Conclusions of the Lasserre report on data protection and competition: deepening the dialogue
The Autorité de la concurrence and the CNIL share the objective of understanding the links between data protection and competition, and fostering convergences between them. The CNIL is publishing the conclusions of the mission entrusted to Bruno LASSERRE with a view to deepening this cooperation, which enhances the relevance of regulation and promotes legal certainty for businesses.
In December 2023, the Autorité de la concurrence (the French competition authority) and the CNIL published a joint declaration on the links between competition law and personal data protection, confirming their will to deepen their cooperation and specifying the ways in which data protection and competition can be taken into account in their respective actions. In the same spirit, the CNIL Chair has entrusted Bruno LASSERRE, member of the CNIL's plenary college and former Chair of the French competition authority, with a mission to examine the consequences of the interplay between data protection and competition for the CNIL and its regulatory practice.
For Bruno LASSERRE, “protecting privacy and personal data means taking better account of economic and competitive realities. Even if the GDPR is not an economic regulation but one that falls within the scope of fundamental rights, the economic and competitive angle contributes significantly to its effectiveness and impact.”
15 proposals to promote synergies
On November 28, the mission headed by Bruno LASSERRE presented its conclusions to the plenary college of the CNIL. They take the form of 15 proposals, highlighting the interest of better articulating competition policy and data protection, and drawing lessons for CNIL doctrine from the dialogue of concepts between the two fields. The mission finds a number of operational consequences for the CNIL's activities, as well as for its cooperation with the Autorité de la concurrence, and finally looks at the strategy to be adopted on this topic at European level.
The starting point is that, in today's digital economy, the two fields of regulation cannot operate in “silos”, given the partial convergence of their objectives and because the impacts of their actions depend on each other in many cases. Against this backdrop, cooperation between authorities needs to be stepped up to encourage dialogue on concepts, doctrine and cases. The aim is to exploit and develop synergies, while respecting the independence and mandate of each authority.
Cooperation between regulators is not a zero-sum game: it aims at taking advantage of convergences, in the interest of freedom of choice for users on the market and of legal certainty for business.
A role in guiding markets
With data now playing a central role in the business models of the digital economy, the behaviour of the entities involved reveals the closeness of the links between data protection and competition. The CNIL must strive to understand and develop the virtuous circle between privacy and data protection on the one hand, and competition and free choice for consumers on the other. This can be done, firstly by better understanding competitive analysis, and secondly by integrating economic analysis even more fully into the CNIL's regulation in order to make its role in guiding markets, which is already a reality, more relevant.
The protection of personal data has become one of the elements that can contribute to the emergence of competitive advantages for companies, but also to forms of competition through innovation for the benefit of individuals.
A dialogue between concepts and tools
It is then important to explore, in depth, the role that competition concepts and tools, such as market power or the relevant market, can play in the CNIL's regulatory doctrine and practice. This may involve using existing concepts, or adapting these concepts to the context of data protection (for example via the notion of ‘data power’). In its Meta ruling of July 2023, the Court of Justice of the European Union admitted that an authority could apply a qualification or use a concept from another field of law if the two authorities had engaged in sincere cooperation.
This may also involve considering competitive realities in the CNIL's legal reasoning for the application of GDPR or a joint risk-based approach that the two regulators could develop. They should also develop the possibilities they have for jointly exploring the markets, for example by conducting joint studies.
Operational changes for CNIL
In practice, the CNIL must develop its ability to better understand competition issues, so that it can take them into account upstream in its work, and if necessary ask the Autorité de la concurrence for an opinion, as it did recently in the case of mobile applications. This can be done very simply, for example through cross-training between the two authorities.
In terms of sanctions, too, taking into account the market position and ‘data power’ of the actors concerned would make it possible to make the amount of CNIL sanctions more proportionate to the size of the players and the risks that their activities entail for individuals and privacy. Studies have shown that large players, who have more resources to devote to compliance and therefore have no excuses in this area, are also those whose behaviour can have an influence over the whole ecosystem.
Consequences for the cooperation with the Autorité de la concurrence
While consideration of the data issue is already well advanced in the practice of the competition authorities, the mission presents several avenues for facilitating the integration of data protection and the CNIL's suggestions in this area in specific cases, for example in relation to mergers, or the definition of competitive remedies, following on from the requests for advice already sent to the CNIL by the Autorité de la concurrence.
The mission therefore recommends capitalising on existing exchanges in order to gradually establish a common doctrine between the two authorities and to envisage consultation of the CNIL by economic players when situations of non-compliance with GDPR have been identified by the Autorité de la concurrence. These players could then benefit from the CNIL's support tools and remedies suggested by the latter.
A European ambition for joint work
In the context of the implementation of the ‘EU digital package’, cooperation between data protection authorities and competition authorities also takes on its full meaning. The European Data Protection Board (EDPB), which brings together data protection authorities, has set up a task force in charge of the interplay between data protection, competition and consumer protection.
The enhanced cooperation promoted at national level could also be brought to European level via a dialogue between the EDPB and the European Competition Network, which brings together the national competition authorities and the European Commission. This dialogue would enhance cooperation between authorities throughout the EU, which would serve the objective of greater harmonisation of the internal market, in line with one of the recommendations of the Letta and Draghi reports.