1
Position paper on Interplay between data protection and
competition law
Adopted on 16 January 2025
2
Executive summary
Promoting cooperation between personal data protection and competition authorities can be useful
to protect individuals and increase their choice. In fact, as companies’ business models evolve,
personal data and the rules applicable to its processing are becoming increasingly central. It is
therefore essential to consider ways of promoting coherence among separate but interacting areas of
regulation, bearing in mind the risks from their incoherent application at individual and societal levels.
This will require a better understanding of the relationship between concepts used in data protection
and competition law, so as to stren gthen the ability of data protection authorities of taking into
account the economic context, and the ability of competition authorities of incorporating potentially
relevant data protection considerations in their assessments and decisions.
• In accordance with the CJEU’s judgment in Case C-252/21, cooperation between data protection
and competition authorities is, in some cases, mandatory and not optional.
• Policymakers should be aware of the possibility that regulatory authorities and bodies
competent to supervise the digital sector might need to cooperate more closely in certain cases.
• Currently the degree of cooperation between authorities varies considerably between Member
States and is not harmonised by EU law.
• Within authorities, internal measures such as setting up a dedicated team to coordinate
cooperation tasks and to act as a single point of contact for other authorities, could promote
cooperation with other supervisory authorities.
• With a view to ensuring efficient cooperation, authorities should develop a basic understanding
of and familiarity with the regulatory framework employed by relevant counterparts.
3
Table of contents
1 INTRODUCTION ……………………………………………………………………………………………………………….. 4
2 PROMOTING SYNERGIES AND CONVERGENCES …………………………………………………………………… 4
2.1 Protecting individuals and their decision making ………………………………………………………….. 4
2.2 The evolution of data protection with the development of the digital economy………………. 5
3 HOW CONCEPTS CAN INTERRELATE …………………………………………………………………………………… 6
3.1 Protecting individuals and their decision making ………………………………………………………….. 6
3.2 Lawfulness 5.1 (a): an application of the Meta case within GDPR …………………………………… 6
3.3 An example of strengthening consideration of data protection ……………………………………… 7
4 BUILDING ON SYNERGIES FOR COOPERATION …………………………………………………………………….. 8
4.1 Why data protection and competition authorities should cooperate ……………………………… 8
4.2 Existing cooperation models within EU Member States ………………………………………………… 8
4.3 Ways to improve cooperation ……………………………………………………………………………………. 9
5 CONCLUSION …………………………………………………………………………………………………………………. 10
4
The European Data Protection Board has adopted the following position paper:
1 INTRODUCTION
1. For data protection regulators, recent changes in the legal landscape raise numerous issues at the
intersection of data protection and competition law. It is clear from the decision in Meta v
Bundeskartellamt1 that data protection and competition regulatory objectives cannot always be
pursued in isolation. Instead, regulators may need to cooperate and coordinate in order to explore
synergies and to engage in coherent, effective and complementary enforcement act ivities. Such
cooperation can benefit individuals, corporations and other entities: it enables different regulators to
protect individuals in the EU in the most effective and efficient manner and ensures a consistent
interpretation and application of legal norms.
2. While the GDPR and competition law may apply to the same actors and activities, they are clearly
distinct areas of law, based on different legal concepts and objectives and with their own enforcement
framework. While data protection law aims at guaranteein g data subjects’ fundamental right to the
protection of their personal data, in particular against unlawful, unfair and opaque processing of their
personal data2, competition law aims “to protect the efficient functioning of markets”3. Hence, analysis
is needed to assess situations where the interplay between data protection and competition arises.
3. With this position paper, the EDPB provides a short analysis of this interplay and give
recommendations for further development of existing cooperation between regulators.
2 PROMOTING COOPERATION AND CONVERGENCES
2.1 Protecting individuals
4. EU data protection law and competition law are clearly distinct legal frameworks and fields of law that
pursue different objectives. However, they have a number of potential commonalities, such as the
protection of individuals and their choices. Indeed, wh ile data protection policy aims to protect
individuals from any unlawful or unfair processing of their personal data, competition policy aims to
guarantee the conditions for free and undistorted competition between companies on the relevant
markets in the interests of consumers 4, by promoting innovation, diversity of supply and attractive
prices5. This aim of protecting individuals in their role as consumers under competition law is expressed
in the prohibition of cartels, abuse of dominant positions and countering anticompetitive mergers,
1 Judgment of 4 July 2023, Meta Platforms and others (C-252/21, ECLI:EU:C:2023:537), also referred to as
‘Bundeskartellamt judgment’ in this position paper.
2 See article 8(1) of the Charter of Fundamental Rights of the European Union (the ‘Charter’) and Article 16(1)
of the Treaty on the Functioning of the European Union (TFEU), which provide that everyone has the right to
the protection of personal data concerning him or her.
3 European Commission: Directorate-General for Competition, 2017, EU competition policy in action: COMP in
action, Publications Office of the European Union. https://data.europa.eu/doi/10.2763/897035.
4 See Article 101 and 102 of the TFEU.
5 European Commission: Directorate-General for Competition, 2024, Protecting competition in a changing
world: Evidence on the evolution of competition in the EU during the past 25 years. Publications Office of the
European Union. https://data.europa.eu/doi/10.2763/089949.
5
which without intervention may lead to harm to consumers, in the form of higher prices, less choice
or lower quality and innovation6.
5. Strengthening the link between the protection of personal data and competition can contribute to the
protection of individuals and the well-being of consumers by reinforcing the common consideration of
respect for their fundamental rights and the proper functioning of competitive markets.
6. It would therefore seem beneficial to strengthen cooperation between data protection and
competition authorities especially in those cases where there is a clear intersection between the
application of competition law and the application of data protection rules. This would assist in
identifying and tackling upstream the tensions that could arise in certain situations between both fields
of law. In this way, increased cooperation between authorities could make it possible to improve
consistency and effectiveness in their respective actions, to the benefit of both individuals and entities
that must comply with the legal requirements of both fields.
2.2 The evolution of data protection with the development of the digital economy
7. The digital economy has put personal data at the heart of many business models. As a result, data
protection has become in some cases an important parameter of competition 7. At the same time, EU
data protection law aims to prevent unlawful and unfair processing of personal data, including in the
case of power imbalances between data controllers and the individual whose personal data is
collected.
8. In its new Notice on the definition of the relevant market 8, the Commission recognises that when
defining the relevant market, the protection of privacy and personal data offered to consumers may
be one of the parameters of competition to be considered 9. In other words, privacy is considered to
be one of the parameters especially “in the assessment of digital and tech mergers”10.
9. A competitive market can be a decisive facilitating factor in creating circumstances for privacy friendly
options11. In other words, if the consumer has different options in the market, this can encourage the
minimisation of the amount of personal data collected or avoid massive combinations and uses of
personal data from different sources that are harmful to users 12. The reverse is also possible. This is
6 For example, Article 102 of the TFEU specifies that an abuse of a dominant position consists of “limiting
production, markets or technical development to the prejudice of consumers”.
7 See also European Commission, Competition policy brief, April 2024, Non-Price Competition: EU Merger Control
Framework and Case Practice, Issue 1, p. 4. Paragraph 51 of the judgment in Case C -252/21, states that “access
to personal data and the fact that it is possible to process such data have become a significant parameter of
competition between undertakings in the digital economy. Therefore, excluding the rules on the protection of
personal data from the legal f ramework to be taken into consideration by the competition authorities when
examining an abuse of a dominant position would disregard the reality of this economic development and would
be liable to undermine the effectiveness of competition law within the European Union.”
8 European Commission, 2024, Communication from the Commission – Commission Notice on the definition of
the relevant market for the purposes of Union competition law, Official Journal, C 1645, ELI:
http://data.europa.eu/eli/C/2024/1645/oj
9 European Commission, 22 February 2024, Commission Notice on the definition of the relevant market for the
purposes of Union competition law, Official Journal, C/2024/1645, paragraph 13.
10 In the context of non-price competition, See European Commission, Competition policy brief, April 2024,
Non-Price Competition: EU Merger Control Framework and Case Practice, Issue 1, section 1.3, p. 5.
11 European Commission, 20 December 2020, Commission staff working document Impact assessment report
accompanying the document proposal for a Regulation of the European parliament and of the Council on
contestable and fair markets in the digital sector (Digital Markets Act), points 65-66.
12 OECD, 13 June 2024, The intersection between competition and data privacy – Background Note, paragraphs
39, 47 and 57, p.11.
6
the case with exclusionary strategies, which limit the number of players on the market, and can thus
artificially affect the number of privacy -friendly solutions. Lack of commercial alternatives can lead
users to opt for less privacy-protective products.
10. In the digital sector the behaviour of companies in a dominant position may raise questions about the
role of personal data processing in strengthening and exploiting this position. Data-driven advantages
from the combination and the cross -use of personal data from different sources by ‘gatekeepers’ in
digital markets and the risks such advantages pose to the fairness and contestability of such markets
are highlighted by the prohibitions in Article 5(2) of the DMA13.
3 HOW CONCEPTS CAN INTERRELATE
3.1 Protecting individuals and their decision making
11. In the Bundeskartellamt judgment, the CJEU clarified the role of the dominant position in the context
of the validity of consent under the GDPR. As such, a dominant position does not systematically imply
that consent is invalid 14. Nevertheless, certain conditions are necessary to ensure the validity of
consent15 because the dominant position is liable to affect “ the freedom of choice of that user, who
might be unable to refuse or withdraw consent without detriment”16 and “may create a clear imbalance
(…) between the data subject and the controller”17.
12. For example, “where a clear imbalance of power exists, consent can only be used in ‘exceptional
circumstances’ and where the controller, in line with the accountability principle, can prove that there
are no ‘adverse consequences at all’ for the data subject if they do not consent, notably if data subjects
are offered an alternative that does not have any negative impact” 18, including the possibility of
discrimination or social exclusion, especially in cases where digital services have a prominent role, or
are decisive for individuals’ participation in social life or access to professional networks, even more
so in the presence of lock-in or network effects19. Dominance could therefore be useful for identifying
when a data controller could have an impact on users. However, this concept is not sufficient in itself
to assess the validity of consent under GDPR, but is useful in a broader assessment of the imbalan ce
of power under the GDPR. Moreover, a controller does not need to have a ‘dominant position’ within
the meaning of Article 102 TFEU for their market position to be considered relevant for enforcing the
GDPR20.
3.2 Lawfulness 5.1 (a): an application of the Meta case within GDPR
13. In its judgment , the CJEU ruled that, when competition authorities are assessing whether an
undertaking abuses its dominant position within the meaning of Article 102 of the Treaty on the
13 Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on
contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828
(Digital Markets Act).
14 Bundeskartellamt judgment, paragraph 154.
15 EDPB, 17 April 2024, Opinion 08/2024 on Valid Consent in the Context of Consent or Pay Models
Implemented by Large Online Platforms.
16 Bundeskartellamt judgment, paragraph 148, referring to Recital 42 GDPR.
17 Ibid., paragraph 149, referring to Recital 43 and Article 7(4) GDPR.
18 EDPB, 17 April 2024, Opinion 08/2024 on Valid Consent in the Context of Consent or Pay Models.
Implemented by Large Online Platforms, point 79, p. 21.
19 Ibid., point 182, p. 39.
20 Ibid., paragraphs 103 to 105.
7
Functioning of the European Union (TFEU), subject to compliance with their duties of sincere
cooperation with data protection supervisory authorities, they can assess if the general terms of use
of undertakings relating to the processing of personal data and their implementation are not
consistent with the GDPR, where this is necessary to establish the existence of such an abuse 21.
However, the assessments of competition authorities on the compliance of general terms of use with
the GDPR for the purpose of Article 102 TFEU cannot replace the assessment of the competent data
protection authority (“DPA)22, in particular of the lead supervisory authority (“LSA”) in the case of cross
border processing within the European Union23. On the basis of Article 4(3) of the Treaty on European
Union (TEU), the CJEU considered that the various national authorities involved are all bound by the
duty of sincere cooperation and that competition authorities are required to consult and cooperate
with DPAs when they are called upon, in the exercise of their powers, to examine whether an
undertaking’s conduct is consistent with the provisions of the GDPR 24. Therefore, in accordance with
the CJEU’s judgment, cooperation between regulatory authorities is, in some cases, mandatory and
not optional. According to the settled case -law of the Court, the principle of sincere cooperation
enshrined in Article 4(3) TE U implies that, in the regulatory fields covered by EU law, the European
Union and the Member States, including their administrative authorities must, in full mutual respect,
assist each other in the performance of their tasks arising from the Treaties 25. In particular, Member
States must take all appropriate measures to fulfil their obligations arising from EU law and refrain
from taking any measures that could jeopardise the attainment of the objectives of EU law26.
14. The CJEU’s judgment creates an important incentive for authorities to streamline their cooperation
and to agree on practical ways to consult one and other.
3.3 An example of strengthening consideration of data protection
15. Building on experiences such as that of the Digital Clearinghouse established by EDPS and its early
Opinions on the need for a coherent enforcement 27, in 2020 the EDPB published a statement 28 on
privacy implications of mergers which highlights the risk of the further combination and accumulation
of sensitive personal data by a major tech company. The EDPB recalls that “It is essential to assess
longer-term implications for the protection of ec onomic, data protection and consumer rights
whenever a significant merger is proposed”29. It also states that “the implications that this merger may
have for the protection of personal data in the European Economic Area” will be considered by the
21 Bundeskartellamt judgment, paragraph 62.
22 Article 55 GDPR.
23 The LSA being, per Article 56 GDPR, the supervisory authority of the main establishment or the single
establishment of the controller of processor, it being competent to act as LSA for the cross-border processing
carried out by that controller or processor in accordance with the procedure provided in Article 60 GDPR.
24 Bundeskartellamt judgment, paragraphs 54, 58 and 59.
25 Ibid., paragraph 53 and Article 4(3) TEU
26 See, to that effect: Judgments of 7 November 2013, UPC Nederland (C-518/11, EU:C:2013:709), paragraph
59, and of 1 August 2022, Sea Watch (C-14/21 and C-15/21, EU:C:2022:604), paragraph 156.
27 EDPS Opinion on "Privacy and competitiveness in the age of big data
https://www.edps.europa.eu/sites/default/files/publication/14-03-26_competitition_law_big_data_en.pdf
EDPS Opinion on “coherent enforcement of fundamental rights in the age of big data”
https://www.edps.europa.eu/sites/default/files/publication/16-09-23_bigdata_opinion_en.pdf
28 EDPB, 19 February 2020, Statement on privacy implications of merger.
29 Ibid.
8
EDPB30. Hence, privacy and data protection should be carefully considered, where appropriate, in
merger assessments31.
16. Given the possible impact of EU data protection in merger assessments, increased cooperation
between competition and data protection authorities – including at EU level – could help regulators to
be better informed about potential personal data issues.
4 BUILDING ON COOPERATION
4.1 Why data protection and competition authorities should cooperate
17. The EDPB has examined the issue of cooperation between authorities e.g. by listening to experts in
this field and by launching a survey to understand how various authorities cooperating with one
another.
18. From this, the EDPB gained the following insight: good cooperation between authorities promotes
coherence and synergies between decisions taken in matters of competition and data protection. This
does not only benefit individuals, but also businesses by im proving understanding of how the
regulatory frameworks are applied.
19. Moreover, as legislation and case law in the two legal fields develop, the need for cooperation between
the respective competent authorities may even increase.
4.2 Existing cooperation models within EU Member States
20. Currently the degree of cooperation between authorities, which depends both on the legal framework
and on other elements, such as the degree of mutual trust between authorities, varies considerably
between Member States and is not harmonised by EU law. The EDPB carried out an analysis of existing
cooperation models in EU Member States in September 2023. Based on the degree of formalisation of
cooperation, the following picture emerges:
A. In some Member States, there is no specific legal provision mandating or enabling
cooperation between DPAs and competition authorities, and no regular and structured
cooperation on a voluntary basis. Cooperation takes place informally via ad hoc
consultations e.g., in the context of administrative procedures or sector inquiries or
occasional joint projects in areas of overlapping regulatory competence or drafting policy
papers.
B. Cooperation can also take place without a specific legal basis in national law by
arrangements for regular, coordinated and structured cooperation. These can be
established in jointly drafted cooperation protocols, joint declarations or Memoranda of
Understanding (MoU). Such arrangements, which are not necessarily legally binding, detail
modalities like joint workshops, trainings, events, regular meetings and sharing of best
practices.
30 Ibid.
31 See also European Commission, Competition policy brief, April 2024, Non-Price Competition: EU Merger
Control Framework and Case Practice, Issue 1, p. 5.
9
C. In some Member States there are explicit legal requirements that govern cooperation. The
specific form of cooperation varies depending on the individual case. Deliverables of this
type of cooperation are typically opinions on cases at the request of the other authority.
D. The highest level of formalised or structured cooperation is found in Member States where
there are both legal requirements and practical arrangements for cooperation between
authorities.
21. Even a minimum level of formalised cooperation allows authorities to cooperate through occasional
contact on specific issues. In certain circumstances , there might be cases in which those authorities
are under an obligation to cooperate because of the principle of sincere cooperation.
4.3 Ways to improve cooperation
22. It may prove beneficial that authorities learn from each other, identify matters of common interest
and possible areas of interplay regardless of ad hoc consultations, minimise obstacles for cooperation,
and jointly develop strategic actions. For this purp ose, workshops, informal or regular meetings or
special expert working groups could be agreed upon in cooperation frameworks, e.g. administrative
agreements, joint declarations or Memoranda of Understanding. These instruments may also lay down
key principles, methods and rules of the cooperation between the authorities (e.g. with regard to the
form of communication to be used, deadlines to be observed for answers – including any relevant
objections – common guidelines, policy recommendations, etc.), as well as the consideration of
decisions and penalties that have been previously issued by each of the authorities. These agreements
may also govern how much information is shared, what can be exchanged ( e.g. personal data) and
what degree of coordination on a given topic is expected between the concerned authorities.
23. Taking into account the constitutional and administrative framework in the relevant Member State,
the national legislator and/or the government should also be aware of the need for regulatory
authorities and bodies to cooperate more closely in the digital sector. This might be important also
to ensure that authorities are provided with the necessary tools and resources to be able to cooperate
efficiently, and to address legal requirements that may prevent authorities from sharing information
and thus cooperating effectively during investigations.
24. Within authorities, internal measures such as setting up a dedicated team to coordinate cooperation
tasks and to act as a single point of contact for other authorities, could promote cooperation with
other supervisory authorities. It could also prove helpful if the point of contact receives regular
trainings on the relevant legal landscape and related legal developments of cooperation in general and
10
participates in corresponding working groups or networks 32. Additionally, with a view to ensure an
efficient cooperation, authorities should develop a basic understanding and familiarity with the
regulatory framework that is supervised by their counterparts in the different legal field. For example,
before entering discussions with a competition authority on a specific issue, it would be beneficial for
data protection authorities to have a preliminary understanding on the concept of relevant market in
general, whether certain entities in that market(s) occupy (or may occupy) a dominant position, etc.
25. There may be situations where a more structured and regular form of cooperation may be preferable
or even necessary to ensure the coherent and effective application of different EU laws (see illustration
above, C and D). Establishing cooperation protocols between different competent authorities under
the duty of sincere cooperation may be the most effective way to ensure reciprocal consultations with
the right scope and at the appropriate time. This may also help to avoid instances of double jeopardy
in cases where two competent authorities decide to impose sanctions against the same entity for the
same conduct under two or more separate legal frameworks33.
26. Finally, joint sector inquiries and joint investigations could also be pursued, to the extent possible and
in line with the relevant legal framework, as an even more reinforced form of cooperation among
authorities.
5 CONCLUSION
27. Promoting synergies between personal data protection and competition authorities can improve the
ability of both regimes to protect data subjects and users. In fact, as companies’ business models
evolve, personal data and the rules applicable to its processing are becoming increasingly central. It is
therefore essential to consider ways of increasing the coherence of separate but interacting
regulations, bearing in mind the impacts of their incoherent application at individual and societal
levels. In particular, this will require a better understanding of the relationship between concepts used
in data protection and competition law, so as to strengthen the ability of data protection authorities
to take into account of the current economic context, and the ab ility of competition authorities of
incorporating potentially relevant data protection considerations in their assessments and decisions.
For the European Data Protection Board
The Chair
Anu Talus
32 E.g.: EDPB’s Taskforce on Competition and Consumer law (TF C&C), Global Privacy Assembly’s Digital Citizen
and Consumer Working Group (GPA DCCWG), Exchanges with the Consumer Protection Cooperation Network
within the CPC-DPA Framework). An overview of the EDPB's existing collaborations can be found here:
https://edpb.europa.eu/our-work-tools/support-cooperation-and-enforcement/international-cooperation-
cooperation-other_en.
33 Judgment of the Court of Justice of 22 March 2022, bpost SA v Autorité belge de la concurrence (C -117/20,
ECLI:EU:C:2022:202). According to the CJEU, for a valid duplication of proceedings and penalties under sectoral
rules and competition law, the two se ts of legislation at issue must pursue legitimate objectives of general
interest (paragraph 44). Furthermore, for a valid duplication of proceedings and penalties, there must be “ clear
and precise rules making it possible to predict which acts or omissions are liable to be subject to a duplication of
proceedings and penalties, and also to predict that there will be coordination between the different authorities,
whether the two sets of proceedings have been conducted in a manner that is sufficiently coordinated and within
a proximate timeframe and whether any penalty that may have been imposed in the proceedings that were first
in time was taken into account in the assessment of the second penalty” (paragraph 51).
