As you browse the internet, you may notice an increasing number of tech companies promoting their ‘privacy-friendly’ services. This shift toward personal data protection has also caught the eye of regulators. Indeed, the recognition of data protection as a competitive factor is evident in the cooperation between the French Competition Authority (ADLC) and the French Data Protection Authority (CNIL). While, strictly speaking, competition law and data protection law pursue distinct objectives – with the ADLC ensuring fair competition to benefit consumers through innovation, diverse offerings and competitive prices, and the CNIL safeguarding users from harmful data practices – they ultimately share a common goal: empowering citizens to make free choices. However, these areas can sometimes conflict, as data protection is a fundamental right in EU law while free competition is not.
The European Data Protection Board (EDPB) recently reinforced this trend in its position paper, emphasising the need for closer collaboration between competition authorities and data protection regulators. In this regard the Digital Markets Act (DMA) could further strengthen cooperation between the ADLC and the CNIL by establishing a framework for collaboration. Indeed, when their responsibilities overlap, the ADLC must consult the CNIL, making it an essential partner in implementing the DMA.
In the following, we explore how we expect the relationship between competition law and data protection law to evolve in France in the near future.
1. A familiar relationship: the link between competition law and data protection law
The cooperation between the ADLC and the CNIL has traditionally taken the form of cross-referrals. The ADLC is legally required to consult the CNIL on cases involving data protection aspects, a mechanism it has used in several instances. For example, in 2014, the ADLC ordered GDF Suez to grant competitors access to certain personal data it had collected as an incumbent company, aiming to ensure effective competition (decision no. 14-MC-02). In this case, the ADLC sought the CNIL’s recommendations on data protection requirements, specifying that personal data could only be shared with competitors if customers were informed and given the opportunity to object before the transfer.
2. Rethinking the relationship between competition law and data protection law in the digital age
The rise of tech companies that collect, process and use personal data at scale has shifted the relationship between competition law and data protection law. These companies’ business models often rely heavily on processing customer data.
In this context, the level of protection of personal data is becoming a competitive factor. If consumers perceive data protection as a quality feature of a service, it influences their choices in the same way as price. However, this dynamic is complicated by the ‘privacy paradox’: the gap between consumers’ stated preference for privacy and their actual behavior, where they continue to enjoy digital services despite privacy risks.
To address this paradox, the ADLC and the CNIL are collaborating on two fronts: (i) to creating incentives to make data protection a genuine competitive factor; and (ii) considering the economic context of market players in CNIL’s enforcement practice. The two authorities have issued several opinions and recommendations in the tech sector:
- In June 2023, the ADLC issued an opinion on the cloud sector highlighting that GDPR compliance could justify a national or EU market delimitation. Customers often prefer cloud providers with EU or national infrastructures for data protection and geopolitical reasons. This finding is even more relevant given the rise of AI and cloud-hosted foundation models that require GDPR-compliant cloud infrastructures, as well as developments in the EU health data space.
- The ADLC also issued an opinion in June 2023 on the competitive dynamics of the generative AI sector, showing that while GDPR compliance can be a competitive factor, it also creates a tension. On one hand, competition law pushes for greater data accessibility, while on the other, privacy law restricts it.
- In September 2023, the CNIL published recommendations on mobile apps, assessing data protection concerns while also considering competition implications. This marked the CNIL’s first formal request for an opinion from the ADLC.
- In a joint statement in December 2023, the CNIL and the ADLC emphasised that the creation of a High-Level Group as part of the DMA should help consolidate European regulators’ networks, particularly the European Competition Network (ECN) and the EDPB, to provide technical expertise and guidance on the interaction between the DMA and sectoral regulations, such as data protection.
However, balancing competition law and data protection law is complex. On one hand, weak data protection can distort competition, giving certain tech companies an unfair advantage. For example, unlawful data processing can help a company strengthen, maintain or acquire a dominant market position. On the other hand, stricter data protection rules may also restrict competition. Limiting access to personal data—which is often crucial for service delivery—can make it harder for competitors to enter or remain in the market.
The ADLC must therefore ensure that strong data protection is not merely ‘privacy washing’, while also considering whether there are less restrictive ways to achieve privacy goals without unduly impacting competition. A notable example is an interim measures case where the ADLC recognized a tech player’s ‘privacy-friendly’ approach as a legitimate business objective, making it a key milestone in integrating data protection into competitive analysis.
3. The ‘new normal’: integration of competition law and data protection law
To effectively address the challenges of the digital economy, the CNIL and the ADLC have identified the need for deeper cooperation.
In November 2022, the CNIL’s chairman tasked Bruno Lasserre (former ADLC chairman and now a CNIL board member) with conducting a study (the ‘Lassere Mission’) on the relationship between data protection law and competition law. Its conclusions, published in late 2024, proposes reinforcing the links between data protection law and competition law without modifying the current legal framework. The recommendations centre around three pillars:
- Legal concepts:
- The CNIL could rely on ADLC and European Commission decisions defining market products/services to inform its GDPR compliance assessments.
- The CNIL could consider past anti-competitive practices as potential complementary indicators of data protection breaches such as:
- Abuse of dominance through excessive data accumulation, which could violate the minimisation principle.
- Anticompetitive agreements leading to unlawful data combination, breaching the fairness principle.
- The ADLC could consult the CNIL:
- In merger control cases where privacy and personal data concerns arise, to better assess market impacts.
- In antitrust cases involving data pooling or data combination, to assess whether GDPR non-compliance could amount to an abuse of dominance.
- The CNIL and the ADLC could harmonise their approach to calculating fines.
- Legal doctrine:
- The CNIL could consider competition issues when drafting non-binding rules, such as recommendations and codes of conduct.
- The CNIL and ADLC could enhance collaboration by jointly analysing market risks and exchanging expertise.
- Implementation: Beyond case-specific cooperation, the ADLC and the CNIL could define an annual work programme to address emerging issues. A dedicated point of contact within each authority could oversee the implementation of this reinforced cooperation.
The evolving relationship between competition law and data protection law signals a shift in regulatory cooperation. As data protection becomes an increasingly influential factor in consumer choices, authorities like the ADLC and CNIL recognize its competitive significance. Their collaboration, supported by frameworks such as the DMA, EDPB guidance and the Lasserre Mission, is essential to ensuring both fair competition and strong data protection. However, striking a balance between consumer privacy and market dynamics remains a challenge. Looking ahead, we can expect not only closer cooperation but also a future where data protection plays a central part in competitive strategy, fundamentally reshaping the online business landscape.