Intersection between consumer and data protection laws: Italian authorities told to cooperate

On 21 December 2023, the Italian Supreme Administrative Court (CDS) held that the Italian competition authority, Autorità Garante della Concorrenza e del Mercato (AGCM), must cooperate with the Italian Data Protection Authority (Garante Privacy) when investigations give rise to substantive data protection issues. 

The judgment is a significant development that will impact future AGCM investigations (including, potentially, in relation to the enforcement of the Digital Markets Act (DMA)). It also casts doubts on the legitimacy of previous AGCM decisions where the investigation involved antitrust / consumer protection issues as well as data protection issues.   

Key takeaways

• The AGCM must cooperate with the Garante Privacy when competition / consumer (and possibly DMA) investigations give rise to substantive data protection issues.
• Due to the complexity of such cases, the Italian authorities will likely need to agree a framework for cooperating at an early stage of investigations.
• In future, complainants may need to consider proactively engaging with both authorities upfront.

Background: the AGCM's investigation into Telepass

The AGCM investigated Telepass S.p.A. and Telepass Broker S.r.l (together, Telepass) for alleged unfair commercial practices in the context of car insurance distribution for its commercial partners via its app. 

According to the AGCM, Telepass received flows of personal data from potential customers requesting quotes for insurance policies without adequately informing them of Telepass' data-sharing process with its insurance partners. Telepass' privacy notice did inform consumers that the information would be collected for the purposes of calculating the quote and then processed for marketing purposes. 

The AGCM focused on whether Telepass' conduct complied with the Italian Consumer Code (Legislative Decree of 6 September 2005, n. 206) and concluded that the conduct was capable of inducing customers to take a commercial decision that they would not have taken otherwise. Telepass was fined EUR 2 million for breaching the Consumer Code.

The AGCM argued that it did not assess whether Telepass' privacy notice (which was only referred to at the start of the quote request process) was compliant with the EU General Data Protection Regulation (Regulation 679/2016) (GDPR) and the Italian Privacy Code (Legislative Decree of 30 June 2003, n. 196). 

Telepass' appeal 

At first instance, the Regional Administrative Tribunal for Lazio (TAR) dismissed Telepass' appeal against the AGCM's decision. The TAR concluded that Telepass omitted essential information which misled consumers. In its view, the link with the privacy notice was merely incidental and not decisive for assessing the conduct. 

The TAR agreed with the AGCM that it was not required to seek the opinion of the Garante Privacy since data protection rules were not called into question. The TAR held that an opinion of the Garante Privacy is only required in cases concerning regulated activities, pursuant to Article 27, 1-bis of the Consumer Code. This is despite the fact that the Garante Privacy intervened in the case before the TAR and criticised the AGCM's failure to fulfil its duty of cooperation. As part of its intervention, the Garante Privacy confirmed that it had already examined the same conduct investigated by the AGCM and established that it was legitimate under the GDPR. The Garante Privacy stressed that it does not "regulate" any activity: it is entrusted with safeguarding a fundamental right and the free movement of data.  

Appeal to the CDS

Telepass appealed the TAR judgment to the CDS. In its defence, the AGCM argued that: (i) the conduct amounted to a commercial practice which violated the Consumer Code and (ii) it did not have to involve the Garante Privacy because it had not applied the GDPR. The AGCM stressed that the Consumer Code and GDPR pursue different objectives. 

The CDS upheld Telepass' appeal: in particular, it held that the Court of Justice of the European Union's (CJEU) judgment in Meta v Bundeskartellamt (Meta) could also apply to investigations into unfair commercial practices.

First, contrary to the AGCM's approach, the CDS established that there is a close link between Telepass' contested commercial practices and the (lawfulness of) processing of personal customer data. The conduct falls under both the Consumer Code and applicable privacy laws. According to the CDS, the broad range of activities falling within the definition of "data processing" in Article 4(2) GDPR, and which are therefore under the remit of the Garante Privacy, prevents the AGCM claiming exclusive jurisdiction to assess such conduct. Moreover, the CDS stressed that cooperation between the two authorities may also be required, particularly in light of the overlap between certain consumer and data protection provisions under Italian law. The CDS therefore concluded that the AGCM's analysis was incomplete. 

Secondly, the CDS held that the principles established in the CJEU's ruling in Meta also apply in cases concerning the interplay between consumer protection and data protection laws. Where a national competition authority (NCA) considers it necessary to rule on whether the processing of personal data complies with GDPR, the NCA and data protection authority must cooperate to ensure that GDPR is applied consistently.

Analysing whether an undertaking's conduct is GDPR-compliant may be an important element for assessing compliance with the Consumer Code. Excluding GDPR rules from the legal context forming part of the assessment of potential violations of the Consumer Code would undermine the effectiveness of the Consumer Code and disregard the fundamental importance of data for the digital economy. 

As a result, the CDS concluded that the AGCM's failure to involve the Garante Privacy during the investigation into Telepass meant that the AGCM's decision was "pathologically flawed".

The Garante Privacy is calling for the cooperation with the AGCM to extend into DMA investigations

The Garante Privacy has been vocal in stressing the need for cooperation between it and the AGCM. In addition to the Telepass case, the Garante Privacy stressed the need for cooperation in general terms and to comply with the ne bis in idem principle (double jeopardy) when commenting on the draft Annual Law on Market and Competition. 

In that context, the Garante Privacy argued that the general duty to cooperate imposed on the AGCM by EU law would extend to the enforcement of the DMA. The Garante Privacy also emphasised that Italian law states that the powers entrusted to the AGCM under the DMA are without prejudice to the Garante Privacy's competence. As a result, the authorities will need to coordinate where data protection profiles are relevant to investigations. 

In relation to the DMA, the Garante Privacy emphasised that coordination will be particularly important when assessing compliance with the obligations imposed on gatekeepers by Article 6(10) and 6(11). 

• Article 6(10) requires gatekeepers to allow business users (and authorised third parties) access to personal data generated in their use of the gatekeeper's platform. Access to data is subject to the end-users' consent, in line with GDPR requirements.
• Article 6(11) requires gatekeepers to provide search engines with access to anonymised ranking, query, click and view data for free, and paid searches generated by users.

According to the Garante Privacy, these DMA provisions presuppose duties of fairness in processing end-users' data with which the Garante Privacy must be able to ascertain compliance. 

Comment

The CDS' ruling in the Telepass case marks a significant step towards ensuring harmonised enforcement of competition, consumer and data protection laws. It is particularly important as it arguably "codifies" that the AGCM has a duty to cooperate with the Garante Privacy in consumer-related cases which concern data protection profiles. 

As a matter of EU law, this principle was established by the CJEU in Meta. The CJEU appears to have envisaged broader cooperation than the mere request / provision of an opinion under Article 27, 1-bis of the Consumer Code required for "regulated activities". 

Bearing in mind that, according to the CDS, failure to fulfil these cooperation requirements would result in the investigation being procedurally flawed and subject to annulment, it would be appropriate for the AGCM and Garante Privacy to establish a proper framework to govern their cooperation, even at an early / preliminary phase.

Increasingly, the AGCM will be confronted with complex investigations which give rise to similar data protection facets, including cases arising out of the DMA. AGCM decisions prior to the Telepass ruling will likely have limited precedential value in cases involving antitrust / consumer protection issues as well as data protection issues, given the AGCM did not cooperate with the Garante Privacy in these cases. 

In the same vein, complainants should be prepared to proactively engage with both authorities at an early stage to avoid risks of incomplete assessments that may vitiate the outcome of the investigation. 

With thanks to Maria Eugenia Finocchio of Ashurst for her contribution.