The preliminary opinion of the European Data Protection Supervisor, published in March 2014, set out to promote a dialogue between the privacy and the antitrust circuits. The EDPS paper, to give it its full name, was entitled:
Privacy and Competitiveness in the Age of Big Data: The interplay between data protection, competition law and consumer protection in the Digital Economy.1
The EDPS also convened a workshop on 2 June 2014, of which there is a summary available on the EDPS website.2 The summary concluded with a number of points for further debate, and today’s gathering is a response to that invitation, focusing on certain of the questions identified which are of most interest to antitrust practitioners.
Most of you here, from the antitrust circuit, will be surprised to know that there was such a consultation paper or workshop. MLex did carry a story3 about the consultation paper, but somehow the participants on the day were very much from the privacy circuit, and from my perspective the discussion got bogged down on an unexpected preliminary point: seen from within the data protection/privacy orbit, many people thought it was strange or even improper to consider applying antitrust disciplines.I learn the curious expression “instrumentalise” that day. It seems to be a new loan word from the French, meaning to use something as an instrument for a purpose that wasn’t intended. Those few of you who were there that day will remember my outburst from the audience in frustration at that point of view, and in this gathering I don’t doubt that people will understand why. To start with straightforward examples:
- Big datasets are assets, and valuable ones at that. Businesses spend good money accumulating them and buying other businesses that have them.
- Privacy features are differentiating characteristics between competing service providers, and relevant as a non-price parameter of competition.
There are numerous further examples which we will see as the afternoon goes on, but this audience will recognize at once that antitrust law is relevant to this economic sector, as it is to every other economic sector.
- Acquiring valuable assets is relevant in analysing a merger.
And the Commission has examined whether a concentration might enable a dominant player to degrade the level of protection of confidential data without fear of losing business.4
- Defining privacy characteristics in an industry standard is subject to Article 101 disciplines on objectivity of standard-making: that’s a current controversy in relation to the creation of a DO NOT TRACK standard by the W3C consortium.5
And Art 101 is relevant to exclusivity clauses preventing transfer of a dataset.
- And if you have lots of such agreements, or anyhow lots of data, that could be an issue under Art 102.6 Significant holdings of data, used as a platform to provide services, are potentially a barrier to entry to others who might like to provide a competing service.
And there is the concern that a dominant player may, unrestrained by effective competitors, degrade the quantity or quality characteristics of its output. (And privacy characteristics are, we know, a non- price parameter of competition.) Mr Buttarelli, the EDPS, referred in a recent speech to competition authorities addressing abusive use by [a] dominant firm of non-negotiable ‘privacy policies’.7
How we approach the analysis is today’s topic, not the application to any particular set of facts.
It is not unusual of course to have areas of economic activity which fall into multiple legal regimes. The cases around Libor and Forex, for example, are up before antitrust regulators and also financial service regulators.8
Faull & Nikpay have this to say about a similar debate thirty-five years ago:
[R]epresentatives of the [financial] sector long argued that the uniqueness of the sector precluded a full application of Articles [101 and 102], despite the absence of any such exclusion in the Treaty. In the 1980s the Court had the opportunity to reject this hypothesis, both for banking and for insurance. In the Zuechner case, the Court rejected arguments that banks are not fully subject to Articles [101 and 102].9
So I don't think we need to pause long over any supposed threshold issue whether we should be talking about antitrust at all.
Let me pinpoint though a very specific question concerning the intersection of the two laws, which is around the question of consumer welfare. In its simplest form, the question raised by the EDPS is whether the consumer welfare pursued by the privacy laws overlaps with the consumer interests which the antitrust laws try to protect. To put that differently: should DG Comp give weight to privacy protection in balancing an antitrust equation? The Commission has been into this in a couple of merger decisions – Google/DoubleClick10 and Facebook/WhatsApp11. In the Facebook press release it wrote:
In the context of this investigation, the Commission analysed potential data concentration issues only to the extent that it could hamper competition in the online advertising market. Any privacy- related concerns flowing from the increased concentration of data within the control of Facebook as a result of the transaction do not fall within the scope of EU competition law.
The General Court has said something similar, albeit only in passing. This was in the Asneft case in 2006, which concerned a register containing credit and solvency information about individuals. The Court said:
…any possible issues relating to the sensitivity of personal data are not, as such, a matter for competition law, they may be resolved on the basis of the relevant provisions governing data protection.12
You would not be using time productively if you go back to the judgment to see the reasoning behind the statement: there is none. The Advocate General has a similar single sentence.13 The subject matter of the case was unconnected: it was a reference from a Spanish court on the question whether agreements between financial institutions to share information on customer credit/solvency are liable to restrict competition, and the possibility of exemption.
So there is guidance from the Commission and the Court, which coincide in saying that privacy concerns, “are not, as such, a matter for competition law”. But the Commission is explicit that it analysed data concentration issues to see if there might be harm to competition. In today’s debate we shall be taking a deep dive into the tools and theories for assessing data issues under the competition laws. And we will test the notion that privacy issues are by that simple characterisation outside of any antitrust analysis. There is more to say than the Court’s passing comment, made in a case not presenting a relevant set of facts.
I do not hold myself out as an expert in privacy laws, but in developing my interest in this debate I feel confident at least in observing that Big Data seems in any event to be substantially outside privacy regulation. That seems indeed to be a matter of discussion in the privacy world, and it does seem to me to be curious, if you start from the notion that the data protection rules are meant to ensure that personal data is
…collected for specific, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.14
Now it may be true that some diagnostics on big datasets do not relate to individuals. That would be the case, for example, where a search engine is able to measure the spread of a flu epidemic across a continent, looking at the pattern and volume in the searches made by millions of individuals on terms such as “sore throat”, “flu symptoms”, “aching bones and fever”, etc. But we know that much of the information gathered in this way is profiled and analysed in a way specific to individuals, because he or she becomes a target for specific relevant advertising, as the search engine – in the ugly phrase – sells their “eyeballs” to advertisers keen to be exposed to customers who are known to be interested in a particular purchase, be it a camera, a skiing holiday or a restaurant meal. But unless I am missing something, privacy laws do not prevent that profiling of individuals. So all the more reason to look after the consumer with available tools.
There are some interesting and novel challenges for antitrust in evaluating the two-sided markets in which advertisers buy access to people searching on the internet. The advertising side of that market is easily enough addressed with usual antitrust tools, but what about the user side? We all search for free – that is, we don’t pay in money. But we do pay, in the information that we provide about ourselves, which the platform can then monetise by selling our eyeballs to advertisers. How far we all realise that we are paying in personal data may be a question. That seems to me to be a legitimate privacy issue, but there are also plenty of legitimate antitrust angles.
- Some personal data is acquired and then traded as a commodity, by data brokers. So there is a market in that data, and the need to define it in terms of relevant antitrust parameters.
- Some of it is used to provide advertising opportunities to businesses on the other side of the two- sided market, and so may be an input to that service rather than a commodity sold in its own right. The identity of the targeted individuals isn’t disclosed, unless they choose to click into a website and so identify themselves. But as an input the dataset used by the search engine has economic significance.
- That invites us into a discussion as to the type and quantity of data that a given player holds, and whether others hold comparable datasets that allow them to offer the same service.
- If you shop on Amazon, then Amazon knows your shopping preferences in the same way as Google does by your online shopping expeditions.
- If you research your next holiday on Expedia, TripAdvisor and Google Hotel Finder, all three can develop relevant datasets about you.
- An email provider, say Google, Yahoo or Microsoft, may know your Contacts list, similar in a way to the information that Facebook and Google+ have about your on-line “Friends”. (Indeed some email providers scan your emails for any useful profiling information.) And LinkedIn knows your professional networks.
- If you listen to music through iTunes, Spotify and YouTube, then Apple, Spotify and Google all know your musical preferences.
- So in any one of those areas, a competitor may be able to compile a similar dataset, at least if they have a similar size of operation. But in my examples, only one company knows your activity in all four areas and so is able to combine data from many different sources to create the most sophisticated profile. Is that significant? Do those things constitute a factual circumstance suggesting market power or a barrier to entry?
At the very least interesting questions of substitutability of data and market definition are there to be discussed.
To declare an interest, I am active in support of the FairSearch coalition which is a complainant in the Commission’s ongoing investigation into Google, for Microsoft as a member of the coalition, as well as for other players in the industry that have concerns about Google. But we have speakers today on the other side of the debate, and I am sure we will have a vigorous discussion. On behalf of Cadwalader, and Concurrences, I welcome you here today.