Although competition law has been a part of the South African legislative landscape for a few decades, data protection law is a recent development. Despite its short tenure, the Protection of Personal Information Act 4 of 2013 (POPI) which became fully effective on 30 June 2021, has quickly become a major regulatory compliance focus for small and big business alike. This focus has only been heightened in light of the Information Regulator’s first administrative fine, issued on 3 July 2023, of R5 million for non-compliance with POPI.

The interaction between technology and competition has also been a focus of the Competition Commission (Commission) in recent times. This is evident from the Commission’s latest market inquiries into the distribution of media content on digital platforms as well as the soon to be finalised online intermediation platform market inquiry into industries including ecommerce, property portals, food delivery and travel.

Although competition and data protection laws appear to regulate to achieve different outcomes, there are instances in the digital age where these considerations collide. This is illustrated in the Court of Justice of the European Union’s (CJEU) decision in Meta Platforms and Others v Bundeskartellamt (ECLI:EU:C:2023:537).

EU case of Meta Platforms v Bundeskartellamt

The case concerned allegations that Meta (previously Facebook) aggregated personal data from its users without their consent across its social media platforms, including Instagram, WhatsApp and Facebook, as well as off-Facebook data derived outside of the social media platforms through its business tools, in contravention of its data protection law. This aggregation was allegedly done to allow Meta to provide more targeted and accurate advertisements to its social media users.

The German competition authorities found that the processing of such aggregated data (in particular the off-Facebook data) constituted an abuse of dominance under competition law because Meta, which was dominant in the market of German online social networks, forced users to accept its terms and conditions in order to use the Meta product offering, despite such terms not being consistent with data protection law. This practice allegedly gave Meta the ability to unfairly acquire large amounts of data to better the targeted nature of its advertising offering – to the detriment of consumers and rival/potential rival social media platforms.

To determine whether this conclusion was in line with EU competition law, the CJEU was asked by a German court to decide whether the German competition authority, for the purposes of determining whether conduct amounted to an abuse of dominance, could make a finding as to whether Meta’s data accumulation practices infringed data protection law.

The CJEU held that when deciding whether conduct amounted to an abuse of dominance, competition authorities must assess whether, based on the specific circumstances of the case, resorting to different methods other than those governing normal competition in products or services, would have the effect of hindering or promoting competition in the market. Therefore, compliance or non-compliance with rules outside of competition law, depending on the circumstances, may be a necessary inquiry to determine whether a firm has abused its dominant position.

The CJEU stressed that access to personal data and the ability to process such data has become a significant parameter for competition in the digital economy. Therefore, ignoring the rules of data protection from the legal framework considered by competition authorities when examining an abuse of dominance would disregard the reality of this economic development.

The CJEU encouraged co-operation between data and competition regulators. It cautioned that, ideally, only data protection regulators should make findings as to whether the particular conduct violated data protection legislation. In instances where a competition regulator identifies a potential infringement of data protection legislation in the context of determining whether conduct amounts to an abuse of dominance, such a decision must be taken in co-operation with the data protection regulator and should be consistent with any decision to be made by the data protection regulator in the future. Such findings (and future findings) on the aspects of data protection should not contradict one another.

The South African context: The Competition Act and POPI

The interaction between competition law, as contained in the Competition Act 89 of 1998 (Competition Act), and other regulated areas of law is not a novel consideration in South Africa.

The Competition Tribunal (Tribunal), in Cape Gate (Pty) Limited v Emfuleni Local Municipality CT Case No: CRP162Jan22/PIL201Feb22 (see link to our previous article here), recently considered whether it had jurisdiction to decide an excessive pricing case against energy providers in light of the sector-specific Energy Regulation Act 4 of 2006 (ERA). The main argument was that the Tribunal did not have jurisdiction as the ERA gave the National Energy Regulator of South Africa (NERSA) the power to investigate instances of discriminatory pricing and that these internal remedies should be exhausted before the Tribunal could be approached.

The Tribunal confirmed that it and NERSA would have concurrent jurisdiction to deal with the issue of pricing in terms of their respective empowering legislation. The Tribunal would, nevertheless, retain authority in terms of enforcing the Competition Act unless expressly ousted.

It also confirmed that once a complaint referral process has been initiated, the Tribunal is obliged to conduct a hearing into the matter to determine whether a prohibited practice (like an abuse of dominance) has occurred.

Although the interaction between POPI and the Competition Act has not been ventilated by the Tribunal or any court, it seems conceivable from POPI that such a concurrent jurisdiction would be possible.

POPI envisages co-operation between regulators in that it allows for the Information Regulator to have the ability to consult with other regulators before reaching a decision and also allows for the Information Regulator to refer a complaint to another regulator if it is more appropriate for such a regulator to deal with the complaint.

On the face of POPI and its regulations, there appears to be nothing that would prevent an alleged infringement of POPI also being considered as an abuse of dominance in terms of the Competition Act. 

Can a data protection infringement amount to an abuse of dominance?

A firm can only abuse a dominant position where it occupies a dominant position in a market. The Competition Act generally states that firms having a market share of more than 35% would likely be considered dominant.

When considering the types of abuses sanctioned by the Competition Act, there could be conceivable facts where a firm violates POPI in order to accumulate large amounts of valuable personal data. This data could afford it an unfair competitive advantage in a digital market to the disadvantage of (potential) competitors. As recognised by the CJEU, large amounts of data affords firms in digital markets the opportunity to provide more targeted and specialised products and services. Smaller potential entrants, who adhere to the confines of POPI, may not be able to obtain the required data and reach sufficient scale to provide a quality product or service to their customers, entrenching the dominance of the incumbent firm.

The legitimacy of this theory of harm will of course depend on the facts of the given case, but the Meta case and the Information Regulator’s activities nevertheless serve as a stark reminder for firms to treat their POPI commitments seriously to avoid a potential two-pronged attack.