
Competition & EU law insights

Keeping you up to date on Competition & EU law developments in Europe and beyond.


Data privacy vs. Antitrust: Why legal teams must now speak both languages

The digital economy is fundamentally reshaping the regulatory landscape. The parallel rise of personal data as a key economic asset and the dominance of digital platforms have made clear that competition law and data protection law can no longer operate in silos. Amongst numerous developments, the recent Apple ATT decision of the French Competition Authority[i] (“FCA”) has again placed the spotlight on how privacy rules and competition dynamics can be used, misused, or neglected, with significant consequences for markets and consumers.

What is now becoming evident is the need for close, institutionalised cooperation, not only between data protection authorities (DPAs) and competition authorities, but also between practitioners from both fields. This article explores how that cooperation is taking shape and what it means for businesses and their advisors.

Beyond legal silos: similar objectives, distinct tools

Historically, data protection law and competition law have pursued different goals: protecting fundamental rights versus safeguarding competitive markets. Yet, both ultimately aim to protect individuals, whether as citizens or consumers - one through the lens of autonomy and dignity, the other through the lens of choice and economic efficiency.

Until recently, these two legal regimes functioned in silos. Their respective authorities operated independently, with little to no overlap. Data protection enforcement focused narrowly on ensuring that individuals' personal data was processed lawfully, fairly, and transparently. Competition authorities, meanwhile, concerned themselves with issues such as market shares, barriers to entry, and pricing strategies.

However, the digital transformation of the economy has rendered such compartmentalisation outdated. Today, companies such as digital platforms accumulate an enormous competitive advantage through the control and use of personal data. Practices around consent, data sharing, and user tracking therefore directly shape the market power of digital firms. As such, the traditional boundaries between the two regimes are blurring, revealing points of necessary cooperation.

This convergence has become more than theoretical. In digital markets, a dominant firm's data practices can simultaneously raise antitrust and data protection concerns. As the European Data Protection Board (EDPB) stated in its January 2025 position paper[ii], regulators must adopt a “coherent, effective and complementary” approach, particularly where exclusionary practices exploit privacy rules or where non-compliance with data protection grants an undue competitive advantage.

A new standard of cooperation between regulators

The ECJ already clarified in 2023 that competition authorities may take the GDPR into account but cannot override or contradict the conclusions of the competent data protection authority, where relevant.

In this regard, the ECJ encourages competition authorities to coordinate with data protection authorities under the principle of sincere cooperation (Article 4(3) TEU) while also delineating the final responsibilities: data protection authorities remain the final arbiters of GDPR interpretation, while competition authorities are responsible for evaluating whether those data practices result in exclusionary or exploitative effects.

In France, the data protection agency (the Commission nationale de l'informatique et des libertés or "CNIL") and the FCA have embraced this shift. In a joint declaration issued in 2023[iii], they committed to a deeper working relationship, including formal consultations, shared research, and cross-training. They also plan to issue joint guidance and position papers on data-related market practices. This French initiative sets an important precedent and could serve as a blueprint for broader EU-wide regulatory collaboration.

The EDPB, for its part, has supported this cooperative turn. In its January 2025 opinion, it emphasised the mutual benefits of cross-regime enforcement: data protection decisions can be made more robust through economic analysis, while competition cases benefit from a better understanding of the nuances of GDPR compliance.

Lessons from recent enforcement: privacy as a tool of market power

The recent French Apple ATT case provides a compelling practical illustration of this cooperation. Apple’s App Tracking Transparency (ATT) framework, launched under the banner of privacy protection, imposed new consent requirements on third-party apps wishing to track user activity. However, Apple’s own apps were not subject to the same restrictions.

The FCA launched an investigation into whether this framework unfairly disadvantaged third-party developers and advertisers. To evaluate Apple’s justification based on GDPR compliance, it consulted the CNIL on whether the ATT mechanism was required or proportionate under GDPR.

The CNIL concluded that, while Apple had broad discretion to define its privacy policies, the way the ATT was implemented - by imposing asymmetrical obligations - was not mandated by GDPR. In particular, the ATT made it more difficult for third parties to obtain user consent, while allowing Apple to continue collecting first-party data through default settings and opaque user journeys.

The FCA used this determination to argue that Apple’s actions were not justified by genuine privacy concerns but rather aimed at consolidating its dominance in the digital advertising space. The ATT framework effectively restricted competitors’ access to valuable data while bolstering Apple’s own capabilities, an exclusionary practice hidden behind a privacy veneer.

This case shows how privacy mechanisms can be weaponised for competitive gain and how collaboration between authorities can reveal and address such practices more effectively.

The path forward 

Data protection is no longer just about mitigating privacy-related risks. Increasingly, it can serve as a competitive barrier or a competitive advantage. Ensuring that these distinctions do not undermine legitimate competition goals demands that competition and data protection authorities intensify their collaboration.

Companies can be penalised when they misuse strict privacy frameworks to foreclose rivals or when they skip data protection obligations and unfairly reduce compliance burdens. Moving forward, holistic solutions unifying privacy, antitrust, and consumer protection considerations will best tackle the complexities of digital markets.

The convergence of legal regimes has profound implications for lawyers and in-house legal teams. Traditional silos between antitrust and data protection expertise are no longer sustainable. Advising digital businesses today means integrating knowledge of both fields.

For competition practitioners, this means gaining fluency in GDPR principles such as data minimisation, lawful basis, and transparency, as these are not simply compliance obligations, but drivers of market structure and competitive advantage. For data protection lawyers and in-house counsel, it means recognising how seemingly neutral privacy implementations (such as consent banners, tracking settings, or API restrictions) can tip the scales of competition and require antitrust scrutiny.

Equally, businesses dealing with dominant platforms must remain vigilant. Where data restrictions or privacy claims appear unjustified or one-sided, companies may now rely on antitrust arguments to challenge them. Legal teams should document the technical and economic impacts of such restrictions and be prepared to raise exclusionary abuse or unfair practice complaints where appropriate.

For businesses, success will hinge on navigating the converging mandates of these regulators by implementing aligned compliance strategies and fostering open communication with both authorities. By doing so, organisations can reap the benefits of data-driven innovation while also safeguarding their reputations, user trust, and market positions.

For more information or guidance in this area, please contact Thomas Oster and Elsa Mandel.



[i] Décision 25-D-02 du 31 mars 2025 relative à des pratiques mises en œuvre dans le secteur de la publicité sur applications mobiles sur les terminaux iOS (link to the English version of the press release and the French version of the decision)

[ii] Position paper on Interplay between data protection and competition law, adopted on 16 January 2025 (link)

[iii] Competition and personal data: a common ambition, Joint declaration by the Autorité de la concurrence and the Commission nationale de l’informatique et des libertés (CNIL), Tuesday, 12 December 2023 (link to the English version)
