certain undertakings from competition on cybersecurity reasons. Concerning competition law and data privacy, we have concluded that the application of competition law is not excluded, it shall however only be applied when a clear harm to the competitive process may be demonstrated. As such practices are currently being investigated in numerous jurisdictions throughout the world, we may expect more debate on this topic in the future.

64 Case summary, p. 7. 65 In detail, see e.g., LORENZO-REGO, I. ( op. cit. ), p. 106. 66 BKA Case Summary, p. 8. 67 BECHER, C., ( op. cit. ), p. 121. 68 COLANGELO, G., MAGGIOLINO, M., ( op. cit. ), p. 239.

223