In a digital landscape increasingly shaped by complex European regulations – GDPR, DMA, DSA, AI Act, to name just a few – cooperation between Regulators is not only relevant but essential. Our distinguished colleague Dr Konstantina Bania has already explored this topic in a previous Post, to which we refer the reader.
This Post focuses on the French perspective, and more specifically on the evolving relationship between the Autorité de la concurrence (AdlC) and the Commission nationale de l’informatique et des libertés (CNIL), which has reached a symbolic (and potentially structural) stage in their cooperation.
The Joint Statement of December 12, 2023, entitled “Data Protection and Competition: A Shared Ambition”, issued by the AdlC and CNIL, seems to have marked a turning point. Going beyond the traditional divide between Competition law and Data protection, the two Regulators take a cross-cutting approach to digital regulation issues. This was most recently illustrated by the AdlC’s 2025 Apple ATT decision.
Yet the question remains: does this rapprochement suggest that the two Regulators are poised to live happily ever after? This is the question we will reflect upon and offer some thoughts on.
Context: An Increasingly Visible Intersection
For several years now, the areas of friction (or complementarity) between Competition and Data protection, driven inter alia by the digital transformation of the economy, the importance of data in new business models, the growing role played by the major digital platforms in everyday life, the race to innovate and the EU Digital regulations, have been multiplying. The 2023 ECJ Meta Platforms case (2023) clarified the duty of sincere cooperation between Regulators in cases where the Competition and Data protection regulators’ jurisdictions overlap, providing a legal framework for what could have previously been only sporadic and circumstantial collaboration.
In France, the AdlC and the CNIL had already crossed paths on certain cases (GDF Suez in 2014, Apple ATT Interim Measures in 2021), but without developing a truly coordinated strategy – it being clarified that prior coordination between them was largely at the initiative of the AdlC.
That has now changed with the above-mentioned Joint Statement, which shows a clear ambition: to integrate both competition and privacy concerns into their respective actions.
An Ambitious Yet Cautiously Flexible Roadmap
On paper, the Joint Statement published in December 2023 appears ambitious. It outlines numerous areas for enhanced cooperation:
- On the AdlC’s side, the personal data dimension is integrated into its analyses in coordination with the CNIL. This applies to: (i) the development of new antitrust theories of harm that place (personal) data at their core – such as exploitative abuses concerning how user data are collected and processed; (ii) the design of remedies or commitments related to user data in antitrust investigations – such as data sharing obligations with competitors or duties not to combine or use certain data; and (iii) merger control analyses – including the definition of relevant markets (e.g., where user data are considered key inputs), the role of data as a parameter of competition or as a contributor to the creation or reinforcement of dominance, and the formulation of both structural and behavioural remedies.
- On the CNIL’s side, the competitive impact of its interventions on a given market is taken into account. For major decisions with competitive implications, this means analyzing market positions and attempting to anticipate unintended legal consequences. Concepts such as relevant market and dominant position inform both the assessment of data processing purposes and the severity of sanctions. Moreover, dominant market positions are treated as a factor when evaluating the validity of consent – particularly in cases where there is a clear imbalance. In markets lacking competition, the CNIL may also adopt a more asymmetric regulatory approach, reflecting higher risks to individual rights and freedoms – elements that could also lead to more severe sanctions.
- On both sides, the enhanced cooperation aims to encourage a joint compliance approach, whereby economic operators incorporate both privacy and data protection requirements and competition rules from the earliest stages of designing a product or service.
In terms of operational implementation, the document contains a fairly detailed action plan structured around six methods: (i) strengthened dialogue (in particular, exploratory and informal exchanges of views on a given issue, or to prepare a formal referral to the other Regulator or ex-officio action), (ii) early consultation, (iii) better understanding of the other Regulator’s regulatory framework to help identify issues requiring a joint approach, (iv) joint foresight initiatives (including joint studies on topics of mutual interest, and, in this context, joint hearings or joint calls for contributions), (v) operational exchanges at different levels of the Regulators in order to keep their cooperation active, and (vi) seminars.
These ideas, which resonate with (and may have inspired?) the subsequent EDBP’s position paper on the interplay between data protection and competition law (16 January 2025), clearly reflect the serious nature of the stated commitment made by the two Regulators toward enhanced cooperation.
But having said that, some nuances need to be considered. The choice of a soft law instrument raises the question of its effectiveness. While soft law instruments offer significant advantages in terms of rapid development compared to hard law instruments, which require a lengthy legislative process, they come with two major disadvantages.
First, soft law instruments inevitably limit the scope for enhanced cooperation to the boundaries of the existing legal framework, particularly the provisions regarding regulators’ powers and procedural rules.
Second, soft law instruments have an ambiguous legal scope and involve a degree of legal uncertainty. Although they are not legally binding, they may, in certain circumstances, be deemed to have legal effects. In the present case, the Joint Statement appears prima facie to be above all a mere declaration of intent, unlikely to be legally binding on the AdlC and the CNIL. It is indeed not guaranteed that the Courts would recognize its potential legal effects, even if a closer reading may prompt further consideration.
Therefore, at least for the time being, the level of enhanced cooperation is likely to be heavily reliant on the goodwill of the Regulators (with the exception, of course, of the mandatory framework established by the ECJ’s Meta Platforms case). But so far, their involvement seems strong, as will be seen below.
First Tangible Results: The CNIL Recommendation on Mobile Apps
It did not take long for the first fruits of this enhanced collaboration to appear. In parallel with the elaboration of the Joint Statement, the CNIL requested for the first time the opinion of the AdlC on its draft recommendation concerning Mobile Apps. The aim of this prior consultation was to ensure that the CNIL’s recommendation effectively protected users’ personal data without having the effect of strengthening the dominant position of certain players and/or these recommendations being used by certain players as justification for anticompetitive practices.
In its Opinion, the AdlC first insisted on the fact that providing enhanced information to actors along the mobile App value chain regarding the implementation of privacy regulations was crucial to reduce entry barriers and equip stakeholders with a clear understanding of their regulatory environment. It also noted that transparency of access rules played a vital role in preventing discriminatory practices against smaller market players.
The AdlC then recognized that tensions might arise between the objectives of privacy protection and the need to maintain competitive markets. For the AdlC, while privacy measures that go beyond the strict requirements of the GDPR are not inherently unlawful, they must be carefully defined and implemented to avoid generating anticompetitive effects that are not balanced by adequate consumer benefits. This is especially critical when dominant operators are involved; they must ensure that their access and operational rules remain proportionate, objective, transparent, and non-discriminatory.
The AdlC further recommended that the CNIL designed its recommendations so as not to confer additional power on already dominant market players – particularly those designated as gatekeepers – nor delegate national regulatory authority to them, as this could worsen existing market asymmetries. Moreover, it was deemed necessary for the CNIL to explicitly state that its guidelines apply equally to both proprietary Apps from OS or App store providers and third-party Apps, thereby preventing any preferential treatment.
Finally, to avert the risk of creating extra barriers to entry or causing competitive distortions between the mobile and web sectors, the AdlC advised that the CNIL’s recommendations be part of a harmonized approach among national privacy regulators.
The result was perceptible: an enriched CNIL’s 2024 final Recommendation on Mobile Apps[1] that takes into account both privacy protection requirements and competition issues. In particular, the CNIL has further clarified the distinction between obligations, on the one hand, and recommendations or good practices on the other hand, to provide greater legal certainty. It has also stressed out that recommendations must be applied in compliance with Competition law and the Digital Market Act (DMA). Lastly, the CNIL has refocused its recommendations on permissions systems by targeting so-called “technical” permissions, designed by OS providers, which allow users to grant or block access to certain information (contact book, geolocation, microphone, camera, etc.), regardless of the purposes for which it might be used (advertising, statistics, technical, etc.).
The Apple ATT Case: Enhanced Cooperation in Action
On March 31st 2025, the AdlC imposed a €150 million fine on Apple for abuse of dominant position (in the distribution of Mobile Apps on iOS and iPadOS) through the implementation of its App Tracking Transparency (ATT) framework between April 2021 and July 2023.
In short, Apple’s implementation of ATT required a two-step process for iPhone and iPad users to grant their consent to data collection on third-party Apps before any use of a newly downloaded Apps. Subject to this consent, those third-party apps could access the Identifier for Advertisers (“IDFA”), by which each device could be tracked through its use of third-party Apps and sites. On the other hand, refusal for tracking was given by users with a single action. This implementation was and is not applied in a uniform manner to third-party publishers and Apple’s own Apps.
While the AdlC acknowledged the stated goal of better protecting personal data as legitimate, it deemed the way the ATT operated neither necessary nor proportionate to it and economically harmful to third-party advertisers and app publishers.
In particular:
- The consent obtained via ATT by third-party apps does not meet legal standards (including data protection laws), meaning that publishers must still implement their own additional consent mechanisms, which makes the use of third-party Apps in the iOS environment more complex and hence difficult.
- Rather than facilitating informed consent (a legal basis that makes data processing compatible with the GDPR), ATT’s implementation is found to undermine it, contradicting its own stated purpose.
- Apple imposes stricter consent requirements on third-party publishers while applying more lenient rules to its own apps, an imbalance that still persists today.
The AdlC decision marked the first concrete step in the Regulators’ joint declaration and was widely advertised as such by the two Regulators. In that context, the AdlC received not one but two opinions from the CNIL, emphasizing that privacy compliance could be achieved without compromising the user experience. They suggested that minor adjustments to the ATT pop-up would allow it to meet both privacy and competition law requirements, without creating unnecessary complexity. The CNIL’s position was clearly very helpful to back up the AdlC’s theory of harm, which heavily relied on the CNIL’s opinion for running the necessity and proportionality test.
This decision did not really come up as a surprise as the opinion expressed by the AdlC in relation to the draft CNIL Recommendation on Mobile Apps had already given clear indications as to how the case would be addressed.
And Tomorrow? Spotlight on Artificial Intelligence
The latest area of enhanced cooperation is Artificial Intelligence. Several concerns are already being raised, specifically in relation to access to data, which plays a crucial role in both the development and the deployment of AI technologies. Those concerns have been highlighted in particular in the AdlC opinion 24-A-05 of June 28, 2024 on the competitive functioning of the generative artificial intelligence sector, commented in this BlogPost.
On March 5, 2025, the two authorities held a joint seminar on AI-related challenges, from model training to open-source strategies and economic models, which they both advertised on their respective websites (this active communication seems also to be part of the new paradigm). The joint seminar further underscored the need for effective regulation to balance innovation with the protection of fundamental rights, such as personal data protection and the need for cooperation between the AdlC and the CNIL to anticipate friction points and ensure that competition remains fair while fostering the growth of AI technologies.
Love or Convenience? Signs of Convergence, but Caution Still Needed
As this enhanced cooperation is still in its early stages, it remains uncertain whether it will lead to a true hybridization of competition and data protection concepts and doctrines, or whether it will remain limited to sporadic, case-specific collaborations.
There does, however, appear to be a genuine commitment on the part of the two French regulators to join forces and stay ahead of the curve. The initial test cases already point to a growing convergence. In doing so, they have sent a clear message to Big Tech platforms: the strategy of playing one regulator against the other has become significantly more difficult (as Apple recently discovered), and this will likely become even more challenging if the current trend toward an entente cordiale continues.
Nonetheless, several important questions remain unanswered. What role is left for private stakeholders in this new dynamic? What level of transparency and legal certainty can be expected from a form of cooperation that often relies on informal exchanges or is not strictly mandatory for the regulators? How can extended processing times—due to increased coordination between authorities—be avoided, so as not to burden stakeholders? And is the current legal framework, including the guidance from the ECJ’s Meta Platforms case, sufficient to support the regulators’ ambitions? Or is there a need for legislative intervention?
It would be preferable for these issues to be addressed sooner rather than later. On other fronts, the proposals in the Lasserre Report – commissioned by the CNIL and authored by Mr. Lasserre, former Chairman of the French Competition Authority shortly after the Joint Statement was published – offer several ideas that may be worth further exploration.
[1] The Recommandation was repealed and replaced by an amended Recommandation aiming at rectifying certain errors, omissions or inconsistencies, and at responding to requests for clarification from certain stakeholders affected by the recommendation(see Délibération n° 2025-024 du 27 mars 2025 portant adoption de la recommandation modifiée relative aux applications mobiles et abrogeant la délibération n° 2024-061 du 18 juillet 2024 portant adoption de la recommandation relative aux applications mobiles).