Competition law and personal data law: towards a “convergence of regulations”?

In the legal ecosystem, competition law and personal data law are two different species, stemming from distinct strains. The protection of personal data is one of Europe’s fundamental rights[1]. Free competition is protected indirectly through freedom of enterprise, a general principle of law with constitutional value[2], as well as through the French[3] and European[4] prohibition of cartels and abuse of dominant positions.

The objectives pursued by these two branches of law are distinct. Competition law guarantees the conditions for free, undistorted competition between companies in the same market, by promoting diversity of supply, attractive prices and innovation, in the interests of consumers. Personal data law aims to protect users against any collection or harmful use of their personal data[5].

Despite these divergences, these two rights have the claimed common objective of benefiting consumers, data subjects within the meaning of EU Regulation 679/2016, known as the “RGPD”.In practice, however, their articulation sometimes proves conflicting: a personal data protection measure may prove detrimental to free competition, and vice versa.

The application of personal data protection rules can distort competition. This is the case when, on the same market, the legislation of one country makes access to personal data more difficult than that of another. This is also the case when a private operator, with the laudable aim of better protecting users’ personal data, decides to delete third-party cookies [6], which enable a third-party site to track a surfer’s activity in order to draw up a user profile. Although third-party cookies need to be regulated, they are nonetheless a fundamental component of the online advertising business model, helping to make competition more effective. Restricting or even eliminating third-party cookies would therefore deprive competing companies of a source of data essential to their development.

Conversely, competition rules could generate infringements of personal data protection. The digital industry’s business models, based on the massive accumulation and cross-referencing of personal data, are conducive to the development of dominant positions, which could lead competition authorities to encourage, or even impose, the sharing of personal data files. On the other hand, personal data protection authorities, for equally legitimate reasons, could on the contrary refuse such file sharing, or at the very least impose conditions and restrictions designed to protect the data they contain.

Finally, the central character at the heart of this conflict, the consumer-data subject, can play the spoilsport by adopting a paradoxical behavior (” privacy paradox “). In an ideal world, a company offering a high level of personal data protection would be perceived by the consumer as offering a better quality of service, attracting more customers and encouraging other companies to strengthen their data protection measures. However, in practice, some consumers perceive these protection measures (cookies, consent) as obstacles, and prefer to neglect the protection of their personal data in favor of a faster purchasing process. Paradoxically, less protection for personal data could generate a form of competitive advantage.

In order to resolve these antagonisms, a delicate compromise needs to be found between the objectives of protecting personal data and protecting free competition. The search for this compromise was entrusted by Marie-Laure Denis, President of the CNIL, to Bruno Lasserre, whose report was submitted on November 24, 2024^[7]. The report proposes fifteen steps towards a “convergence of regulations” and a “dialogue of concepts” between competition authorities and personal data protection authorities.

These recommendations focus on the following themes:

• strengthening doctrinal cooperation between authorities at national level, by experimenting with concepts such as “data power” (in addition to the already well-known concepts of dominant position or market power), and organizing joint academic events (symposia, training courses, exchanges of expertise, etc.);

• promote the same work at European level by extending the mandate of the Consumer and Competition task force set up in 2023 within the EDPS (European Data Protection Committee) beyond the end of its initial mandate, to enable it to play a pivotal role in organizing regular dialogue between the EDPS and the European competition network,

• the development of a “competition reflex” within the CNIL, enabling it to control the effects of its decisions on competition, and to develop the consideration of competitive illegality as an aggravating factor in breaches of personal data protection,

• developing a “data reflex” within the Competition Authority, encouraging it to refer to the CNIL, formally or informally, when personal data is at stake in a merger or antitrust case.

The “dialogue of concepts” initiated by the authorities at the end of 2023[8] is already well underway. Let’s hope that it will be fruitful, in the interests of both companies and consumers, and that it will pave the way towards the much-desired “convergence of regulations”.

---

[1] Article 16 of the Treaty on the Functioning of the European Union (TFEU), and articles 7 and 8 of the Charter of Fundamental Rights of the European Union.

[2] Article 4 of the 1789 Declaration of the Rights of Man and of the Citizen and Cons. const. Jan. 16, 1982, no. 81-132 DC.

[3] Articles L 420-1 et seq. of the French Commercial Code

[4] Articles 101 to 109 TFEU

[5] Joint declaration by the Autorité de la concurrence and the CNIL of December 12, 2023

[6] Google’s “Privacy SandBox” affair, which has seen and is still seeing numerous twists and turns in several European Union countries.

[7] “Conclusions of the mission to examine the relationship between data protection and competition”: https: //www.cnil.fr/sites/cnil/files/2024-12/rapport_mission_lasserre.pdf

[8] Joint declaration by the Autorité de la concurrence and the CNIL of December 12, 2023