Two national competition authorities, the French Autorité de la Concurrence and the German Bundeskartellamt, are dealing with Apple's App Tracking Transparency Framework ("ATTF"). While the French competition authority has recently concluded its proceedings and imposed a fine of EUR 150 m. on Apple due to an infringement of competition law, the German Federal Cartel Office has sent Apple its preliminary legal assessment, also assuming that Apple is violating competition law by implementing the ATTF.
What is the ATTF about?
Apple's ATTF governs the possibility of tracking user data by third-party app providers on Apple's App Store.
Tracking allows personalised advertising to be displayed via the apps. For many app providers, the use of (personal) customer data is fundamental to their own business model, as they can monetise customer data vis-à-vis the advertising industry and thus cross-subsidise their own (often free) app offering.
Under EU and national data protection laws, the users’ consent is required before app providers may use their personal data for tracking and advertising purposes.
Due to the ATTF, which Apple introduced in 2021, providers of apps in Apple's App Store must obtain an additional consent from their app users if they want to use their data for tracking purposes. The consent then also allows the use of Apple's so-called Identifier for Advertisers (IDFA).
As part of the implementation of the ATTF, the consent is given after the download of the app through a special pop-up window in which users can agree or disagree with data tracking.
While a query of this kind is necessary for third-party app provider, it does not take place after the download of Apple’s own apps, which are partly also in competition with apps from third-party providers.
Accusation of the Autorité de la Concurrence
The French competition watchdog considers the enforcement of the ATTF to be an infringement of the prohibition of the abuse of a dominant position by Apple. In the view of the authority, Apple is dominant in the market for the distribution of mobile apps on iOS and iPadOS devices. According to the Autorité de la Concurrence, competition law does not prohibit Apple from implementing regulations to protect its customers' data, meanwhile acknowledging that data protection is a legitimate purpose. However, the ATTF is neither necessary nor proportionate for this purpose. The authority argues in this respect that the ATTF does not replace the consent required under French data protection law and does not provide an elevated standard of data protection. The app providers already have to obtain consent that meets the legal requirements in addition to the consent under the ATTF. This, as the Autorité de la Concurrence declared, would lead to user-unfriendly multiple pop-ups. The authority is also criticizes that the ATTF does not apply to Apple's own apps.
In its proceedings against Apple, the Autorité de la Concurrence worked closely with the French data protection authority, the Commission Nationale de l'Informatique et des Libertés (CNIL). The CNIL concluded that an adjustment to the ATTF in line with competition law would not lead to a reduction in the level of data protection by Apple. On the contrary, a minor adjustment to the ATTF would allow the user's consent in this regard to constitute consent under French data protection law and the GDPR as well.
Accusation by the Federal Cartel Office
The German Federal Cartel Office also regards the implementation of the ATTF as an infringement of the prohibition of abuse of a dominant position and as an infringement of the special competition regulation for large digital companies under Section 19a German Act against Restraints of Competition, which the Federal Cartel Office considers Apple to be the addressee of.
In the view of the Bundeskartellamt, the infringement of competition law is the unlawful self-preferencing of Apple: The combination and use of user data across Apple's ecosystem is not subject to the consent requirement under the ATTF. In addition, the dialogues for Apple's own apps are designed consent-friendly, while the dialogue for users of third-party apps tends to motivate them to reject data processing.
Analysis
Importance of data for competition
The ATTF shows the competitive significance of (personal) data for digital business models. The use of many apps is free of charge for end customers. However, users pay by consenting to the use of their personal data. App providers can monetise this data vis-à-vis the advertising industry, as companies pay the app providers to display ads via the app. The more targeted the advertising can be for a customer based on comprehensive data collection, the better the app provider can market the advertising options. The regulation of data collection by dominant platform operators can therefore have far-reaching consequences for the competitive position of app providers.
Interplay of competition law and data protection (law)
Because data is so important for the competitive position of companies in the digital economy, data protection has also become increasingly important in competition law in recent years. Two examples:
• Dominant undertakings must consider their data protection compliance for competition law reasons. This is because, according to the ECJ, a breach of data protection law by a dominant company can be an indication of abuse of a dominant market position.
• And the Digital Markets Act (DMA) – a special regulation for large digital companies – stipulates that the addressees of the DMA, the so-called gatekeepers, may only combine and use personal data of their users from various (core platform) services of the gatekeeper if consent compatible with the GDPR has been given, whereby the consent is only effective if the user has the option of using the service (in a less personalised form) without consent. According to the EU Commission, Meta failed to comply with this requirement (see here for an analysis of the decision).
By contrast, in the two ATTF proceedings the issue is not the sanctioning of insufficient compliance with data protection law by the dominant undertaking, but additional data protection requirements of the dominant undertaking vis-à-vis its commercial platform users. However, the potential competitive threat can be similar in both situations. As the proceedings against Apple’s ATTF indicate, data protection requirements for (competing) companies can be used to strengthen the own market position.
Conclusions
Both competition law proceedings show how important it is for market dominant platform operators to ensure that the access and usage conditions for their business users comply with competition law. This also applies, but not only, to the requirements for the protection of personal customer data by business users. Because this data can be commercialised, it is of considerable importance for the competitive opportunities of companies. Accordingly, competition watchdogs will continue to scrutinise the terms of use of market dominant companies if they contain data protection requirements for business users.
With regard to the two proceedings, it should also be emphasised that neither the French nor the German authority questions the general admissibility of data protection requirements for the use of a platform that go beyond the legally required minimum. On the contrary, the Autorité de la Concurrence explicitly has no concerns that even market-dominant companies may impose additional data protection requirements to protect their customers.
However, the French competition authority considers the ATTF to be problematic because its regulations are neither necessary nor proportionate to achieve the objective (i.e. the protection of personal data). A proportionality test of this kind is known in competition law, for example in the sports sector, where the rules of sports associations (e.g. anti-doping rules) must also be proportionate to be permissible under competition law (
cf. ECJ, C-519/04 P, para. 42). It seems that the French competition watchdog applied such a proportionality test to Apple's rules of the game for the use of its app store.
The German Federal Cartel Office, on the other hand, focuses on the aspect of self-preferencing. It sees the infringement in the fact that the ATTF applies to business users of Apple's platform, but not to Apple itself. Actually, even market-dominant companies are not obliged to promote third-party competition. However, competition authorities have repeatedly intervened in situations in which dominant providers of digital platforms have favoured their own undertaking in adjacent markets. Operators of platforms in a dominant market position must also pay attention to this.
