In March 2014, Peter Hustinx, the European Data Protection Supervisor (EDPS), produced a preliminary opinion on "Privacy and competitiveness in the age of big data" (Opinion). The Opinion claims that closer dialogue between regulators, and a "holistic approach" to the enforcement of competition law and data protection will lead to more effective regulation in these areas. However, the Opinion looks like an attempt to pave the way for the EDPS to appropriate remedies exclusive to the competition regime in order to resolve data protection problems.
The relevant laws
Competition law uses both behavioural and structural remedies to regulate market conduct. The European Commission (Commission) may investigate and fine companies which conclude anti-competitive agreements or abuse their dominant market position. The Commission can also render illegal agreements void and require that abusive practices come to an end.However, EU competition law also regulates mergers and acquisitions through the European Community Merger Regulation (ECMR) and requires that such transactions are notified to the Commission in advance (where they exceed specified thresholds) to ensure they will not result in an impediment to effective competition in the relevant market. The Commission has powers to block mergers which raise competition problems, or impose behavioural and/or structural remedies, such as divestments, to address such concerns.
Data protection law, however, relies on behavioural remedies only. Data protection regulators can investigate and fine companies that breach data protection laws, and require certain behavioural changes from such companies. These might include improving compliance policies or implementing more advanced security measures. However, there is no ability to take pre-emptive action to prevent market conditions from arising which might be detrimental to data protection.
Google / DoubleClick
The attention on the relationship between competition and privacy has been increasing since the Google / DoubleClick merger decision in 2008. During the Commission's investigation, a number of market operators and civil society groups challenged the merger on the basis of privacy, as well as competition concerns. Since DoubleClick was a leading provider of "ad-serving" technology, many were concerned that its merger with Google would give the combined entity greater potential to track online customer behaviour and use this information for targeting purposes through their extensive combined databases of personal customer data.
The Commission found, however, that the combination of the databases on search and web browsing behaviour would not create a competitive advantage in the online advertising business; at least, no advantage which could not be replicated by other users with access to similar web-usage data. As such, the merger was cleared.
The Opinion criticises the Commission for its "purely economic approach to the case" (even though merger analysis is largely a question of economics) and for failing to consider the longer term impact, should the combined entity's search and browsing data be processed for purposesincompatible with data protection law. Taken to its logical conclusion, the EDPS's argument is that the Commission should use the competition-based merger control rules to block mergers where there are concerns regarding privacy, even if the merger raises no substantive competition concerns. Such an approach would be highly controversial.
The Opinion argues that there are currently a small number of large market operators with access to enormous databases of personal information, with most others managing to obtain only a fraction of that held by the big players (the EDPS might call them "dominant" – an issue we will focus on in Big Data and competition – data-rich does not mean dominant). The result, says the EDPS, is that companies may be able to take an aggressive approach to data collection and data use and a lax approach to compliance, safe in the knowledge that their competitors are acting in the same way.
This description is analogous to an oligopolistic market in economic analysis. Such markets are made up of a small number of operators of a similar, large size, leading to a high degree of market transparency. In such circumstances, there is often little for competitors to gain by seeking to differentiate themselves based on lower prices and/or greater quality because consumers have no other viable choices, therefore prices remain high and quality low. In the EDPS' "Dig Data" scenario, there may be little incentive for database owners to differentiate based on protecting privacy, for the same reasons. The EDPS suggests, however, that privacy policies could become a "parameter of competition", and that prohibiting certain mergers could help to expedite this process.
Even if this were true, this is not a legitimate basis on which a merger could be prohibited. Decisions to block mergers on competition grounds must be based on a substantiated "theory of harm", which would be likely to arise if the merger were permitted and which would "impede effective competition in the market". The ECMR says nothing about blocking mergers whichimpede effective data protection in the market, and certainly nothing about prohibiting mergers where the merging parties might be more likely to improve their compliance policies if the merger were blocked.
The Opinion looks like an attempt to lay the ground for allowing data protection regulators to rely on competition law's structural remedies in order to address privacy concerns which may arise in the context of a merger investigation. In doing so, the EDPS would be seeking to enable data protection law to adopt preventative, forward-looking measures to prevent future data protection problems from arising, as is authorised in the competition law context under the ECMR. However, there is nothing under any EU data protection law which authorises the use of such prospective or structural measures and it is not possible to 'borrow' remedies from another area of law simply because they might be considered attractive or effective.
Allowing competition and data protection laws to be merged in a way which does not fall within the existing parameters of competition law would lead to a highly undesirable level of uncertainty. It could open up the possibility of a company complying with applicable competition laws and with applicable data protection laws, but not complying with the EDPS' blend of the two.
Nevertheless, this issue has arisen in subsequent cases and it is likely that the EDPS will seek to intervene in merger investigations where the parties are in possession of large amounts of personal data, in order to make representations regarding data protection concerns. The Commission needs to be vigilant to ensure that these concerns are only taken into account when the use of such data has adverse economic consequences – not adverse consequences for data protection alone.
For further analysis of the Opinion, please see Big Data and competition – data-rich does not mean dominant.