Developing connections between digital markets and competition law: From Meta v. Bundeskartellamt to the Digital Markets Act and beyond

The increasingly important role of digital services within the economy and society continues to bring up legal questions. Not only do digital markets affect all areas of the law on all levels, they also lead to synergy (or at least the need for synergy) between separate fields of law. Digital markets raise two intertwined main points of interest: the protection of personal data and the market power of big tech. From a legal perspective, data protection law and competition law intersect. The 2023 Meta-judgment from the Court of Justice of the European Union (CJEU) clearly shows the relevance of data protection as an element of competition and the need for cooperation between data protection authorities and competition authorities.[1] The European Union’s Digital Markets Act (DMA) adds another layer of synergy between these two fields of law. The DMA underscores the specific risks of digital markets and the unique nature of their business models. These risks are not exclusively related to data protection, but cover broader themes as well (such as the ability to connect many business users with many end users and the importance of competition between alternative sales channels in the digital economy). This article will look into the linkages between digital markets, data protection and competition law from an EU perspective.

Interplay between data protection law and competition law

Principles and objectives

Pursuant to Article 8 (1) of the Charter of Fundamental Rights of the European Union and Article 16 (1) of the Treaty on the Functioning of the European Union (TFEU), everyone has the right to the protection of their personal data. Article 8 (2) of the Charter stipulates that such data must be processed fairly for specific purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone furthermore has the right of access and rectification of their data. The General Data Protection Regulation (GDPR) protects the fundamental right to the protection of personal data. It regulates the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.[2] Data protection law thus serves to protect individuals.

Articles 101 and 102 TFEU are at the heart of European competition law. Article 101 TFEU prohibits agreements and practices which may affect trade between Member States and that have, as their object or effect, the restriction, prevention or distortion of competition within the EU (such as cartels). Article 102 TFEU prohibits the abusive behavior of companies that have a dominant position. Articles 101 and 102 TFEU thereby protect the proper functioning of the market and the interests of consumers and other market participants (such as competing corporations).

Earlier this year, the European Data Protection Board (EDPB) published a position paper on the interplay between data protection and competition law. In its position paper, the EDPB argues that, although EU data protection law and competition law are distinct fields of law, they have potential commonalities, such as the protection of individuals and their choices. As the EDPB highlights, “data protection policy aims to protect individuals from any unlawful or unfair processing of their personal data, while competition policy aims to guarantee the conditions between companies on the relevant markets in the interests of consumers, by promoting innovation, diversity of supply and attractive prices”.[3] Within competition law, the individual is thus protected as a consumer. This aim of protecting individuals can be found in the prohibition of cartels, abuses of dominant positions, and anticompetitive mergers, which may harm consumers through, among other things, higher prices, less choice or lack of innovation.[4]

In line with the EDPB, the Organisation for Economic Cooperation and Development (OECD) points out that competition law and data protection law both aim to protect the individual: “Competition law and data privacy laws share “family ties”, as both pursue an overarching objective of protecting the welfare of the individual, whether as a consumer or as a data subject.”[5] The OECD furthermore argues that both fields of law address power asymmetries between corporations/organisations and individuals.[6]

Both the EDPB and the OECD stress the need for closer cooperation and more coherence between data protection law and competition law. The OECD argues that the growing significance of personal data for companies’ business strategies underscores the intertwined nature of safeguarding competitive markets and protecting individual data privacy. It calls for “a holistic vision at the highest levels of policymaking and coordinated action by competition and data protection authorities.”[7] The EDPB notes that, with the evolution of business models, personal data and the regulation of data processing are becoming more central. It calls for more coherence among these separate but interacting areas of regulation, as “promoting cooperation between data protection authorities and competition authorities can be useful to protect individuals and increase their choice”.[8]

Meta v. Bundeskartellamt

The notion that data protection and competition law are intertwined and that authorities should cooperate is not new. In 2019, the German Federal Cartel Office (Bundeskartellamt, BKartA) ruled that Meta abused its dominant position by processing so-called off-Facebook data (data relating to activities outside of Facebook which are linked through interfaces as well as data concerning other online services of Meta, such as Instagram and WhatsApp) in a manner which was not consistent with the GDPR, due to the lack of valid consent.[9]

The CJEU was asked to answer whether a national competition authority can find, in the context of an abuse of a dominant position (art. 102 TFEU), that the general terms of use relating to processing of personal data and the implementation thereof are not consistent with the GDPR and whether such a finding is also possible where those terms are being investigated, at the same time, by the competent lead supervisory authority under the GDPR.[10] In its judgment of 4 July 2023 the CJEU answered this in the affirmative. It stated that no instrument of EU law provides for specific rules on cooperation between a national competition authority and the relevant supervisory authorities (data protection authorities) or the lead supervisory authority. Although the authorities perform different functions and pursue their own objectives and tasks, there are no provisions that prohibit competition authorities from finding that an undertaking in a dominant position does not comply with the GDPR.[11]

It follows from case law that the national competition authority must assess whether, by resorting to methods different from those governing normal competition in products or services, the dominant undertaking’s conduct has the effect of hindering the maintenance of the degree of competition existing in the market or the growth of that competition. The national authority does so by investigating all the specific circumstances of the case.[12] The CJEU ruled that, in that respect, the company’s compliance with the GDPR may be “a vital clue” in order to establish whether it resorts to methods governing normal competition and to assess the consequences of a certain practice in the market or for consumers.[13]

The CJEU stressed that it may even be necessary for the competition authority to examine whether the conduct complies with rules other than those relating to competition law, such as the data protection rules in the GDPR.[14] Competition authorities and data protection authorities may furthermore have a duty to cooperate with each other. The CJEU pointed out that when a national competition authority considers it necessary to rule on the compliance or non-compliance with the GDPR in the context of abuse of a dominant position, the competition authority and supervisory authority (or lead supervisory authority) must cooperate to ensure the GDPR is consistently applied.[15]

The CJEU emphasized that “the access and use of personal data are of great importance in the context of the digital economy”. It pointed out that the business model of Facebook uses personalized advertising based on personal data. In accord with the European Commission, the CJEU noted that “access to personal data and the fact that it is possible to process such data have become a significant parameter of competition between undertakings in the digital economy”.[16] It even emphasized that excluding the data protection perspective when examining an abuse of dominant position “would disregard the reality of this economic development and would be liable to undermine the effectiveness of competition law within the European Union.”[17]

Risks and effects

These observations show the need to adapt legal frameworks to economic and societal developments. A company that collects large amounts of data as part of its business model and holds a dominant position does indeed pose specific competition risks. As the OECD points out, different theories of harm are possible in competition investigations.[18] For example, a company that relies on collecting personal data may have the incentive to reduce the level of privacy and to increase data collection in such a way that it becomes excessive or unfair, thereby taking advantage of its position and harming its consumers.[19] The market power of a dominant company can furthermore easily be used to limit the freedom of choice, thereby posing serious risks for the validity of consent.[20] As follows from the Meta judgment, the dominant position is liable to affect the freedom of choice of users, who might be unable to refuse or withdraw consent without detriment.[21]

Special attention should be drawn to situations in which powerful companies are positioned to condition the use of their service on the acceptance of terms and conditions that allow the bundling of data across all services in unrelated markets. Not only does this pose serious data protection risks for consumers, it also gives these companies a ‘data advantage’ that increases their market power and may prevent competitors from entering the market.[22] Exclusionary effects (excluding or deterring competitors from entering the market or staying) and exploitative effects (harming consumers or other actors) may thus appear simultaneously.[23]

Digital Markets Act

DMA

The DMA entered into force on 1 November 2022.[24] The regulation does not change the EU competition rules, but complements the existing framework by introducing harmonized rules that regulate the “gatekeeper” power of big tech.[25] By doing so, it aims to contribute to the proper functioning of the internal market.

Gatekeepers are providers of core platform services (such as online search engines and social networks) that the European Commission has designated.[26] The DMA aims to ensure contestable and fair markets in the digital sector where these gatekeepers are present.[27] In September 2023, the European Commission designated the first six gatekeepers: Alphabet, Amazon, Apple, ByteDance, Meta, and Microsoft. In May 2024, the Commission added Booking.com to the list.[28] Pursuant to Article 3 (10) DMA, the gatekeepers must comply with the obligations set out in Articles 5, 6 and 7 within six months after the designation as a gatekeeper. Therefore, most of the obligations became effective in March 2024. An earlier article reflects on the one-year anniversary of DMA enforcement.

The preamble of the DMA underscores the unique business models of core platform services and their risks and challenges. It points out that large undertakings that provide core platform services have the ability to connect many business users with many end users. This puts the undertakings in a position to leverage their advantages, such as access to large amounts of data, from one area of activity to another.[29] Some of these companies “exercise control over whole platform ecosystems in the digital economy”, while contestability by new or existing market operators is “structurally extremely difficult”.[30] The preamble strikingly summarizes this situation by expressing that the combination of the features of gatekeepers is “likely to lead, in many cases, to serious imbalances in bargaining power and, consequently, to unfair practices and conditions for business users, as well as for end users of core platform services provided by gatekeepers, to the detriment of prices, quality, fair competition, choice and innovation in the digital sector”.[31]

The competition and data perspectives, and their interplay, are thus clearly enshrined in the DMA.[32]

Recent decisions under the DMA

Articles 5, 6 and 7 are the core provisions of the DMA, as they stipulate the main obligations of the gatekeepers. On 23 April 2025, the European Commission found Apple and Meta in breach of the DMA and imposed its first fines under the regulation.[33]

The Commission found that Apple was not in compliance with its anti-steering obligation under the DMA (Article 5 (4) DMA).[34] Article 5 (4) DMA stipulates that:

The gatekeeper shall allow business users, free of charge, to communicate and promote offers, including under different conditions, to end users acquired via its core platform service or through other channels, and to conclude contracts with those end users, regardless of whether, for that purpose, they use the core platform services of the gatekeeper.

The Commission found that app developers who distribute their apps through the Apple App Store should be able to inform customers, free of charge, of alternative offers outside of the app store, steer them towards those offers and allow them to make purchases.[35] According to the Commission, Apple imposes several (technical and commercial) restrictions which result in a breach of this obligation and thereby harm app developers and consumers.[36] In addition to imposing a € 500 million fine, the Commission ordered Apple to remove the restrictions and refrain from continuing the non-compliant behavior.[37]

The decision against Meta relates to its ‘Consent or Pay’-model, which gave Facebook and Instagram users the choice between consenting to Meta combining personal data for personalized advertising or paying a monthly subscription for an ad-free service.[38] Article 5 (2) DMA stipulates that – unless the end user has been presented with the specific choice and has given consent in accordance with the GDPR – the gatekeeper shall not:

(a) process, for the purpose of providing online advertising services, personal data of end users using services of third parties that make use of core platform services of the gatekeeper;

(b) combine personal data from the relevant core platform service with personal data from any further core platform services or from any other services provided by the gatekeeper or with personal data from third-party services;

(c) cross-use personal data from the relevant core platform service in other services provided separately by the gatekeeper, including other core platform services, and vice versa; and

(d) sign in end users to other services of the gatekeeper in order to combine personal data.

The Commission found that Meta’s ‘Consent or Pay’-model is not in accordance with this provision. Users were not given the freedom to choose an equivalent service that uses less data and the model did not allow users to exercise their right to freely consent to the combination of their data.[39] Accordingly, the Commission imposed a €200 million fine on Meta. The Commission is currently assessing whether Meta’s new advertisement model, introduced in November 2024, is in accordance with the DMA.[40]

The prohibition under Article 5 (2) DMA illustrates how data protection instruments (namely the GDPR) may intersect with competition concerns. The provision highlights the advantages that go along with combining personal data from different sources and the consequences thereof for the fairness and contestability of such markets.[41] The anti-steering obligation under Article 5 (4) DMA shows the importance of competition between alternative sales channels in the digital economy and aims to promote this competition by giving consumers choices.[42] 

Conclusion and outlook

It follows from the developments discussed above that the European Commission is cognisant of the fact that the conduct of gatekeepers in digital markets poses risks both to competition and data protection and that these issues are intertwined. Given the market power and influence that these market players exert, their conduct must be closely examined to ensure that it is compliant with all relevant rules and regulations, including competition law and data protection law. A prevalent risk is that the conduct of large digital corporations that have access to large amounts of data and connect businesses with end users can give rise to both exclusionary and exploitative abuses or, in the language of the DMA, undermine contestability and impact fairness. The DMA creates a new instrument for oversight and enforcement by the Commission.

The synergy between competition law and data protection law should also take place on a national level. As discussed, the Meta judgment shows the importance of incorporating a data perspective in investigations by national competition authorities. It also shows that, under certain circumstances, data protection authorities and competition authorities may even be obligated to cooperate. In its position paper, the EDPB, however, points out that the degree of cooperation between the authorities varies considerably between the Member States.[43] The EDPB argues for promoting synergy between data protection and competition authorities, as this can improve the ability of both regimes to protect data subjects and users.[44]

Another interesting avenue is to be found in private enforcement. The DMA allows for private enforcement, both through stand-alone actions and follow-on proceedings. Pursuant to Article 39 (5) DMA, national courts shall not give a decision which runs counter to a decision adopted by the Commission under the DMA. The decisions are thus binding on national courts. With the Commission having published its first decisions under the DMA, follow-on proceedings are to be expected.


[1] European Court of Justice 4 July 2023, ECLI:EU:C:2023:537 (Meta/Bundeskartellamt).

[2] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

[3] EDPB, ‘Position paper on the interplay between data protection and competition law’, adopted 16 January 2025, p. 4 (“EDPB Paper”).

[4] Ibid., p. 5.

[5] OECD, ‘The intersection between competition and data privacy’, OECD Roundtables on Competition Policy Papers, No. 310, 2024, p. 8 (“OECD Report”).

[6] Ibid., p. 8, in reference to literature.

[7] Ibid., p. 30.

[8] EDPB Paper, p. 2.

[9] European Court of Justice 4 July 2023, ECLI:EU:C:2023:537 (Meta/Bundeskartellamt), point 29 and 30. For a detailed discussion of the judgment, see our earlier article.

[10] Ibid., point 36.

[11] Ibid., point 43-46.

[12] Ibid., point 47, in reference to CJEU judgment of 25 March 2021, Deutsche Telekom v Commission, C‑152/19 P, EU:C:2021:238, points 41 and 42.

[13] Ibid., point 47.

[14] Ibid., point 48.

[15] Ibid., point 52.

[16] Ibid., point 51.

[17] Ibid., point 51.

[18] OECD Report, p. 15.

[19] OECD Report, p. 15.

[20] OECD Report, p. 15-16; EDPB Paper, p. 6.

[21] Meta/Bundeskartellamt, point 148.

[22] OECD Report, p. 16.

[23] OECD Report, p. 16.

[24] Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828 (Digital Markets Act) (“DMA”).

[25] The DMA is without prejudice to the application of Article 101 and Article 102 TFEU and national competition rules (Article 1 (6) DMA) and the rules from other acts of Union law that regulate certain aspects of the provision of services covered by the DMA, such as the GDPR (see Article 1 (6) DMA and DMA preamble, point 3).

[26] Article 2 and Article 3 DMA.

[27] Article 1 DMA.

[29] DMA, preamble, point 3.

[30] DMA, preamble, point 3.

[31] DMA, preamble, point 4.

[32] DMA, preamble, point 12.

[34] Ibid.

[35] Ibid.

[36] Ibid.

[37] Ibid.

[38] Ibid.

[39] Ibid.

[40] Ibid.

[41] EDPB Paper, p. 6.

[43] EDPB Paper, p. 8.

[44] Ibid., p. 10.
