Protecting consumers and their data through competition law? Rethinking abuse of dominance in light of the Federal Cartel Office’s Facebook investigation

ABSTRACT The Facebook proceeding of the German Federal Cartel Office is the latest among a number of competition law investigations that target large US-American technology companies. The Office suspects that Facebook abused its dominant position on the market for social networks by imposing unfair data privacy conditions upon its users. This preliminary finding presents a legal novelty because it relies mainly on the fact that the company violated rules outside of competition law, namely data protection law. This calls for a wider evaluation of the currently debated relationship of competition and data protection law. We investigate if such an abuse theory is also conceivable under EU competition law, specifically under Art 102 TFEU. Although the Court of Justice of the European Union separates competition and data protection law strictly, it hinted at a different understanding in a recent judgment. Also, the sentiment of the nascent ‘Vestager School’ with its emphasis on fairness may support this theory of an abuse. We conclude that this novel concept is conceivable under EU law.


I. Introduction
For a long time, services provided by online platforms like Google, Facebook and Amazon were cheered for being useful and innovative. But now, times and moods have changed. The same platforms are today among the most valuable and powerful companies in the world. Recently, Cambridge Analytica has given the debate a new, more alarming and even political dimension. 1 The awaking public opinion coincides with tightened antitrust enforcement against online platforms. The European Commission fined Google €4.34 billion for illegal practices regarding Android mobile devices and €2.4 billion last year for its comparison shopping service. 2 Margrethe Vestager, the EU's Competition Commissioner, warns that "[i]f we want to get the most out of these technologies, people need to have confidence that they'll be treated fairly". 3 This emphasis on fairness appears to set the tone for future antitrust enforcement. In a similar vein, Andreas Mundt, the president of the Bundeskartellamt, the German Federal Cartel Office ("FCO") wants to tame dominant companies' "appetite for data". 4 His agency is following through. The FCO is investigating Facebook's practice of data collection, a proceeding that could redefine the intersection between competition and data protection law. Because of these parallel developments on the EU and national levels, this paper raises the question if the investigation could serve as a prototype case for EU law. We proceed in two steps: in the first part, we present the Facebook proceeding and analyse the case law on which it is based (II.). In the second part, we examine if the FCO's alleged 'data privacy abuse' is legally conceivable under EU competition law, namely Art 102 TFEU (III.). We will then outline the case law of the Court of Justice of the European Union ("CJEU") regarding exploitative abuses (III.A.) and discuss the current notion of fairness in EU competition policy (III.B). We weigh this up against potential challenges, namely the CJEU's jurisprudence on data protection issues in competition law (III.C.) and the risks that accompany dual procedures (III.D.). Finally we conclude (IV.).

II. The Facebook proceeding
In December 2017 the German Federal Cartel Office ("FCO") published its preliminary legal assessment 5 in the abuse of dominance proceeding against Facebook. The FCO had initiated the administrative proceeding against Facebook in March 2016. 6 Depending on the final decision, the proceeding may result in the offer of commitments by the company or a prohibition by the competition authority. 7 The preliminary legal assessment gives a first impression of the FCO's opinion of the proceeding as well as its more general opinion of the abuse of dominance in the social media sector and the relationship between data protection law and competition law.

A. Abuse of dominance and abusive terms and conditions in German law
Before examining the Facebook case more closely, some introductory comments on German competition law are necessary. In German law the abuse of a dominant position by one or several undertakings is prohibited according to §19(1) of the Act against Restraints of Competition ("ARC") which resembles Art 102 TFEU. The main requirements of §19(1) ARC are (i) a dominant position and (ii) an abusive conduct.
(1) Dominant position According to § 18(1) ARC an undertaking is dominant where, as a supplier or purchaser of a certain type of goods or commercial services in the relevant product and geographic market, it has no competitors (no. 1), it is not exposed to any substantial competition (no. 2), or has a paramount or superior market position in relation to its competitors (no. 3). To assess this it is necessary to define the relevant market in each case. In general the main criteria for defining the product market are the substitutability of products. 8 The demonstration of market power is determined by various criteria, but primarily by the presumption of dominance where the undertaking has market shares of 40 percent or more (see § 18(4) ARC). The new § 18(3a) ARC uses criteria that are specific to the digital economy, such as network effects and companies' access to data. 9 (2) Abusive terms and conditions In German law, market dominance is not prohibited per se but only its abuse. There are several types of conduct that may constitute abuse of dominance. In particular § 19(2) no 2 and no 3 ARC 10 prohibit undertakings from exploiting their dominant position by imposing conditions or prices that the undertaking could probably not demand if there was effective competition in the relevant market. In order to assess whether the imposed conditions or prices are exploitative it needs to be shown that the imposed conditions or prices are significantly less favourable than the conditions or prices that would be demanded in a competitive market or that the imposed conditions or prices disadvantage the weaker party in a way which is incompatible with the parties' interests because of general legal principles. 11 In practice, the courts weigh the interests of the dominant undertaking against those of its customers and suppliers. 12 In the VBL-Gegenwert judgments 13 the German Federal Court of Justice ("FCJ") held that general legal provisions and principles can be taken into account in performing the required weighing of interests. This means that the finding of exploitative abuse can be based primarily on the finding that a rule from outside competition law has been breached. This concept is called 'conditions abuse'. For example, the FCJ found that a violation of consumer protection law by a dominant undertaking can constitute an abuse of dominance. 14 So far neither the FCO nor the courts have decided whether a breach of data protection law may constitute an abuse of dominance. Therefore the Facebook proceeding of the FCO is expected to be a landmark decision that could expand the frontiers of competition law. 15 In general, the 10 An abuse is prohibited in particular if a dominant undertaking as a supplier or purchaser of a certain type of goods or commercial services demands payment or other business terms which differ from those which would very likely arise if effective competition existed; in this context, particularly the conduct of undertakings in comparable markets where effective competition exists shall be taken into account (Art 19 (2) No 2 ARC) or demands less favourable payment or other business terms than the dominant undertaking itself demands from similar purchasers in comparable markets, unless there is an objective justification for such differentiation (Art 19 (2) No 3 ARC FCO seems very keen to build up consumer protection as one of its central enforcement pillars. 16

B. The Facebook proceeding of the FCO
The FCO suspects that Facebook abuses its dominant position in the market for social networks by enforcing unfair terms and conditions of service. Firstly, the agency explains in its preliminary assessment why it thinks that the company holds a dominant position. The relevant product market reportedly includes services which enable the user to connect with his friends and family. Besides Facebook, undertakings on the market for social networks are Google+ and smaller German undertakings offering social networks. Professional network services (e.g. Linke-dIn and Xing), messaging services (e.g. WhatsApp and Snapchat) and other social media are not part of the relevant product market as these services address different needs. 17 On the relevant market Facebook holds a market share of 90 percent. 18 This market position is further strengthened by network and lock-in effects as well as high barriers to entry. 'Identity-based network effects' describe the phenomenon that the larger the social network, the more users it attracts. 19 Furthermore, Facebook is a two-sided platform that serves not only users but also advertisers. Both sides of the platform are connected through indirect network effects: a large user base leads to an increase in advertisement income which further reinforces the dominant company's strong market position. 20 This results in high barriers to entry. 21 Consequently the FCO's preliminary finding is that Facebook has a dominant position in the relevant market. 22 The abusive conduct that is a cause for concern for the FCO is Facebook's practice of data collection. So far, the FCO has investigated the processing and the transfer of data generated by Facebooks' subsidiaries (e.g. WhatsApp and Instagram) and third parties (e.g. news websites). The reason for focusing on third parties is that Facebook is collecting user data from third party websites when these websites implement a Facebook 'Like Button' or a 'Facebook Login' interface even if the user is not using these services or has actively objected to web tracking. 23 In the end, this enables Facebook to collect its users' data without their knowledge and even against their explicit will. In the eyes of the FCO, this is a violation of German data protection law that is based on the Data Protection Directive, 24 and in breach of the General Data Protection Regulation ('GDPR'). 25 Facebook's practice reportedly takes away its users' ability to determine autonomously what happens to their data. This autonomy is guaranteed by the fundamental right to data protection in the German constitution, which is how the case gains constitutional relevance. 26 The FCO points out that there may be no financial harm to the consumer because Facebook is a free service. However, it is the infringement of fundamental rights and the loss of control over their data that represents the harm to consumers. 27 Referring to the FCJ's jurisprudence on unfair terms and conditions, the FCO bases its finding of exploitative abuse on this breach of data protection law. Furthermore, the FCO stresses that the network and lock-in effects described above are reinforced by Facebook combining the data generated on its own platform with data generated by other services. 28 This enables Facebook to offer more personalized advertisements and to enhance its leading position as a supplier of advertising on social networks. 29 In this way, Facebook's conduct also affects competition in the advertising market.

III. Abusive privacy conditions as violations of Art 102 TFEU
The Facebook proceeding could redefine the idea of abusive conditions and tighten the connection between data protection and competition law. The concept might well find its way into EU competition law and 23 ibid para 4. 24 The Bundesdatenschutzgesetz ('BDSG') is based on Directive 95/46/EC. 25 Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (Data Protection Directive), adopted by the European Parliament and the Council of the European Union, No 2016/679, OJ L 119, 4 May 2016, 1-88. 26 FCO, Hintergrundinformationen Facebook-Verfahren (n 5) para 7; the fundamental right to privacy is guaranteed by Art 1 in connection with Art 2 of the Grundgesetz (Basic Law). 27 FCO, Hintergrundinformationen Facebook-Verfahren (n 5) para 7. 28 ibid. 29 ibid.
lead to a rethinking of the prohibition of abuses under Art 102 TFEU. This is why we ask if such a case is conceivable also under EU competition law. Are companies going to be fined by the Commission because of data protection law violations? To answer this, four main aspects have to be considered: first, the legal differences between Art 102 TFEU and § 19 ARC; second, the current notion of fairness in EU competition law; third, the CJEU's case law on the relationship between data protection and competition law; and finally, the risks of dual procedures.
A. The case law regarding abusive conditions under Art 102 TFEU In its wording and structure, § 19 ARC and Art 102 TFEU are very similar. Both norms in their German version require demonstration of a dominant position ("marktbeherrschende Stellung") and of abusive conduct ("missbräuchliche Ausnutzung"). German courts also strongly rely on European case law in interpreting the ARC. § 19(2) no 2 ARC prohibits the use of trading terms and conditions that the dominant undertaking could probably not demand if there was effective competition in the relevant product market. Art 102 TFEU prohibits any exclusionary or exploitative abuse by one or more undertakings in a dominant position. 30 Exclusionary behaviour is aimed at the undertaking's competitors and can take the form of inter alia exclusive dealing, tying and bundling, predatory pricing or refusal to supply. 31 According to Art 102(a) TFEU, an exploitative abuse targets customers or suppliers and consists of "directly or indirectly imposing unfair purchase or selling prices or other unfair trading conditions". A data privacy abuse like the one that is alleged in the Facebook case may be prohibited as such an unfair trading condition. But when is a trading condition unfair?
In BRT II, a case that concerned copyright, the CJEU decided that imposing "obligations which are not absolutely necessary for the attainment of the object of the contract and which thus encroach unfairly upon a member's freedom to exercise his copyright can constitute an abuse." 32 In GEMA II, another copyright case, the Commission specified that "the decisive factor is whether [the obligations] exceed the limits absolutely necessary for effective protection (indispensability test) and whether they limit the individual copyright holder's freedom to dispose of his work no more than need be (equity)." 33 The Commission further stressed the importance of necessity or indispensability in Tetra Pak II, where it lamented that the obligations in casu "have no connection with the purpose of the contract and … deprive the purchaser of certain aspects of his property rights." 34 Finally, in DSD, the Commission decided that the conditions were unfair because they failed to comply with the principle of proportionality, which in this case meant a sound ratio of the price vis-à-vis the economic value of the service. 35 To sum up the case law, terms and conditions are unfair in the sense used in Art 102(a) TFEU if they are (a) not necessary to achieve the object of the contract and (b) not proportionate in view of the object. Proportionality requires that (i) the object of the contract is legitimate, (ii) the obligation in the contract can contribute to achieving this object, (iii) there are no less abusive means to achieve the object and (iv) the legitimate object should outweigh the exploitative effect. 36 Since necessity is a part of the proportionality test in (iii), the entire fairness test comes down to the question of whether the obligation is proportionate.
In light of this, it seems to be a very real possibility that a data privacy abuse could constitute a violation of Art 102(a) TFEU. Applying the CJEU's criteria to a hypothetical data privacy condition used by an internet company, the terms and conditions would first have to serve a legitimate object. Often data collection at least partly contributes to enhancing the user experience, e.g. by individualising offers or advertisements. This is a legitimate goal that collecting data can valuably contribute to. However, it is not always necessary in the sense that there are no less abusive means. Admittedly, sometimes, internet companies need to have your data in order to provide you with a service. Google cannot answer your search request unless you type in a request. Facebook cannot connect you with your friends unless it knows your name. However, tracking data about users' online behaviour outside Facebook, like in the FCO's case, seems not to be necessary for users to enjoy the social network experience. So a data collection agreement may be unnecessary in the sense of the proportionality test. Finally the negative effect of the clause would be weighed against the positive gains of its legitimate object. This largely depends on the specific facts of the case. In the end, the outcome of this proportionality enquiry can hardly be predicted, or as O'Donoghue & Padilla euphemistically phrase it, can be "more art than science". 37 Schneider raised the point that the Commission could also rely on the CJEU's judgment in AstraZeneca in which the Court decided that an abuse could consist of providing misleading information with a lack of transparency. 38 An abuse could thus also be found in a company's non-transparent data collection standards. 39 AstraZeneca, however, was not about unfair trading conditions. The company provided misleading information to patent offices in various jurisdictions, yet this was only a competition issue because of the unique monopoly that patents grant. Data are by their very nature non-rivalrous and do not grant monopolies. Also, Astra-Zeneca concerned the relations between the company and administrative state institutions, not private individuals as in Facebook. It is thus questionable if both cases are comparable.
To conclude, the Commission does not have to refer to data protection law to find an abuse. It can base its finding simply on the terms being disproportionate. However, a violation of data protection law gives the abuse theory additional weight. Art 5(1)(c) GDPR provides that "personal data shall be … limited to what is necessary in relation to the purposes for which they are processed ('data minimisation')". If data processing lacks necessity, it could fail both the GDPR and the proportionality tests. Furthermore, in weighting the positive and negative effects the Commission can refer to other rules that might have been violated. Art 5-11 GDPR provide a whole body of principles that can help in determining the proportionality of data processing. In this way the test becomes more nuanced and predictable. Reference to the GDPR thus appears highly advisable.

B. Fairness
Furthermore, one point which stands in favour of data privacy abuses as cases falling under Art 102 TFEU is the recent tendency in the communication of the EU Commission to put an emphasis on "fairness". 40 Commissioner Margrethe Vestager and Director General Johannes Laitenberger have repeatedly spoken of fairness as the foundation and motivation of EU competition law. 41 While earlier antitrust schools were focused on achieving consumer welfare, efficiency or protecting competition as a process, fairness as a goal of competition law seems to be a new approach that could succeed the currently fading Chicago School. 42 This movement was labelled the 'New Brandeis School', borrowing from Louis Brandeis, an American Supreme Court Justice who helped to develop the right to privacy around 1900. The Economist once called him a "Robin Hood of the law", 43 referring to his efforts to promote the public good. 44 However, the Justice, honourable as his cause may be, has no involvement in what is currently happening in the EU, not the US. Against this background, the new school is perhaps more adequately served by carrying the name of its most prominent proponent and being called the 'Vestager School'. After all, it was her term in office that both marks a distinct departure from the work of former, more traditional, Commissioners and presents a stark contrast to the laissez-faire enforcement in the US. 45 Regardless of the nomenclature, data protection violations being used to justify antitrust action could perfectly serve to advance the goal of fairness. 46 Many internet users do not feel fairly treated and lament a lack of choice. In this sense, and particularly in view of the current opposition to excessive data collection by the 'tech titans', fairness-based antitrust action fits our zeitgeist very well. Kalimo & Majcher even note that fairness is essentially the common root of competition law and data protection law because both laws use this concept as an anchor, the former in Art 102 (a) TFEU and the latter in Art 8 of the Charter of Fundamental Rights and Art 5 GDPR. 47 This brings us to another point of the debate: the relationship between data protection law and competition law in the EU case law.

C. The relationship between data protection law and competition law in the EU case law
Despite their common intention of achieving fairness, the case law clearly separates data protection and competition law from each other. 48 In 2006, the CJEU decided in thefor our purposesseminal Asnef-Equifax judgment that "any possible issues relating to the sensitivity of personal data are not, as such, a matter for competition law, they may be resolved on the basis of the relevant provisions governing data protection". 49 Although the case concerned an exchange of information case I am aware that it is often suggested thatunlike Section 2 of the Sherman Act -Article 82 [now Art. 102 TFEU] is intrinsically concerned with "fairness" and therefore not focussed primarily on consumer welfare. As far as I am concerned, I think that competition policy evolves as our understanding of economics evolves. In days gone by, "fairness" played a prominent role in Section 2 enforcement in a way that is no longer the case. I don't see why a similar development could not take place in Europe.
The term 'Vestager School' would also stress the modernity of the school as something genuinely new and not look back to a jurist of the last century. 46 NB Vestager personally does not think that competition law should be used to advance data protection goals, see her speech at the DLD 16 in Munich, 17 January 2016, 'Competition in a big data world' <https://ec.europa.eu/commission/commissioners/2014-2019/vestager/announcements/competitionbig-data-world_en> accessed 10 October 2018. However, the school of legal thought for which Vestager provides the eponym might very well, in its general stance and independent of Vestager personally, advocate precisely this intertwined enforcement of competition and data protection law because this could eventually serve the goal of fairness. under Art 101 TFEU, it has since set the path for the relationship between data protection and competition law. 50 In Google/DoubleClick, the Commission reviewed a merger of two online advertising companies that strongly relied on data analysis in their business model. The Commission decided that it would review the merger only from the perspective of competition law, namely to answer the question of whether the merger would impede effective competition. Although the Commission affirms that it respects fundamental rights, the [d]ecision is without prejudice to the obligations imposed onto the parties by Community legislation in relation to the processing of personal data […] Irrespective of the approval of the merger, the new entity is obliged in its day to day business to respect the fundamental rights […] namely but not limited to privacy and data protection. 51 The Commission continued this line of reasoning in Facebook/What-sApp. The merger raised concerns about Facebook combining the datasets of the companies. However, [f]or the purposes of this decision, the Commission has analysed potential data concentration only to the extent that it is likely to strengthen Facebook's position in the online advertising market or in any sub-segments thereof. Any privacy-related concerns flowing from the increased concentration of data within the control of Facebook as a result of the transaction do not fall within the scope of the EU competition law rules but within the scope of the EU data protection rules. 52 A similar combination of datasets was under review in Microsoft/Linke-dIn. In this case the Commission again hinted at the protection of data by the relevant national law, the Data Protection Directive 53 and the thenupcoming General Data Protection Regulation ("GDPR"). 54 Also, the Commission declared that [p]rivacy related concerns as such do not fall within the scope of EU competition law but can be taken into account in the competition assessment to the extent that consumers see it as a significant factor of quality, and the merging parties compete with each other on this factor. 55 Here, the Commission laid out its credo that data protection is only relevant insofar as it is a parameter in the competitive process.
Finally, in Google/Sanofi/DMI JV, the Commission considered the claim that the joint venture would have the ability to lock-in customers, in this case medical patients, by limiting the portability of their data to other platforms. 56 Again, the Commission referred to the GDPR, which would restrict the joint venture's ability to lock-in customers by granting a right to data portability. It was concluded that any privacy-related concerns did not fall within the scope of the EU competition rules. 57 In sum, the Commission has considered data privacy (a) as a non-price parameter of competition but more importantly (b) data protection rules such as the GDPR as legal limitations on the combination of datasets. 58 When privacy related concerns were raised, the agency referred to the data protection laws which are supposed to solve those issues. The Commission made clear that it would not prohibit a merger on privacy grounds because after the merger, the company would have to adhere to data protection rules. Those rules would restrict the ability of the new entity to combine its data sets and to use this data aggregation to impede effective competition. So in these cases, the Commission used data protection rules as an argument to limit its review, not to broaden it. Overall, the CJEU as well as the Commission seem to be firm in their position of keeping competition and data protection issues apart.
For a number of reasons, this separation makes sense. Competition law is not a regulatory instrument. 59 There are multiple domestic and EU laws that already sufficiently protect consumers by means of data protection regulation. 60 As opposed to data protection regulation, competition law is operating at a market level: while data protection rules are supposed to ensure that the game is being played fairly, competition law guarantees that the game is being played at all, that anyone can play and that everyone has the same number of cards. Mixing these two areas would be an unwarranted expansion of the scope of competition law. The purpose of competition law, after all, is not to protect the consumer from data privacy infringements, but to protect the competitive process itself. 61 One practical example is the Facebook/WhatsApp merger which had an interesting aftermath: Facebook had claimed that it was not a technical possibility to "match" the datasets of both companies. This presumably pre-empted any in-depth investigations about data privacy concerns that the merger might have raised. Yet this turned out to have been false testimony when Facebook indeed matched its data with those of WhatsApp. The company was consequently fined for the supply of incorrect or misleading informationthe first company ever fined for this procedural violation. 62 However, despite the false testimony, data privacy concerns can still be resolved through data protection law. A German court already found the data privacy conditions that Facebook implemented after the merger to be illegal. 63 This shows how well both fields of law can co-exist with separate scopes of application.
On the other hand, Costa-Cabral & Lynskey have argued that this separation could violate the fundamental right to data protection in Art 8 of the Charter of Fundamental Rights of the EU. The Commission is, so the argument goes, also in its antitrust, cartel and merger decisions obliged to respect and promote the Charter. This is supposedly not achieved by flatly ignoring data protection issues in its decisions. 64 However, this argument does not take into account the difference in jurisdiction that parallels the separation of both fields of law. While the Directorate General for Competition (DG Comp) at the EU Commission is competent to review companies' conduct through the lens of its effect on competition, the competence to review behaviour against data protection law lies with the data protection agencies in the member states. 65 This is how Art 8 of the Charter is being protected independently of the practice of DG Comp. Hence, the strict separation of competition and data protection law is indeed compatible with the protection of fundamental rights.
There are other aspects in the case law, though, that alleviate this strict separation. So far, the separation dogma has been applied only in respect of Art 101 TFEU and merger control cases. There is not a single abuse of dominance case that expressis verbis disregards the relevance of data protection laws. 66 No rule compels the Commission to transfer the separation dogma to abuse of dominance cases. After all, the three pillars of competition law are very different: merger control relies on forecasting the future while the prohibitions of cartels and abuses judge past conduct. Also, Art 102 TFEU requires the demonstration of dominance while Art 101 TFEU does not. This could pave the way for an exception from the separation dogma.
Ultimately, the jurisprudence of the CJEU is not set in stone. Another CJEU judgment can be understood to open competition law to influences from other legal norms instead of isolating it. In Allianz Hungária, the CJEU followed reasoning similar to that of the FCJ, yet in a different legal sphere. 67 The case concerned an agreement between the insurance company Allianz and car repair shops. The agreement provided that the shops' remuneration depended on the number of Allianz insurance contracts they sold to their customers. The CJEU had to decide if this behaviour constituted a restriction of competition by object in the sense of Art 101(1) TFEU. Although this was for the national court to decide, the CJEU explained obiter dictum that the agreement restricted competition by object if national law requires insurance brokers to be independent of insurance firms. If this was the case in Hungary, the CJEU opined that the breach of this national rule suggested a violation of Art 101(1) TFEU. 68 So the fact that domestic consumer protection rights were infringed could justify the finding that the agreement restricts competition by object. In other words, and this is essential, the CJEU decided that a violation of domestic laws can lead to a finding that EU competition law has also been violated. In this sense it is similar to the FCJ's approach to abusive conditions because in both cases the violation of competition law is based on the judgment of another body of law, in both of these cases of consumer protection law. The CJEU accepted that the assessment of illegality of anothereven domesticlaw could determine the legality under EU competition law. This might also be applied to data protection laws: the violation of data protection laws by a dominant undertaking may constitute an exploitative abuse under Art 102(a) TFEU. 69 To sum up, the EU case law on the relationship between data protection and competition law is not entirely clear. On the one hand, the separation dogma provides that competition and data protection laws should be kept separate. This makes sense because it prevents data protection regulation and competition law from being mixed up. On the other hand, the dogma has not been applied in abuse of dominance cases so far and the Allianz Hungária judgment opens competition law up for external influences.

D. The risks of dual procedures
One final challenge might speak against characterising data protection law violations as potentially falling under Art 102(a) TFEU. According to Art 57 and 83 GDPR, the supervisory authorities in the member states can impose fines on the companies that infringe the regulation through their behaviour. Also, Art 79 GDPR provides that, without prejudice to the administrative remedies, data subjects have the right to an effective judicial remedy before the courts in the member states. If the authorities or data subjects make use of their rights and the Commission wants to base its finding of abuse on the same privacy-infringing behaviour, a number of problems occur: 70 Firstly, the fines that the Commission can impose are significantly higher than those in the GDPR. While Art 83 GDPR generally allows for fines of up to 4% of annual revenue, Art 23(2) Reg. 1/2003 allows up to 10%. Competition law thus permits fines of more than double those permitted by data protection law. The rationale behind the lower GDPR fines is that breaches of data protection law are considered less severe and less detrimental to society than breaches of competition law. The concept of the data privacy abuse of dominance circumvents this rationale by de facto imposing competition law fines on data protection law violations. Since every breach of data protection law by a dominant company could in theory constitute an abuse of dominance, dominant The same problems exist in German law, but are solved by § 84 OWiG which prohibits agencies from prosecuting a behaviour that has already been prosecuted. Also, the Bundeskartellamt does not plan to fine Facebook for its misconduct but only to issue a prohibitive injunction. companies would categorically face higher fines if they breach data protection rules. 71 Secondly, the Commission and a data protection agency could evaluate the same behaviour differently. The Commission may regard certain behaviour to be in breach of data protection law while a data protection agency may not. This contradicts the maxim that laws should be interpreted uniformly which is rooted in the principle of the rule of law. 72 Dual procedures could, thirdly, infringe the ne bis in idem principle which prohibits an accused from being convicted twice for the same offence. 73 This principle has been acknowledged by the CJEU in multiple cases and is also laid down in Art 50 of the Charter and in Art 4 of Protocol No 7 to the European Convention for the Protection of Human Rights and Fundamental Freedoms. 74 The CJEU decided that a breach of the ne bis in idem principle requires showing the identity of (a) the facts, (b) the offender and (c) the legal interests protected. 75 Assuming that both the facts and the offender are identical in a hypothetical case, the Commission would have to show how the data privacy abuse harms the legal interest that it is supposed to protect, i.e. the competitive process. This harm would need to go beyond what constitutes a mere breach of data protection law. Conversely, if certain behaviour only infringes data protection rights but not the competitive process, the legal interests protected by the Commission and the data protection authorities would be identical. Also, harm to the abstract goal of fairness would not suffice because it is the same legal interest which both competition and data privacy law protect. In any data privacy abuse case, the Commission would therefore have to show how the abusive conduct has a specific harmful effect on competition. Competition would not be harmed just because a dominant undertaking is collecting more data from its users by applying exploitative and illegal terms. The Commission rather needs to show how the additional data grant the company a specific competitive advantage. In the case of online platforms, this can be done by arguing that the additional data generate network effects. A company that owns more data attracts more advertisers which rely on the data to individualize their ads to specific customers. Thus, a company that collects more data on the user side of the platform gains a competitive advantage on the advertiser side. 76 This competitive advantage is central to the business model of many online platforms because in many cases, advertisers finance the whole platform while users are not charged at all.
Furthermore, the CJEU decided that a double fine is legitimate if the acting agencies have different scopes of competence. The relevant cases were about fines from both the Commission and competition authorities in non-EU countries. 77 In our data protection scenario, the Commission and the national data privacy supervisory authorities certainly have different scopes of competence, the protection of users' data and the protection of competition, respectively. The question, though, is still if the Commission is also competent to punish data privacy violations or if this is the sole responsibility of the data protection authorities. If the Commission was acting ultra vires by finding a data privacy abuse, it would violate the ne bis in idem principle. 78 In a similar, recent case, the CJEU decided that the same behaviour can be made subject both of a criminal and an administrative proceeding if the legislation governing the fines (i) pursues an objective of general interest which can justify such a duplication of proceedings and penalties, it being necessary for those proceedings and penalties to pursue additional objectives, (ii) contains rules ensuring coordination which limits to what is strictly necessary the additional disadvantage which results, for the persons concerned, from a duplication of proceedings, and (iii) provides for rules making it possible to ensure that the severity of all of the penalties imposed is limited to what is strictly necessary in relation to the seriousness of the offence concerned. 79 Assuming that, despite the aforementioned principles, the same behaviour is indeed fined twice, the CJEU decided that "any previous punitive decision must be taken into account in determining any sanction which is to be imposed". 80 Thus, the second fine would have to be reduced by the amount of the first. The German FCJ has not considered the ne bis in idem problem in its case law on abusive trading conditions. However, it appears to justify its reference to consumer protection law by requiring that the abusive conditions are based on the company's dominant position. 81 So the FCO has to show that there is a causal link between the dominant position and the abusive conditions. This is where competition law meets data protection law: if the company can apply its conditions only because it is dominant, the company can enhance its dominant position and distort the competitive process further by making use of the competitive advantage it gained through its abusive data conditions. This is how a data protection law violation gains distinct relevance for the competitive process. It justifies that a data protection infringement should be fined not only by data protection authorities but also by competition authorities. Schneider has argued that the causal link is also required under Art 102 TFEU. 82 However, the requirement of a causal link between dominance and abusive behaviour is a specificity of German competition law. The CJEU has made clear that such a link is not required for the application of Art 102 TFEU. 83 To avert violating the ne bis in idem principle, the Commission would thus not have to prove a causal link. It is bound by what the CJEU requires, not by the decisions of the German FCJ. As explained above, it would consequently suffice to show that the company gains a competitive advantage from the abusive behaviour.

IV. Conclusion
In German competition law the Facebook case is a novelty in that the FCO based its preliminary assessment of abusive behaviour mainly on the fact that the company violated data protection law. The charges against Facebook are based on the specifics of German competition law, namely the concept of the abusive conditions developed by the FCJ. Applying this concept, an abuse can be found when a dominant company violates consumer protection law.
We investigated whether this concept is also conceivable in EU competition law. Similar to § 19 ARC in German law Art 102(a) TFEU also 81 FCJ, 6 November 2013, case no KZR 58/11, VBL-Gegenwert I, para 68. prohibits the use of unfair terms and conditions. Yet, so far, the CJEU applies a proportionality test in order to assess the legality of the terms and conditions under review and does not refer to norms outside of competition law. The application of the proportionality test may well result in a finding of abuse based on data protection agreements without reference to other laws. However, the reference to data protection laws is preferable because it would increase clarity and predictability in the proportionality test.
The recent emphasis on fairness in the nascent 'Vestager School' could support such a finding. Competition policy currently seems to be shifting from a laissez-faire doctrine to a more proactive and consumer focused enforcement. Finding a data privacy abuse would suit this new movement.
On the other hand, the CJEU and the Commission strictly keep data protection issues out of their competition assessment. Long-standing jurisprudence has used data protection laws as an argument in favour of limiting competition enforcement rather than broadening it. Data privacy issues are supposed to be solved by data protection law and competition law focuses solely on competition issues. This appears to be a reasonable policy because data protection law comprises a body of regulatory rules that are intended to protect consumers while competition law is operating at a market level and serves to protect the competitive process.
However, the CJEU's Allianz Hungária judgment could point to a more lenient interpretation of this 'separation dogma'. In this case the CJEU was open to the idea of inferring a breach of competition law primarily from a violation of domestic consumer protection law.
Still, there is one final hurdle to finding abuse of dominance through data protection conditions. Both a competition agency and a data protection authority could fine the very same behaviour. This could infringe the rule of law and the ne bis in idem principles and also circumvent the system of fines in data protection law. To prevent this, the Commission has to make clear how the abusive behaviour is not only relevant for data protection, but harms the competitive process as the legal interest that Art 102 TFEU protects. Showing that the abuse is causally based on the dominant position of the company is not required, though.
In sum, we identified a number of challenges that the Commission would face if it tried to punish abusive data privacy conduct. However, if the Commission abides by the rules that prevent dual procedures and relies on the Allianz Hungária judgment, a data privacy abuse case might strike the current tone of competition policy.

Disclosure statement
No potential conflict of interest was reported by the authors.