Towards Smarter Regulation in the Areas of Competition, Data Protection and Consumer Law: Why Greater Power Should Come with Greater Responsibility

Based on a mix of conceptual insights and findings from cases, this paper discusses three ways in which the effectiveness of regulation in the areas of competition, data and consumer protection can be improved by tailoring substantive protections and enforcement mechanisms to the extent of market power held by firms. First, it is analysed how market power can be integrated into the substantive scope of protection of data protection and consumer law, drawing inspiration from competition law’s special responsibility for dominant firms. Second, it is illustrated how more asymmetric and smarter enforcement of existing data protection rules against firms possessing market power can strengthen the protection of data subjects and stimulate competition based on lessons from priority-setting and cooperation by consumer authorities. Third, it is explored how competition law’s special responsibility for dominant firms can be further strengthened in analogy with the principle of accountability in data protection law. Similarly, it is discussed how positive duties to ensure fair outcomes for consumers are developed in consumer law. The analysis offers lessons for improving the ability of the three regimes to protect consumers by imposing greater responsibility on firms with greater market power and thus posing greater risks for consumer harm.


I. INTRODUCTION
Debates about the protection of consumers are often dominated by concerns relating to the practices of powerful firms whose activities reach large groups of consumers and thereby create particularly high risks of consumer harm. This is also reflected in current policy discussions at the European Union (EU) level where the introduction of asymmetric regulation only applicable to "gatekeeping platforms" is considered within the context of the Digital Services Act. 1 According to the European Commission, additional rules may be needed to ensure fairness and innovation and to protect public interests going beyond competition or economic considerations. 2 The need for such new ex ante regulation has so far been mainly determined on the basis of alleged limits of EU competition law. 3 This paper starts from the insight that the ability of EU data protection and consumer law to address concerns should also be considered when determining possible gaps in the current EU legal framework to adequately protect consumers visà-vis conduct of powerful players. 4 While EU competition law imposes additional restrictions on the behaviour of dominant firms through the abuse of dominance prohibition of Article 102 of the Treaty on the Functioning of the European Union (TFEU), the regimes of EU data protection and consumer law apply to all firms without tailoring their obligations to a firm's market share or scope of activities. Based on an analogy with the role of the special responsibility applicable to dominant firms in EU competition law, this paper explores to what extent stricter obligations for stronger market players can already be derived from current data protection and consumer law. We submit that a more asymmetric interpretation and enforcement of data protection and consumer law is necessary to reflect market reality where the behaviour of powerful firms is less constrained by competitive forces. By interpreting and enforcing data protection and consumer law uniformly irrespective of the market position of a firm, customers of powerful market players suffer from less effective protection. To address this, we suggest ways to impose a greater level of responsibility on firms possessing greater power, not only under competition law, but also under data protection and consumer law.
Based on a mix of conceptual insights and findings from concrete cases, the paper discusses three ways in which the effectiveness of regulation can be improved by tailoring enforcement approaches to the extent of market power held by firms. Section II analyses how market power can be integrated into the substantive scope of data protection and consumer law, drawing inspiration from competition law. 1 See Commission, "Inception Impact Assessment of the Digital Services Act Package" Ares(2020)2877686, 2 July 2020. The idea of a separate regulatory regime for gatekeeping platforms is currently also being raised at the national level, such as the UK and Germany. See UK Digital Competition Expert Panel, "Unlocking Digital Competition" (2019) <https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/785547/ unlocking_digital_competition_furman_review_web.pdf> (last accessed 15 July 2020); and Commission Competition Law 4.0 "A New Competition Framework for the Digital Economy" (September 2019) <https://www. bmwi.de/Redaktion/EN/Publikationen/Wirtschaft/a-new-competition-framework-for-the-digital-economy.pdf? __blob=publicationFile&v=3> (last accessed 15 July 2020). 2 Commission, "Shaping Europe's Digital Future" COM(2020) 67 final, 19 February 2020, 9-10. 3 J Crémer, A-Y de Montjoye and H Schweitzer, Competition Policy for the Digital Era (Luxembourg, Publications Office of the European Union 2019) <https://ec.europa.eu/competition/publications/reports/kd0419345enn.pdf> (last accessed 15 July 2020); UK Digital Competition Expert Panel, supra, note 1; and Stigler Committee on Digital Platforms (2019) <https://research.chicagobooth.edu/-/media/research/stigler/pdfs/digital-platforms-committee-reportstigler-center.pdf?la=en&hash=2D23583FF8BCC560B7FEF7A81E1F95C1DDC5225E> (last accessed 15 July 2020). 4 See also the pioneering work of the European Data Protection Supervisor (EDPS) in analysing synergies between the areas of data protection, competition and consumer law: Preliminary Opinion of the EDPS, "Privacy and competitiveness in the age of big data: The interplay between data protection, competition law and consumer protection in the Digital Economy" (March 2014) <https://edps.europa.eu/sites/edp/files/publication/14-03-26_competitition_law_big_data_en.pdf> (last accessed 15 July 2020); and EDPS Opinion 8/2016 on "coherent enforcement of fundamental rights in the age of big data" (September 2016) <https://edps.europa.eu/sites/edp/files/ publication/16-09-23_bigdata_opinion_en.pdf> (last accessed 15 July 2020). Section III illustrates how smarter enforcement of existing data protection rules against firms possessing market power can strengthen the protection of data subjects, as well as stimulate competition, based on lessons from priority-setting and cooperation by consumer authorities. While market power is incorporated into the very design of competition law, Section IV shows how the latter's notion of special responsibility can be further strengthened in analogy with the principle of accountability in data protection law. Similarly, it is discussed how positive duties to ensure fair outcomes for consumers are being developed in consumer law. Section V concludes by offering lessons to improve the ability of the three regimes to protect consumers in terms of both the substantive scope of protection and enforcement mechanisms.

II. INTEGRATING MARKET POWER INTO THE SUBSTANTIVE SCOPE OF PROTECTION
The special responsibility of dominant firms is a well-established but not entirely uncontroversial concept in EU competition law. After exploring the development of the notion of special responsibility in decisions of the European Commission and case law of the EU Courts, this section shows how a form of special responsibility can also be incorporated into data protection and consumer law by interpreting their rules in a way that would result in stricter requirements for larger firms. While the existing frameworks of data protection and consumer law both offer room to do so, the risk-based approach of the General Data Protection Regulation (GDPR) provides a particularly promising starting point to integrate a notion of market power into the substantive interpretation of the data protection rules.

Competition law
a. Origins of special responsibility Article 102 TFEU prohibits the abuse of a dominant position by an undertaking. The case law has emphasised that Article 102 TFEU does not prohibit companies from holding a dominant position per se. Instead, it places a "special responsibility" on a dominant firm not to allow its conduct to impair genuine competition. Dominant companies therefore have additional obligations placed upon them when compared to non-dominant companies: in specific circumstances, a dominant firm may not be allowed to engage in practices that are not in themselves abuses or practices that would be unproblematic if adopted by a non-dominant firm. 5 The notion that undertakings have a special responsibility under Article 102 TFEU can be found first in Michelin I, where the Court stated that "the [dominant undertaking] has a special responsibility not to allow its conduct to impair genuine undistorted competition on the common market". 6 In this formulation, the Court expanded on a point it made in Hoffman-La Roche, where it found that the sheer presence of a dominant firm is enough to assume a weakened state of competition. 7 Therefore, a dominant firm has a special responsibility not to distort competition because its market power provides it with greater (and perhaps unique) opportunities to damage the competitive process. 8 The Court has chosen to interpret the scope of this responsibility in a broad manner, potentially covering all conduct of a dominant undertaking that hinders the maintenance or growth of remaining competition. 9 It has also emphasised repeatedly that there is no single test for the scope of special responsibility and that it instead "must be outlined in light of the specific circumstances of each case", such as the degree of dominance and the special characteristics of the market. 10 The Court has been quick to point out that the special responsibility of a dominant undertaking does not prohibit a firm from competing altogether. In Hoffman-La Roche, the Court stated already that only "methods different from those which condition normal competition" are problematic. 11 However, while the Court has emphasised that dominant undertakings have a right to protect their own interests or otherwise meet competitors, it has historically interpreted this margin narrowly, repeatedly rejecting claims to this effect where it found that an undertaking had the "actual" purpose of strengthening a dominant position. 12 b. Link with the notion of competition on the merits Despite the fact that the existence of a special responsibility has often been mentioned in the case law, the exact implications and duties attached to it are not really clear. 13 For a long time, a reference to a dominant undertaking's special responsibility by the Court would inevitably signal the finding of an abuse, even though the exact relationship between the two was not explored. 14 The EU Courts paid lip-service to the notion of special responsibility without thoroughly examining the margin between an undertaking being dominant and an undertaking abusing this dominance. 15 The Court of Justice seems to have attempted to address this criticism by stating that special responsibility means "only that a dominant undertaking may be prohibited from conduct which is legitimate where it is carried out by non-dominant undertakings". 16 In doing so, it has in a way denoted special responsibility more as a descriptive element that is intrinsic to Article 102 TFEU (treating it indeed as a "statement of the obvious") 17 rather than as an element on the basis of which abusive behaviour can be determined in and of itself.
Because of this, more concrete inferences about the duties imposed by the special responsibility of dominant undertakings can only be retrieved by looking further at the specific tests utilised by the EU Courts and the Commission in abuse of dominance cases. 18 These tests have been substantially sharpened in recent decades due to criticism that Article 102 TFEU imposes restrictions on dominant undertakings that were unlikely to improve the competitiveness of the market, and instead were merely protecting weaker competitors. 19 Both the Court and the Commission have clarified that a dominant undertaking is allowed to "compete on the merits". 20 The Commission qualifies this as competition on "prices, better quality, and a wider choice of new and improved goods and services". 21 In practice, this has limited the additional duties flowing from the notion of special responsibility. As stated by the Court, "not every exclusionary effect is necessarily detrimental to competition", and "[c]ompetition on the merits may, by definition, lead to the departure from the market or the marginalisation of competitors that are less efficient and so less attractive to consumers from the point of view of, among other things, price, choice, quality or innovation". 22 It is no coincidence that the first ever case wherein an undertaking was stated to have a special responsibility without the Court subsequently finding an abuse (Post Danmark I) focused heavily on the undertaking competing on the merits. 23 At the same time, both the Commission and the Court have acknowledged that the special responsibility of dominant firms can also apply towards less efficient competitors in certain circumstances. In the context of rebates, the Court argued in Post Danmark II that "applying the as-efficient-competitor test is of no relevance inasmuch as the structure of the market makes the emergence of an as-efficient competitor practically impossible". 24 And in its Guidance Paper on enforcement priorities of Article 102 TFEU, the Commission recognised that a less efficient competitor may sometimes also exert a constraint that should be taken into account to determine whether there is anti-competitive foreclosure. 25 The scope of the special responsibility of dominant firms in relation to the protection of competitors is becoming more relevant again, as recent competition cases at the EU level focus on the anti-competitive effects that the conduct of dominant platforms can have on the position of businesses in downstream markets. Examples are the self-preferencing behaviour at stake in the Google Shopping decision, 26 the issue of preferential access to data in the ongoing Amazon investigation 27 and the impact of restrictions applicable to businesses in the App Store and Apple Pay in the Apple investigations. 28 c. Super-dominance and new notions of power A similar development can be seen when we examine the concept of "super-dominance" under Article 102 TFEU. Super-dominance (or "quasi-monopoly" in the terminology of the Court) had been introduced as a way to acknowledge that even among dominant undertakings there are different degrees of market power. 29 It is closely related to the concept of special responsibility, with Advocate General Fennelly arguing that undertakings that are super-dominant have a "particularly onerous special responsibility" resting upon them. 30 Expressed differently, super-dominance is a way to establish an extended scope of special responsibility for an undertaking that goes even beyond that of a "normal" dominant undertaking. 31 At first glance, this concept seems compatible with the case law requiring special responsibility to take into account the "degree of dominance and the special characteristics of the case". Some commentators have argued that super-dominance might simply acknowledge the reality that undertakings with overwhelming market power have a greater capacity to abuse that position. 32 Nonetheless, the concept has come under fire, with commentators 33 arguing that superdominance de facto ends up punishing undertakings for their size as opposed to their abusive behaviour. 34 In its Microsoft judgment, the General Court paid attention to the "extraordinary features" that Microsoft's dominant position in the market for PC operating systems exhibited, which may have formed a reason for the lowering of the conditions under which a refusal to supply interoperability information was held 26 Case AT.39740 Google Search (Shopping), 27 June 2017. 27 Press release European Commission "Antitrust: Commission opens investigation into possible anti-competitive conduct of Amazon" (17 July 2019) <https://ec.europa.eu/commission/presscorner/detail/en/IP_19_4291> (last accessed 15 July 2020). 28 Press release European Commission "Antitrust: Commission opens investigations into Apple's App Store rules" (16 June 2020) <https://ec.europa.eu/commission/presscorner/detail/en/ip_20_1073> (last accessed 15 July 2020); and press release European Commission "Antitrust: Commission opens investigation into Apple practices regarding Apple Pay"(16 June 2020) <https://ec.europa.eu/commission/presscorner/detail/en/IP_20_1075> (last accessed 15 July 2020). 29  This argument was part of a larger push for EU competition law to focus more on developing methods that substantiated economic harm instead of relying on "form-based" enforcement that deems certain behaviours and outcomes abusive without thoroughly examining their economic effect. This approach would largely reject the earlier-mentioned link between size and capacity for harm as overly formalistic. For a succinct argument in favour of this more economics-based approach, see J Vickers "Abuse of Market Power" (2005)  abusive as compared to earlier refusal to deal cases. 35 In TeliaSonera, the Court of Justice clarified in the context of the assessment of margin squeezes that the degree of dominance does not play a role in determining whether abuse exists, but is significant in relation to the extent of the effects of conduct. 36 In this regard, the degree of dominance can thus be a relevant factor in the assessment of the gravity of abusive conduct under competition law. The notion of super-dominance is gaining relevance again, but under a different name. Competition policy reports published in 2019 mentioned concepts of market players with "significant market status" and undertakings in a position to exercise market power over a gateway or bottleneck as triggers for new regulation beyond competition law. 37 The upcoming Digital Services Act is now indeed expected to introduce rules for "gatekeeping platforms", 38 and the UK Competition and Markets Authority (CMA) suggested a number of interventions targeted at platforms with "strategic market status" in its July 2020 final report on online platforms and digital advertising. 39

Data protection law
a. GDPR's risk-based approach A link between competition law's notion of special responsibility and data protection is already present in the investigation of the German Bundeskartellamt against Facebook. In its 2019 decision, the Bundeskartellamt explicitly found that Facebook holds a "quasimonopolist" position that threatens to "tip" into a monopolist one. 40 The Bundeskartellamt built its findings around a number of parameters that show how and why the position of super-dominance exists and why it is especially relevant in markets like the one for social networks. 41 From this finding of super-dominance, the Bundeskartellamt went on to impose a broadly defined special responsibility on Facebook, arguing that Facebook had abused its dominant position by infringing data protection law. The Facebook decision brings up the question whether dominant firms can be argued to carry a higher responsibility than non-dominant firms as regards compliance with data protection law. The Bundeskartellamt explored this issue by using data protection rules as a benchmark to establish an exploitative abuse in competition law, where market power and special responsibility are inherent parts of the analysis. However, one can also take a purely data protection perspective and try to incorporate a special responsibility within data protection law itself by drawing inspiration from the role of the concept in competition law, as the next paragraphs illustrate.
EU data protection law and the GDPR, 42 as the main secondary legislative instrument, apply to all forms of processing of personal data regardless of the market position of the data controller and the scope of the data processing. This means that the GDPR does not impose additional obligations on dominant firms that do not apply to non-dominant firms, as is the case under the abuse of dominance prohibition of EU competition law. All data controllers have to comply with the same duties set out in the GDPR, irrespective of their size.
At the same time, the GDPR does take into account the level of risk in terms of the scale of the obligations applicable to controllers. When the risk of processing is higher, more detailed obligations will apply to controllers. 43 For example, "the risks of varying likelihood and severity for the rights and freedoms of natural persons" play a role in determining to what extent the controller must implement appropriate technical and organisational measures to ensure and be able to demonstrate that the processing of personal data is performed in compliance with the rules. 44 The GDPR makes similar references to risks of processing in the context of data protection by design, security of processing and data protection impact assessments. 45 In addition, the Court of Justice referred to the ubiquity of online search engines in Google Spain. In the case, the data subject invoked a right to have information relating to him personally no longer be linked to his name in a list of results displayed in a search engine following a search made on the basis of his name. The Court argued that "the important role played by the internet and search engines in modern society, which render the information contained in such a list of results ubiquitous", heightened the effect of the interference caused by Google's processing of personal data with the fundamental rights to privacy and data protection of the data subject. 46 Even though scale or size do not act as triggers for obligations of data controllers under EU data protection law, the risk that particular processing activities may bring about and the ubiquitous nature of a data controller can thus be considered as relevant factors in establishing, respectively, the scale of its obligations and the impact of its processing activities on the rights of the data subject. 47 Against this background, Lynskey introduced the term "data power", referring to the power exercised by firms arising from the control over the data they hold, enabling them to profile users and to influence opinion formation. In her view, the GDPR's risk-based approach could provide a normative foundation for the imposition of a special responsibility on controllers holding data power, in analogy with the special responsibility that competition law imposes on dominant firms. 48 Similarly, the European Data Protection Supervisor (EDPS) argued in its 2014 Preliminary Opinion on "Privacy and competitiveness in the age of big data" that the scalability of data protection provisions in relation to the volume, complexity and intrusiveness of data processing activities can be regarded as analogous to the special responsibility of dominant firms under competition law. 49 The EDPS also referred to case law of the European Court of Human Rights, which notes that: "The greater the amount and sensitivity of data held and available for disclosure, the more important [is] the content of the safeguards to be applied at the various crucial stages in the subsequent processing of the data". 50 Because data protection has the status of a fundamental right in the framework of the Council of Europe 51 and the EU, 52 a special responsibility could also be based on the horizontal effect of fundamental rights, going beyond data protection and applying to other constitutionally guaranteed rights, too. In this regard, the Federal Court of Justice argued in its June 2020 judgment in the German Facebook case that Facebook as a dominant social network provider that has taken over the framework conditions for communication is also bound by fundamental rights, in a similar way as the state. 53 In more general terms, the 2019 report on "Competition Policy for the Digital Era" commissioned by EU Commissioner Vestager argued that the interpretation and implementation of the GDPR should take the implications for competition into account and referred to the relevance of a firm's market power under the GDPR's risk-based approach. 54 This would seem to be particularly relevant for the interpretation of key data protection concepts such as the fairness of data processing and the accountability of data controllers. When a data controller is dominant or holds market power, we submit that it is desirable to apply stricter standards towards the principles of fairness and accountability in order to better protect data subjects, considering that they are less able to switch to another controller. 55 A concrete example where the impact and scale of the data controller's activities seems to have been implicitly taken into account in the interpretation of the GDPR's obligations 48  is the decision of the French Commission nationale de l'informatique et des libertés (CNIL) fining Google in January 2019 for a lack of transparency, inadequate information and a lack of valid consent regarding personalisation of advertising. The French Council of State confirmed the decision of the CNIL in June 2020. 56 When assessing Google's compliance with the requirements of transparency and information provision to data subjects, the CNIL paid attention to the "particularly massive and intrusive" character of the processing operations, considering the number of services offered and the amount as well as the nature of the data processed and combined by Google. 57 While the GDPR does not lay down a notion of special responsibility as has been developed by the EU Courts in competition law, the GDPR's risk-based approach does offer room to take into account the relative size of data controllers and their processing activities. Even though small data controllers may also engage in farreaching data processing activities and violations of the GDPR can take place irrespective of the size of the controller, there is reason to be particularly concerned about data controllers holding market power (which could be determined in the way that is common in competition law) whose behaviour is less constrained by market forces.
b. Relevance of market power to assess freely given consent Beyond the GDPR's risk-based approach as a high-level mechanism, there are more specific instances where a data controller's market power can be a relevant part of a data protection analysis. For instance, the Article 29 Working Party referred to the existence of a dominant market position as a relevant piece of information for assessing whether a data controller's legitimate interest in data processing is overridden by the fundamental rights or interests of data subjects in the context of establishing a lawful ground for data processing under Article 6(1)(f) GDPR. 58 Similarly, the existence of market power can be a relevant factor in the analysis of whether the consent of a data subject is freely given. Recital 43 of the GDPR states that consent is not freely given where there is a "clear imbalance" between the data subject and the data controller, in particular when the controller is a public authority. However, in its interpretation of the notion of freely given consent, the Article 29 Working Party stated explicitly that imbalances of power are not limited to public authorities. According to the Article 29 Working Party, consent is valid only if the data subject can exercise a real choice and there is no risk of deception, intimidation, coercion or significant negative consequences if he or she does not consent. More 56 French Conseil d'État "Sanction Infligée à Google par la CNIL" (19 June 2020) <https://www.conseil-etat.fr/ ressources/decisions-contentieuses/dernieres-decisions-importantes/conseil-d-etat-19-juin-2020-sanction-infligee-agoogle-par-la-cnil> (last accessed 15 July 2020). 57 Commission nationale de l'informatique et des libertés "The CNIL's Restricted Committee Imposes a Financial Penalty of 50 Million Euros Against GOOGLE LLC" (21 January 2019) <https://www.cnil.fr/en/cnils-restrictedcommittee-imposes-financial-penalty-50-million-euros-against-google-llc> (last accessed 15 July 2020). 58  specifically, the Article 29 Working Party argued that consent is not free in situations where an element of compulsion, pressure or inability to exercise free will is present. 59 The existence of market power can act as a good indicator to determine whether such a "clear imbalance" between the data subject and the data controller is present.
A data subject is usually in a weaker position than the data controller, so that situations without any imbalance are hard to imagine. In this regard, data protection law has similarities with consumer law in that both regimes are motivated by addressing power asymmetries. As a well-established concept in competition enforcement, an analysis of the market power of a data controller can act as a threshold to determine whether the extent of the imbalance in the circumstances of the case is such that the data subject's consent can no longer be regarded as freely given. 60 Such an interpretation would imply that advertising-based companies such as Google and Facebook, which arguably hold a dominant position in their respective markets of online search and social networking, have limited ability to rely on data subject consent as a lawful ground for data processing. This would increase the importance of other lawful grounds such as the performance of a contract and the legitimate interests of the data controller. The 2019 Facebook decision of the Bundeskartellamt is instructive in this regard.
The Bundeskartellamt found that Facebook had abused its dominant position in the market for social networks by making the use of its social network dependent on users agreeing to the combination of data aggregated through Facebook's different services and from third-party sources into a user's Facebook's account. In doing so, Facebook exploited its users in the view of the Bundeskartellamt by imposing "abusive business terms" that infringe data protection principles. 61 The Bundeskartellamt worked closely together with data protection authorities in coming to its conclusions (who it notes in a press statement "explicitly supported" the effort), providing a primary example of the ways in which these areas can be connected where they overlap in terms of substantive principles. 62 The way in which the Bundeskartellamt builds this connection is worth examining in more detail.
Firstly, it is important to note that the German Federal Court of Justice has ruled that the Bundeskartellamt can apply certain civil law concepts when assessing abusive practices, as well as that the Bundeskartellamt can intervene where market power leads to an interference with constitutional rights in contractual negotiations. 63 This allows the Bundeskartellamt to perhaps more easily justify the combined application of principles from different fields of law than would be possible on an EU level. The Bundeskartellamt notes that the GDPR already incorporates elements of market power, either indirectly or directly. In particular, the Bundeskartellamt states that the GDPR can be read to integrate market power in its assessment of certain areas, notably through its recitals stating that consent is not "freely given" where consumers have no alternative options or where there are clear power imbalances, such as in the case of a quasimonopolist. 64 Therefore, the Bundeskartellamt argues, this is not only an instance of a dominant undertaking violating competition law through its breaking of data protection legislation, but inversely also a case of an undertaking violating data protection legislation because it holds a dominant position. 65 The company was only in the possibility to violate data protection law in the way it did because of its dominant position, invoking the notion of special responsibility and extending it to compliance with data protection law through the finding of an exploitative abuse under German competition law. In fact, the Bundeskartellamt outright states that: "Just because other Internet companies such as Yahoo, Bing Oracle or Google collect data via interfaces does not mean the same conduct by Facebook is permissible under data protection law". 66 In formulating this two-way interaction between data protection law and competition law, the Bundeskartellamt has not only incorporated data protection principles into its competition analysis, but similarly transferred elements of competition law into data protection. Under such an approach, a case such as this could have been taken up by a data protection authority and have led to a very similar outcome: the data protection authority could integrate the market position of Facebook into its analysis and find certain data processing practices to be in violation of data protection principles, even where companies without market power might be allowed to carry out the same practices. 67 The Facebook decision also illustrates the difficulties in attempting to marry different legal disciplines, however. Facebook challenged the decision and the Higher Regional Court in Düsseldorf ruled in favour of the social media platform in the interim proceedings. In its August 2019 judgment, the Düsseldorf Court specifically chastises the Bundeskartellamt for straying too far from a traditional competition analysis, noting that data protection violations are not competition law problems when the Bundeskartellamt does not convincingly carry out a counterfactual and a consumer harm analysis. 68  protection rules. This was the reasoning at the heart of the Bundeskartellamt's decision. Instead, the Federal Court of Justice argued that Facebook's behaviour violated German competition law by restricting its users' freedom of choice and right to self-determination as protected by the German constitution. 69 The case will now have to be decided on the merits by the Düsseldorf Court, so that it remains to be seen whether the decision of the Bundeskartellamt will remain in place. 70 Irrespective of whether the competition analysis in the Facebook case will be upheld, the GDPR's risk-based approach provides room to tailor the interpretation of data protection law's substantive protections to the market power of data controllers.

Consumer law
a. Consumer law's lower thresholds as a regulatory advantage Consumer law and competition law ostensibly share an overlapping goal: both aim to protect consumers from harm. Both fields, however, carry out their analysis on a different scale: consumer law examines the individual transaction between a consumer and a trader, whereas competition law concerns itself with the competitive process of the market as a whole. 71 Although consumer law is inherently concerned with addressing power asymmetries, its application does not diverge in accordance with the market power of the involved undertaking. Aside from some notable exceptions, consumer authorities do not consider market power or any special responsibility flowing therefrom in their substantive interpretation of the consumer rules.
For instance, when considering the findings of collective enforcement actions taking place at the EU level in the Consumer Protection Coordination Network (CPC), we see that the notion of market power plays no role in these conclusions, and nor is any market analysis performed. Consumer authorities do not differentiate between undertakings that have a large market share and those that have a small market share when finding violations: consumer law is applied uniformly regardless of the size of an undertaking. One example of this is the collective enforcement action against social network platforms by the CPC, in which uniform requirements have been imposed on the examined social networks (Facebook, Twitter and Google) without taking into account any significant differences in market position and market share between the involved players. 72 The consequences of the different focuses of the two fields can be best illustrated by looking at cases where competition and consumer law investigations have been conducted in parallel. Both Dutch and UK enforcement agencies have carried out investigations (for online video platforms 73 and cloud storage services, 74 respectively) of this nature. In these investigations, no market power (and subsequently no reason to pursue further investigation) was established in the competition analysis, whereas the analysis under consumer law was not dependent on a finding of market power to identify concerns. For example, the competition analysis by the Netherlands Authority for Consumers and Markets of the online video platform market explored possible risks to competition; however, all of these risks were deemed unlikely to manifest. The reasons given for this were, among others, the absence of one single dominant player, the low barriers to entry and the non-rivalrous nature of data collected by these platforms. 75 Conversely, the different scope and approach of consumer law is apparent in that part of the analysis. The Authority compared the Unfair Contract Terms (UCT) Directive 76 to the terms utilised in contracts by these video platforms and subsequently found that all video platforms included terms that were undesirable from a consumer law standpoint. 77 Because this analysis focuses on the individual transaction between consumer and trader, one looks for behaviour that is deemed undesirable in and of itself instead of having to analyse behaviour within the context of the competitive process as a whole. This is also reflected in the length of each respective review: the competition analysis is about twelve times longer than the consumer law one.
Nonetheless, one might say that the "threshold" for finding violations under consumer law is significantly lower than that of competition law, reflecting the focuses of their respective analyses. When analysing cases under consumer and competition law in parallel, a strategic choice may therefore be to pursue investigations under consumer law because the latter does not require an analysis of the market to establish abuse of dominance. This may be especially interesting for cases concerning digital markets, as competition authorities have struggled with conducting market analyses and establishing theories of harm in these instances. 78 Conversely, the European Commission stated in its 2016 Guidance on the application of the Unfair Commercial Practices (UCP) Directive that the fact that practices infringe the competition rules does not automatically qualify them as unfair under the UCP Directive as well. However, the breach of competition law should be taken into account when assessing their unfairness under the Directive. 79 b. Usefulness of incorporating a notion of special responsibility Concerns have been raised about the effectiveness of consumer law's focus on the protection of consumers in individual transactions. Consumer law places the burden of decision-making on the consumer and remedies are often geared towards finetuning (often by increasing) the information that is made available to a consumer prior to a transaction. The criticism of this approach is that it is ineffective in addressing the power and information asymmetries that often occur in complex markets because it does not reflect economic realities of bounded rationality and the imbalances in the bargaining position of a consumer vis-à-vis a trader. 80 While there is no all-encompassing solution to such a structural problem, we submit that the recognition of a special responsibility for traders that hold market power can help address this problem.
An avenue that can be explored within consumer law in general is to incorporate a trader's market power into the assessment of the fairness of contract terms and commercial practices. To determine whether a contract term causes a significant imbalance in the parties' rights and obligations to the detriment of the consumer under the UCT Directive, 81 a more critical stance towards traders holding market power indeed seems valid, as consumers have less ability to switch to other providers. Similarly, commercial practices imposed by traders with market power may need to be assessed more strictly under the UCP Directive as to their ability to materially distort the economic behaviour of the average consumer. 82 The Italian Competition Authority (Autorita' Garante della Concorrenza e del Mercato) indeed seems to have taken such an approach in its 2017 decision qualifying WhatsApp's updated terms as unfair. The Italian Competition Authority found that WhatsApp de facto forced users to accept its new terms of service, and in particular the provision to give consent to share personal data with Facebook, by letting users believe that without granting such consent they would no longer be able to use the service. 83 According to Zingales, the position of WhatsApp as a market leader in consumer communications services has played a key role in the decision of the Italian Competition Authority, both in terms of the substance of the analysis and the quantification of the fine. Among other indications, he refers to the extent of "undue influence" exerted on consumers by WhatsApp that is defined by reference to WhatsApp's market position, where the Italian Competition Authority concludes that consumers use WhatsApp daily, even replacing regular telephony, and therefore hardly have a choice to abandon the service. In addition, according to Zingales, the Italian Competition Authority argued that WhatsApp "leveraged" the dependence of its users on the service to obtain a "consent that is broader than necessary to continue using the application". 84 Based on these elements in the reasoning of the Italian Competition Authority, one can indeed observe that higher standards have been applied to WhatsApp because of its position as a market leader. Botta and Wiedemann note that this decision concerns many of the same issues (combining concepts of market power, unfair terms and conditions and personal data protections) as covered by the German Facebook decision. 85 However, the Italian case was decided under consumer law instead of under competition law's abuse of dominance prohibition. 86 In this regard, these cases are not only exemplary of the increasing convergence of data protection, consumer and competition law enforcement, but also of the different approaches taken by national authorities.
A more explicit recognition of a special responsibility in consumer law, in analogy with how the concept is applied in competition law, would in our view better reflect market reality in the enforcement of existing consumer rules. Criticism on such an approach may be that this leads to a situation where consumers of dominant firms benefit from a higher level of protection than consumers of non-dominant firms, going against the general applicability of the consumer rules. The same argument can be made in relation to the GDPR, which as one of its objectives promotes the fundamental right to data protection that needs to be respected irrespective of the size or impact of data processing activities. However, due to their market power, dominant firms have a stronger ability to cause harm to consumers and data subjects because of the lack of alternative providers to which they can switch. Dominant firms are therefore unlike non-dominant firms not constrained by the competitive forces of the market. In a way, one could thus argue that consumers and data subjects of dominant firms are less protected if the regimes of consumer and data protection law do take into account market power in the substantive interpretation of their rules. Important to note here is that the integration of a special responsibility in consumer and data protection law would serve as a tool to impose stricter requirements on powerful businesses and not to provide small businesses with an opportunity to ignore the rules. In particular, our suggestion to take inspiration from Article 102 TFEU's notion of special responsibility for consumer and data protection law should be distinguished from the approach under Article 101 TFEU where restrictions of competition only violate the competition rules when they have an appreciable effect on competition (with the exception of by object restrictions that are considered per se harmful), and a "safe harbour" applies for minor restrictions of competition by companies below certain market share thresholds. In this sense, our proposal does not go as far as claiming that violations of consumer and data protection law by small businesses should be tolerated. One of the findings of the Netherlands Authority for Consumers and Markets in its investigation into online video platforms confirms the need to be more wary about the behaviour of dominant platforms under consumer law. The Authority established a link between platform size and the range of possibly unfair terms under consumer law, as it found that platforms with the largest user base and a wider range of (integrated) digital services have more (possibly) unfair terms. 87 It thus seems worthwhile to explore how a special responsibility can be integrated within consumer law in order to better protect consumers against unfair terms and unfair commercial practices of dominant firms.

III. TOWARDS MORE ASYMMETRIC AND SMARTER ENFORCEMENT
Apart from differentiating based on market power in the application of the law, the existence of market power can also be used as an indicator to set enforcement priorities. With regard to competition enforcement, the current policy debates display an interesting dichotomy. On the one hand, the European Commission is exploring the introduction of a "New Competition Tool" to be used by competition authorities to impose remedies on firms in case of structural problems without the need to establish a violation of the competition rules and potentially even without having to assess dominance. 88 The idea behind this tool is that intervention may come too late in certain markets where characteristics such as network effects, economies of scale and scope and the role of data lead markets to tip to a few players even before they reach the stage of dominance. With the adoption of the New Competition Tool, the reach of possible remedies imposed by competition authorities may thus extend to non-dominant firms. On the other hand, the Commission is exploring additional ex ante regulation for gatekeeping platforms as a complement to competition enforcement. 89 This illustrates the need expressed by policymakers for stricter rules for a certain class of especially strong players, beyond dominance as such. In this sense, competition law is thus being strengthened in both directions.
This section focuses on the enforcement of data protection and consumer law and makes suggestions for developing a more asymmetric enforcement approach, where cases are prioritised based on the market position of the firm under investigation. It is illustrated how consumer authorities indeed prioritise investigations based on the scale and expected impact of commercial practices on consumers. Within data protection, no such prioritisation is taking place yet in a systematic way. This section shows how the current lack of enforcement of existing GDPR requirements such as purpose limitation provides larger firms with the ability to continuously expand their control across services and markets. We illustrate how a more asymmetric approach would lead to a smarter and more focused enforcement of data protection law to the benefit of individual data subjects and overall competition.

Enforcement priorities in consumer law
While consumer law is applied uniformly regardless of market power, this does not mean that there is no consideration of market power at all within consumer law enforcement. In particular, market power does play a role in setting enforcement priorities. Enforcement actions taking place collectively at the EU level will often focus on parties that have large market shares. For example, CPC joint actions have targeted only the five largest car rental companies and the three largest social media platforms on their respective markets, and have even focused on single large players (Airbnb). 90 Rather than a substantiated effort by consumer authorities to target players holding market power with stricter obligations, this seems indeed more a reflection of the practical reality of enforcement and the selection of enforcement priorities. In fact, the CPC has carried out collective enforcement actions that focused on large quantities of players, such as when it analysed 560 digital vendors. 91 These enforcement actions are exceptional in nature though, perhaps due to the effort that is required to carry them out.
On the national level, we can also see such a development. For example, the UK CMA has explicitly noted that it prioritises enforcement for "systemic market issues". 92 This denotes that there is at least consideration of the market structure in decisions on how to use resources for enforcement, even where the substantive interpretation of the consumer rules rarely considers this aspect. Such an approach offers lessons for data protection enforcement, where authorities do not yet systematically prioritise cases in accordance with market power. The next section illustrates how such an asymmetric enforcement of the data protection rules would create more effective protection.

Impact of effective enforcement of GDPR's principle of purpose limitation
Beyond a possible integration of the competition law notions of market power and special responsibility into the interpretation of data protection law to impose stricter obligations on dominant data controllers, it is also important to realise that certain requirements of the GDPR inherently limit the data processing activities of dominant firms to a greater extent than those of non-dominant firms. These situations result automatically from applying the GDPR and therefore do not require an active tailoring of obligations to the market position or scope of data processing of a data controller. However, there is currently a lack of effective enforcement of the data protection rules that would pose limits to the data processing activities of dominant firms. 93 90 Consumer Protection Cooperation Network "Single Market Scoreboard" (2019), section C <https://ec.europa.eu/ internal_market/scoreboard/performance_by_governance_tool/consumer_protection_cooperation_network/index_en. htm> (last accessed 15 July 2020). 91 Commission, "Online Shopping: Commission and Consumer Protection Authorities Call for Clear Information on Prices and Discounts" (22 February 2019) <https://ec.europa.eu/commission/presscorner/detail/en/IP_19_1333> (last accessed 15 July 2020). 92 UK CMA, "CMA Response to Government Consultation" (July 2018), para 51 <https://assets.publishing.service. gov.uk/government/uploads/system/uploads/attachment_data/file/726169/CMA_response_to_consumer_green_paper. pdf> (last accessed 15 July 2020). 93 See also MS Gal and O Aviv, "The Competitive Effects of the GDPR" (2020) 16(3) Journal of Competition Law & Economics 349, who argue that the GDPR can have harmful effects on competition and innovation in data markets by entrenching the market power of players who are already strong.
In its response to the publication consultation of the UK CMA on online advertising, the private web browser Brave called upon data protection authorities to enforce the purpose limitation principle in order to prevent "privacy policy tying", whereby big tech firms ask users for their consent to combine all data from many services. 94 The purpose limitation principle requires personal data to be collected for specified, explicit and legitimate purposes and not to be further processed in a manner that is incompatible with those purposes. 95 A bundling of consent where companies offering multiple services ask data subjects for their consent only once for all services at the same time does not comply with this principle. Recital 32 of the GDPR explains that consent should cover all processing activities carried out for the same purpose and that consent should be given for all of them separately when the processing has multiple purposes. Similarly, the European Data Protection Board requires consent to be granular to prevent data subjects being left no choice but to consent to a bundle of processing purposes. 96 Based on these arguments, Brave argued that the bundling of consent by companies such as Google and Facebook violates several requirements of the GDPR, including the purpose limitation principle, and that their data advantage stems from a lack of data protection enforcement. 97 The enforcement of purpose limitation would restrict the combination and cross-use of personal data among services offered by the same firm, because of the requirement to separate consent for each purpose of data processing. Even though purpose limitation applies to all data controllers irrespective of their size, it inherently leads to more limitations for firms processing personal data within different services for multiple purposes at the same time. We submit that strict enforcement of purpose limitation would not only give data subjects more control over how their personal data are used, but may also help address concerns arising from the expansion of market power through the leveraging of personal data across services. Enforcement of data protection law would thus at the same time achieve results that foster more competition-orientated interests. 98 A more effective enforcement of the GDPR is thus key. One of the core aspects of the GDPR's enforcement system is that the national data protection authority of the main establishment of the data controller is automatically competent to act as the lead supervisory authority, whose investigation is effective in the entire EU. 99 According to consumer organisation BEUC, the concentration of complaints against big tech players in the hands of one single national authority has led to an "enforcement For an analysis of Brave's actions against the background of the interaction between data protection and competition law, see also G Monti, "Attention Intermediaries: Regulatory Options and their Institutional Implications", TILEC Discussion Paper DP 2020-018, 12 and 30 (7 July 2020) <http://ssrn.com/ abstract=3646264> (last accessed 15 July 2020). 99 Art 56(1) GDPR.
bottleneck effect". 100 In its June 2020 Communication evaluating the two years of application of the GDPR, the European Commission similarly pointed at the fact that the largest big tech multinationals are established in Ireland and Luxemburg so that these data protection authorities, as lead authorities in many important cross-border cases, need larger resources than their populations would otherwise suggest. In addition, the Commission argued in its evaluation that data protection authorities have not yet made full use of the tools that the GDPR provides to handle of cross-border cases more efficiently, such as through joint investigations. 101 The enforcement approach within EU consumer law, organised in the CPC, to let the national consumer authorities concerned by a widespread consumer infringement select the authority that is best placed to coordinate the case is particularly instructive. 102 The latter approach offers possibilities for burden sharing among authorities and avoids problems in situations where firms have their main establishment in Member States that do not have a strong enforcement authority with enough resources to investigate cross-border cases. To ensure the effectiveness of data protection enforcement in the future, lessons can therefore be drawn from the enforcement system within consumer law that relies much more on cooperation between national authorities.

SHOW COMPLIANCE
The previous section has shown that there is a difference between the "law on the books" and the "law in action" 103 when effective enforcement is lacking. A way to address this problem is to shift the focus from the imposition of negative duties to refrain from certain problematic behaviour to positive duties to show compliance with the rules. In such cases, the burden of proof still lies with the regulatory authority to establish a violation of the rules. However, the ability to request firms to show what measures have been taken to comply with the law allows authorities to engage in more proactive monitoring against lower enforcement efforts. The GDPR's principle of accountability can serve as an example here.
The principle of accountability implies that the controller is responsible for and able to demonstrate compliance with EU data protection rules. For instance, Article 5(2) GDPR requires controllers to demonstrate compliance with the data quality requirements, including the need for a lawful ground of data processing and the principles of data minimisation and purpose limitation. Another example can be found in Article 24(1) GDPR, which requires controllers to implement appropriate technical and organisational measures to ensure and be able to demonstrate that the processing of personal data is performed in compliance with the rules. Controllers thus have to be ready to show the data protection authority upon request that adequate measures are in place to ensure that their processing activities comply with EU data protection law.
This section explores how approaches similar to the GDPR's principle of accountability can be implemented in competition law, where further expansions of the reach of the special responsibility of dominant firms are already being considered. Within consumer law, a move towards positive duties is visible as well as illustrated by the guidelines on the protection of the online consumer that the Netherlands Authority for Consumers and Markets adopted in February 2020, 104 and by the suggestion of the UK CMA in its July 2020 final report on online platforms and digital advertising to introduce a duty of "fairness by design". 105

Expanding competition law's special responsibility
Recent developments in scholarly and policy discussions indicate a renewed interpretation, and perhaps even expansion, of competition law's concept of special responsibility, particularly for the digital era. Digital markets have been considered to possess certain key characteristics (including extreme scale advantages, network effects, and competitive advantages relating to data) that result in large or dominant undertakings retaining their market position even where superior competitors might exist. 106 It has been argued that some of these characteristics could trigger a special responsibility or even a finding of super-dominance that comes with additional obligations to ensure the competitiveness of these markets. 107 In this context, reference can be made to the suggestion in the 2019 report on "Competition Policy for the Digital Era" as commissioned by EU Commissioner Vestager to reverse the burden of proof for certain abusive practices by dominant firms. In the report, the three experts appointed by the Commissioner argued that in the context of highly concentrated markets characterised by strong network effects and high barriers to entry, one may rather want to err on the side of banning certain practices that are potentially anti-competitive and to impose the burden of proof for showing pro-competitive effects on market players. 108 In particular, the experts proposed to apply a presumption in favour of a duty to ensure interoperability and to reverse the burden of proof for practices of self-preferencing in certain circumstances. 109 In 2017, the European Commission held Google liable for abusing its dominance in the market for general search by displaying its own comparison shopping service more prominently in its general search results to the detriment of rival comparison shopping services. 110 While the Commission decision was under appeal at the General Court at the time the report was finalised, the experts suggested that vertically integrated dominant digital platforms performing a regulatory function should bear the burden of proving that self-preferencing "has no long-run exclusionary effects on product markets". 111 Because of the quasi-criminal character of competition law and the presumption of innocence, a reversal of the burden of proof is not without controversy. Beyond the application of the competition rules, upcoming ex ante regulation in the Digital Services Act may ban self-preferencing as a prohibited practice for gatekeeping platforms. 112 Without going as far as to reverse the burden of proof for certain practices in competition law, inspiration can be taken from the GDPR's principle of accountability, such as by requiring a dominant firm to show what measures have been taken to prevent violations of the competition rules. An analogy can also be made with the notion of "antitrust compliance by design" that Commissioner Vestager used in a speech to indicate that businesses need to build pricing algorithms in a way that does not allow them to collude. 113 She referred to the concept of "data protection by design" of the GDPR by way of analogy, requiring data controllers to build privacy into the design of services from the very start. 114 One should note that the expansion of competition law's special responsibility as proposed here goes beyond the role that some jurisdictions have given to antitrust compliance programmes. A number of national competition authorities (but not the European Commission) 115 consider such programmes as a mitigating circumstance when calculating the fine for a competition law infringement. 116 The integration of a notion of accountability within the special responsibility held by dominant firms will be more far-reaching, because it would give rise to a positive duty for dominant firms to show what steps have been taken to ensure compliance. While the existence of antitrust compliance programmes can lead to a reduction of the fine once an infringement has been established, a notion of accountability as suggested here would impact the very issue of whether the competition rules have been violated and what the threshold for intervention will be.
Beyond capturing exclusionary effects on a dominant firm's rivals, Sauter has argued that the original open-ended nature of competition law's special responsibility also offers an opportunity to extend the notion to the way a dominant firm interacts with its consumers. This would facilitate the establishment of a duty of care towards consumers in the form of a duty to take positive steps to protect consumers by upholding norms of "fairness" and avoiding exploitation. 117 In other words, undertakings that are found to be dominant would have additional positive obligations that have their roots outside of competition lawin this case, consumer law. 118 At the same time, one can wonder whether such a duty cannot be better established within consumer law itself.

Positive duties in consumer law
There are indeed developments towards advancing consumer protection in the form of positive duties. In its February 2020 Guidelines on the protection of the online consumer, the Netherlands Authority for Consumers and Markets makes clear that it is for traders to ensure that the design of an online choice architecture is fair and that any default settings must be favourable to consumers. Consumers should not be misled by the design and should not be tricked into a decision that they would not have taken otherwise. 119 Such a responsibility of the trader may be based on the notion of "professional diligence", which is one of the elements included in the general unfairness clause of Article 5(2) of the UCP Directive. As indicated by the Netherlands Authority for Consumers and Markets, the requirements of professional diligence can be interpreted as meaning "good business conduct" in line with a professional standard of "good faith". 120 Based on this line of reasoning, we submit that the notion of professional diligence in consumer law could serve a similar role as the principle of accountability in the GDPR and be interpreted as requiring traders to take active steps to help consumers in taking an informed decision.
In its 2020 final report on online platforms and digital advertising, the UK CMA goes a step further by proposing the imposition of a duty of "fairness by design" on platforms with strategic market status. Although wider application of the duty may be considered later on, the UK CMA justifies the choice for asymmetric regulation because platforms with strategic market status are the ones possessing market power, holding the largest amount of consumer data and are the most difficult for consumers to avoid using. 121 The duty of fairness by design would require platforms to design their choice architecture in a way that encourages free and informed consumer choices. An analogy can again be made with the GDPR's concept of data protection by design, thereby indicating the move towards positive duties in consumer law as well. These developments fit with the underlying idea of this paper to consider the imposition of a special responsibility on dominant firms, which may not only involve negative duties to refrain from behaviour, but also positive duties to ensure compliance and create fair outcomes for consumers.

V. CONCLUSION
The notion of special responsibility is a well-accepted part of EU competition law. Although the exact implications of a dominant firm's special responsibility are unclear, the concept is attracting renewed attention as a mechanism to make competition enforcement more effective through proposals for reversing the burden of proof or for imposing a duty of care towards consumers. EU data protection and consumer law are regimes of general application, whose obligations apply to all data controllers or traders without differentiating based on their market position. Nevertheless, as our analysis has shown, the substance of their provisions leaves room to integrate a special responsibility as well (see a summary of our findings in Table 1).
Examples in data protection law relate to the relevance of a data controller's market power to determine whether consent is freely given. The German Facebook case indicates how this could work in practice, although the approach of the Bundeskartellamt is not without controversy. In addition, stricter enforcement of principles such as purpose limitation is desirable, as this would inherently lead to stronger limitations for data controllers that process personal data for multiple purposes and within various services at the same time.
In consumer law, the interpretation of the "fairness" of contract terms and commercial practices would benefit from a consideration of the market power of a trader. Consumers Interpretation of open norms such as "fairness", "significant imbalance" and "undue influence" Duty of "professional diligence" and "fairness by design" GDPR = General Data Protection Regulation; UCP = Unfair Commercial Practices; UCT = Unfair Contract Terms.
will be less able to switch to other providers if the market leader imposes problematic terms or practices. In its 2017 investigation against WhatsApp, the Italian Competition Authority indeed seems to integrate elements of a special responsibility for compliance with consumer rules into its reasoning. We submit that a more explicit recognition of the market position of a data controller or trader within data protection and consumer law would make these regimes more effective at protecting data subjects and consumers. To reflect current realities, a greater level of responsibility should be imposed on firms possessing greater power whose practices are less constrained by market forces and thereby risk creating greater consumer harm. Our analysis has shown that the substantive provisions of the two legal fields leave the respective regulatory authorities sufficient room to acknowledge the existence of such a special responsibility, in analogy to competition law. However, this also has to be coupled with effective enforcement. We have illustrated that steps can already be taken in this regard without the need to make any institutional changes. By integrating market power as an element in priority-setting, one can create more asymmetric and focused enforcement towards cases or areas of particular concern where the benefits to consumers of interventions would be highest. Such an approach would especially strengthen compliance with data protection law, where enforcement of existing requirements such as purpose limitation is lacking, to the detriment of data subjects and overall competition. To make the enforcement of data protection law more effective, data protection authorities can learn from how consumer authorities cooperate in cross-border cases and share the burden of investigation.
Competition law, in its turn, can take inspiration from the rise of positive duties to show compliance in data protection law in line with the principle of accountability in the GDPR. A move towards positive duties is also visible in consumer law. While a notion of market power has so far been rarely integrated into the substantive scope of consumer law, the introduction of positive duties will provide room for more proactive enforcement. In addition, priority-setting based on market power is already more well-accepted in consumer law than in data protection law.
Although the three regimes analysed here differ in terms of objectives and scope, 122 they can inspire and strengthen each other in terms of substantive interpretation and enforcement approaches. Whereas the examples to support the reasoning in this paper largely relate to digital platforms and online services, our plea for more asymmetric interpretation and enforcement of data protection and consumer law applies more generally, irrespective of the type of service or the industry at stake. Apart from bolstering the individual regimes, cooperation between regulatory authorities from different fields is desirable and logical in areas where these regimes overlap. However, care should be taken to do so in a way that protects the individual goals of the regimes and does not result in an event where enforcement in one field undermines enforcement in other areas. Finding the appropriate balance will require cooperation on both the national and EU level.