1 Introduction

The “Facebook” decision of the German Federal Cartel Office in February 2019 was the first decision by a competition authority in which the protection of privacy was explicitly taken into account in a competition law decision.Footnote 1 The Federal Cartel Office (FCO) argued that forcing users, via its terms of service, to give consent to the merging of personal data that Facebook collects inside and outside of its social media platform is an exploitative abusive behaviour by a dominant firm. This decision has triggered a very intense and controversial international discussion about the unclarified relationship between competition law and data protection (or privacy) law under the new conditions of digital platform markets. Due to the key role of personal data for the market (and gatekeeper) power of large digital platform firms, this discussion is also very relevant for the current competition policy discussion about digital platforms,Footnote 2 and the recent proposal of the Digital Markets Act in the EU.Footnote 3

The objective of this article is to analyse the question of whether the negative effects of the data-collecting behaviour and privacy terms of large digital platform firms on competition and privacy can be considered in competition law, or whether—as the critics of the Facebook decision by the FCO claim—privacy concerns should be exclusively dealt with through data protection law (or consumer law). This so far widely supported position is based upon the concept of a strict separation between competition law, which should focus on competition problems, and data protection law, which has the task of protecting privacy, particularly with respect to market failures through information and behavioural problems of consumers. In this article, we argue that in situations such as the Facebook case, in which we simultaneously have both two market failures in digital markets, such a simple separation into two policies does not work anymore. Due to manifold interaction effects between the two market failures and between the two policies on competition and privacy, competition law and data protection law are becoming deeply intertwined, leading to a complex relationship between the two policies.Footnote 4 Based on a market failure-based theoretical framework, we analyse, in a step-by-step approach, why only competition law (and not data protection law) can deal with the negative effects of competition problems on privacy, but also why competition law, with its remedies, can only insufficiently solve these problems, which are caused by the combination of both market failures. This analysis leads to the conclusion that a more collaborative and integrative policy approach for dealing with the complex interplay between competition and data protection law might be necessary.

Our article is structured as follows. Chapter 2 offers a brief overview of the discussion on the Facebook case and its implications for the relationship between competition and data protection law. Chapter 3 presents, from an economic perspective, a theoretical framework about the two market failures, two policies, and their interaction effects, applied to the effects of data-collection behaviour and privacy terms on competition and privacy. Chapter 4 shows why competition law can consider privacy effects and why, vice versa, data protection law is not capable of protecting consumers against negative effects on privacy through competition problems. Chapter 5 discusses, in close connection with the Facebook case, how privacy concerns can be assessed in the control of abusive behaviour of dominant firms, and analyses, in this regard, the different approaches of the German FCO, the German Federal Court of Justice, and Art. 5(a) in the Digital Markets Act proposal, which would introduce the remedy in the German Facebook case as a general obligation for gatekeepers. Chapter 6 concludes by underlining the need for a more collaborative, integrative policy approach.

2 The controversial debate about the German Facebook case

The relevance of the Facebook case of the German Federal Cartel Office (FCO) is based on the insight in the competition policy discussion that large digital platform firms, such as Google and Facebook, have entrenched market power positions due to their superior abilities to collect huge amounts of personal data, which gives them large competitive advantages compared to their competitors, especially in online advertising markets. They gather data not only through their own services, but also by combining them with personal data from many other sources, especially third-party websites and online tracking.Footnote 5 In its decision, the FCO primarily challenged this aspect of Facebook’s terms of service. To be able to use Facebook’s social media platform service, consumers also had to consent to the collection and use of personal data from Facebook’s other platform services, such as Instagram and WhatsApp, third parties, and other online tracking activities. This "bundling of consent"Footnote 6 allows Facebook to derive comprehensive consumer profiles to offer targeted advertising (and other services) but might also lead to large privacy risks. The decision of the FCO deemed this requirement abusive and stipulated that consumers should have an additional explicit choice about whether they consent to this combination of collected personal data or not.Footnote 7

The legal reasonings in the Facebook case are partly very innovative and can be summarised as follows.Footnote 8 The FCO did not apply Art. 102 TFEU, but rather the German rules for the abuse of dominance (Sect. 19 GWB). After arguing why Facebook is dominant in the market for social media in Germany, the FCO argued that these privacy terms lead to exploitative abuse because they violate the GDPR, i.e. the FCO used the infringement of EU data protection law as a benchmark to determine the abusive character of these terms of service. The market dominance of Facebook facilitates these data protection infringements because the users have to accept these "take-it-or-leave-it" terms. Hence, the FCO claims that through the dominant position, the consent of the users is no longer "voluntary", reflecting widespread concern about consumers’ loss of control over their data.Footnote 9 In addition, the FCO stresses that due to lack of transparency, consumers are not able to understand how their data are collected and used (in particular from outside of Facebook). Since the dominant firm, Facebook, also obtains through these illegal terms of service large competitive advantages more data, this behaviour is also seen as exclusionary abuse with respect to horizontal competition. The remedy of requiring additional consent for combining these datasets ("internal unbundling") is especially innovative.

Regarding the FCO’s Facebook case, a large number of papers have been published with a broad range of critical and supportive opinions. These papers cover both the case and the wider implications for the relationship between competition law and data protection law.Footnote 10 The controversial character of this case has also become apparent in the preliminary court proceedings about the Facebook decision. In August 2019, the Higher Regional Court of Düsseldorf (OLG Düsseldorf) suspended the execution of the Facebook decision in interim legal proceedings, with an unusually harsh, clear rejection of many of the FCO’s reasonings.Footnote 11 However, this court decision was equally clearly rejected by the interim decision of the German Federal Court of Justice (BGH) in June 2020, which fully supported the FCO’s decision, but also developed its own separate reasoning.Footnote 12 That said, the main legal proceedings in this case are ongoing, and a final decision may take years.Footnote 13 In the following analysis of this discussion, we will focus on the question of whether dealing with the privacy effects of data-collecting behaviour should also be a task of competition law, and what role privacy and data protection law might play in this regard.Footnote 14

The main group of critics of the Facebook case defends the traditional approach of a strict separation of competition law and data protection law. From that perspective competition law might be capable of assessing data-collecting behaviour of firms, but only with respect to its effects on competition. Any privacy concerns through mergers or certain behaviour by dominant firms are beyond the scope of competition law and should be dealt with through data protection law (and data protection authorities). Any intermingling of privacy protection with the protection of competition can lead to huge problems and endanger the clarity of competition law. This is the opinion of many competition scholars and the official position in many competition law regimes, such as in the US and in EU competition law.Footnote 15 Nonetheless, many supporters of such a position would not deny that this data-collecting behaviour by large digital platforms may be a big problem for privacy that should be solved; instead, they claim that this should be left entirely up to data protection (or consumer law) because it is the market failure "information and behavioural problems" of consumers that causes this problem.Footnote 16

Against this main counterposition to the Facebook decision of the FCO, several other positions exist in the debate, which all demand a more open application of competition law with regard to privacy effects.Footnote 17 Close to the traditional competition law approach are scholars who think it is possible to consider privacy effects in competition law because privacy can be seen as part of consumer welfare (e.g. as part of the quality of a service). This is a widely accepted position.Footnote 18 It is also uncontroversial that the exclusionary effects of Facebook’s bundling behaviour can have a negative impact on consumers and therefore an exclusionary abuse. Most of the contributions, however, focus on direct exploitative effects, whereby the terms of service of data-collecting practices might be assessed with regard to "excessive data collection" (analogous to excessive prices) or "unfair business terms" as exploitative abuse by a dominant firm (Art. 102 TFEU).Footnote 19 An additional, new option is to use either data protection law or the fundamental value of privacy as normative criteria for helping to decide whether a dominant firm’s behaviour is still acceptable or abusive with respect to its effects on privacy.

A number of competition law scholars support the FCO’s approach to use the violation of EU data protection law as a benchmark for exploitative abuse, and also see possibilities to apply it not only in German, but also in EU competition law (Art. 102 TFEU).Footnote 20 This direct use of data protection law in a competition law proceeding has, however provoked much critique. Beyond concerns about competition authorities’ ability to perform data protection assessments, concerns emerged that this approach could turn competition authorities into enforcement agencies for data protection law.Footnote 21 The decisive question is whether a violation of the GDPR automatically leads to the abusive character of the data-collecting behaviour of dominant firms or whether it is used only – much closer to the traditional approach—as one factor within a broader balancing of interests between the dominant firm and consumers for determining its abusive character. The other possibility is to use privacy as a fundamental value in reasoning about balancing interests for determining abuse (instead of a direct data protection violation).Footnote 22 This is close to the approach of the German Federal Court of Justice in its Facebook interim decision: The court contended that Facebook’s terms, which do not allow users to choose between a more or less personalised service (by forcing them to consent to the merging of different sets of data), violate the "basic right" of informational self-determination of German consumers, which is protected by the German constitution. The court then used this as an argument for qualifying this requirement as "abusive" in competition law.Footnote 23

Additionally, a number of contributions can be found that welcome the Facebook case and its discussion, because it opens a much broader discussion about the need to develop a wider policy perspective on the manifold, complex, interlinked problems of the data economy, in which the market power problems of large digital platform firms (with gatekeeper positions), data concentration, and unsolved privacy problems of consumers might be directly intertwined with each other. These contributions recognise the need to overcome the narrow traditional approaches of competition law and data protection law, and other policies and suggest developing new, more integrated policy approaches.Footnote 24

3 Competition policy and privacy protection: two market failures, two policies, and their interaction

In this chapter, we want to analyse this relationship from an economic perspective, which has not been done thus far. Chapter 2 shows that the main counterposition to the approach of the German FCO in the Facebook case is based on the concept of a strict separation of competition law and data protection law, with a clear "division of labour", which of these policies should deal with what kinds of problems. However, in cases like the Facebook case, and in the general discussion about the relationship between competition law and data protection law, it has become clear that through the key role of digital platforms and personal data in many digital markets, the problems of competition and privacy are often deeply intertwined. This leads to complex interdependencies between both legal regimes. The simultaneous existence of two types of market failure—competition problems on the one hand, and information and behavioural problems on the other—is particularly important.Footnote 25

Hence, we want to demonstrate, from an economic perspective, why in situations of the simultaneous existence of two market failures and of two policies (competition law and data protection law), in digital markets, manifold interaction effects can arise between these policy areas. This requires a much more complex concept of the relationship between both legal regimes than the traditional "strict separation" approach. We will proceed as follows: First, we will briefly analyse the role of competition law, data protection law (and consumer law) for solving market failures, and what economic theory can contribute to policy discussions for situations with two market failures. This will be followed by using a theoretical framework for examining interaction effects between the two policy regimes competition law and data protection law in order to show the manifold interaction effects that exist and are already broadly discussed for digital markets. This will lead to some general preliminary policy conclusions.

From an economic perspective, different policies can fulfil different tasks, i.e. they can solve different market failure problems or achieve different policy objectives. Competition policy addresses market failures through competition problems, especially through mergers, agreements, and abusive behaviour by firms with market power. Although competition policy uses, in its application, the consumer welfare standard and therefore also protects consumers, it is the task of consumer policy (and hence consumer law) to protect consumers against the negative effects of the market failures of information and behavioural problems (e.g. asymmetric and misleading information, exploiting behavioural bias).Footnote 26 In that respect, a clear "division of labour" exists between competition law and consumer law, which, for instance, implies that market power is not seen as a relevant criterion in consumer policy. Data protection (or privacy) policies protect the privacy of individual persons (and their informational self-determination). If we interpret the EU data protection law (GDPR) from an economic standpoint, then it focuses on solving two different problems: On the one hand, it defines and assigns a bundle of rights on personal data to individual persons; on the other, it should help solving information and behavioural problems of these persons with regard to giving consent for allowing firms to process, collect, and use their personal data for certain purposes. Therefore, both data protection law and consumer law can address the market failure "information and behavioural problems" with respect to the collection and use of personal data. Since privacy is a fundamental value in the EU, additional normative aspects may have to be considered that go beyond the economic concept of consumer welfare.Footnote 27

How do we deal in economics with situations in which two or more market failures simultaneously exist? The welfare theoretic approach of market failures is based on the theory that, under the assumptions of the model of perfect competition, markets lead to an efficient allocation of resources (economic efficiency). This theory implies that each deviation from these assumptions, e.g. through competition problems, information problems, rationality problems (resulting in behavioural biases), or technological externalities, can lead to economic inefficiencies and therefore to different types of market failures.Footnote 28 These deviations can then be remedied through different economic policies and their instruments, such as merger reviews in competition policy, mandatory information rules in consumer law, or Pigou taxes in environmental policy. Importantly, in many economics textbooks, e.g. about competition policy, it is usually (implicitly) assumed that only one market failure exists (i.e. policy solutions are analysed under the assumption that otherwise, the markets work perfectly).

Whereas not all small market imperfections should be seen as problematic market failures that require policy remedies, it is certainly not rare for two or more serious market failure problems to emerge simultaneously in the same markets. Then, the question arises as to what the specific effects are, through the simultaneous existence of several market failures, and what the policy implications should be. In general, these questions are underresearched in economics. At a very abstract theoretical level, it has already been shown very early in the so-called "theory of second best" (Lipsey and Lancaster, 1956) in welfare economics that, in the case of a combination of several market imperfections, very complex and, at first sight, counterintuitive effects can arise. For example, it is unclear whether the remedying of one market failure, e.g., a competition problem, leads to more efficiency if other unsolved market failures (e.g. information problems) simultaneously exist, or whether solving the competition issue might even lead to less efficiency.Footnote 29 An important policy implication of the "theory of second best" is that in cases of two market failures, it is necessary to analyse the effects of both market failures to draw conclusions about welfare-increasing policies.

Buchanan clarified this with his example of the simultaneous existence of a monopolistic firm and negative (pollution) externalities: Since a monopoly price leads to an output reduction of the polluting product, it is not clear whether an additional Pigou tax for internalising the externality would increase welfare.Footnote 30 Hence, the effects of one policy also depend on the extent of other market failures and on the effectiveness of other policies that should remedy these other market failures. In environmental policy, there is an extensive debate about an additional layer of analysis that focuses on the combination of policies or "policy mixes" for solving environmental problems better, especially in situations where externality problems exist in combination with other market failures.Footnote 31 This problem has also emerged in the recent competition policy discussion about "competition law and sustainability". With respect to competition law, this has led to questions about whether, at first sight, anti-competitive agreements between firms should be allowed due to their contribution to more sustainability or whether mergers should also be scrutinised with regard to their environmental effects. Competition authorities have recently started to develop policies on how to deal with effects on sustainability.Footnote 32

The most important policy conclusion from the "theory of second best" is that when two (serious) market failures exist simultaneously, it is no longer possible to use the usual ("first-best") policy recommendations, which have been developed for situations with only one market failure, without an additional further assessment of the effects of the second market failure and of the policy that should remedy this additional market failure.Footnote 33 We claim that such a comprehensive analysis, which focuses simultaneously on the effects of competition problems and information and behavioural problems, as well as the effects of competition law and data protection (and consumer) law might also be crucial in digital markets. In the following, we present a pragmatic (simplified) theoretical framework to scrutinise important interaction effects that can emerge through the two market failures and the two policies for the purpose of investigating the complex interdependencies between competition law and data protection law.

Figure 1 shows this framework with a direct application to the problem of data-collecting behaviour of firms and their privacy terms (as in the Facebook case). On the left, we can see the competition market failure and competition law for solving them, while on the right, we find the market failure of information and behavioural problems, with data protection and consumer law for remedying them. Usually, both policy regimes are seen as separate policies that try to solve "their" problems independently from each other. However, a number of interaction effects can occur. At the level of market failures, there might be interaction effects between both market failures. In addition, competition problems can have negative effects on privacy, and information and behavioural problems can have negative effects on competition. Moreover, the combination of both market failures can lead to additional aggregate effects on both competition and privacy. Such interaction effects can also emerge at the policy level. Competition law not only has effects on competition, but can also result in effects on privacy, and data protection (or consumer) law can have effects on competition. In the same vein, the effects of one policy (e.g. competition law) on competition and/or privacy can also depend on the implementation of the other policy (e.g. data protection law). In the following, we demonstrate that, with respect to our problem of collecting and using personal data in digital markets, many of these interaction effects are already intensively discussed and therefore empirically relevant.

Fig. 1
figure 1

Two market failures, two policies, and their interaction effects

Full size image

The information and behavioural problems of consumers regarding their consent to privacy policies (and the ensuing problems for these "notice and consent" solutions) are well researched and broadly accepted as a largely unsolved market failure problem. Due to a lack of transparency about the collection and use of personal data, misleading information, and behavioural manipulation (e.g. through "dark patterns"), consumers are overwhelmed and not capable of making rational well-informed decisions with regard to their personal data.Footnote 34 However, this problem also results in negative effects on competition and raises entry barriers since consumers cannot compare the data-collection practices of competing firms. This is the reason why the expectations about positive effects of competition regarding the development of privacy-friendly products and services have not been fulfilled thus far.Footnote 35 It also makes it easier for the large digital platform firms, such as Google and Facebook, to gather large quantities of personal data, which strengthens their competitive advantages in a multitude of markets. These are some of the already well-discussed effects of information and behavioural problems on competition.

How do competition problems impact information and behavioural problems and privacy? Less competition (e.g. through the existence of a dominant firm, a cartel about data-collecting practices or large lock-in effects of consumers) can lead to less (or even no) choice for consumers between different services, with different levels of data-collection and privacy protection. Lack of choice through market power can lead to lower incentives for consumers to invest in the screening of privacy policies, and might allow for even more intransparent, misleading, and manipulative privacy policies, which again aggravates information and behavioural problems, with negative effects on privacy.Footnote 36 If consumers cannot avoid using the core platform services of certain digital platform firms such as Google or Facebook, then these firms can exploit the situation by forcing their users to accept privacy policies with far-reaching terms regarding the collection and use of their personal data (i.e. these competition problems can have negative effects on privacy). The negative effects on competition and privacy might be especially problematic in this regard through the combination of both market failures, which—as we have seen—might also reinforce each other.Footnote 37 As a consequence, many consumers might resign themselves to not being capable of protecting their privacy by controlling the collection and use of their data with this instrument of individual consent.Footnote 38

There are also well-established discussions about interaction effects at the policy level. One well-known discussion in the EU refers to the data portability right of Art. 20 GDPR, which might be capable of enabling more competition (by reducing switching costs and lock-in problems).Footnote 39 In this case, data protection law would have positive effects on competition. However, the strict EU data protection law might also have negative effects on competition. It has been claimed that the GDPR, with its high requirements for opt-in consent, might lead to advantages for larger and more diversified firms and raise entry barriers; it might even strengthen the economic power of the large digital platform firms since they can obtain consent more easily for the personal data of consumers compared to smaller firms.Footnote 40 This suggests that there might be a conflict between data protection law and competition law. However, an additional aspect must also be considered. Although EU data protection law looks like an advanced and strict data protection regime, it still suffers from significant enforcement problems and legal uncertainty, which significantly impede its effectiveness.Footnote 41 Thus, the expectations about the positive effects of the data portability right of Art. 20 GDPR could not be fulfilled, leading to the current discussion on how to make this data portability right more effective. It is also not clear whether the high requirements for consent lead to the competitive advantages of the large digital firms (as claimed above) or whether these advantages have their cause in a systematic underenforcement of the GDPR vis-a-vis the large digital platform firms Facebook, Google, Apple, and Amazon due to defects in the enforcement regime of EU data protection law.Footnote 42

Again, we can ask, vice versa, about the effects of competition law on privacy. For a long time it has been discussed that data-related remedies in competition law, such as data access rights or data-sharing obligations, can have negative effects on privacy if these data also encompass personal data. However, if these remedies can only be used in a limited way due to data protection law, then this can reduce their effectiveness for solving competition problems.Footnote 43 Another current matter is large digital platform firms’ allegedly privacy-enhancing strategies, which limit the possibilities of other firms to gather personal data through tracking. This might have anti-competitive effects. If competition law prohibits these strategies, then this might have negative effects on privacy.Footnote 44 However, competition law can certainly also have positive effects on privacy. The German Facebook case is one example with respect to the control of abusive behaviour by dominant firms. If merger control would assess also the privacy effects of mergers and prohibits the combination of personal data from merging companies, positive effects on privacy can occur. Competition law can also challenge negative effects on privacy through collusive agreements (e.g. according to Art. 101 TFEU).

The above paragraphs have shown that debates about the competition and privacy problems in digital (platform) markets are already focusing on many effects, which in our theoretical framework can be interpreted as interaction effects between both policy areas (at the levels of market failures and policies).Footnote 45 Since most of these interaction effects did not exist in the same way before the emergence of digital platforms and Big Data applications regarding personal data, it is the technological revolution of digitisation that has created the need for a transition from the traditionally strict separation of both policies to a new and more complex relationship between competition law and data protection law. Thus, this new relationship is a necessary adaptation to the new economic and technological conditions of the digital economy. The manifold effects within this framework of two market failures and two policies can now be used as concrete starting points for a more appropriate design of this new relationship, as well as the specific roles of competition law and data protection law to better achieve the objectives of both legal regimes.

Which problems can emerge if both policies are applied independently of each other? We have seen that some of the interaction effects can lead to trade-off problems and thus conflicts between competition law and data protection law (e.g. negative privacy effects through data-sharing remedies in competition law). Then, a question emerges: How can these trade-off problems be solved or at least mitigated? Both policies might also help each other achieve their objectives (e.g. through the data portability right of Art. 20 GDPR). This implies that there might be synergy effects between the two legal regimes, leading to the question of how both policies can be applied to better exploit the potentially existing synergies between competition law and data protection law.Footnote 46

Economic theory suggests that coordination between both policies (or one integrated policy) might be best capable of taking into account all interaction effects and deriving an optimal combination of these policies for achieving both objectives.Footnote 47 However, such an approach might not be feasible in reality and lead to costs that are too high. Thus, intermediate solutions between strictly separated policies and a fully integrated approach might be more suitable pragmatic solutions.Footnote 48 In the already existing discussion about this relationship, two basic strategies emerge:

  1. (1)

    Unilateral strategies: For example, competition law also tries to consider the effects of competition problems on privacy as part of its own analysis in competition cases (without coordination with data protection law). The still nascent (but currently emerging) discussion in competition law on how to take into account privacy effects in competition cases can be seen as an example of such a unilateral policy strategy for dealing better with the new complexity of this relationship.Footnote 49

  2. (2)

    Coordinated strategies: Since unilateral strategies will be limited in their capacity to mitigate conflicts and exploit the potential synergies between both policies, some form of coordination between these policies might lead to better solutions. As more integrative and coordinated policy approaches might have their own problems and costs, the question arises as to what extent more coordination of both policies would be helpful.Footnote 50 We will come back to this question in Chapter 6.

4 The negative effects of competition problems on privacy: a task for competition law or data protection law?

After having presented this broad theoretical framework on how the relationship between competition law and data protection law can be analysed from an economic perspective, Chapters 4 and 5 will lead, in a step-by-step manner, the analysis back to the question of whether cases such as the Facebook case can and should be dealt with by competition law. To narrow down our examination, we focus on cases in which competition problems have negative effects on privacy (or informational self-determination). In Chapter 4, we ask the general question of whether such cases are a task for competition law (Sect. 4.1) and/or for data protection law (Sect. 4.2). Chapter 5 centres on a more specific question: Using the control of abusive behaviour by dominant firms (e.g. according to Art. 102 TFEU), how can we assess such cases as the Facebook case?

4.1 Competition law

Can competition law deal with the data-collecting behaviour (and the specific "bundling of consent" in privacy terms) of digital firms? It is clear that there is no problem of applying competition law to such practices if there are direct negative effects on competition. Additionally, a behaviour such as colluding on the extent and conditions of data collection (e.g. through agreements on privacy policies) can infringe on competition law provisions against cartels (as Art. 101 TFEU in the EU). Combining datasets can raise problems in merger reviews if doing so can impede competition in a market (e.g. through erecting barriers to entry). In the same vein, a certain data-collecting behaviour of a dominant firm regarding personal data can also be prohibited as abusive (Art. 102 TFEU) if this behaviour has exclusionary effects and hinders competition. It is not necessary that a dominant firm’s data-accumulation behaviour be an exploitative abuse or a violation of data protection law (as in the German Facebook case). If it leads to sufficiently large exclusionary effects (e.g. by raising barriers to entry), then such a conduct can be prohibited as an exclusionary abusive behaviour. The interesting question is whether competition law can also take into account the negative effects of such behaviour on the privacy of consumers.

From an economic angle, all negative effects on privacy can be considered in competition law as long as they can also be interpreted as a reduction of consumer welfare (consumer welfare standard). Hence, economists have no problem agreeing with the widely held view that privacy is part of the "quality" of a service.Footnote 51 However, the relationship between the data-collecting behaviour of digital firms, and consumer welfare is a complex one that needs careful examination (and in fact, far more research). The direct analogy of excessive data-collection with excessive prices is difficult to make because due to the non-rivalrous character of data, consumers do not have less personal data after data-collection (and retain the right to share these data with others). Thus, the collection and use of personal data do not always lead to less consumer welfare.Footnote 52 Notwithstanding, it is still possible for such behaviour to be qualified as "excessive data-collection", but more sophisticated reasoning is necessary. We cannot discuss here, in detail, under what conditions and how the collection and use of more personal data can lead to more harm for consumers.Footnote 53 In the following, we focus only on two economic lines of thinking: privacy risks and privacy preferences.Footnote 54

Data protection law has always argued that the collection of more personal data (or a wider use of data) can lead to higher privacy risks. These are the additional risks that consumers have to bear because these data, which can be combined with many other data for comprehensive consumer profiles, can be used for business practices (or other behaviours) that can harm consumers in the future (behavioural targeting, fraud, extortion, price discrimination, etc.). Thus, revealing more personal data can result in greater objective risks for consumers in terms of getting harmed, and from an economic perspective, it is obvious that these risks reduce consumer welfare.Footnote 55 Consumer welfare also depends on the fulfilment of privacy preferences. We know from empirical studies that consumers have very heterogeneous privacy preferences (i.e. to what extent they wish to allow firms to use certain types of data for certain purposes).Footnote 56 In a well-functioning market, we would assume that there is a broad range of firms with different privacy policies; that is, some firms would offer services with high privacy standards and only a low level of data collection, while others would offer "free" services and a low level of privacy protection (and a large collection of data).Footnote 57 In such a well-functioning market, with a wide range of options for making granular decisions about providing personal data, consumers can increase their consumer welfare by choosing services that fit better with their specific privacy preferences. If such a range of options is restricted in the market through competition problems (e.g. through uniform take-it-or-leave-it privacy terms imposed by a dominant firm), then these competition problems lead to negative effects on consumer welfare (particularly for consumers with strong privacy preferences). Consequently, not having enough choice for consumers can also be seen as reducing consumer welfare.Footnote 58

This leads to an outcome where the negative effects of competition problems on privacy can be taken into account in competition law since they can result in less consumer welfare through larger objective privacy risks and a lower fulfilment of heterogeneous privacy preferences. If competition problems, such as horizontal agreements about privacy policies or the behaviour of dominant firms, have negative effects on consumers’ privacy, then this is also a genuine concern for competition policy in a similar way to higher prices or less innovation.Footnote 59

4.2 Data protection law

Can data protection laws also deal with the negative effects of competition problems on privacy? In the following, we present two arguments on why data protection law is generally not capable of overcoming these challenges.

First, EU data protection law, with its rights for data subjects and rules for allowing the processing of data by giving consent to privacy policies, establishes minimum standards for privacy protection. Within these rules, data subjects and firms are free to agree to what extent, and for what purposes, firms can gather and use personal data. If this market for personal data works well, then competition between firms can be expected to limit the collection and use of personal data if consumers have privacy preferences and want to avoid privacy risks that are too high. Thus, in well-functioning markets, a higher level of privacy protection can be expected than what the minimum standards of the GDPR require.Footnote 60 This implies that any negative effects of competition problems on privacy (e.g. with respect to larger privacy risks due to the excessive collection and use of personal data through firms with market power or through a cartel or merger) cannot be dealt with by the GDPR as long as such firms still comply with these minimum standards. The decisive point is that competition law also protects competition with data-collecting behaviour and privacy terms and therefore also privacy levels above these minimum standards against anticompetitive behaviour and competition problems. This is also why, in general, compliance with the GDPR does not shield firms from competition law violations with regard to their data-collecting behaviour and privacy policies.Footnote 61

The second issue is that EU data protection law focuses on protecting consumers with regard to a different market failure, namely, consumers’ information and behavioural problems with regard to the contractual arrangements about collecting and using personal data ("notice and consent"). In that respect, both data protection law and consumer law can be applied.Footnote 62 However, data protection law is not capable of dealing with the analysis of competition problems and their solutions through appropriate remedies. Since it is an important principle in EU data protection law that all firms are treated equally in terms of their data-collection and privacy terms, data protection law cannot distinguish between firms with and without market power or whether firms are under effective competition or not.Footnote 63 Competition and market power are no criteria for assessing compliance with the GDPR.

Lawyers have debated whether market dominance might also be considered in the GDPR as part of the assessment of the requirements for valid consent (Art. 4(11) GDPR). The argument is that, in the case of a dominant firm, consumers might no longer have the possibility of providing "freely given" consent, which might render their consent invalid.Footnote 64 We can find limited support in the Art. 29 Data Protection Working Party Opinion about the legitimate interests of data controllers, in which the dominant position of a company in the market is also briefly mentioned as a factor that can be considered.Footnote 65 Notwithstanding, the principle of treating all kinds of firms equally with regard to data-collection and privacy terms is, thus far, deeply entrenched in the practice and jurisprudence of EU data protection law.Footnote 66 Since, however, EU data protection law uses a risk-based approach with regard to privacy protection, treating firms differently according to different privacy risks linked to different types of firms would be compatible with such an approach. If the data-collecting behaviour and privacy terms of dominant firms lead to greater privacy risks than those of non-dominant firms, then a different treatment of the privacy policies of firms with market (or gatekeeper) power might also be defendible in EU data protection law.Footnote 67 Nevertheless, such an approach is far away from the GDPR’s current jurisprudence. However, even if market power can be established as such a criterion, there is still a lack of expertise and instruments of data protection authorities for analysing competition problems and implementing appropriate remedies.

This section has shown that data protection law is not capable of dealing with the negative effects of competition problems on privacy because it only protects a minimum standard of privacy protection and focuses its instruments on a different form of market failure. In addition, EU data protection law suffers from underenforcement with respect to the large platform firms, as mentioned in Chapter 3. Consumer law, another policy instrument that can be applied to firms’ data collection and privacy policies, is met with the same problems. It can help to address issues of transparency and misleading terms and conditions, but it cannot treat firms with and without market power differently and deal with the negative privacy effects of mergers and cartels.Footnote 68

The outcome of our analysis in this chapter is therefore that competition law can and should take into account the negative effects of competition problems on privacy, because data protection law and consumer law are not capable of dealing these negative effects on privacy.

5 Assessing the abusive behaviour of dominant firms with regard to data-collecting practices and privacy terms

5.1 Introduction

Since data protection (and consumer) law cannot address the negative effects of competition problems on privacy, it is not possible to defend the main counterargument against the FCO’s Facebook case, which asserts that the effects of competition problems on privacy fall outside the scope of competition law. In contrast, only competition law is capable of dealing with these effects. This chapter discusses, in more detail, how it can be assessed within the control of abusive behaviour of dominant firms in EU competition law (Art. 102 TFEU). This will be done in close connection with the Facebook case.

5.2 Exclusionary abuse

In the Facebook decision, the FCO focused on assessing whether this "bundling of consent" in terms of service can be qualified as exploitative abuse and asked only very briefly whether it can also have exclusionary effects. The FCO argued that by violating the GDPR, Facebook was capable of obtaining an unlawful competitive advantage, which would lead to impeding its competitors. This advantage could increase entry barriers and enable Facebook to defend its dominant position, not only in the market for social media, but also in advertising markets.Footnote 69 One part of the critical discussion centred on the fact that the FCO did not try to substantiate this claim through a deeper investigation or evidence on how the additional data would impede competition or raise entry barriers.Footnote 70 It has been widely regretted that the FCO did not use more opportunities to examine potential exclusionary effects, as this would have allowed for a much less controversial reasoning regarding the abusive character of Facebook’s "bundling of consent" requirement.

In the meantime, a number of recent studies have shown that Google and Facebook dominate a very complex structured advertising industry, with serious competition problems and inefficiencies. According to the comprehensive CMA report (July 2020), Google is dominant in the market for search advertising, whereas Facebook has market dominance in display advertising.Footnote 71 There is considerable empirical evidence that both Google and Facebook have huge advantages through their superior access to first- and third-party data about consumers for targeting them. Since Facebook is not only dominant in the market for social media, but is assessed by the CMA even as a "must-have" platform for consumers, the latter have no real choice by switching to other competitors and have to accept also unfavourable data policies.Footnote 72 In turn, Facebook’s dominant position cannot be challenged by competition. Based on this and other research, it is now much easier to show that such a "bundling of consent" can have exclusionary effects and can be seen as abusive behaviour.Footnote 73 Both the decision of the German Federal Court of Justice and the proposed Digital Markets Act emphasise the importance of such exclusionary effects.Footnote 74

5.3 Exploitative abuse

Both in the EU and in some member states, including Germany, the control of exploitative abuse is an integral part of the control of dominant firms. If competition policy—in accordance with consumer welfare standard is also viewed as an instrument for protecting consumers against welfare losses through the abuse of market power and anti-competitive behaviour (e.g. price cartels), then controlling dominant firms’ behaviour with respect to the exploitative abuse of consumers is an essential pillar of competition policy.Footnote 75 The reluctance of competition authorities to apply this instrument of exploitative abuse and the sceptical attitude of competition scholars, who only perceive it as an instrument in exceptional cases, has its cause in the difficulties of its practical application. This refers to the question of how to determine what an abusive price is, and to the understandable fear of competition authorities of evolving into price-control authorities. This reluctance, with regard to price abuse, is justified to a large extent,Footnote 76 but it is no general argument against the use of this instrument in controlling exploitative abuse. However, it does stress the importance of the criteria for establishing exploitative abuse. This is also important in terms of dominant firms’ collection of personal data and the harm they cause to privacy.

In cases of exploitative price abuse, the usual approach, from an economic perspective, is to compare the actual price with a benchmark price under competition (e.g. the price in another market with effective competition, an analysis of costs, etc.).Footnote 77 Due to the characteristics of (multisided) platform markets (with network externalities, a tendency to tipping, and complex pricing behaviour), such an approach toward price abuse is far more difficult in platform markets than in markets for normal products and services.Footnote 78 Since there are also large differences between price effects and privacy harms through data-collecting behaviour, using the direct analogy of comparing data-collection (and privacy) terms of a dominant firm with those of firms under effective competition does not seem to be a feasible approach for solving the issue.Footnote 79 However, from a legal perspective, it is not necessary (e.g. in the application of Art. 102 TFEU) to use such a counterfactual argument; hence, other reasonings for exploitative abuse are also possible.

In the legal literature, a broad discussion can be found about the possible criteria for assessing whether excessive data collection (and privacy terms) can be assessed through an analogy to "excessive prices" or as "unfair trading conditions".Footnote 80 It is not possible to discuss these criteria in detail, but competition lawyers see, in particular, reasonings about "unfair trading conditions" (Art. 102(a) TFEU) as a possible way to identify exploitative abuse with regard to excessive data collection.Footnote 81 Several criteria for assessing the fairness of such behaviours as the "bundling of consent" may be relevant here: the indispensability of this condition for Facebook's business model and its operational interests; the principles of equity and proportionality; the bargaining power between Facebook and consumers; and the consideration of EU data protection rules and principles.Footnote 82 We cannot analyse this legal approach of balancing interests with respect to fairness from an economic angle. However, it is important to note that the concept of fairness for controlling exploitative distributional effects through powerful firms has emerged recently as an influential new view in the current competition policy discussion about large online gatekeeper platforms (for example, in the EU Commission’s proposal of the Digital Markets Act). Although it is difficult for competition economists to deal with fairness as a normative criterion, economists will always recommend that the effects of a certain behaviour (i.e. here, the "bundling of consent" on Facebook, consumers, and competition on the market for social media and other markets) should also be analysed and included in such an assessment of fairness.

This emphasis of economists on a behaviour’s effects stresses the need for a much deeper analysis and more research about the theories of privacy harms through data-collecting behaviours and privacy terms. Commentators on the Facebook decision underlined that the FCO did not develop a clear theory of harm,Footnote 83 but relied on (what lawyers call) "normative causality". In other words, it used pre-existing legal assumptions about causal effects of market dominance in other legal rulings to conclude that there are negative effects on privacy instead of proving these effects on privacy through its own investigation.Footnote 84 Although this might sometimes be a legitimate approach under the law, it would be very helpful if we could have much clearer reasonings and evidence about the harm to privacy (and welfare) of consumers. What is the harm to their privacy (and welfare) of consumers if a dominant firm such as Facebook applies a "bundling of consent" requirement?

Consequently, far more general research is needed about theories of how data-collection behaviour and privacy terms can harm consumers in situations with serious competition issues.Footnote 85 Such research should not be primarily conducted by competition authorities (as part of their investigations) but by interdisciplinary academic research. It should also include (the second market failure of) informational and behavioural problems. Moreover, it should focus not only on objective privacy risks and consumer welfare in the traditional sense, but also on privacy as a fundamental value, fairness, and freedom of choice. The results of this interdisciplinary research can then be used to develop clearer benchmarks about where the line is that separates abusive and non-abusive data-collecting behaviour (and privacy terms) in cases of exploitative abuse by dominant firms.

5.4 The solutions of the German FCO and Federal Court of Justice in the Facebook case and the EU "Digital Markets Act" proposal

5.4.1 The approach of the German FCO: Violation of data protection law as a benchmark for abuse

The most controversial issue in the Facebook decision is the approach to use the infringement of EU data protection law as a benchmark for determining that this "bundling of consent" was a form of exploitative abuse in competition law. The FCO did not use the traditional approaches of assessing excessive data-collection analogous to "excessive price" abuse or as "unfair business terms". Rather, it performed a deep assessment of whether Facebook’s terms of service violate EU data protection law and derived directly from such a violation their abusive character. This approach was heavily criticised in the discussion and led to the allegation that any breach of data protection law could be sanctioned then as an abusive behaviour, risking that competition authorities could become "super enforcers" of data protection law.Footnote 86

From our perspective on the relationship between competition law and data protection law, as explained in Sect. 3, we assert the following in relation to the FCO’s approach: We do not support the position of the FCO to directly derive from the violation of the GDPR by a dominant firm the abusive character of this behaviour, (i.e. using the infringement of EU data protection law as the benchmark for distinguishing between a behaviour of dominant firms that is abusive or unproblematic according to competition law. In Chapter 4, we examined the differences regarding the objectives and instruments of both policies. If we take into account, in competition law, the negative effects of competition problems on the privacy of consumers, as was also intended by the FCO in the Facebook case, the infringement of data protection law is neither a sufficient nor necessary condition for the abusive character of the behaviour of a dominant firm. In Chapter 4, we explained that competition law can protect the privacy of consumers to a larger extent than the minimum standards of data protection law. Conversely, not every data protection violation by a dominant firm can be seen as abusive behaviour in competition law.Footnote 87 However, this does not preclude the possibility that under certain circumstances, a specific infringement of the GDPR could be used as an important criterion in a more comprehensive assessment of the abusive character of terms of service (e.g. as part of an assessment of "unfair business terms"). Therefore, we do not recommend using the violation of data protection law as the benchmark for the abusiveness of data-collecting practices and privacy terms. This would not reflect the complexity of the relationship between the two policies.Footnote 88

Notwithstanding, this does not preclude the possibility that a competition authority might decide to use its instruments of competition law to help enforce data protection law in certain cases. We have already mentioned that EU data protection law suffers from serious problems of underenforcement, especially with respect to large digital platform firms (see Sect. 3). The fact that a certain problematic behaviour might also be prohibited by data protection law is, from an economic standpoint, not a sufficient reason for not using competition law. If we can expect that data protection law will de facto not be capable of dealing effectively with this issue, then the behaviour can be prohibited according to competition law. If competition law is capable of overcoming this challenge better or more quickly, then we can recommend, from an economic angle, that a competition authority steps in as the “superior” enforcer and helps to solve the problem. For the "division of labour" between competition law and data protection law, this implies that the effectiveness of enforcement is also an important criterion for determining which policy should deal with a case if both laws can be applied from a legal perspective.Footnote 89

5.4.2 The interim decision of the German Federal Court of Justice

We can ask whether privacy, as a fundamental value, can be considered in such a broader assessment approach in the control of abusive behaviour instead of EU data protection law. This would imply that in certain (perhaps exceptional) cases, competition law can take also other fundamental rights into account in competition law decisions, as has been suggested by competition lawyers.Footnote 90 The solution of the German Federal Court of Justice, in its decision regarding the interim proceedings of the Facebook case, used such an approach, albeit not by referring to privacy as a fundamental value at the EU level but by considering the "basic right" to informational self-determination, which is protected by the German constitution. According to the court, the right to informational self-determination grants individuals the possibility to participate substantially and in a differentiated way, whether and how their personal data are made available to, and can be used by, others. The court argued that forcing consumers, through these terms of service, to use a strongly personalised service (with consent to the merging and use of both datasets) and denying them the option to use a less personalised version of this service (with On-Facebook data only) would violate their basic right to informational self-determination.Footnote 91 In addition, the court first highlighted "that Facebook, with its social media network, provides a communication platform, which at least for parts of the consumers is necessary to a large extent for their participation in social life, and is essential for public discourse when dealing with political, social, cultural, and economic questions."Footnote 92 According to the court, this creates a special legal responsibility with regard to the conditions of the use of this platform in terms of informational self-determination.Footnote 93 Second, the court argued that the abusive character of this behaviour was, in this case, a result of both the exploitation of consumers and the negative effects on competition, i.e. the court saw a direct link between the exploitative abuse and the exclusionary effects (i.e. on the advertising markets).Footnote 94

The decision of the German Federal Court of Justice is a huge step in the direction of considering privacy concerns in competition law.Footnote 95 Although its reasoning refers solely to German law, it can also be applied in a similar way in European competition law. By using the fundamental value of privacy and informational self-determination at the EU level, it can be claimed that also the lack of choice through the’bundling of consent’, is abusive according to Art. 102 TFEU. What has precisely been decided in substance through this decision is at least as important: The crucial outcome of this decision is that individuals have a constitutionally protected right to a minimum standard of choice about the extent of the collection and use of their personal data, which a dominant firm is not allowed to deny them. In this context, the court contended that the social media platform of Facebook has the quality of a quasi-essential communication infrastructure in digital society.Footnote 96 This latter reasoning also opens up the perspective that with such an essential infrastructure-like service, dominant firms may have to fulfil many more far-reaching responsibilities, which might also justify a direct ex-ante regulatory approach beyond traditional competition law.

5.4.3 Art. 5(a) in the "Digital Markets Act" Proposal

From this perspective, it is quite interesting to examine the EU Commission’s new proposal for a "Digital Markets Act" with its basic approach of introducing an ex-ante regulation (with a set of per se rules-like obligations) for providers of "core platform services", which qualify as "gatekeepers".Footnote 97 One of these obligations focuses directly on the type of abusive behaviour in the Facebook case of the FCO:

In respect of each of its core platform services ..., a gatekeeper shall: (a) refrain from combining personal data sourced from these core platform services with personal data from any other service offered by the gatekeeper or with personal data from third-party services, and from signing in end users to other services of the gatekeeper in order to combine personal data, unless the end user has been presented with the specific choice and provided consent in the sense of Regulation (EU) 2016/679. (Art. 5(a) Draft DMA).

To a large extent, this obligation would mirror the remedies of the Facebook case about protecting the of choice regarding the combination of collected personal data from different sources. In the DMA, however, such behaviour is directly prohibited for all gatekeepers, and through the ex-ante regulatory character of the DMA, it is not subject to any specific assessment with a balancing of interests, such as control of abusive behaviour of dominant firms. It is particularly interesting that in the corresponding recital 36 of the Draft DMA, it is emphasised that this obligation should support the contestability of core platform services, which would suggest a competition rationale (i.e. it is about the exclusionary effects of this combination of personal data). Although consent, according to the GDPR, is mentioned in Art. 5(a) as part of the obligation, it remains very unclear whether and to what extent this obligation also has the task of dealing with the negative privacy effects of this data combination, and whether it can also be interpreted as a result of fairness considerations between the gatekeeper and its end users.Footnote 98 Since the EU Commission has been very reluctant regarding the German Facebook case, it is surprising that it included the remedy of the German Facebook case as a general obligation for all gatekeepers in the DMA. In general, the EU Commission acknowledges, with such an ex-ante obligation, the severity of the problem the FCO has raised. Moreover, the EU Commission supports the remedy of additional consent for the data combination. However, many open questions remain: Does the EU Commission also want to protect end users against negative effects on their privacy and support the idea of a minimum standard of choice for end users regarding their personal data, or is it only about competition? Since the EU Commission has so far been very reluctant about the German Facebook case, does the inclusion of Art. 5(a) into the DMA imply that the EU Commission will now view Facebook’s data combination behaviour as abusive according to Art. 102 TFEU?Footnote 99 In our conclusions, we return to the discussion about the DMA proposal.

5.4.4 Conclusion: a minimum standard of choice for personal data?

Importantly, these German decisions in the Facebook case and the DMA proposal have put a new remedy on the agenda of the competition policy discussion, namely, obliging firms with market (or gatekeeper) power to grant consumers a minimum standard of choice (and therefore control) over the use of their personal data. In January 2021, Germany enacted a far-reaching amendment of German competition law, which includes a similar provision about a minimum standard of choice regarding the provision of data both for end and business users with respect to the behaviour of firms with "paramount significance for competition across markets" (Sect. 19a (2) No.4 GWB). This can be described as equivalent to the gatekeepers in the DMA proposal.Footnote 100 Generally, all of this constitutes a far-reaching development in competition policy. However, it is an open question regarding how high the appropriate minimum standard of choice should be (i.e. what extent of granularity of choice consumers should have). Another more far-reaching option than “only” additional consent for the combination of personal data would be an obligation in the DMA that gatekeepers would have to offer consumers a choice between a core platform service with and without having to provide personal data (e.g. by having to offer the service for a monetary fee instead of "paying" with personal data). This would allow consumers to use a quasi-unavoidable core platform service without having to provide their personal data.Footnote 101 We think that with the German Facebook case, the decision of the German Federal Court of Justice and the DMA proposal, this concept of a minimum standard of choice for consumers with respect to their decisions about the collection and use of their personal data vis-a-vis firms with market or gatekeeper power can be a new powerful tool for protecting the privacy and the informational self-determination of consumers. Simultaneously, this can also have very positive effects on competition. In that regard, however, far more research is necessary.Footnote 102

5.5 The importance of remedies or why competition law might not be enough

In our theoretical Chapter 3 about the implications of the simultaneous existence of two market failures and two policies, we did not analyse the role of remedies in a deeper way. However, remedies play a key role in the effectiveness of both policies, particularly if negative effects on competition and privacy are caused by both market failures. In this section, we briefly discuss the potential effectiveness of the FCO’s remedy in the Facebook case, namely, the requirement of an additional consent of the consumers to merge their personal data collected within and outside of Facebook: If consumers do not give their consent to integrating all these personal data, Facebook would have to keep these sets of data separate (internal unbundling).Footnote 103 Can we expect that this remedy of the FCO is effective with regard to the alleged exploitative and exclusionary effects?

At first sight, it looks easy with regard to the exploitative effects of the "bundling of consent" behaviour on privacy. The requirement of additional consent directly increases users’ options and thus gives them more control over their personal data. By denying their consent to the integration of both datasets, they can reduce (at least to some extent) the additional privacy risks that arise from combining their personal data and can make better choices according to their own privacy preferences whether they want to use a more or less personalised version of the services of Facebook. Independent of the problem of whether this remedy offers sufficient choices (according to a minimum standard of choice; see Sect. 5.4.4), the central issue is that the remedy does not solve the market failure of information and behavioral problems of consumers. If many users of Facebook’s services do not understand the impact of this additional consent (due to a lack of transparency and awareness of the additional privacy risks that come with data combination) and are subjected to behavioural manipulation (as a "dark pattern" behaviour) by the dominant firm (or gatekeeper), then an additional option might not help them with respect to their informational self-determination and the protection of their privacy. In turn, this remedy can be ineffective in terms of the alleged exploitative effects.Footnote 104

The effectiveness of this remedy, with regard to exclusionary effects, is even more problematic. It is very unclear whether a sufficiently large number of users of Facebook’s social media platform will harness this additional option in that way and whether they do not consent to the integration of their data. If many users were to still give their consent (e.g. because Facebook incentivises this consent, or due to the above described market failure), then this remedy would be too weak to reduce the exclusionary effects in a sufficient manner.Footnote 105 Hence, from a competition perspective, a direct prohibition on the bundling of both sets of personal data, independent of users’ consent, would be a much more consequent remedy for solving the problem of superior data advantages of Facebook regarding competition in other markets.Footnote 106 Such remedies could be used in data merger cases, where keeping certain sets of data of the merging firms separated can be a condition for clearing the merger.Footnote 107 This possibility also shows that requiring additional consent is much more of a data protection remedy than a competition remedy.

Our brief discussion of the remedy of the FCO in the Facebook case indicates that despite some positive effects through providing consumers with more options, its effectiveness regarding both competition and privacy might be rather limited and presumably insufficient. It should be noted that the new obligation for gatekeeper platforms in Art. 5(a) of the Digital Markets Act proposal runs into the same problems. The remedy of an additional choice does not solve the second market failure of information and behavioural problems, and the possibilities of competition law for solving these issues might remain limited. Therefore, also data protection law or consumer law have to contribute with their remedies to solve the problems.

6 Towards a broader and more integrative policy approach

What are the main outcomes of our analysis regarding the German Facebook case? Due to the simultaneous existence of two market failures with considerable interaction effects between them, as well as between these policies in digital markets, the central counterargument against the Facebook case that privacy concerns should not be considered in competition law but only in data protection law, can no longer be defended. It is appropriate and often necessary to apply competition law in situations such as the Facebook case. The FCO’s main approach in its Facebook decision to deem the "bundling of consent" requirement (in privacy terms) as an abusive behaviour by a dominant firm because it overly restricts users’ choices is convincing and can be supported. The German Federal Court of Justice confirmed this and it is now even included in the set of general obligations for gatekeeper platforms in the EU Commission’s DMA proposal. Thus, the Facebook case sets a crucial precedent, both for considering privacy concerns in competition law and for protecting a minimum level of choice options against the market power of large digital platform firms. However, instead of directly deriving the abusive character from a violation of data protection law, it is more appropriate to consider the effects of such a behaviour on competition and privacy by using a broader approach with a balancing of interests. Notwithstanding, far more research is needed regarding the effects of data-collecting behaviour of dominant firms on privacy and competition. Particularly important is that the German Facebook case has helped to trigger a much broader international debate about the relationship between competition law and data protection (or privacy) law.

Another important outcome is that in cases with two market failures, the application of competition law alone might not be sufficient, and therefore also data protection law or consumer law have to be used for addressing both market failures. This is not surprising from an economic perspective, but the manifold interaction effects between these problems and the policies can make it difficult to apply both policies. One important question that we can ask, from the standpoint of competition law, is whether data protection law (or consumer law) should be applied first, and competition law should wait for their results, and only be employed if these policies fail. This requires an assessment of whether we can expect these policies to solve these problems in an appropriate time frame. For example, there is a broad debate about the manipulative effects of the "dark pattern" behaviour of large online platforms. Should competition law also try to solve these issues by applying specific remedies that target this behaviour or should we wait for new policy solutions in consumer law that might address them?Footnote 108 We can pose a similar question with respect to the underenforcement of EU data protection law vis-a-vis large digital platform firms such as Facebook and Google: Should competition law rely on future improvements of the defective enforcement system of EU data protection law, or should it directly address problems with its own instruments? We think that the German FCO made the right decision not to rely on data protection authorities to prohibit Facebook’s "bundling of consent" behaviour. However, it might be difficult to make such decisions.

At the end of Chapter 3, we distinguished between unilateral and coordinated strategies. The current discussion in competition law about considering privacy effects also focuses nearly entirely on such a unilateral strategy (i.e. it is asked whether and how competition authorities can include privacy effects in different parts of competition law). Considering this strategy leads to discussions about dealing with privacy effects in merger cases (e.g. with regard to the combination of different sets of personal data of the two merging parties), in horizontal agreements, or in terms of the abusive behaviour of firms with market power (i.e. the Facebook case). In all these fields of competition law, it can be asked about the relevant theories of harm as well as about appropriate remedies for solving these problems. Since privacy effects are very different from price effects, there is also a need to develop new concepts and methods for practical application in competition law.Footnote 109 Additionally, entirely new questions arise (e.g. whether the protection of privacy might be a defence in competition law with regard to otherwise anti-competitive behaviour).Footnote 110 It is not surprising that in these debates, the matter of consumers’ information and behavioural problems also emerges,Footnote 111 leading to the already mentioned discussions on whether and how to expand the toolbox of competition law remedies for dealing also with these problems.

Although this discussion in competition law is quite focused on competition law and does not include systematic analysis of the interplay between competition law and data protection (or consumer) law, it is increasingly apparent that cooperation between agencies that enforce competition law, data protection law, and consumer law might be very helpful.Footnote 112 There have already been attempts at inter-agency cooperation (e.g. consultations in specific cases, the issuance of joint guidance, agency collaborative agreements), but these developments are still in their infancy.Footnote 113 From the perspective of our theoretical framework in Chapter 3, with manifold interaction effects between these policies, a more integrative, collaborative approach between competition law and data protection law (which could include the interaction effects) may help to deal with the difficult issues that arise through the complex intertwining of both policies in digital markets. This approach could help mitigate conflicts between the policies and could also allow for the exploitation of synergies through a sophisticated alignment and combination of the different policies. In this article, we could not determine how far such a more integrative and collaborative approach should go. It could presumably only be done through a step-by-step process that would depend heavily on manifold institutional constraints, which can differ significantly across countries.

Collaboration between competition and data protection authorities is possible in different ways. A close collaboration among authorities might lead to a much better analysis and understanding of the problems, as well as through an exchange of information and mutual discussions from different perspectives on competition law and data protection law. This collaboration might allow for a better assessment of what role each of these policies could play in specific cases and what combination of remedies might be most effective for solving these problems. This collaboration could also encompass a coordination of enforcement priorities. Very important is also that competition and data protection authorities can jointly develop guidelines about data-collection behaviour and privacy terms that would consider both privacy and competition concerns. This instrument could be used to mitigate potential trade-off problems between competition and privacy protection (e.g. with respect to privacy problems through data-sharing remedies in competition law). Helping each other with investigations for specific cases can also be important.

A more integrative approach could also be applied at the level of legislation: How could competition law, data protection law, and consumer law be better aligned with each other to overcome in a more successful way the competition and privacy challenges of digital markets? This implies that debates about improving these legal regimes should also take into account the interplay with the other policies, especially in regard to digital markets. Particularly interesting in that respect is the "Digital Markets Act" proposal of the EU Commission as an entirely new ex-ante regulatory instrument for addressing the challenges of the large gatekeeper platforms. It is clearly stated in the DMA that it is different from traditional competition law, because it protects different legal interests than Art. 101 and 102 TFEU (shown by its objectives "contestability" and "fairness").Footnote 114 A number of obligations entails aspects, e.g. with respect to protecting freedom of choice of end users, that are close to consumer law, and the inclusion of Art. 5(a) DMA (based on the German Facebook case) addresses also privacy concerns. Although the DMA is mostly interpreted as another (ex-ante regulatory) form of competition law, it also offers the perspective to be interpreted and evolve into a more integrative regulatory instrument for this small number of gatekeepers that focuses not only on competition but has also the objectives to strengthen data protection and consumer protection.Footnote 115