Debevoise & Plimpton Discusses Whether EU Antitrust and Data Privacy Rules Are Converging

Competition v Privacy. Competition and consumer authorities are increasingly considering the implications of digital platforms’ ownership and use of consumer data and whether concerns about harm to privacy are indicative of a lack of competition.

For a long time the orthodoxy in the EU had been that competition authorities were sensitive to the possible issues of data concentration, but, equally, were careful to contain their analysis. The prevailing view was best summarized by the EU Court of Justice that “any possible issues relating to the sensitivity of personal data are not, as such, a matter for competition law, they may be resolved on the basis of the relevant provisions governing data protection”. While the accumulation of personal data could raise competition issues in particular circumstances, data privacy issues were firmly within the remit of the EU data protection rules.

More recently, however, there has been an increasing focus led by national European competition regulators on the intersection between protecting consumers and their data, and promoting fair competition and market conditions. Central to this is the concern that dominant businesses could abuse their unique position and access to data to the detriment of both consumers and competitors. The main argument against such convergence can be summarized as the risk of incoherence. That competition law and laws designed to protect personal data have different aims, and using one to regulate the other has the potential to lead to inconsistent enforcement based largely on the size of the company holding the data.

We consider here some of the most recent developments.

German prohibition on data processing. The German Federal Cartel Office (“FCO”) has long considered that data privacy and competition law are not mutually exclusive. In a joint paper with the French Autorité de la concurrence in 2016 the suggestion was already in place that the reduction of data protection could indeed be a competition issue; “privacy issues cannot be excluded from consideration under competition law simply by virtue of their nature (…) privacy policies could be considered from a competition standpoint whenever these policies are liable to affect competition, notably when they are implemented by a dominant undertaking for which data serves as a main input of its products and services

In the same year the FCO began its inquiry into Facebook that led to its landmark decision in February 2019 that the manner and extent to which it collected and used data were in violation of the European data protection rules (the General Data Protection Regulation (“GDPR”)) and were thereby also an abuse of market power. In particular, that Facebook had made the use of its social network conditional on the collection of user data from other apps that it owned, including Instagram and WhatsApp, as well as multiple third party sources.

In interlocutory proceedings, Dusseldorf’s Higher Regional Court in August 2019 granted Facebook a temporary injunction, finding (amongst other things) that users could balance the consequences of the use of their personal data against the use of Facebook’s advertising-financed (and consequently free-to-use) platforms. It held that data privacy in this context is a data protection issues and not a competition one. More importantly, the court also noted that a breach of GDPR by a dominant player would not automatically be an abuse of dominance.

In June 2020, Germany’s highest court, the Federal Court of Justice preliminarily agreed with the FCO’s original decision, prohibiting Facebook from merging personal data without specific (rather than general) user consent. The court found it had no reasonable doubts that Facebook abuses its dominant position in the market for social media in Germany and that Facebook’s terms could potentially be both exploitative (i.e. giving users no alternative to accepting Facebook’s conditions) and exclusionary (i.e. Facebook’s access to a considerably larger database is likely to have a negative competitive effect on neighboring markets of advertising services) abuse.

Interestingly, the court did not discuss whether GDPR violations could form the basis of an abuse of conduct claim. However, it should be noted that this is a preliminary decision on the basis of a limited standard of review. The main appeal proceedings against the FCO’s decision in Dusseldorf’s Higher Regional Court are still pending. These will likely be heard in late 2020 or early 2021, and it is possible that the Higher Regional Court may curb the Federal Court of Justice’s recent decision.

UK study into online platforms. As flagged in our July European Data Protection Round Up, the UK Competition and Markets Authority (the “CMA”) has recently published the conclusions of its market study into digital advertising in the UK. It launched that review in July 2019 to find out more about how major online platforms like Google and Facebook operate.

The digital advertising market accounts for over half of all advertising, and UK expenditure was almost £13 billion in 2019, 80% of which was earned by Google and Facebook. The CMA was therefore concerned about Facebook’s and Google’s inherently dominant market positions for display and search advertising revenue and what this meant for competition. Its market study focused on three potential sources of harm:

  • to what extent Google and Facebook have market power in search and social media respectively and the sources of this market power;
  • whether consumers have adequate control over the use of their data by online platforms; and
  • whether a lack of transparency, conflicts of interest and the leveraging of market power undermine competition in digital advertising.

Similar to the FCO, the CMA reached the conclusion that (amongst other things) “limited choice and competition also have the consequence that people are less able to control how their personal data is used and may effectively be faced with a ‘take it or leave it’ offer when it comes to signing up to a platform’s terms and conditions. For many, this means they have to provide more personal data to platforms than they would like.”

This contributes to a positive feedback loop whereby the incumbents are able to collect ever-more data, without consumers being able to control and manage what data they allow to be collected, resulting in the competition being cut-off from data-reliant markets such as online advertising. This ultimately could lead to higher online advertising costs for businesses, which they pass on to customers by in turn raising the prices of their own products and services.

However, the CMA found that existing legislation (including competition, consumer and data protection legislation) is not able to satisfactorily regulate the complex digital advertising market. The CMA therefore proposes that a new pro-competition regulatory regime should be implemented to regulate the behavior of major platforms that are funded by digital advertising

Under the proposal, the CMA also recommends the creation of a ‘Digital Markets Unit’, which would have wide-reaching powers to (e.g.) enforce a code of conduct and tackle market power. This also includes the ability to introduce two interventions, the first of which is generally designed to be pro-competitive, while the second is specifically targeted at Facebook and Google:

  • The choice requirement remedy: requiring platforms to give consumers the choice not to share their data for personalised advertising, but instead to receive adverts that are not personalised.
  • “Fairness by Design” duty: placing a duty on platforms to take steps to ensure that they are promoting consumers’ awareness and their ability to make informed choices about the use of their personal data.

Interestingly, rather than finding that Facebook, Google or other dominant players are in breach of GDPR as a simultaneous breach of competition law, the CMA found that large platforms use GDPR to erect “walled gardens” to protect their market position; they claim that the GDPR restricts competitors’ access to data, while sharing more freely within their own ecosystem.

It should be noted that the CMA can only recommend legislative change but it will be left to the UK Government to implement the proposals. The government is said to be planning a response to the CMA’s recommendations later this year.

Future convergence? While the outcomes of the FCO decision against Facebook and the regulatory consequences of the CMA market study on digital advertising are not yet certain, the trend is towards data privacy and competition laws converging.  The agencies appear to be winning the argument – at least in Europe – that privacy is simply another parameter of competition, and one that should be regulated and protected as such.

Key Takeaways. Given the pace of change in this field, companies may want to consider the following takeaways to help address the emerging risks:

  • Consider data aggregation issues when assessing the substantive complexity of potential M&A transactions. Regardless, be prepared that deals where user data is a feature can typically expect a more intrusive and longer regulatory review.
  • If the merging parties compete on the basis of privacy or data policies to attract customers, those will be assessed as aspects of non-price competition in the same way as any other competitive parameter.
  • All companies that collect a significant amount of user data should be aware of the increased focus on their conduct, particularly if they are dominant or could be alleged by rivals to be so.
  • Monitor and prepare for legislative developments in what is a fast evolving area of law.
  • Ensure that terms and conditions are reviewed and that users are voluntarily consenting to the use of their data where that is a requirement.

This post comes to us from Debevoise & Plimpton LLP. It is based on the firm’s memorandum, “Regulating the Internet: Are EU Antitrust and Data Privacy Rules Converging?” dated August 14, 2020, and available here.

Leave a Reply

Your email address will not be published. Required fields are marked *