1 Introduction

This submission argues that in those situations where the market dominance of an undertaking is based to a significant extent on personal data processing, EU competition and data protection law should be applied in a coherent and consistent manner. In other words, the enforcers of these legal regimes should take into account the normative values and objectives underlying the respective other legal regime as much as possible.Footnote 1 Such an interpretation and application of these legal regimes is not only reasonable, but necessary to adequately assess and deal with the conduct of market dominant digital platforms. As will be seen, recent case law and other developments have shown that competition law and data protection law are sometimes inextricably interwoven. A consistent and coherent interpretation and application should thus be pursued in suitable constellations in order to cater for all interests concerned.

This Opinion is based on an analysis of the recent investigations undertaken by the French competition authority Autorité de la Concurrence concerning Apple’s “App Tracking Transparency framework”. Apple implemented a significant de facto obstacle to third-party tracking through apps available in the Apple App Store which could result in financial losses for app producers who can no longer engage in efficient personalized advertising. This case is a textbook example of a situation where data protection and competition policy considerations are intrinsically linked.

With this case as its inspiration the paper then provides a dogmatic example of how a coherent and consistent approach can be realized by means of the interpretation of already existing statutes. It will be argued that a normative and dogmatic link between the General Data Protection Regulation (GDPR)Footnote 2 and competition lawFootnote 3 is given in cases where a business model is based on or closely related to a large-scale consent-based processing of personal data. The Apple case referred to above would be such a case, as well as the business models of Facebook and Google. The link between data protection and competition law is apparent when these cases are seen against the backdrop of their joint objective of protecting consumer autonomy (which includes, in particular, the provision of consumer choice). Consumer autonomy here is understood as the possibility to decide freely whether and how to participate in a market. It will be shown that both legal regimes pursue this objective. From a competition law perspective, the protection of consumer autonomy is necessary to protect the competitive process. From a data protection law perspective, consumer autonomy is a fundamental aspect of the data subjects’ right to informational self-determination. The GDPR provides for a normative framework in the context of consent as a legal basis for the processing of personal data by providing guidance on when consent is “freely given” or not. This “freedom to choose”, granted by the GDPR to users whose personal data are monetized, shares significant overlaps with the economic freedom acknowledged in the relevant competition law jurisprudence.

Section 4 provides an overview of some recent developments in the field of competition law, which show that there seems to be a general trend in line with the approach argued for within this submission.

2 The Apple ATT Case

2.1 Factual Background

In April 2021, Apple released an updateFootnote 4 for its iPhones, iPads and TV boxes which implemented its “App Tracking Transparency framework” (ATT framework). Since then, apps wanting to track users across apps and websites must show a tracking permission prompt and ask them for consent.Footnote 5 The design and wording of this pop-up is predefined. It reads: “Allow [the App you are currently using] to track your activity across other companies’ apps and websites?” Below that question, the app developer is supposed to provide an explanation why they would like to track the user, such as “Your data will be used to deliver personalized ads to you.” The user must select either “Ask App Not to Track” or “Allow”.Footnote 6 Use of an app must not be made dependent on the user’s granting of consent; otherwise, it will not be admitted to the Apple App Store.Footnote 7 App developers can provide users with additional information on the purposes of tracking. If users do not grant consent, then apps will not be able to access the Identifier for Advertisers (IDFA). The IDFA is a unique identifier assigned to every Apple device, allowing for effective personalized advertising. Not only does it allow advertising networks to track users across websites and apps in order to create profiles and target them with personalized advertising, it also helps determine the conversion rate. For instance, a user might be shown an ad for a certain product offered by a specific store in their Facebook newsfeed. A few days later, they buy this product online at this store. The IDFA assigned to their Apple device allows the parties involved (Facebook, advertising network, store, etc.) to discover that they had seen the ad and then bought the product.

The new tracking permission prompt is to be implemented by the app developers on top of the privacy policy that they have to provide anyway. These policies usually already contain a request for consentFootnote 8 to the processing of personal data for the purpose of tracking. As they have to provide a variety of information in order to comply with the transparency standards set by the GDPR,Footnote 9 these policies are significantly longer and more complex than the tracking permission prompt implemented with the ATT framework. The latter is a pointed, somewhat blunt way of guaranteeing that users take a deliberate decision whether or not they would like to be tracked.

As was to be expected, opt-in rates were low. In the first three weeks after implementation of the updates, only between 13 and 14 % of US Apple users allowed tracking when the tracking permission prompt was presented to them.Footnote 10 This is remarkable, as users were already able to block access to the IDFA in their devices’ settings before the ATT framework was introduced. Yet, the majority of users did not do so. One can only speculate why this was the case. Perhaps users simply did not know that they could block tracking so easily, or they did not care, or both.Footnote 11 In any case, when users must take an immediate decision on tracking, they are prone to deny it.

2.2 Abuse-of-Dominance Proceedings by the Autorité de la Concurrence

2.2.1 Nature of the Allegations

In October 2020, several associations representing a variety of players of the French online advertising sector lodged a complaint with the Autorité de la Concurrence (Autorité). The complainants requested a halt to the roll-out of the updated operating system during interim proceedings in order to block the implementation of the ATT framework.Footnote 12 In summary, their complaint – which is primarily based on Art. 102(a) TFEUFootnote 13 – is two-fold.

Firstly, the complainants argue that Apple’s conduct represents an exclusionary abuse of dominance to their detriment. They claim that Apple introduced the ATT framework in order to dissuade users from granting consent to third-party tracking.Footnote 14 They argue that Apple’s imposition of the ATT framework upon app developers represents unfair trading conditions under Art. 102(a) TFEU. They claim the implementation of the obligatory tracking permission prompt is both redundant and illegitimate, and neither necessary nor proportionate with a view to Apple’s objective of protecting user privacy.Footnote 15Inter alia, they argue that the tracking permission prompt is unnecessary, as consent must be retrieved under the GDPR and the ePrivacy Directive anyway, and users might be subject to a negative user experience due to the additional consent forms they are facing.Footnote 16 The core allegation of the complaint seems to be that Apple de facto cuts off the advertising industry from access to highly valuable personal data relevant for online advertising, which ultimately leads to significant financial losses.

Secondly, the complainants argue that Apple is engaging in anticompetitive self-preferencing: Apple allegedly makes third-party tracking nearly impossible for advertisers yet continues to engage in this conduct itself without using the tracking permission prompt in dispute.Footnote 17

2.2.2 The Autorité’s Decision

The Autorité did not follow the line of argument presented by the complainants. It decided in favour of Apple by not issuing interim measures.

In particular, it found that app developers who have to comply with the ATT framework in order to sell an app through the Apple App Store are not facing unfair trading conditions.Footnote 18 The Autorité argues that Apple (here acting as a dominant platform connecting app developers and users) can define the rules of access to its platform, as long as these rules are neither illegal nor anticompetitive. It refers, inter alia, to United BrandsFootnote 19 and to the proportionality test introduced in BRT-SABAMFootnote 20 and finds that Apple pursues a legitimate objective, as the provision of a high level of personal data protection is part of Apple’s brand image and long-term business strategy.Footnote 21 For various reasonsFootnote 22 the implementation of the ATT framework is also both necessary and proportionate in this regard. For instance, the tracking permission prompt uses a neutral wording that does not nudge users towards a specific choice, and granting or denying consent are equally simple.Footnote 23 Furthermore, the introduction of Apple’s new rules was delayed for several months in order to grant app developers sufficient time to adapt.Footnote 24 The impediment to competition resulting from the ATT framework is thus justified.

The Autorité’s decision is in parts based on a statement received from the French data protection authority Commission Nationale de l’Informatique et des Libertés (CNIL).Footnote 25 This statement paints a positive picture of the ATT framework in terms of data protection law compliance. This has been taken into consideration in favour of Apple. According to the CNIL, even though the tracking permission prompt alone cannot fulfil the GDPR’s transparency requirements, it raises the users’ awareness on how much data is collected about them for the purpose of creating profiles.Footnote 26 The “additional” consent layer prescribed by Apple is in line with the GDPR’s and ePrivacy Directive’s requirements and corresponds to the GDPR’s values and principles (such as “data protection by design and by default”, cf. Arts. 24–25 GDPR).Footnote 27 The tracking permission prompt gives users “more control over their personal data by allowing them to make their choices in a simple and informed manner (…) and by technically and/or contractually preventing app publishers from tracking the user without their consent.”Footnote 28

Finally, the Autorité did not find evidence that Apple engages in illegal self-preferencing, as its own advertising service does not fall under the definition of third-party tracking under the ATT framework.Footnote 29 Still, the authority will continue its investigation in this regard.

2.3 Analysis

The Apple ATT case is novel as it deals with a rare scenario, namely that conduct aimed at being data protection friendly is under competition law scrutiny. It serves as a counterpart to the abuse-of-dominance proceedings conducted by the German Federal Cartel Office (Bundeskartellamt) against Facebook, which deal with the question of whether imposing terms of use in violation of the GDPR represents an exploitative abuse of dominance to the detriment of users.Footnote 30

In Apple ATT, users are “being made aware” by the tracking permission prompt in a very direct and concise manner. As a result, representatives of an industry which regularly confronts users with consent requests contained in (often illegallyFootnote 31) pre-ticked boxes and pop-ups asking users for consent in a way that most of the time represents nudging (due to their design) now complain that Apple wants users to make a choice based on a simple and neutral consent form. The impact of Apple’s conduct on advertising markets is obvious. Many market participants’ business models rely on income generated through online advertising. They might have to adapt to the changes introduced by Apple, depending on how severe the factual impact of the tracking permission prompt will be. Indeed, other methods of financing apps are available. App developers may try to develop new methods of personalized advertising that do not use third-party tracking in the sense of the ATT framework, or resort to non-personalized advertising based on context (which can also be very profitableFootnote 32). Apps can also resort to a variety of payment models (single purchase, subscription model, in-app payments etc.).Footnote 33

Yet the actual problem lies somewhere else. The decision whether someone wants to be tracked eventually lies in the hands of the users – not in Apple’s hands. App developers rightly fear that users confronted with a “yes or no” question in dispute will answer “no” most of the time. This is rational: they neither see an immediate benefit in allowing the privacy invasion nor do they suffer immediate harm when declining. It also shows that users care about tracking and mostly do not appreciate it. At the same time, a severe problem – maybe even a market failure – becomes obvious in the field of digital advertising. The industry is largely based on personalized advertising based on profiling, yet users actually do not want this trade – “free app in exchange for privacy invasions” – when asked. The ATT tracking permission prompt points the finger to this structural deficit embedded in today’s online world. Insofar, Apple’s initiative might also be seen as a means to position itself within the on-going discussion broadly held at the European level – including by a group of MEPs – on whether targeted advertising should be further restricted or banned altogether, for instance within the Digital Services Act.Footnote 34

The ATT framework has the potential to increase the factual level of data protection, as users are made aware of tracking and able to exercise real influence in this regard. It can be expected that the reduction of the data flow towards advertising networks leads to an increase in user privacy.Footnote 35 It makes no difference in this regard whether Apple continues to collect user data itself, as the amount of data collected within the Apple ecosystem is independent of the amount of data advertising networks collect.

One can only speculate about what factors might have made Apple introduce the ATT framework. The most obvious reason is marketing: the tech company wants to be perceived as privacy and data protection friendly. This is in line with a general trend pursued in the tech industry.Footnote 36 Yet, Apple’s data protection friendliness only goes as far as it is lucrative. In 2018, Apple complied with a new Chinese regulationFootnote 37 by moving the cryptographic keys that are needed to unlock Chinese iCloud accounts to China. This de facto enables local authorities to easily access data stored within such accounts without having to go through the US legal system.Footnote 38

Apple may profit financially as well, as more apps may start demanding monetary payments. When an app is sold in the App Store (or in the case of an in-app purchase or a subscription), Apple receives a share of 15 or 30 %. It thus profits when more app developers have to sell their apps.Footnote 39 This argument was brought up by the complainants.Footnote 40 It is also widely distributed by Facebook, which also argues – both online and in print advertisements published in The New York Times, The Washington Post and The Wall Street Journal – that small businesses will in particular suffer greatly as they can no longer reach customers with personalized ads.Footnote 41 The latter claim has been criticized as being wrong or at least misleading.Footnote 42

Also, taking into consideration that Apple itself is engaged in online advertising,Footnote 43 the ATT framework might eventually strengthen its position in this field. The sheer volume of data Apple can collect within the Apple ecosystem (i.e. within its proprietary apps and services, such as Apple TV, Apple Maps, iTunes, etc.) is enough to provide effective personalized advertisements without access to data collected by third parties. Here, the complaint that Apple engages in illegal self-preferencing comes into play. Apple states that tracking “refers to the act of linking user or device data collected from your app with user or device data collected from other companies’ apps, websites, or offline properties for targeted advertising or advertising measurement purposes. (…)”Footnote 44 Thus, if data sharing takes place within one company only, the tracking permission prompt is not necessary, as this conduct does not fall under the definition.Footnote 45 This benefits Apple and the other (few) companies big enough to collect a sufficient amount of data themselves. It thus is not surprising that Google has announced that its apps will not have to show the tracking permission prompt.Footnote 46

2.4 Further Thoughts and Summary

The Apple App Store is currently the only place where apps for Apple devices can be sold. The rules of access to this multi-sided platform, which connects users and app developers, are solely defined by Apple.Footnote 47 Its role as an intermediary made it possible to introduce the ATT framework, even against the wishes of app developers.

The tracking permission prompt mandated by the ATT framework is in line with the normative values underlying data protection regulation, and is to be welcomed in this regard. The ATT framework grants users control and increases transparency. This holds true not despite the pointed character of the pop-up, but because of it: users must answer a simple but clear question. The long-term impact on app developers’ business models and on Apple’s role in the advertising field remains to be seen. In the future, users may be asked more often whether they would like to pay money for an app or whether they would prefer to be tracked (and receive personalized advertisements) instead. Such an increased amount of choice would be welcome from both a competition policy and a data protection point of view, as will be argued in the following section.

3 Linking the Two Legal Regimes: Consent and Consumer Autonomy

3.1 Introductory Thoughts

In the following, I will show that competition law and data protection law share some joint objectives, even though their primary goals are different. Both legal regimes are flexible, and thus ready to cope with technical developments. Hence, there is dogmatic room to apply them coherently and consistently.

One vivid and topical example where such application of both legal regimes is fruitfulFootnote 48 is consumer autonomy, in particular in the form of providing consumer choice. Apple ATT has shown how crucial the granting of consumer autonomy – in this instance the users’ possibility to decide whether they agree to third-party tracking or not – can be for business models based on personal data processing. A simple tracking permission prompt caused major uproar from the advertising industry and triggered an official investigation. Asking users for consent corresponds to granting them choice. This effect could be perpetuated if the ATT framework indeed leads to the effect that advertisers will offer different payment options to users (e.g. paying with consent/data, subscription or in-app payments, and so on).

With these considerations in mind, I base my argument on the assumption that consumer autonomy is a joint concern of competition and data protection law. Taking this further, I will argue that the role of consent to personal data processing serves as a factual and dogmatic link between the two legal regimes.

3.2 (Joint) Objectives of EU Competition and Data Protection Law

Competition and data protection law share at least three joint objectives.Footnote 49 Firstly, both legal regimes are supposed to protect and foster the internal market.Footnote 50 Secondly, both data protection and competition law aim at protecting consumers in those situations where an imbalance of power and/or unfair (trading) conditions are given.Footnote 51 Thirdly, both regimes protect competition on the merits. In the competition law context, this is established case law and lies in the very nature of its subject matter.Footnote 52 But the GDPR arguably also pursues this objective with its provision on data portability (Art. 20 GDPR).Footnote 53 The latter has two objectives. The first one is set within the classical ambit of data protection regulation, in that it aims at strengthening the level of control data subjects have over their personal data.Footnote 54 Secondly, data portability aims at reducing lock-in-effects, which in turn fosters competition.Footnote 55 This pro-competitive effect was taken pretty seriously by the European Commission in its Google-Sanofi merger decision.Footnote 56 The joint venture planned to engage in the data-based treatment of diabetes patients. The authority found that there was no serious risk of anticompetitive lock-in effects, as “the Parties would lack the ability to lock-in patients by limiting or preventing the portability of their data given that, according to the draft [GDPR], users will have the right to ask for data portability of their personal data.”Footnote 57

3.3 Consumer Autonomy and Competition Law

Rupprecht Podszun convincingly argues that European competition law contains a “principle of autonomy of economic actors”.Footnote 58 This means that independent and autonomous decision-making of market participants, including consumers, can and should be seen as a key concept of European competition law. A “requirement of independence” has been defined by a variety of decisions of the European Court of Justice on Art. 101 TFEU [Art. 81 TEC], starting with Suiker Unie.Footnote 59 The Court found that

[t]he criteria of coordination and cooperation laid down by the case-law of the Court (…) must be understood in the light of the concept inherent in the provisions of the Treaty relating to competition that each economic operator must determine independently the policy which he intends to adopt on the common market including the choice of the persons and undertakings to which he makes offers or sells.Footnote 60

This formula has become established case law in Art. 101 TFEU cases, i.e. in the context of anticompetitive horizontal agreements.Footnote 61 The Court refers to it as a concept, and in doing so does not provide any indication that only horizontal situations – for example, coordination with competitors – are covered.Footnote 62 The “requirement of independence” can, arguably, be transferred on constellations involving platforms and thus be applied in abuse-of-dominance cases involving horizontal and/or vertical relations. Consumers are “economic operators”, too, and the factual level of independence and autonomy they have when making decisions has direct influence on the competitive process. The more choice and autonomy consumers have when operating on the market, the higher should be the dynamic of the competitive process. Little consumer autonomy, on the other hand, will impede competition and innovation in the long run. Consequently, there is not only a strong economic argument to protect consumer autonomy through competition law – the approach can also be based on the concept of competition inherent in the Treaty.

3.4 Consumer Autonomy and Data Protection Law

The GDPR protects the fundamental rights and freedoms of natural persons, with an express focus on the right to the protection of personal data given under Art. 8(1) of the Charter of Fundamental Rights of the European Union and under Art. 16(1) TFEU.Footnote 63 It is characterized by the notion that data subjectsFootnote 64 have a right to informational self-determination, which can be paraphrased as “informational autonomy”.Footnote 65 In the context of personal data protection, this right stands for

control over one’s personal information, that is, the individual’s right to determine which information about themselves will be disclosed, to whom and for what purpose (…). “Control” also signifies, not so much the ability to decide about the use of one’s data, but at least the right to be aware of its fate, to be informed about who knows what about you and for what purpose.Footnote 66

In the same vein, Recital 7 GDPR states that natural persons “should have control of their own personal data.” The emphasis on “control” is not completely unproblematic, as research suggests that control does not automatically result in a higher protection of privacy.Footnote 67 Also, consumers often engage in irrational decision-making when it comes to the disclosure of their personal data online.Footnote 68

Despite these shortcomings, informational autonomy is a recurring theme inherent in the GDPR and one of its overarching values. As seen above, it is two-fold. Firstly, data subjects have a right to actively exercise a certain degree of control over what happens to their personal data: some decisions are to be taken only by them. Secondly, data subjects have a right to be informed about “who knows what” about them. They should not be in a position where they do not know what information regarding them is processed. Both aspects are intertwined, as meaningful decision-making is only possible when the data subject is informed about all the circumstances relevant for the decision.

Neither facet of the right to informational autonomy is absolute, as the right to the protection of personal data “must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality.”Footnote 69 Thus, for instance, there are situations where data processing can take place against the wishes of the data subject (e.g. when the controller can base the processing on her overriding legitimate interests under Art. 6(1)(f) GDPR). Also, transparency rights can be restricted on the basis of trade secrets protection and intellectual property rights.Footnote 70

Regarding transparency, the “principle of transparency” (Art. 5(1)(a) GDPR) applies. Chapter III of the GDPR contains the relevant key provisions.Footnote 71 Data subjects must be thoroughly informed by the data controller about the scope of the processing of personal data pertaining to them, including the (potential) consequences for them of the processing.Footnote 72 Data subjects must be provided with a wide array of information the moment their personal data are collected, and they have a wide-ranging right of access.Footnote 73 Even though the extent of these rights is not always clear (e.g. when data controllers use automated decision-making systemsFootnote 74), there is no doubt that the GDPR aims at establishing a regime with a high level of transparency.

The GDPR’s legal bases for personal data processing play a crucial role in the context of informational autonomy as well. According to Art. 6(1) GDPR, the processing of personal data is only lawful if (and to the extent that) the controller can rely on a legal basis. The list given is exhaustive. It contains legal bases that differ significantly, ranging from the consent of the data subject (lit. a), to processing that is necessary for compliance with a legal obligation (lit. c), to a general “legitimate interests” clause necessitating a balancing of the interests concerned (lit. f). Without such a legal basis, the processing is unlawful and subject to a fineFootnote 75 or public or private enforcement.

The legal bases differ significantly when it comes to the question of how much decision-making authority the data subject has. For instance, processing necessary for compliance with a legal obligation (lit. c) can take place no matter if the data subject agrees or not (as with the trader’s obligation to keep personal data for tax purposes, for example). On the other hand, the legal basis “consent” (lit. a) depends on whether the data subject wants the processing of their personal data to take place or not, thereby granting them control and choice.Footnote 76 The processing is legitimized by the data subject’s wishes (at least in theoryFootnote 77) and thus is a manifestation of their informational autonomy.Footnote 78

3.5 Consent: A Dogmatic Link between Competition and Data Protection Law

For many business models, and in particular those where personal data assume the role of a contractual consideration, the right legal basis will be consent under Art. 6(1)(a) GDPR, and Apple ATT is a good example. Advertisers relying on third-party tracking must have the users’ consent. How consent is retrieved – and whether or not Apple can force advertisers to implement its tracking permission prompt – is the main question in dispute.

Consent is “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” (Art. 4(11) GDPR).Footnote 79 In cases involving dominant platforms, the key question is whether consent is “freely given” or not. This questions links competition and data protection law, as the autonomous, free granting of consent is an expression of consumer choice.

The GDPR provides normative guidance regarding the term “freely given”. First of all, Art. 7(4) GDPR is relevant. It says that when

assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

Consent may thus be invalid in certain situations where the controller demands consent for the processing of “too many” personal data. Art. 7(4) GDPR plays a crucial role in the debate on “data as counter-performance”.Footnote 80 Its scope of application is controversial and difficult to define. “How far” can the controller go when demanding personal data as a counter-performance for a service – and when is the demand too excessive? There is no uniform answer to this question. Instead, a case-specific assessment is necessary, taking into consideration not only the data subject’s right to the protection of his or her personal data, but also the freedom of contract both parties can rely on.

In its Recital 43, the GDPR provides further guidance on how to interpret the term “freely given”:

In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation. Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case (…).

From an informational autonomy perspective, two relevant lessons can be taken from this Recital when it comes to assessing whether consent was indeed “freely given” or not.

Firstly, with a view to the first sentence of the Recital, if there is a “clear imbalance” between the parties to a contract, one must assess whether valid consent was given. By way of example, Recital 43 refers to a situation where the controller is a public authority demanding consent from a citizen. Judging from the telos and the wording of the Recital, the same assessment is necessary in situations of economic imbalance between two private parties. Thus, the GDPR aims at protecting the weaker party when there is power asymmetry. This must be all the more so if the controller is not only “more powerful”, but a market dominant company under competition law.

Secondly, with a view to the second sentence of Recital 43, the data controller may have to provide data subjects with a range of options to choose from when asking for consent if there are different personal data processing operations taking place. In other words, a granular, nuanced consent option – i.e. consumer choice – must be provided if this is possible and appropriate in the case at hand.

In a similar vein to Apple ATT, a prominent example where “freely given” consent is one of the decisive factors in a competition law case is Facebook.Footnote 81 In interim proceedings, the German Federal Supreme Court found that Facebook must give its users a choice whether they prefer a more or less intensive data-based personalization when registering for the social network.Footnote 82 The decision’s theory of harm is based on competition policy considerations, while data protection regulation was taken into consideration during the balancing of interests.Footnote 83 A purely GDPR-based analysis of the case would arguably have resulted in the same outcome (choice must be provided in order to ensure that consent was “freely given”).Footnote 84 This shows that the interpretation of competition law in this case was in line with those normative values underlying the GDPR.

The nexus between consent and competition law was recently addressed by the German legislature within its newly revised competition act.Footnote 85 If an undertaking has been declared to be “of paramount significance for competition across markets” by the Federal Cartel Office, the latter may prohibit this undertaking from

creating or appreciably raising barriers to market entry or otherwise impeding other undertakings by processing data relevant for competition that have been collected by the undertaking, or demanding terms and conditions that permit such processing, in particular

a) making the use of services conditional on the user agreeing to the processing of data from other services of the undertaking or a third-party provider without giving the user sufficient choice as to whether, how and for what purpose such data are processed (…)Footnote 86

This provision implemented the theory of harm applied in Facebook in national law.Footnote 87

Shortly after it became applicable, the German Federal Cartel Office opened an investigation against Google and its holding Alphabet based on this provision.Footnote 88 It will look at Google’s data processing terms and will assess “whether Google/Alphabet makes the use of services conditional on the users agreeing to the processing of their data without giving them sufficient choice as to whether, how and for what purpose such data are processed (…).” The question of how consent is granted will be looked at, and the Federal Cartel Office “will examine the extent to which the terms provide Google with an opportunity to process data on an extensive cross-service basis.”

These proceedings underline how deeply data protection and competition law are intertwined in digital business models, and how important it is to not only look at the competitive effects of an undertaking’s conduct, but also at the effects on the level of data protection. Also, Apple ATT is not an “odd one out” case, but part of a broader picture of cases dealing with both competition and data protection law.

4 Outlook

The approach argued for within this contribution seems to correspond to a general trend that can be witnessed both in the legislation and in competition law enforcement. The proposed Digital Markets Act contains a provision largely similar to Art. 19a(2)(4)(a) of the German Competition Act, even making express reference to the GDPR and the provision of consumer choice.Footnote 89 While some questions remain,Footnote 90 this normative approach is to be welcome. Also, the UK Competition and Markets Authority (CMA) and the UK Information Commissioner’s Office (ICO) have published a joint statement on competition and data protection in digital markets.Footnote 91 The report paints a positive picture, in that it makes clear that a coherent approach to the two legal regimes is possible and should be pursued. In order to institutionalize such joint work, the “Digital Regulation Cooperation Forum” was formed in 2020.Footnote 92

Finally, it is also to be welcome that the European Court of Justice (ECJ) will pass judgment on the relationship between market power and the GDPR’s regulation of consent. In Facebook, the Düsseldorf Court of Appeal halted the proceedings in March 2021 and referred several questions concerning the intersection of data protection and competition law to the ECJ under Art. 267 TFEU.Footnote 93 The sixth question is “Can consent within the meaning of Article 6(1)(a) and Article 9(2)(a) of the GDPR be given effectively and, in accordance with Article 4(11) of the GDPR in particular, freely, to a dominant undertaking such as Facebook Ireland?” This is a key question for today’s data-driven economy. The ECJ’s answer might have a significant impact on how future cases dealing with certain market dominant online platforms will be looked at.