An Introduction to the GDPR and its Impact on Competition Law

About The Author

Aydeniz Baytaş (Regular Writer)

Aydeniz is currently studying for her LLM at Durham University. She is originally from Turkey, and was registered with the Istanbul Bar Association in 2016. Her main areas of interest are competition law, investment law and arbitration. Outside the law, Aydeniz enjoys playing tennis, wind surfing,  travelling and cycling.

Privacy means people know what they’re signing up for, in plain English, and repeatedly.

Steve Jobs

Is privacy disappearing as a social norm – as Facebook CEO Mark Zuckerberg has claimed – or is it needed to protect the rights of data subjects and ensure fair and undistorted competition in the market? After four years of negotiation, new legislation soon to be introduced by the EU aims to increase consistency across Member States and bring data protection law up to date with modern technology.

The European Parliament approved the General Data Protection Regulation EU/2016/679 (GDPR) in April 2016. Coming into force on 25 May 2018, it will be imported into UK law by the Data Protection Act 2018 (thereby ensuring that it will be unaffected by Brexit). This will replace the current regime under Directive 95/46/EC, which was implemented into UK law by the Data Protection Act 1998 (DPA 1998).

The new regime which the GDPR introduces should facilitate the protection of the personal data of all EU citizens, which is considered to be a fundamental right under Article 8(1) of the Charter of Fundamental Rights of the European Union. This is supplemented by Article 16(1) of the Treaty on the Functioning of the European Union (the TFEU), which holds that everyone has the right to the protection of personal data concerning them.

Crucially, however, the GDPR – as this article examines – is not the major overhaul of the law that many are making it out to be; for the most part, it is an evolution and codification of existing principles. However, it could have significant and welcome impacts upon competition law by helping it to overcome its long-standing reluctance to interfere in data protection and privacy issues, but may also cause confusion about the respective roles of each body of law.

Key Changes Introduced by the GDPR

Terminology

In order to fully get to grips with the key components of the regime introduced by GDPR, an understanding of the key terminology it uses is necessary. At its essence, the GDPR is a legislative instrument that governs how and when companies can ‘process’ data. By virtue of the breadth of the definition of processing in Article 4(2) of the GDPR, ‘processing’ covers virtually any act that can be taken in relation to ‘personal data’.

It follows that the concept of ‘personal data’ is crucial to the scope of the GDPR. It is defined in Article 4(1) of the GDPR as any information relating to natural persons – living human beings – that allows them to be identified. This can include a person’s name, ID number, location and IP address.

In order to enhance clarity as to whom the obligations and rights under its regime attach, the GDPR makes reference to ‘data subjects’ and ‘data controllers’. Article 4(1) of the GDPR holds that ‘data subjects’ are those persons to whom personal data relates, while Article 4(7) of the GDPR confirms that ‘data controllers’ are any person – whether they be a natural person, a company or a public body – who decides how and when personal data is processed.

Extra-Territorial Applicability

Despite the GDPR being an EU legislative instrument, its introduction will impact transatlantic organisations because of its extended territorial scope. Previously, the ambit of Directive 95/46/EC was restricted to undertakings that were established in the territory of the Member State (although this was interpreted widely by the courts).

The GDPR, however, alters this approach: Article 3(1) of the GDPR confirms that its provisions apply to the processing of personal data of data subjects residing in the EU, regardless of the data controller’s location. In other words, if an undertaking offers goods or services to EU citizens – even if for free – or monitors their behaviour in some way, the firm must abide by the GDPR even if it is located outside the EU. This provision is an important recognition of the need to protect personal data more broadly in the booming, and increasingly globalised, digital market.

Prescriptive Consent Requirements

Under both the DPA 1998 and the GDPR’s new regime, a data controller can only process personal data when it has a ‘lawful basis’ to do so. The potential lawful bases, set out in Article 6(1) of the GDPR, that can be relied upon are consent, contract, legal obligation, vital interests, public interest and legitimate interests. They are mostly unchanged, with the major exception of consent.

As has been highly publicised, tougher conditions have been imposed upon data controllers seeking to rely on consent to process personal data; there are new obligations on how that consent – which must be freely given, specific, informed and unambiguous – is to be collected and maintained.

For example, Article 7(2) of the GDPR states that any written declaration used by a data controller to secure this consent must be in an intelligible and easily accessible form, using clear and plain language. Furthermore, consent can no longer be secured by an “opt out” or a box that is pre-ticked by default; instead, there must be a clear affirmative action, such as ticking a box or pressing a button, accompanied by that intelligible consent wording. Finally, data controllers must be able to produce evidence that consent was given in compliance with these requirements.

However, while it is true that the GDPR has changed consent requirements drastically, the press coverage of GDPR has left many data controllers erroneously believing that it is the only way to legalise the processing of personal data, as demonstrated by the major influx of organisations sending emails asking data subjects to renew their consent to being kept on their mailing lists.

Indeed, these organisations have overlooked the impact of the ePrivacy Directive – implemented by the Privacy and Electronic Communications (EC Directive) Regulations 2003 – and Recital 171 of the GDPR, which permits data controllers to rely on existing consent that was previously given by the data subject if it was given in a form that meets the requirements under the GDPR. Though this may not have been the case for many data controllers (who may also be unable to produce the necessary evidence of compliance with the consent requirements), the sheer extent to which organisations are trying to secure new consent suggests nothing short of a reactionary panic.

Furthermore, many organisations have also overlooked the fact that consent is not the only lawful basis. Thus, it remains open to those data controllers who have traditionally relied on consent to “migrate” to another of the lawful bases – such as contractual necessity or legitimate interests – that are outlined in Article 6(1) of the GDPR.

Strengthened Rights for Data Subjects

One of the main differences between the regime under the DPA 1998 and the new regime introduced by the GDPR is that the position of data subjects has been enhanced. Indeed, the GDPR introduces a number of new rights for data subjects, and a welcome strengthening of their existing ones.

For example, Article 17 of the GDPR gives data subjects a right to be forgotten in some circumstances. This allows a data subject to request that a data controller erase their personal data without undue delay where they withdraw their consent, where the data collected is no longer relevant to the original purposes for processing, or where there is no legitimate ground for keeping the data.

Furthermore, where their personal data was provided to the controller electronically, and the controller relies on consent or contractual necessity, the data subject is afforded a right to an electronic copy of their personal data in a readily usable format. This may, among other things, allow them to easily migrate it to another provider. Alongside this, data subjects can no longer be charged £10 for access to a copy of their personal data.

Other developments include the widening of the right to object to “legitimate interests” and “public interest” processing, such that the grounds for objection are no longer restricted to processing that causes damage and distress, or that constitutes direct marketing.

Moreover, data subjects also gain a right under Article 33(1) of the GDPR – particularly valuable in light of recent hacking scandals and security breaches – to be notified of such a breach by the data controller without undue delay and not later than 72 hours after the data controller became aware of it.

Finally, the GDPR also makes explicitly clear that group actions are possible for data protection breaches. This is an important development in some EU countries; for UK law, however, it is of lesser significance since the High Court’s landmark decision permitting such actions in Various Claimants v Wm Morrisons Supermarket Plc [2017].

Increased Responsibilities for Data Controllers

Several crucial administrative obligations are placed upon data controllers to ensure that their systems and structures are suitable for the task of processing personal data. For example, Article 32(1) of the GDPR requires data controllers to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks involved in the processing they are carrying out.

Furthermore, there is a requirement to consider data protection from the outset when making a change to the way in which data is processed that can be classed as high-risk. This is in the form of a ‘data protection impact assessment’ which – as required by Article 35(7) of the GDPR – must be comprehensive: it should set out assessments of the necessity and proportionality of the operation, assessments of the risks to the rights and freedom of the data subjects involved, and outline the measures envisaged to address those risks.

Moreover, in a change from previous law, Article 37(1) of the GDPR requires some organisations – those carrying out a public function, or those whose processing involves regular and systematic monitoring of data subjects on a large scale – to appoint a Data Protection Officer, whose duties (according to Article 39 of the GDPR) will be to monitor compliance with the GDPR and to inform and advise data controllers of their obligations. They must have adequate resources and standing within the organisation to do this.

One of the most significant responsibilities stems from the new accountability principle set out in Article 5(2) of the GDPR, which requires organisations to document, and be able to evidence, their compliance with the requirements of the GDPR. As Article 30(1)(3) of the GDPR explains, this involves data controllers keeping written records of processing activities that describe, among other things, the purposes of the processing, descriptions of the categories of data subjects and personal data, and the envisaged time limits for erasure of the different categories of data.

This is a significant obligation, particularly for large data controllers who may have been historically lax in implementing systems that will now provide the information necessary for producing these records.

Increased Penalties

The GDPR also enhances the enforcement powers of supervisory authorities – in the UK, the Information Commissioner’s Office – by providing an increased level of sanctions to deter data controllers from violating the new data protection rules. For example, under Article 83(5) of the GDPR, a breach of the requirements of consent will lead to a maximum fine of either 4% of annual global turnover or €20 million, whichever is higher. This is a significant increase from the £500,000 maximum fine under the DPA 1998.

However, though the GDPR is directly applicable in all Member States without the need for implementing national laws, Article 84(1) of the GDPR leaves the majority of the enforcement of the GDPR to the Member States. This may create an ambiguous environment in terms of the application of the GDPR; all 28 Member States can adopt different approaches to impose fines. This will likely result in divergence, such that data controllers and data subjects alike will need clear guidance.

The GDPR and Competition Law: Uncertain Lines?

Competition law authorities have historically declined to intervene in data protection rules. As the European Court of Justice explained in its judgment in Asnef-Equifax v Ausbanc [2006]:

[A]ny possible issues relating to the sensitivity of personal data are not, as such, a matter for competition law, they may be resolved on the basis of the relevant provisions governing data protection.

In the same vein, the European Commission accepted this view in the Facebook/Whatsapp merger. In its Press Release on the matter, it explained that it had found that:

Any privacy related concerns flowing from the increased concentration of data within the control of Facebook as a result of the [merger] do not fall within the scope of the EU competition law rules but within the scope of the EU data protection rules.

However, the rapid growth of online platforms and ‘the rise of big data’ have led to major competition issues. Firms can collect and analyse internet users’ data and predict consumers’ behaviour, attitudes or their preferences for products or services. This data can then be used to target potential customers, and individualised advertisements can be served according to customers’ interests.

This situation may breach competition law – namely, Article 102 of the TFEU – when dominant undertakings misuse personal data in order to strengthen their power. For instance, an undertaking with knowledge of customers’ economic situation, location and preferences may be able to take advantage of its dominant position and set prices by reference to these factors. This can lead to price discrimination that infringes upon fair and undistorted competition in the market. This explains the decision of the German Competition Authority (the Bundeskartellamt) to launch an investigation against Facebook.

Therefore, while it seems that the aims of data protection law and competition law are different, both areas consider consumer privacy to the extent that there is a clear intersection between competition rules and data protection laws. Indeed, data protection legislation alone may not be sufficient to solve the issue of privacy; the guidance of competition law as regards ‘the accomplishment of an area of an economic union’ may prove invaluable. For example, even though companies will comply with the GDPR, there are some markets where the dominance of a particular undertaking means an alternative supplier of a service is not present. Customers will therefore have difficulty in electing to go elsewhere, and thus have no choice but to accept that undertaking's terms and conditions and grant permission for data collection. To prevent this abuse of dominance, competition law will undoubtedly prove a vital tool.

However, whether this will be the case is doubtful, given that the question of how competition law and data protection rules should interact to regulate and protect privacy is unanswered. In regard to imposing penalties, if the company is found liable under the GDPR and also for competition law infringement, it remains unknown whether the ne bis in idem principle (a person should not be punished twice for the same act) will be applicable, or whether the highest fine will be enforced.

Ultimately, this lack of co-ordination between data protection and competition law rules may create an uncertain and ambiguous environment for companies, undermining their ability to effectively carry out their business.

Conclusion

Mark Zuckerberg defended himself in his testimony before the US Senate Committees by persistently claiming that customers can control the extent of the collection of their data by choosing when, and when not, to select the ‘share’ button. Yet that is not enough to stop consumers from being exposed to highly targeted advertising – whilst Facebook has taken measures to obtain GDPR-compliant consent for that targeted advertising, it arguably lacks sufficient transparency.

The GDPR is therefore a welcome legislative milestone that gives strength to data subjects’ rights and imposes important obligations on data controllers regardless of their location. However, there are uncertainties that may cause issues. For example, the enforcement discretion vested in Member States may result in the GDPR’s unequal application. More crucially, the extent to which competition law will have an active role in data protection – which is needed to ensure consumer welfare and fair and undistorted competition – remains unresolved.

It is therefore clear that there should be more legislation that outlines how and when there will be cooperation between competition law and data protection law. This will protect privacy more effectively, ensuring a clear understanding of the application of both sets of rules. This will be a vital lacuna to resolve if the GDPR is to restore public trust in the digital markets that was dramatically impaired after the Facebook-Cambridge Analytica data scandal.