The Norwegian Data Protection Authority (DPA) on July 14 imposed a temporary three-month ban on “behavioural advertising” on Facebook and Instagram to users based in Norway. The decision relied on the “urgency procedure” under the General Data Protection Regulation (GDPR), which exceptionally allows direct regulatory interventions by other national authorities than the authority of the country where the business is registered (here: Ireland).

My initial view of the decision is that it is both a misuse of the urgency procedure and mischaracterizes the leading judgment from the EU Court of Justice (CJEU) on which it purports to rely (see my analysis of that judgment: part 1 and part 2). The decision misses the critical legal issue that it’s unclear to what extent the CJEU’s analysis applies to first-party personal data (collected by Facebook and Instagram) as the Court’s judgment expressly covered third-party data (collected “off-platform”).

Read the full piece here.

Among the regulatory tools created by the European Union’s Digital Markets Act (DMA)—landmark competition legislation that took effect across the EU last November—is a mandate that the largest digital-messaging services must be made interoperable. In the name of promoting fairness in digital markets, these gatekeeper services are asked to allow external services to connect with them, enabling new and smaller players to compete.

Read the full piece here.

Yesterday, I delved into the recent judgment in the Meta case (Case C-252/21) from the Court of Justice of the European Union (CJEU). I gave a preliminary analysis of the court’s view on some of the complexities surrounding the processing of personal data for personalized advertising under the GDPR, focusing on three lawful bases for data processing: contractual necessity, legitimate interests, and consent. I emphasized the importance of a nuanced understanding of the CJEU decision and pointed out that the decision does not determine definitively whether Meta can rely on legitimate interests or fall back on user consent for personalized advertising.

Read the full piece here.

Today’s judgment from the Court of Justice of the European Union (CJEU) in Meta’s case (Case C-252/21) offers new insights into the complexities surrounding personalized advertising under the EU General Data Protection Regulation (GDPR). In the decision, in which the CJEU gave the green light to an attempt by the German competition authority (FCO) to rely on the GDPR, the court also explored the lawful bases for data processing under the GDPR, notably for personalized advertising.

Read the full piece here.

Abstract

The complexity of the European Union’s Digital Markets Act (DMA) raises various difficult interpretative questions. Chief among them is whether the EU law is effective in achieving its purpose of harmonizing the national laws of EU member states. The issue is not just of academic concern; if the DMA falls short in this regard, it could be viewed as having been founded on flawed legal grounds, potentially rendering it null and void. In this context, we examine recent actions by the German Federal Cartel Office (Bundeskartellamt; FCO) regarding large technology-sector firms that the DMA would regulate as “gatekeepers.” This issue brief outlines two competing legal interpretations of potential relevance. One option is that the FCO’s actions may contravene EU law. Alternatively, the recent German actions could indicate that the DMA fails in its purpose as a harmonizing measure, thereby casting doubts on the law’s validity.

I. The DMA Must Be a Harmonizing Measure

Every law enacted by the EU legislature must have a legal basis in the EU treaties. Without an appropriate treaty basis, the law would be invalid. The DMA’s drafters chose Article 114 of the Treaty on the Functioning of the European Union (TFEU) as its legal basis. Notably, unlike Article 352 TFEU, Article 114 does not require unanimity among EU member states for a law to be enacted. Because the provision has a lower threshold of member-state consent, it is more limited in its scope.

Article 114 TFEU allows adoption of “the measures for the approximation of the provisions laid down by law, regulation or administrative action in Member States which have as their object the establishment and functioning of the internal market.” In other words, it empowers the creation of harmonizing measures: EU laws that address diverging rules among the member states that “are such as to obstruct the fundamental freedoms and thus have a direct effect on the functioning of the internal market or to cause significant distortions of competition.”[1] Given that the DMA was adopted with Article 114 as its legal basis, it must satisfy those requirements. If it does not, then it risks invalidation by the EU Court of Justice.

II. The DMA’s Potential Ineffectiveness in Harmonization

As Alfonso Lamadrid de Pablo & Nieves Bayo?n Ferna?ndez have persuasively argued, an interpretation of the DMA that rendered it ineffective as a harmonization measure would, in turn, threaten the law’s validity,[2] a concern that has also been noted by Jasper Van den Boom.[3] In a similar vein, Giuseppe Colangelo has argued that the European legal framework could become more fragmented because of overlaps between, and the potential dual application of, the DMA and competition law.[4] Further, Marco Cappai & Colangelo have warned that such overlaps raise the risks of double or even triple jeopardy for defendants in competition cases.[5]

As Lamadrid & Ferna?ndez argued, the initial threshold question is whether there are, or are likely to arise, sufficient significant divergences among national laws to justify invoking Article 114 TFEU. Provided that they exist, the follow-up question is whether the DMA addresses those divergences effectively. According to Lamadrid & Ferna?ndez, if courts interpret the DMA rules meant to ensure harmonisation narrowly—namely, Article 1(5)-(7)—there is a risk that they will fail to pre-empt the very fragmentation that the law is supposed to address.[6]

The Impact Assessment for the DMA proposal gave several examples of diverging national laws, including Section 19a of the German Act Against Restraints of Competition (Gesetz gegen Wettbewerbsbeschra?nkungen; GWB).[7] Most recently amended in 2021, the GWB is intended to apply to businesses with “paramount cross-market significance”—a designation defined differently than the DMA’s “gatekeepers” but which likely would be applied to essentially the same set of companies. Colangelo cited the amended GWB—describing it as a kind of “Germanexit”—in arguing that the potential for overlapping enforcement of the DMA and national competition rules is exacerbated where member states strengthen their antitrust-enforcement tools with platform-specific provisions.[8]

On one hand, Article 1(5) states that member states “shall not impose further obligations on gatekeepers by way of laws, regulations or administrative measures for the purpose of ensuring contestable and fair markets.” But on the other hand, it qualifies this mandate by excluding prohibition measures that are “outside the scope of this Regulation,” so long as gatekeepers are not targeted explicitly for being gatekeepers. Lamadrid & Ferna?ndez suggest that the effect of this qualification may be to “exempt, permit, and leave unchanged all of the rules identified in the Commission’s Impact Assessment as sources of existing or likely regulatory fragmentation.”[9]

Article 1(6) states that the DMA is without prejudice to the application of EU competition law (Articles 101-102 TFEU); national rules analogous to EU competition law (letter (a)); rules on merger control (letter (c)); and also “national competition rules prohibiting other forms of unilateral conduct insofar as they are applied to undertakings other than gatekeepers or amount to the imposition of further obligations on gatekeepers” (letter (b)). Lamadrid & Ferna?ndez note:

Under this provision, Member States would remain free to enact new rules overlapping with those in the DMA, or even establish ‘additional obligations’, provided that these are enacted as part of their national competition rules and do not only target gatekeepers as defined in the DMA.[10]

Without questioning that a narrow interpretation is possible, Van den Boom argued that there should be a way to interpret the DMA’s pre-emptive provisions more broadly to ensure effective harmonization.[11] Van den Boom concludes that national laws like the German Section 19a GWB may need to be revised in the light of a broader, harmonization-preserving interpretation of the DMA.[12]

III. FCO Objections to Google’s Data Processing Across Services

In December 2022, the FCO issued a statement of objections regarding Google’s processing of user data across services, which noted that, under Google’s current terms, data from many services can be combined to construct user profiles for advertising and other purposes.[13] The data is collected and processed across such platforms as Google Search, YouTube, Google Maps, and even third-party sites, as well as Google’s background services, with the company periodically drawing data from Android devices.

The FCO tentatively concluded that these terms did not offer users adequate choice regarding the extensive cross-service data processing, deeming the current options insufficiently transparent and overly broad. In announcing that they would require Google to modify the choices available to users, the FCO relied on Section 19a GWB, the same provision that the DMA Impact Assessment offered as an example of the kind of legal fragmentation that the DMA was meant to address. Moreover, and crucially, the object of the FCO’s investigation—combining user data across services—is covered by the DMA in its Article 5(2). This suggests that the FCO’s may actions are prohibited by the DMA (in Articles 1(5)-(6)).

In addressing concerns that their actions were pre-empted by the DMA, the FCO claimed that they were applying domestic competition law, which would suggest that Article 1(5) DMA does not apply. The FCO also noted that no “core platform services” have been designated under the DMA, and thus we do not yet technically have any “gatekeepers” for the purposes of the DMA’s pre-emption rules. Finally, the FCO asserts that the domestic legal basis (Section 19a GWB) of their investigation “partially exceeds the future requirements of the DMA” and, moreover, that “the Bundeskartellamt is in close contact with the European Commission.”[14]

IV. The FCO Versus the DMA

By its own admission, the FCO is pursuing Google for conduct to which the European Commission is likely to apply the DMA. The FCO thus appears to be trying to beat the Commission to the chase and impose its own regulatory vision before the Commission has time to act.

The Google investigation is part of the FCO’s broader agenda for large tech firms. The agency has already used Section 19a GWB to designate Alphabet, Amazon, Apple, and Meta as having “paramount significance for competition across markets,” while an investigation to similarly designate Microsoft is pending.[15] Some, if not all, of those companies are likely to also be deemed “gatekeepers” by the European Commission under the DMA.

More importantly, at least some ongoing Section 19a investigations relate to matters covered by the DMA. For example, the FCO’s investigation of Apple’s app-tracking transparency framework focuses on so-called “self-preferencing,” a practice that the Commission could determine the DMA covers.[16] The FCO commenced that investigation after final agreement on the DMA in March 2022. Similarly, the FCO’s ongoing investigation of Meta similarly concerns the processing of user data across services, which is clearly covered by the DMA, provided that the relevant Meta services will be designated under the DMA as gatekeepers.[17]

If the Commission designates Google and its services under the DMA, the company would be subject to Article 5(2) DMA, which would require that Google obtain user consent to:

(a) process, for the purpose of providing online advertising services, personal data of end users using services of third parties that make use of core platform services of the gatekeeper;

(b) combine personal data from the relevant core platform service with personal data from any further core platform services or from any other services provided by the gatekeeper or with personal data from third-party services;

(c) cross-use personal data from the relevant core platform service in other services provided separately by the gatekeeper, including other core platform services, and vice versa; and

(d) sign in end users to other services of the gatekeeper in order to combine personal data.

The key notions of “specific choice” and “consent” in Article 5 DMA pose difficult technical and legal questions. Exactly how Google would implement such cross-service processing of data in compliance with the DMA will be a matter for discussion between Google and the European Commission.

Different authorities are likely to reach different conclusions as to how to approach such problems. But given that the DMA is based on Article 114 TFEU and thus intended as a harmonization measure, its chief purpose must be to prevent fragmentation of regulatory approaches to issues clearly covered by the DMA. This is true irrespective of whether a national authority purports to rely on national competition rules or on other national law.

The FCO noted that Section 19a GWB “partially exceeds” the DMA’s requirements, which is a curious choice of phrase. It would appear to admit that the national law overlaps with the DMA. To the extent that such an overlap exists, application of the law to designated gatekeepers is pre-empted by Articles 1(5)-(6) DMA. Even if the FCO could show that some requirements they intend to impose on Google “exceed” what the Commission would do under the DMA, this would not render that FCO’s actions outside the scope of DMA’s pre-emptive provisions.

The FCO’s stated intent is to impose its own interpretation of what constitutes “sufficient choice” as to whether and to what extent “users agree to cross-service data processing.” Based on these assertions, it is difficult to see how the FCO’s action would either be “outside the scope” of the DMA (Article 1(5) DMA) or constitute a “further obligation” (Article 1(6) DMA). If the DMA is to be an effective harmonizing measure, then the mere fact that a national authority has an idiosyncratic interpretation of user choice and consent in the context of cross-service data processing cannot be sufficient for its actions to constitute a “further obligation.”

Any other reading of the DMA would serve to nullify Articles 1(5)-(6). Whenever any national authority disagrees with how the Commission enforces the DMA, they could simply adopt national measures that “exceed” the DMA in that they differ from the Commission’s approach. Given the scope of Article 5(2) DMA, interpreting Articles 1(5)-(6) not to preclude the FCO’s actions would jeopardize the DMA’s validity as a harmonising measure under Article 114 TFEU.

As the FCO itself has noted, the Commission has not yet designated any “gatekeepers” or their “core platform services.” The FCO has, however, conceded that its actions against Google concern services that are “likely” to be designated and therefore covered by the DMA. To preserve the DMA’s validity, actions like the FCO’s against services that are within the DMA’s scope must be pre-empted. With services that are not yet—but are likely to be—designated, actions by a national authority that will be illegal once the services are designated should also be considered illegal while a designation is imminent. This reading follows both from the DMA’s function as a harmonizing measure under Article 114 TFEU and from the principle of sincere cooperation (Article 4 TEU).

Pre-emption does not have to render Section 19a GWB and similar national rules a dead letter. As Gunnar Wolf & Niklas Brüggemann argue, there is space for “complementarity” between the DMA and national law.[18] If, however, the DMA is to remain an effective harmonizing measure, the scope for national action in areas regulated by the DMA must be narrow. It does not appear that the FCO’s proposed action is “complementary” to the DMA. Rather, it is a brazen attempt to circumvent the DMA’s harmonizing function.

V. Conclusion

The FCO and other national authorities may be less concerned than the European Commission with preserving the DMA’s validity. In fact, the FCO’s actions suggest that they are chafing against the restraints imposed by the DMA and would prefer to act as if the restraints do not apply. It would be surprising if the Commission did not respond with a more assertive approach to such prima facie breaches of EU law by national authorities. The stakes are high. If the Commission tacitly accepts an interpretation of the DMA that gives national authorities free rein for these kinds of enforcement actions, then it will cease to be a harmonizing measure and, as such, would be invalid.

[1] Case C-58/08 Vodafone, O2 et al. v Secretary of State, EU:C:2010:321 ¶ 32.

[2] Alfonso Lamadrid De Pablo & Nieves Bayón Fernández, Why the Proposed DMA Might Be Illegal Under Article 114 TFEU, and How to Fix It, 12 J. Eur. Compet. Law Pract. 576 (2021).

[3] Jasper Van den Boom, What Does the Digital Markets Act Harmonize?–Exploring Interactions Between the DMA and National Competition Laws, 19 Eur. Competition J. 57, 69 (2023).

[4] Giuseppe Colangelo, The European Digital Markets Act and Antitrust Enforcement: A Liaison Dangereuse, Eur. Law Rev. 597 (2022).

[5] Marco Cappai & Giuseppe Colangelo, Applying Ne Bis in Idem in the Aftermath of BPost and Nordzucker: The Case of EU Competition Policy in Digital Markets, 60 Common Mark. Law Rev. (2023).

[6] De Pablo & Fernández, supra note 2.

[7] European Commission, Commission Staff Working Document Impact Assessment Report Accompanying the document Proposal for a Regulation of the European Parliament and of the Council on contestable and fair markets in the digital sector (Digital Markets Act), Part 2, 112-113 (2020), https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52020SC0363.

[8] Colangelo, supra note 4.

[9] Id, 580.

[10] Id.

[11] Van den Boom, supra note 3.

[12] Id, 84.

[13] Bundeskartellamt, Statement of Objections Issued Against Google’s Data Processing Terms, (2023), https://www.bundeskartellamt.de/SharedDocs/Meldung/EN/Pressemitteilungen/2023/11_01_2023_Google_Data_Processing_Terms.html.

[14] Id.

[15] Bundeskartellamt, Proceedings against large digital companies – on the basis of Sec. 19a GWB – as of May 2023, (2023), https://www.bundeskartellamt.de/SharedDocs/Publikation/EN/Downloads/List_proceedings_digital_companies.pdf. Note that Amazon and Apple are disputing their designation under Section 19a and according to the FCO the court proceedings are not yet finalized.

[16] Bundeskartellamt, Bundeskartellamt reviews Apple’s tracking rules for third-party apps, (2022), https://www.bundeskartellamt.de/SharedDocs/Meldung/EN/Pressemitteilungen/2022/14_06_2022_Apple.html. As noted in the previous footnote, Apple is disputing their designation under Section 19a.

[17] Bundeskartellamt, Meta (Facebook) responds to the Bundeskartellamt’s concerns – VR headsets can now be used without a Facebook account, (2022), https://www.bundeskartellamt.de/SharedDocs/Meldung/EN/Pressemitteilungen/2022/23_11_2022_Facebook_Oculus.html.

[18] Gunnar Wolf & Niklas Brüggemann, Agenda 2025: the Digital Markets Act and Section 19a GWB, D’Kart (2022), https://www.d-kart.de/en/blog/2022/07/19/agenda-2025-der-digital-markets-act-und-§19a-gwb.

ICLE Senior Scholar Miko?aj Barczentewicz joined the Mobile Dev Memo podcast to discuss the Irish Data Protection Commission’s recent $1.3 billion levied against Meta over its transmission of EU resident data to the United States, and what the case means for the future of U.S.-EU data flows. The full episode is embedded below.

The European Commission’s recently concluded consultation on “the future of the electronic communications sector and its infrastructure” was a curious phenomenon in which the commission revived the seemingly dead-and-buried idea of a legally mandated “sender pays” network-traffic scheme, despite the fact that it remains as unpopular and discredited as it was when last discussed roughly a decade ago.

Read the full piece here.

In an appearance on the Mobile Dev Memo podcast, ICLE Senior Scholar Miko?aj Barczentewicz outlines the legal impact of the EU’s Digital Markets Act and Digital Services Act, with specific attention paid to the digital-advertising market. He also discusses the latest news related to Meta’s recent fine by the Irish DPC for using first-party data without consent to empower personalized advertising, as well as the temporary ban that the Italian DPA enforced on OpenAI’s ChatGPT. The full episode is embedded below.

ICLE Senior Scholar Miko?aj Barczentewicz was a guest on the Mobile Dev Memo podcast to discuss the recent spate of European Union decisions related to digital privacy. The full episode is embedded below.