Last week, the European Data Protection Supervisor (EDPS) released an Opinion on coherent enforcement of fundamental rights in the age of big data (available here). It builds on a Preliminary Opinion issued by the EDPS in 2014, which aimed to launch a debate on how to apply the EU’s objectives and standards in areas such as data protection, consumer protection and competition more holistically.
Recognising that the Commission’s wide-ranging Digital Single Market strategy presents an opportunity to launch a new, coherent approach, the EDPS makes recommendations (amongst others) for: (i) how merger controls should take personal data into account, and (ii) a voluntary network where regulatory bodies can share information (a Digital Clearing House).
Is personal data an asset that should be considered in mergers?
The EDPS Opinion considers that the largest web-based service providers (Google, Amazon etc., some of the biggest companies in the world) “owe their success to the quantity and quality of personal data under their control as well as to the intellectual property required to analyse and to extract value from these data”. And it’s true that gaining access to customers’ personal data has been a significant factor in some of the big tech acquisitions of the last couple of years (Facebook purchasing WhatsApp for example, or Microsoft’s pending acquisition of LinkedIn).
In a speech in March this year (here), Commissioner Vestager highlighted the fact that data is an asset, and that it can be a company’s assets rather than turnover that make it an attractive target. She warned that important deals which warrant review may be missed under the current system, as the acquisition of a company with access to – as yet unmonetised or undervalued – data may not meet the Commission’s turnover test (as with Facebook/WhatsApp, which only fell within the Commission’s remit due to Facebook’s Article 4(5) request).
The EDPS supports greater scrutiny of acquisitions of this sort, and recommends that the expertise of independent data authorities should be utilised to consider the effect of such acquisitions on consumer welfare.
Is privacy a competition law issue?
Commissioner Vestager downplayed the importance of privacy and data for competition enforcement in a speech in Copenhagen on 9 September (text here). She noted that “our first line of defence will always be rules that are designed specifically to guarantee our privacy” and that “we shouldn’t be suspicious of every company which holds a valuable set of data”. However, she did leave the door open for competition enforcement action in this area, recognising that a company in control of a unique set of data may be able to use it to shut rivals out of the market.
The EDPS Opinion also considers the interface between competition and privacy, but with a particular emphasis on personal data. It speculates that in the near future machine-learning algorithms may be able to exploit differences in consumers’ sensitiveness to price (identifiable from their personal data), enabling firms to segment the market into each individual consumer and charging according to his or her willingness to pay.
Should such an issue arise, it would prompt concerns from data protection authorities about whether personal data was being used in an appropriate way, and from competition authorities about the effect of such use on consumers and the market.
Surely it makes sense for these authorities to share expertise on these matters?
Digital Clearing House
Even before machine-learning algorithms take over, it’s clear that there are occasions where competition and privacy overlap, and where regulators can help one another. This already happens on occasion. The EDPS points to examples such as:
- The French competition authority’s interim decision in September 2014 that GDF Suez had abused its dominant position by using personal data collected when it was a state monopoly to later offer a promotion on an open market.
- The UK Data Protection Authority advised the CMA on its proposal to invite households who had not switched energy suppliers for three years to opt out from having their details shared with rival suppliers.
- Germany’s competition regulator, the Bundeskartellamt is currently investing Facebook’s privacy policies with input from a number of other national authorities – as we reported here.
The EDPS seeks to build on this kind of co-operation, proposing a voluntary network of contact points in regulatory authorities at national and EU level who are responsible for regulation of the digital sector. Such a network could discuss the most appropriate legal regime for pursuing specific cases or complaints, and could potentially use data protection and consumer protection standards to determine theories of harm relevant to merger control and exploitative abuse cases.
From a competition law perspective, this is not uncontroversial: the relevance of other laws to the competition regime has been rejected on a number of occasions in the past. Introducing privacy standards could open the floodgates to a need to consider, for example, environmental considerations, or industrial or social policy. Added to which, there would doubtless be a number of practical challenges to setting up such a network – the first which springs to mind is persuading the diverse authorities involved to listen to one another!
The Brexit shaped spanner in the works
It’s too early to tell what appetite there is across Europe for a Digital Clearing House, but any UK involvement may obviously be affected by Brexit. Aside from the politics involved, UK authorities may have to apply different legal frameworks to the rest of Europe (see our competition blogs on Brexit here and here, and our colleagues’ blog on the data protection implications here). We’ll also have to wait and see if the CMA shares the view of the EDPS on the importance of personal data.
Either way, we expect there to be significant developments in this area in the future.