Crossroads: The Legal Intersection Between Privacy and Competition Laws

Crossroads: The Legal Intersection Between Privacy and Competition Laws



Living in the digital age has seen a surge in the monetisation of data, especially in the platform economy, where personal data relating to human behaviour is especially valuable. Personal data now forms an integral part of business models particularly for businesses in zero price markets. As such, businesses compete to acquire and access as much personal data as possible so as to gain a competitive advantage over their rivals. The increased use of personal data brings the intersection of the laws relating to data protection and competition into sharper focus.


Regulatory Framework

Data Protection is regulated by the Data Protection Act, 2019 (the DPA). Sections 25, 26 and 32 of the DPA provide for the principles of data protection, the rights of a data subject as well as the conditions of consent for processing data. These sections mirror articles 5, 7 and 13 to 23 of the European Union General Data Protection Regulation (EU GDPR). These provisions work towards ensuring, inter alia, that personal data is “collected for explicit, specified and legitimate purposes and not further processed in a manner incompatible with those purposes”. They also accord a data subject the right “to object to the processing of all or part of their personal data and withdraw their consent at any time”. Notably, when assessing whether consent is given freely, the Office of the Data Protection Commissioner (the ODPC) takes into consideration, among other things, whether “provision of a service is conditional to consent being given”.


On the other hand, the Competition Act, 2010 (the Competition Act) regulates competition in the market, with the Competition Authority of Kenya (CAK) established as the regulator. Focal to this article are the restrictive trade practices prohibited by sections 21 to 24 of the Competition Act. Sections 23 and 24, in particular regulate dominant undertakings and prohibit conduct which amounts to an abuse of their dominance. These sections adopt the interpretation of Article 102 of the European Union Treaty on the Functioning of the European Union (TFEU).


Abuse of Dominance

In Hoffmann-La Roche & Co. AG v Commission of the European Communities (1979) I-00461, abuse of dominance was defined as the practice of an undertaking in a dominant position to influence the structure of the market, whose result is that of hindering competition, through methods that depart from those which condition normal competition.


The Competition Act and the TFEU have consolidated the following trade practices that are deemed an abuse of dominance:


  •  directly or indirectly imposing unfair purchase or selling prices or other unfair trading conditions;
  • limiting or restricting production, market outlets or market access, investment, distribution, technical development or technological progress through predatory or other practices;
  • applying dissimilar conditions to equivalent transactions with other trading parties;
  • making the conclusion of contracts subject to acceptance by other parties of supplementary conditions which by their nature or according to commercial usage have no connection with the subject-matter of the contracts; and
  • abuse of an intellectual property right.


In Lietuvos geleìinkeliai AB v Commission (2020) EU:C:2023:12 the Court opined that “the list of abusive practices contained in Article 102 does not exhaust the methods of abusing a dominant position prohibited by EU law”. However, the abuses are largely classified as either exclusionary or exploitative in nature. Examples of exclusionary abuses are those in which a dominant undertaking enters into exclusive dealing agreements or offers conditional rebates, whereas examples of exploitative abuses include excessive pricing, price discrimination or unfair trading practices.


The Intersection

As mentioned above, the platform economy commercialises the use of personal data which brings about the interplay between data protection law and competition law. Data subjects who consent to the use of their data, are also consumers in the same respect. Whereas the ODPC is concerned with harmful privacy practices by platforms, the CAK looks out for restricted trade practices that harm the consumer or distort competition. Recently, these regulatory obligations have overlapped one another, as can be seen in the following cases:


Amazon Marketplace

Amazon plays dual roles on its platform: being a marketplace as well as an online retailer. Amazon provides a space for online retailers to sell their products while also selling its own-branded products, in competition with those online retailers. By virtue of its role as a marketplace, naturally, Amazon has access to the data of the retailers. Such data includes statistics on order and shipment numbers, the retailers’ turnover as well as their growth over the years. This data can show different strategies employed by sellers to achieve financial growth or otherwise.


Amazon is said to have used this data without the retailers’ (freely given) consent to gain a competitive advantage over the retailers as the data formed a basis for Amazon’s own business strategies. As such, in July 2019, the European Union Commission (EU Commission) launched investigations into Amazon’s conduct of using retailers’ non-public seller data. In 2022, the EU Commission issued a Statement of Objection. It held a preliminary view that Amazon abused its dominant position and circumvented the usual risks of competition exclusively as a result of its access to its competitors’ non-public data.


In this case however, the EU Commission did not make a final de- termination on whether the conduct was anti-competitive. Amazon offered commitments to stop using the retailers’ data prior to the completion of investigations, which the EU Commission accepted. Nevertheless, it is evident that the EU Commission is likely to deem the data breaches by Amazon as anti-competitive upon conclusion of the investigations.


Meta: Facebook Social Network

Meta Platforms, the company that houses social networks: Face- book, WhatsApp, Instagram and more recently Threads, has come under fire for data privacy breaches which have been deemed anti-competitive. Following several years of investigations, the Federal Cartel Office (FCO) in Germany found that Meta had made the use of Facebook accounts by German citizens conditional on Meta’s processing of their third-party data (which they term “off-Face- book data”). Thereafter, the FCO prohibited Meta from doing so and further ordered Meta to make it clear that the said personal data would neither be collected nor used without the consent of a Facebook user, nor will the use of the network be made conditional on consent.


Dissatisfied with this decision, Meta filed a case against the decision to the Düsseldorf Higher Regional Court. The Regional Court in turn raised concerns and saw it fit to stay further proceedings and refer a number of questions to the Court of Justice of the European Union (CJEU) for a preliminary ruling. The crux of the matter was whether a national competition authority could find that the EU GDPR had been infringed, whilst investigating an undertaking’s abuse of dominance.


With respect to privacy breaches, it has been observed that the App fails to seek users’ consent to track, collect and process sensitive personal data such as the users’ health conditions. The purpose of these activities is to sell that personal data to vendors, who would then advertise to the users medication related to their health issues.


On 4th July 2023, the CJEU delivered its Judgment in Meta Plat- forms and Others v Bundeskartellamt (2023) EU:C:2023:537 and held inter alia as follows:

“It follows that, in the context of the examination of an abuse of a dominant position by an undertaking on a particular market, it may be necessary for the competition authority of the Member State concerned also to examine whether that undertaking’s conduct complies with rules other than those relating to competition law, such as the rules on the protection of personal data laid down by the GDPR.


…access to personal data and the fact that it is possible to process such data have become a significant parameter of competition between undertakings in the digital economy. Therefore, excluding the rules on the protection of personal data from the legal framework to be taken into consideration by the competition authorities when examining an abuse of a dominant position would disregard the reality of this economic development and would be liable to undermine the effectiveness of competition law within the European Union.”


Meta: Threads Social Network

July 2023 proved a busy month for Meta. Notwithstanding the unfavourable Judgment received in Meta v Bundeskartellamt, on 6th July, Meta launched a new social media network, Threads (the App) which has already received widespread scrutiny and criticism and is potentially under investigation by the US Federal Trade Commission (FTC). It is reported that sources within Meta have disclosed that they are delaying the App’s launch within the Euro- pean Union due to “legal uncertainty”. This can be attributed especially to the recently released EU Digital Markets Act, which has seen Meta classified as a “gatekeeper” giving the tech giant additional regulatory obligations.


The App’s criticism is attached to privacy as well as antitrust concerns. To begin with, the App mandates that new users ought to have an Instagram account and users who intend to delete the App, would have their associated Instagram account deleted as well. This is an overt attempt at tying the App to Instagram, an abuse of dominance contrary to the Competition Act, TFEU and Antitrust laws globally.


With respect to privacy breaches, it has been observed that the App fails to seek users’ consent to track, collect and process sensitive personal data such as the users’ health conditions. The purpose of these activities is to sell that personal data to vendors, who would then advertise to the users medication related to their health issues. Meta has relied on legitimate interest as a reason for collecting the said sensitive personal data. However, it can be contended that explicit consent is a requirement prior to the processing of sensitive personal data, especially when the purpose for collecting the data is targeted advertising. Anything contrary to the foregoing may be deemed to be a privacy breach as well as an abuse of dominance.


The App, having been launched recently, is still under scrutiny by the global antitrust watchdogs and if the recent trend is anything to go by, sanctions from the said watchdogs would not come as a surprise.