Answer given by Mr Reynders on behalf of the European Commission
26.3.2021
Under the General Data Protection Regulation (GDPR)[1], enforcement of data protection rules is assigned to the independent supervisory authorities in the Member States.
The supervisory authority of the Member State of the controller’s main establishment acts as lead authority for cross-border cases, cooperating with the other authorities concerned through the consistency mechanism under GDPR. As the EU main establishment of WhatsApp is in Ireland, the Irish Data Protection Commission is the lead supervisory authority under the GDPR.
In 2014, the Commission cleared unconditionally the WhatsApp acquisition by Facebook under the EU Merger Regulation 139/2004[2]. In 2017, the Commission fined Facebook EUR 110 million for providing incorrect or misleading information (on the technical (im)possibility to automatically match user identifiers) during the review of that transaction.
The incorrect or misleading information did not have an impact on the merger clearance decision, which was based on a number of elements going beyond automated user matching, such as the number of available alternative consumer communications applications (such as iMessage, Viber or Telegram) that would still be available post-merger.
The Commission had also carried out an ‘even if’ assessment that assumed user matching as a possibility.
Competition concerns were identified in the Alstom/Bombardier merger bringing together two leading suppliers of trains and signalling solutions.
Under the EU Merger Regulation, merging parties may offer the divestiture of a part or the whole of a business to address competition concerns, and therefore, a divestiture was accepted as a condition for clearing the Alstom/Bombardier merger.