Personal data markets

In assessing whether a merger, agreement or market conduct is compliant with competition law, it is usually necessary to define the relevant market in order to provide a framework for assessing the effects on competition. This is done by assessing whether certain products or services are substitutable for others; those which are not substitutes do not fall within the same market. The Opinion argues that, in addition to defining markets by reference to products and services, there should also be a "market" for personal data, and those companies in possession of Big Data should be considered to have significant power or dominance on those markets.

However, a personal data market is not truly analogous to an economic market defined using competition law tools and used to allocate market shares or power. Firstly, determining market shares is generally done by assessing the proportion of sales of each market participant in the relevant market. While personal data is, of course, bought and sold, this is not the market the EDPS focuses on. Rather, it is the share of personal data that is held by a particular operator, usually through collection from its own users. However, in addition to the obvious issue that the same personal data set can be held by more than one company, there are a number of problems with such an approach.

First, for many companies, it is information about businesses not consumers which will be important in determining the strength of their data portfolio and which may be relevant to their market power. The focus of the EDPS on personal data as a measure of market power ignores the fact that many dominant undertakings do not sell to consumers or make widespread use of personal data. As such, it is information about customers (and potential customers), not necessarily about consumers or individuals, which is potentially relevant to assessments of market power. The EDPS might suggest that there should be different rules and obligations for companies selling to businesses and those selling to consumers. However the data protection regime already operates so as to impose obligations on data controllers which are proportionate to the nature and volume of personal data they process.

One might also argue that having large amounts of personal customer data is commonly the result of having a large number of customers willing to provide it and, perhaps, also the technology and/or Intellectual Property Rights (IPRs) with which advantageously to exploit the data provided. However, it is the volume of customers (and perhaps the technology/IPRs) which are truly indicative of market power, not the personal data itself. As such, there may be little value in seeking to create distinct 'markets' relating solely to personal data. Any indication of 'data market power' would also be indicated by market power under a traditional economic and competition law analysis. This can be demonstrated using the example of a data security breach; the concern for the business in such cases is that the loss of data will lead to a loss of customer confidence and a consequent loss of sales. The concern will very rarely be the loss of the data itself.

Crucially, the accumulation of data (whether personal or otherwise) is not, in itself, problematic under competition law. Decades of economic analysis and case law of the European Courts have determined that certain conduct of companies, which are dominant from an economic perspective, is particularly capable of producing harmful effects. As such, the imposition of certain restrictions on their behaviour is justified in order to prevent such harm. However, there is no such presumption established in relation to holding large amounts of personal data. If anything, data protection cases tell us that those in possession of relatively small amounts of personal data can be equally, or even more likely, to cause harm to data subjects than those possessing large amounts, since the latter will often have more sophisticated compliance and security policies in place.

Abuse of dominance of personal data markets

Even if it could be established that there could be such a thing as a 'personal data market' in which certain companies could have a dominant position, for there to be a competition law infringement there must also be an abuse of that position. The Opinion argues that the competition case law relating to "essential facilities" might be a basis on which to require holders of Big Data to license their databases to third parties.

It is now established that dominant companies which refuse access to essential facilities, which are necessary for competition on a downstream market, may be considered to be abusing their position and be required to grant access to others. It has also been established that a dominant company that refuses to license IPRs which are essential for downstream competition can be required to license those IPRs in certain circumstances. However, the case law has consistently emphasised the highly exceptional nature of such compulsory licensing or access. In particular, it is very unlikely that the Commission would require it if it were possible for rivals to develop an alternative solution, even if this involves considerable time and investment.

It seems very unlikely that there would be many cases in which access to a database of personal data would be essential for the operation of a particular service, or where it would be commercially impossible for a competing undertaking to operate without it. The latter requirement, in particular, has been very strictly interpreted by the European Courts, and it would not be possible to short-circuit this analysis on the basis that the input in question happens to be personal data. The Commission is likely to take the view that it will always be possible for a rival to develop its own database of personal information over time, which will enable them to compete effectively.

The crucial point is that the only cases in which a database of personal data could compulsorily be licensed would be those in which such a licence would be required through the normal operation of the competition rules on refusals to license and/or essential facilities. There is currently no other legal basis on which owners of Big Data could be compelled to allow access. The correct way to develop the law would be through reforming the data protection regime, rather than artificially expanding the scope of competition laws which are quite deliberately of narrow application.  

One other potential argument not explored by the EDPS in the Opinion but which could be relevant in this area, is that a breach of data protection laws could, in some cases, also amount to an abuse of a dominant position on the basis of the Commission's decision in AstraZeneca. In that case the Commission established that AstraZeneca was dominant and had intentionally misled patent authorities in order to derive a competitive advantage. As such, an abuse of the patent system was also held to amount to an abuse of dominance under competition law.

One could, perhaps, seek to argue that where a breach of data protection law leads to a dominant company deriving a competitive advantage, this could also amount to abusive conduct. However, this leads back to the same conclusion that was reached when considering privacy issues in merger and essential facilities cases; the only cases in which a possible data protection issue could lead to a merger being blocked, or a finding of abusive conduct, are those in which such a merger will impede effective competition, or such conduct will also amount to an abuse of dominance. As such, we must query the need to expand competition law in light of data protection concerns at all.

Final thoughts

One other possible solution to address a potential gap would be to introduce sector-specific regulation for data-rich/online industries. We already have a specific competition law regulation regarding technology transfer agreements and agreements in the insurance sector. There are also specific competition rules in place, for example, in relation to the computerised reservation systems operated by airlines, which take into account the unique characteristics of such services and their potential to cause competition problems.

While it may be possible to produce similar rules or guidelines for companies involved in processing Big Data, the tendency in recent years has been to move away from sector-specific regulation and require companies to comply with the general principles of competition law. At any rate, given the level of debate that has raged regarding a new proposed Data Protection Regulation, it is hard to imagine how a specific regulation in this area could successfully be created. It could be argued, therefore, that the EU's institutions should seek to apply the established principles to new situations thrown up by market developments and innovation, instead of vainly attempting to keep pace with fast-moving industry sectors by re-writing the competition rules with them in mind.