On 5 October 2023, the German competition authority adopted its first tangible evidence of enforcement surrounding its new competition rules (Section 19a GWB) directed at undertakings with paramount significance for competition across markets on its case against Google for its data processing terms (see the Bundeskartellamt’s decision designating Alphabet here and a previous comment on the NCA’s preliminary assessment of the case here).
The competition authority decided to finalise the proceedings that it had triggered against Google for its data processing terms since May 2021, given that it found that Google’s proposed commitments were sufficiently substantive to address the competitive concerns the NCA had raised on its preliminary assessment. Although the case’s resolution seems straightforward at face value, as with any other case with the Bundeskartellamt, complexity and argumentative delicacy underlie ranging from the theory of harm posed by the German competition authority.
The problem, the case and the commitments
The case that the Bundeskartellamt brought against Google was not entirely new in the eyes of those who have followed the Facebook v. FCO saga surrounding the interplay between data protection considerations and competition law (for a review of the Court of Justice’s recent ruling, see here).
The FCO took issue with the fact that Google leverages its capacity to extract and collect data from its users to build a competitive advantage for itself. As simple and as complex as that. However, in this particular case, it did not choose to apply an idiosyncratic theory of harm based on exploitation correlated with its constitutional provisions and the benchmarking of the GDPR. Instead, the Bundeskartellamt rode upon its newly passed Section 19a GWB to construe the case against Google.
In particular, from the vast range of provisions at its disposal, the German competition authority applied Section 19a(2) sentence 1 no. 4a GWB. In other words, the German competition authority analysed whether it could prohibit the “(creation or appreciable) raising (of) barriers to market entry or otherwise impeding other undertakings by processing data relevant for competition that have been collected by the undertaking, or demanding terms and conditions that permit such processing, in particular (by) making the use of services conditional on the user agreeing to the processing of data from other services of the undertaking or a third-party provider without giving the user sufficient choice as to whether, how and for what purpose such data are processed“. This is the exploitative theory of harm that the Facebook v. FCO case elucidated, as it now translated into hard law.
For that, the German competition authority analysed Google’s data processing terms on two fronts. On one side, the FCO established that Google processed user data comprehensively across its service, irrespective of the fact that data are provided directly by the users or collected from them via their use of Google’s products and services). Similar to Facebook, Google also collects data from its own users not only on its first-party services but via third-party websites and apps (paras 7-8 of the German competition authority’s decision). The technical means that Google uses to combine the different sets of data for deriving further insight into its users are identifiers, which lie on the user’s Google account or directly on their devices (para 11 lists identifiers such as the Google account ID, the cookies ID and the advertising ID’s for different mobile devices used by the undertaking to process and combine personal data). On the other side, the Bundeskartellamt’s remarks the setting options that both signed-in users and non-authenticated users have at their disposal to restrict Google’s data processing activities, in the case they wished to do it. The FCO finds that users are not offered the option to reject tracking technologies to avoid their personal data being processed in some contexts, whereas in others the German competition authority sets out that it does provide the choice to do so (paras 17, 18 and 20).
Stemming from the in-depth analysis of Google’s data operations with regard to the processing of personal data, the German competition authority goes on to establish whether those facts may qualify as anti-competitive under Section 19a(2) sentence 1 no. 4a GWB.
A three-pronged test derives from the application of the provision: i) the determination of whether Google makes the use of its services conditional on users agreeing to the processing of their data; ii) the specification of whether that conduct is accompanied by an impediment caused to other companies resulting from the processing of data; and iii) the absence of an objective justification excusing the undertaking’s conduct.
Conditionality – sufficient and free choice
The FCO’s argument on conditionality stems from categorising Google’s privacy policies and screen dialogues addressed to their users as terms and conditions, “within the meaning of competition law” (para 45). According to the German competition authority, the T&C’s define the existing business relationship between Google and its users, even though a pre-defined relation between the undertaking and the consumers is not required under antitrust. On this point, the competition authority’s assessment delves only into the user’s granting of consent under Article 6(1)(a) of the GDPR, and does not factor into its analysis the fact that Google’s processing activities might fall under the legal bases set out in Articles 6(1)(c)-(e) of the GDPR (para 56). The German competition authority opts, by choice, to ignore that Google’s processing activities may, in fact, be legal under EU data protection regulation. One would think that if non-compliance with the GDPR may be considered relevant to assessing the circumstances surrounding the undertaking’s deviation from competition on the merits (para 47, C-252/21), compliance with the same set of rules would amount to something, too.
Against this framework, conditionality is grounded on an argument threaded by Google’s unilateral imposition of its data processing terms on users. Even though it is true that digital platforms impose their terms on users in the form of contracts of adhesion, it does not always mean that users are forced to agree to those same terms. In the German competition authority’s words, due to this unilateral imposition, users must accept the conditions presented to them if they want to use Google’s service in the fashion of a take-it-or-leave-it model.
Despite that many of the purposes covered by Google’s privacy policies enable the user to outright reject the processing of personal data in some contexts, under the “sufficient choice criterion” (para 46) the fact that users cannot refuse to be tracked when using Google’s services is enough to tip the scales against the undertaking (para 47).
Alongside the sufficiency of choice, this same fact leads the German competition authority to believe that Google did not provide sufficient granularity in its setting options regarding the processing and combining of personal data across the undertaking’s services. By this token, users are tempted to consent to more extensive data processing activities than they would have otherwise accepted (para 51). Furthermore, given that users were not provided sufficient choice in fine-tuning their data protection preferences, the Bundeskartellamt finds that insufficient choice is a sign of restricted choice, in contravention to the free choice requirement enshrined under Articles 4(11) and 7 of the GDPR (paras 51 and 52). The choice was not free to the point that it was easier for users to consent than reject those terms and conditions, due to Google’s exertion of unreasonable influence over them (para 54).
Ironically, on this point, the NCA references the Court of Justice’s findings in C-252/21 (notably, para 151 of the ruling) when interpreting the GDPR in relation to the prohibition of an abuse of a dominant position. The reference is quite a mishap. The Bundeskartellamt tries to mirror the Court of Justice’s words into its own narrative, but the same facts do not hold. The CJEU’s passage touched upon the question of whether a dominant undertaking may fulfil the conditions of validity laid down in Article 4(11) GDPR due to its prominent position in relation to the data subject. The Court responded ambiguously. Users cannot be reasonably expected to predict that their personal data will be collected and processed in such a way as Facebook did (i.e., by combining first-party with third-party data). Hence, “it is appropriate (…) to have the possibility of giving separate consent for the processing of the latter data, on the one hand, and the off-Facebook data, on the other“.
The Court of Justice, however, did not mandate separate consent granted by the user for the processing of personal data in line with different data sources. It established a presumption to the case: “it is for the referring court to ascertain whether such a possibility exists, in the absence of which the consent of those users to the processing of the off-Facebook data must be presumed not to be freely given“. Nonetheless, the German competition authority reads the ruling pro-actione and assigns the fact that separate consent was not requested as an indicative of Google’s blockade on users’ consenting to the processing of their personal data.
Finally, the threshold of sufficiency is also met, in the FCO’s words, due to the lack of sufficiently concise and comprehensible indications which could provide users with sufficient information as to whether, how and for what purpose Google processes data across its services. The lack of transparency (understood under the terms of the GDPR, one should say) leads the German competition authority to believe that users cannot easily comprehend the scope of the choice options displayed to them and, thus, they end up accepting them altogether (para 53).
Causing an impediment to competitors
The German competition authority finds that the requirement of the presence of an impediment of other companies resulting from the undertaking’s conduct is easily derived from Google’s processing activities and terms. Its large pool of data builds on its (already existing and increasingly large) economies of scale present in its ecosystem -in spite of the fact that Google’s ecosystem is not defined in any given manner throughout the decision- in cementing its competitive position and enabling it to seamlessly integrate its services with ease via secondary use of personal data and dataset combination. By this means, the undertaking expanded its already existing competitive advantage to the detriment of third parties whose competitive opportunities were diminished in contrast to Google (para 52).
The Bundeskartellamt’s finding on this point is not detailed, but one can easily observe that it is inspired by the same principles that justify the DMA’s prohibition of processing, combining and cross-using of personal data across core platform services (Article 5(2) DMA).
The absence of an objective justification
The third tenet of the test regarding the competition authority’s appraisal of Google’s arguments when presenting an objective justification for its conduct is nothing but tautological. On one side, the competition authority establishes that this part of the test is carried out by weighing up interests in light of the objective of the German Competition Act, which is mainly directed towards the freedom of competition. In general, achieving short-term efficiencies for the benefit of competitors and consumers, long-term legal objectives such as limiting economic positions of power, keeping markets open and protecting the competitive process must be attributed particular weight (para 58).
Notwithstanding, the German competition authority’s decision does not balance out Google’s objective justification against these same interests. Instead, it does so by reminiscing its own case against Facebook’s processing activities. In a similar vein to the constitutional balancing that was performed in the latter case, the Bundeskartellamt upholds that “the protection of end users’ right to informational self-determination, which is also relevant under competition law, is (to be) given special weight” (para 59). As it does before, the competition authority aggrandises the CJEU’s findings regarding the interplay between the processing of personal data and competition law in its favour. In this particular instance, it does so by bringing forward the concept of informational self-determination, which is not directly acknowledged as relevant by the Court of Justice at any point of the ruling. Non(compliance) with the GDPR and the access and processing of personal data. Those are the two elements that may ground some relevance under the antitrust framework, but the constitutional manifestation of the right to data protection as informational self-determination was not regarded as an instrumental value to reaching any kind of conclusion when performing an analysis under Article 102 TFEU.
The underlying pattern surrounding Article 5(2) DMA
Once the German competition authority explains in its main arguments supporting its proceedings, it goes on to analyse Google’s proposed commitments and what they will entail in reality. From a substantive perspective, the commitments are nothing different to Article 5(2)(b) and (c) of the DMA.
The terms of the commitments prohibit Google from: i) combining personal data from a service covered by the commitments with the personal data from other Google services or with personal data from third-party services; and ii) cross-using personal data from covered core platform services (designated under the DMA, see here a review on that process) in other service provided separately without giving users sufficient choice options to consent (para 62). Moreover, Google should refrain from cross-using personal data across services without user consent (para 64). To document the process, Google compromises to submit a detailed implementation plan of the measures (with accompanying reporting obligations) (para 67).
Google presents an annex to its commitments listing the services that are comprised under their terms (the services not designated as core platform services in light of the DMA), except for Google’s Fitbit services which will abide by the conditions and commitments presented in the European Commission’s decision clearing the merger between Google and Fitbit. The delineation of the services caught under the commitments is based “on (the) principles set out in the DMA” (para 70 of the decision). In a similar vein, if any of the services comprised under the annex make it to a designation under the DMA, it will no longer fall under the German commitments “to the extent to which the service or parts of the service are subject to Article 5(2) DMA” (para 74).
In appearance, the commitments mirror the obligations set out under Article 5(2) DMA, but the difference lies in the services that are comprised under the FCO’s decision. The services covered in the latter are ‘designated’ but by exclusion to the EC’s designation process: all of Google’s services that did not fall under the designation process will be subject to the FCO’s accepted commitments. In practice, this means replicating the provisions from the DMA to the German antitrust framework, but without any immediate consequences looming over Google.
Article 5(2) DMA is not a CPS-specific obligation. It is a provision designed around a completely different objective: to detach gatekeepers from leveraging their data capabilities into their own ecosystems. Therefore, the prohibition of processing, combining and cross-using personal data is not ascribed in isolation to the links and processes that may be realised between the gatekeeper’s CPS. Of course, the provision comprises those scenarios. For example, Google Search will be prohibited from combining personal data with the Google Ads division directly (except the overriding exemptions under the provision apply, i.e., they process and combine personal data legally under the terms of the GDPR).
However, those are not the only scenarios comprised under the obligation. Article 5(2)(b) DMA extends the prohibition of combining personal data from the CPS “from any other services provided by the gatekeeper or with personal data from third-party services” and the cross-using prohibition under Article 5(2)(c) DMA extends its own arms to data “in other services provided separately by the gatekeeper“. Thus, Article 5(2) applies in the existing data operations combining and cross-using personal data from CPS to non-CPS services (or even to third-party services).
In this context, Google’s commitments do not make much sense substantively. It is true that the non-CPS services are ascribed the same value as CPS services under the German light, but the practical and immediate consequences will be the same. Google will not be able to combine personal data from those services into other proprietary services, but that does not entail much, only a change in focus.
In fact, the FCO recognises that the commitments correspond to an extension of the undertaking’s obligations under Article 5(2) DMA in two fundamental ways. On one side, the terms used in Google’s commitments must be interpreted and read in accordance with their meaning in the DMA. On the other side, Google’s commitments do not place a higher threshold of intervention into the undertaking’s business model as opposed to the DMA, since they do not impose “stricter requirements on transparency and equivalence of choices” on its settings and processing activities (para 78). At least, one can be grateful that the harmonisation motion that the DMA wants to embrace is not endangered due to the commitments that the German competition authority has accepted from Google.
However, this conclusion leads one to think that the German competition authority will continue to enforce its Section 19a GWB in a manner to (cosmetically) safeguard the missing gaps that the DMA levies from a subjective scope. One could go as far as to question the ulterior motive (and point) of the extension of the German’s competition law regime within these circumstances: if Section 19a GWB is to be understood to be subservient to the DMA, then that must mean that both pieces of law pursue the same objectives.
On this same point, the German competition authority argues in favour of discontinuing the proceedings against Google “to the extent that certain service-related practices are not covered by the scope of the commitments, this is due to the primacy of application of the DMA, which covers the practices in question” (para 85). The point seems to indicate that Section 19a GWB will keep the DMA on track with its objectives (in principle, different to those inspiring the German rules) by pursuing a gap-filling role from the subjective perspective. The bold statement on the side of the Bundeskartellamt could also hint at the fact that Section 19a GWB stands as serving a secondary role as opposed to the DMA, whereas this should not be the case from the perspective of Article 1(6) of the DMA. However, if one were to read the FCO’s findings under this perspective, then it would entail that Section 19a GWB converges with the DMA in pursuing the same objectives and, thus, defeats the whole purpose of harmonisation that was sought by passing the DMA based on Article 114 TFEU.
Alternatively, if both pieces of law pursue distinct objectives, then they should not be regarded hierarchically but in parallel in a similar spirit to the interplay between the interpretation of Article 102 TFEU and the same prohibition born into national competition law regimes under Article 3 of Regulation 1/2003. In fact, this is exactly the type of scenario that the DMA terms as ‘complementary’ under Article 1(6), which is allowed (and not curtailed) via the regulatory framework. However, the procedural aspects of the case do not seem to agree with this narrative if one looks closely at them.
The cooperation with the European Commission: wasn’t compliance expected in March 2024?
The FCO’s decision is interesting not only substantively but also in terms of its interplay with the DMA. It is the first enforcement-based decision adopted on the grounds, principles and rationale of the DMA, but which has escaped the direct administrability of the regulatory framework’s sole enforcer, i.e., the European Commission.
The German competition authority’s decision is plagued by references to the DMA and how it should be interpreted in relation to Section 19a GWB. In principle, the FCO applied the cooperation instruments set out under Article 38(3) DMA to reach its final conclusions. By doing that, it also sought to inadvertently ignore the rest of the provisions that are enshrined into the regulatory framework to ensure that the DMA’s enforcement remains coherent and effective. First of all, one should question whether the DMA should have been appraised, if at all, in line with the merits of the case.
Interim implementation of the DMA: 3 days after designation
The FCO initiated the proceedings against Google in May 2021, even before it had designated the undertaking as bearing paramount significance for competition across markets under Section 19a of the German Competition Act (that decision was incorporated into the case ex post facto, since it was issued on January 2022).
From July 2021 to November 2022, the German competition authority conducted its investigations into the merits of the case (para 26). The DMA entered into force on 1 November 2022, so the competition authority was right to remain absconded from the regulatory instrument’s impact as far as its investigatory actions were concerned.
However, it was the undertaking that brought the DMA into the conversation, since it proposed commitments from May to September 2022 before the competition authority which “merely covered Google services which Google at that time considered to be the designated by the European Commission as relevant core platform services (…) and which would therefore in the future be subject to the obligations pursuant to Article 5(2) DMA, which aims at the provision of sufficient choice options” (para 28). The overlap regarding the targeting of the undertaking was the main reason lying behind the FCO’s rejection of those commitments at that time since they did “not dispel the competition law concerns” that it had raised to Google with relation to its data processing activities and terms.
Notwithstanding, in anticipation of the DMA’s entry into force (one has to imagine, then, before 1 November 2022), the Bundeskartellamt maintained regular and close contact with the European Commission. The purpose of those contacts was “to cooperate closely pursuant to Article 37(1) DMA and to coordinate future enforcement measures in order to ensure the coherent, effective and complementary enforcement of legal instruments applicable to gatekeepers within the meaning of the DMA” (para 27). Hence, one could say that the contacts between the competition authority and the EC ‘anticipated’ the cooperation mechanism even before the regulatory instrument entered into force. This same movement repeated itself even once the DMA’s substantive provisions (Articles 5, 6, 7, 11 and 15) have not yet become applicable.
Shortly after the European Commission designated six gatekeepers regarding 22 core platform services, on 7 September 2023 Google proposed its final commitments to the German competition authority. A day later, “pursuant to Article 38(3) DMA, (… the FCO) communicated its draft decision based on Section 32b GWB to the European Commission” (para 36), and invited the EC to comment on the draft decision. The European Commission responded on 27 September 2023 with its own views on the decision (para 38).
However, it is questionable whether the dedicated cooperation procedure under Article 38(3) DMA applied at that time. There is nothing disallowing NCAs to cooperate closely with the EC, since all of the DMA’s provisions apply from 2 May 2023 (Article 54 DMA). However, the substantive aspects relating to the draft decision -notably, the interpretation of Article 5(2) DMA- issued by the German competition authority have not yet become applicable under the DMA, since their application is delayed to 5 March 2024, i.e., 6 months after a core platform service has been listed in a designation decision (Article 3(10) DMA).
By doing that, the present case advances the application of Article 5(2) DMA via the cooperation mechanism under Article 38(3) DMA from the national perspective, and not via the compliance reports issued by the gatekeepers nor the EC’s monitoring of its provisions. The discussion is resolved in the commitment’s time frame, since some of its obligations will have to be fulfilled as early as 6 March 2024 (para 66).
The complementary nature of Section 19a GWB under Article 1(6) DMA
From a procedural perspective, the DMA does open the gate for the application of Section 19a GWB as a complementary “national competition rule prohibiting other forms of unilateral conduct, insofar as (it …) amounts to the imposition of further obligations on the gatekeeper” (Article 1(6) DMA).
Pursuant to Article 1(7) DMA, the Member States and the EC are bound to work “in close cooperation and coordination their enforcement actions on the basis of the principles established in Articles 37 and 38“. In particular, Article 38 DMA establishes a set of rules to ensure cooperation and coordination with national competent authorities enforcing their own competition rules, such as an obligation to inform the Commission in writing of the first formal investigative measure, before or immediately after the start of such measure (Article 38(2) DMA) and the obligation to communicate the draft measure enforcing its national rules no later than 30 days before its adoption (Article 38(3 DMA).
Under the FCO’s retelling of the procedural aspects of its case, it decided to pursue the mechanism under Article 38(3) DMA but not the mandatory notification of its investigation under Article 38(2) DMA. The obligations set out in the provision are not exemplary but exhaustive in the sense of the steps that the NCAs shall follow to ensure coherent enforcement under the DMA. Thus, by averting the obligation to notify its investigative measures (in my own mind, once the designation decisions were issued), the German competition authority failed to abide by the existing procedural safeguards enshrined in the DMA to secure effective (and even anticipated) enforcement.
The case brought by the FCO against Google’s processing terms resembles in a more summarised way (just as Section 19a GWB allows it to), its own arguments brought against Facebook’s processing activities when it applied Section 19(1) GWB. This motion is particularly salient from the competition authority’s line of reasoning relating to Google’s imposed conditionality on its users to consent to its processing activities if they wished to use its services, within its interpretation of sufficient and free choice on the side of the data subject.
In this particular case, however, the competition authority has achieved to gain Google’s compromise via commitments to enlarge the scope of one of the DMA’s key provisions (Article 5(2) DMA) to prohibit data leveraging across gatekeeper services across all of the undertaking’s activities. In substance, the interplay with the Union’s regulatory instrument falls short of producing any substantive effects and it permeates greater doubts than it reconciles them due to the fact that:
- The covering of more services under a similar prohibition to Article 5(2) DMA does not add anything new to the transformation of Google’s business model, insofar as the provision is not thought out in the regulatory instrument as a CPS-specific obligation.
- The commitments and the German competition authority’s interpretation of the interplay infer the idea that the DMA holds greater weight than Section 19a GWB in a hierarchical fashion, despite the FCO’s holding that the obligations “by their scope and areas of application (…) do not overlap” (para 77).
- The German competition authority cooperated with the European Commission throughout its proceedings via the mechanisms of Articles 37 and 38 DMA, but it overtly ignored some of its requirements, effectively backpedalling the regulatory framework’s safeguards.
Against this background, the German competition authority appropriates and defines the first steps of DMA enforcement outside of its scope (and before its substantive provisions start to apply), by converting non-CPS services to German CPS services which were already captured by the all-encompassing provision under Article 5(2) DMA. Lo and behold on the digital regulatory patchwork.