
The Paul, Weiss Antitrust Practice advises clients on a full range of global antitrust matters, including antitrust regulatory clearance, government investigations, private litigation, and counseling and compliance. The firm represents clients before antitrust and competition authorities in the United States, the European Union, the United Kingdom and other jurisdictions around the world.

How Does Data Regulation Interface With Antitrust Considerations? The European Data Protection Board Calls for Close Cooperation

February 6, 2025

In a position paper adopted on January 16, 2025, the European Data Protection Board (“EDPB”) identifies synergies and convergences across data protection and competition law and calls for closer cooperation among data protection and competition authorities. The call comes amid a growing global focus both on data as a factor of production and on privacy compliance as a parameter of competition.

Background

As the role and value of data become ever more recognized across the digitalization of all sectors, the intersection of data protection and competition law has become a subject of debate. The latest contributions to that debate included a comprehensive OECD working paper on the intersection between competition and data privacy from 2024, calling for “a holistic vision at the highest levels of policymaking and coordinated action by competition and data protection authorities”.[1]

The EDPB’s position paper (“Position Paper”) responds to this call and is part of a series of contributions the EDPB has made over the years on the relevance of data protection in competition law enforcement and vice versa.[2] While it remains to be seen whether the (non-binding) Position Paper will lead to an increase in cooperation amongst EU enforcement authorities, the identified intersections are topical and relevant for both data protection and antitrust enforcement.

The Position Paper calls for regulators to move away from isolation in their enforcement approach. It identifies a series of synergies and interrelations between data protection and competition law, then calls for building on these synergies to foster cooperation and a coherent enforcement framework.

Summary of Position Paper

  1. Synergies and convergences. The Position Paper emphasizes that although data protection and competition laws have separate legal frameworks, both aim to protect individuals and their choices and to address power imbalances that may exist in markets. The EDPB posits that strengthening the link between data protection and competition laws can enhance the protection of individuals as consumers and data subjects and reduce tensions that may otherwise arise, referring specifically to merger control and abuse of dominance enforcement.

    With respect to merger control enforcement, the Position Paper notes the increasing importance of personal data in the digital economy, recalling that the European Commission’s recently revised market definition notice identifies data protection offered by the relevant product or service as a relevant parameter when considering competition.[3] In that vein, the Commission also recalled in its Policy Brief 1/2024 on EU Merger Control and non-price competition that data protection and privacy are “particularly relevant parameters of competition in mergers in the digital and technology industries”, while caveating that data protection legislation can create limitations on parties which can factor into the competitive assessment of a merger (i.e., how the merger will affect both concentration of personal data and reduction of privacy-designed products).[4]

    In that regard, with respect to abuse of dominance enforcement, the Position Paper postulates that a competitive market can encourage the minimization of personal data collection and avoid data combination and concentration that could be harmful to users. Conversely, the Position Paper claims that the lack of alternatives and competition may lead to users opting for less privacy-protective products, with a consequential risk of dominant digital companies strengthening and exploiting their market position while avoiding privacy obligations. The EDPB notes that the Digital Markets Act[5] is intended to address certain of these concerns (e.g., cross-use of personal data across owned platforms), but that there are further interrelations with privacy laws that must also be considered.

  2. Key interrelations. The Position Paper draws on the 2023 European Court of Justice (“ECJ”) judgment in Facebook/Bundeskartellamt,[6] in which the ECJ clarified that a dominant market position under Art. 102 TFEU does not systematically imply that a user’s consent (under the GDPR) to the dominant undertaking processing its data can never be valid.[7] However, the ECJ acknowledged that the “freedom of choice” of a user and “the potential imbalance between the data subject and the controller” are relevant factors in evaluating the validity of consent for GDPR purposes and could result in invalidation of consent (especially where there is a potential for discrimination or access to certain networks or services).[8] Importantly, the ruling accepts that a violation of the GDPR can be the basis, or a relevant assessment factor, for the finding of an abuse of a dominant position under Art. 102 TFEU – however, the ECJ imposed an obligation on competition authorities to consult with the competent data protection authorities (“DPAs”) in relation to any such assessment. It emphasized that a DPA’s findings under the GDPR cannot be replaced by the assessment of a competition authority.[9]

    The Position Paper argues that the ECJ ruling in Facebook/Bundeskartellamt creates an important incentive for authorities to streamline their cooperation and to “agree on practical ways to consult one another”.

  3. Call for cooperation. To further build on coherence and synergies between decisions taken in matters of competition and data protection in light of the identified convergences, the Position Paper claims that there is significant variation across the EU with regard to the cooperation and mutual trust between competition and data protection agencies (including whether any legislation exists to require or enable such cooperation). To improve this, the Position Paper proposes concrete steps such as: (i) national legislation to increase cooperation across agencies and reduce cooperation hurdles; (ii) the creation of dedicated coordination teams that can serve as a single point of contact for other authorities; (iii) developing a basic understanding and familiarity within authorities of the regulatory framework supervised by their counterparts, including via training as necessary; and (iv) establishing structured and regular cooperation protocols, including informal workshops and meetings to assist with agreeing on shared principles and fostering connections.

Conclusion and Takeaways

  • There is little reason to challenge the EDPB’s call for closer liaison and collaboration between data privacy and competition regulators. Guidance on the intersections of these regimes is valuable for businesses seeking to ensure compliance across an ever more complex regulatory landscape (especially given the significant number of additional digital laws that have been laid down in the European Union in recent years in relation to use of data, managing online offerings, development and use of artificial intelligence and implementing appropriate digital security controls). Indeed, businesses facing regulatory enforcement in areas where there are such overlaps may want to encourage liaison between the regulators, to ensure clear, workable outcomes that address and resolve any tensions up front.
  • From a data protection perspective, the Position Paper serves as a reminder that use of personal data has wider ramifications than solely compliance with the GDPR and national privacy laws. As the collection, analysis and commercialization of personal data become more critical to business success, it will be important for companies to ensure that their internal functions have open dialogue regarding how use of personal data for business growth is balanced with broader regulatory risks.
  • It will also be critical for businesses to review this Position Paper alongside the positions being adopted in neighboring jurisdictions – for example, the UK privacy regulator updated guidance on “pay or consent” models on January 23, 2025, adding further considerations and obligations to address power imbalances when collecting personal data for advertising.[10]
  • The scope and volume of regulation (particularly digital regulation) expanded hugely under the five years of the first von der Leyen Commission. The new Competitiveness Compass from her second Commission, in office since December 1, 2024, puts regulatory simplification at the heart of driving growth and competitiveness for European businesses. Against that backdrop, the EDPB’s paper addresses a very small aspect of the challenge of navigating EU regulatory red tape.
  • Indeed, alignment between the many EU DPAs themselves has been stated to be sub-optimal and is being addressed by the proposed EU Regulation on cross-border GDPR enforcement. The UK’s Digital Regulators Cooperation Forum (DRCF) offers a good example of effective cross-regulator cooperation. This long-standing body facilitates close cooperation between UK regulators, led by the Competition and Markets Authority (CMA – antitrust), Information Commissioner’s Office (ICO – data protection), Ofcom (comms and digital sector regulator) and the Financial Conduct Authority (FCA – financial services regulator). It often conducts joint research into emerging topics that straddle the remits of its various member regulators. The DRCF also oversees the AI and Digital Hub, set up as a 12-month pilot (to April 2025) for a cross-regulator sandbox that offers businesses blended regulatory support from the CMA, ICO, Ofcom and FCA. The DRCF more generally is an excellent example of ensuring that regulators understand each other and pool collective skills to present a combined approach for businesses and support innovation and growth.

*       *       *

[1]        Carolina Abate, Giuseppe Bianco, and Francesca Casalini (OECD), “The Intersection between competition and data privacy” (2024).

[2]        EDPB, 17 April 2024, Opinion 08/2024 on Valid Consent in the Context of Consent or Pay Models Implemented by Large Online Platforms; EDPB, 19 February 2020, Statement on privacy implications of merger.

[3]        European Commission, 2024, Communication from the Commission – Commission Notice on the definition of the relevant market for the purposes of Union competition law, Official Journal, C 1645, ELI: http://data.europa.eu/eli/C/2024/1645/oj

[4]        European Commission, 2024, Competition Policy Brief [1/2024] – Non-Price Competition: EU Merger Control Framework and Case Practice.

[5]        Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828 (Digital Markets Act)

[6]        Judgment of 4 July 2023, Meta Platforms and others (C-252/21, ECLI:EU:C:2023:537).

[7]        Ibid, para. 154.

[8]        Ibid, para. 144.

[9]        Ibid, para. 63.

[10]       https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/online-tracking/consent-or-pay/

© 2025 Paul, Weiss, Rifkind, Wharton & Garrison LLP
