Competition Law’s Challenges in Regulating Big Data
By Campbell Whyte
I. Introduction
The value of data today has been likened to that of oil as “the most important currency used in commerce today”.[1] Big data can be defined as large datasets controlled by companies concerning their customers that can be computationally analysed for patterns and trends to these companies’ benefit. This permeates almost every aspect of our online lives: our shopping habits, web browsing habits, travel plans and even health information[2] can all be tracked and analysed. However, for all the convenience that big data provides us, the power that big data companies wield by virtue of their controlled data is concerning from both a privacy and market competition angle.
Big data companies are subject to European Union competition law as set out by the EEA Agreement,[3] the Treaty on the Functioning of the European Union[4] and the EC Merger Regulation.[5] However, academic writing[6] and important cases in this sphere have indicated that the big data economy has anti-competitive characteristics that may make traditional application of competition law difficult or inadequate. Importantly, no other market relies so heavily on infringing on user privacy in order to function. Privacy concerns, together with a uniquely anti-competitive market, therefore warrant a closer look at the application of competition law to big data companies.
This article will analyse the fundamental difficulties that arise in applying competition law to big data companies and the challenges illustrated by the European Commission’s consideration of big data as a market resource. This article concludes that there is a need for balanced reform in this matter that respects user privacy, healthy competition, and the free market.
II. Difficulties in application of competition law
The big data economy has uniquely anti-competitive characteristics which may render traditional doctrines and standards of competition law insufficient in the big data industry. Jacques Crémer, Yves-Alexandre de Montjoye and Heike Schweitzer, special advisers to the European Commission, have noted that the market is characterised by a significant incumbent advantage and barriers to entry.[7] This is contributed to in part by user inertia bias and network effects, whereby having a greater number of users will allow a company to improve its services and broaden its outreach, thereby causing more users to use those services. In short, competing on merit is unusually difficult in the digital economy.[8]
Consumer welfare standards present another challenge in this sphere. For example, the Commission considered data as an important input under the Non-Horizontal Merger Guidelines[9] in Microsoft/LinkedIn.[10] Under these guidelines, the relevant factor for determining an important input is ‘whether the increased input costs would lead to higher prices for consumers’.[11] However, the transfer of data to third parties for advertising purposes is exactly what allows some technology companies to offer their services for free and does not lead to higher prices for consumers. Some academics have commented that ‘an overly price-centred approach to competition risks overlooking significant welfare harms relating to non-price dimensions of competition, such as privacy harm’, and that a revision to the consumer welfare standard is therefore needed.[12]
The remedies suggested by some authors also present their own challenges. For example, Jacques Crémer, Yves-Alexandre de Montjoye and Heike Schweitzer have suggested that ‘it may… be necessary to give [weak competitors] access to the dominant platform’s competitively relevant data resources or otherwise compensate for their… lack of data access’.[13] This approach presents clear data privacy concerns, and the authors made sure to provide that ‘under the GDPR, access to personal data can… be mandated where… data which is originally personal can be made accessible in an anonymised way.’[14] However, it is worth noting that anonymised data can be de-anonymised with certain algorithms or with a big enough data set.[15]The imperfect remedies suggested in this regard may have adverse consequences for user privacy, and they show the need for reform in this sphere that takes full account of user privacy and the true value of data in the digital market in 2020.
It is clear then that EU competition law may not always be an effective tool for promoting robust competition and consumer welfare in the big data industry. Certain European Commission decisions illustrate these difficulties even more clearly.
III. The difficulties presented in European Commission case law
In addition to the challenges discussed in applying competition law to big data companies, some European Commission case law illuminates further cause for concern. First, the relationship between big data and competition law falls at a lacuna between the jurisdiction of the European Commission and that of the European Data Protection Board (EDPB), an independent European body tasked with ensuring consistent and cooperative application of the General Data Protection Regulation (GDPR) across Europe. This legal void is even more regrettable when one considers the difficulties currently faced by authorities in GDPR enforcement.[16] This article suggests that the European Commission has shown significant deference to the EDPB because of this lacuna, possibly at the detriment of effective regulation, and has also underestimated the effect of data and particularly the benefit of combined datasets in mergers.
III.A. A legal lacuna with the European Data Protection Board
The European Commission, aware that data processing and transfer falls under the GDPR, has been unwilling to overstep its bounds by taking action which may be construed as enforcing data privacy law. In the 2014 Facebook/WhatsApp[17] decision, the Commission held that ‘any privacy-related concerns flowing from the increased concentration of data within the control of Facebook as a result of the Transaction do not fall within the scope of the EU competition law rules but within the scope of the EU data protection rules’.[18] This position can also be observed in the Microsoft/LinkedIn[19] decision, in which the European Commission conditionally authorised the $26.2 billion acquisition of LinkedIn by Microsoft. Before engaging in any competition analysis regarding the data held by LinkedIn, the Commission showed implicit deference to the European Data Protection Board by noting that processing and transfer of data between the two companies would only be allowed in accordance with the General Data Protection Regulation.[20]
The Commission’s deference is certainly justified, as the European Data Protection Board, in coordination with relevant national supervisory authorities, is tasked with enforcing the GDPR.[21] This does not fall to the European Commission, and the European Data Protection Board is equipped with the expertise and resources to tackle these specific questions.[22] However, this deference poses some difficulties in the application of competition law to big data companies. Most importantly, the European Data Protection Board does not have the power to authorise or deny a merger[23] as the Commission does.[24]
Accordingly, this relationship could result in mergers going ahead before national supervisory authorities and the EDPB can receive complaints and censure data processing. At this point, harm may have already been done to competition and user privacy. This is evidenced by Facebook’s post-merger violations[25] of its commitments to the Commission concerning matching between Facebook and WhatsApp accounts.[26] The potential for such anti-competitive behaviour shows that deference to the European Data Protection Board on the part of the European Commission could allow for significant harm to competition. This effect would be even more pronounced where the European Commission uses a ‘light touch’ and allows a merger through with minimal restrictions and commitments.
The European Commission should thus take a more proactive approach against potential violations of competition law and user rights and not be unduly hampered by the possibility of encroaching on GDPR enforcement. As mentioned before, the European Commission has itself admitted to difficulties in GDPR enforcement,[27] which may raise doubts as to data protection law’s being a sufficient remedy for privacy and competition concerns. Competition law and GDPR enforcement are separate, and it is submitted that the Commission can and should take advantage of this to fully analyze the effect of data in the market on its own terms instead of using the EDPB as a safeguard in data matters. Another solution might be a joint committee of members of the European Data Protection Board and members of the European Commission with specific expertise in this area, who would engage in a cooperative and holistic approach in competition law proceedings concerning big data companies.
III.B Underestimation of the effect of big data in the digital market
This article will attempt to show, through analysis of certain cases, that the European Commission has taken a narrow view of the crucial impact of data in the big data market and thus unduly favours the approval of these mergers.
This is most evident in Microsoft/LinkedIn,[28] where the Commission noted that as the merger was a conglomerate merger[29], the combination of LinkedIn’s data and Microsoft’s datasets would only act as a barrier to competitors or to entrants to the market in the companies’ intersection of online advertising. In the Commission’s view, internet data not controlled by Microsoft was too plentiful[30] for the data to raise barriers to entry and expansion for competitors. It is submitted that this reasoning is open to criticism and that the Commission, in allowing the merger, may not have fully guarded against the risks to competition.
First, the combination of Microsoft’s data and the professional data controlled by LinkedIn could have a significant impact on the market. Microsoft likely controls significant data concerning who has bought its products, how the products are used and in what environments its products are most popular. LinkedIn users provide LinkedIn with information regarding their workplaces, career history, aspirations, skills and connections. These two datasets combined could significantly help the conglomerate in marketing products and expanding business in a more informed manner. For example, competitors submitted at the time that the merged entity could map a user’s network and recommend LinkedIn connections with greater accuracy.[31] In addition, despite data’s general abundance, customers who have given important professional data to LinkedIn may not be as eager to give their data to another professional social network due to customer inertia bias and network effects.[32] It is therefore debatable whether relevant and valuable data is as freely available as the Commission indicated, which leaves us to wonder if the Commission does not underestimate the effect of data on the market. Finally, no ban on data transfer between Microsoft and LinkedIn or selling data to advertisers was made a condition of the merger’s authorisation in the Final Commitments.[33] The Commission appears, therefore, to have taken a slightly narrow view of the effect of this combined dataset on competition.
This was not the only decision in which the Commission has shown similar reasoning. The Commission in both Facebook/WhatsApp[34] and in Microsoft/LinkedIn[35] chose to focus on the combined dataset only in the area of intersection of the two companies (third-party online advertising) without considering how the combined dataset might help the conglomerate to expand its business in other areas, for example, in improving its professional social network services.[36] The Commission also focused in both cases on the number of competitors in the market and the vast amount of available data.[37] However, some authors have commented on the pronounced network effects, user inertia bias, and extreme returns to scale in the technology industry that greatly compound market advantage.[38] It is therefore not unreasonable to counterargue that competitors and new entrants to the market are not as much of a check on dominant market players as they are in other fields, and that companies who control a large dataset have a significant competitive advantage despite data being freely available. The result of this is that the European Commission might authorise anti-competitive mergers in an industry with significant ramifications for the privacy of EU citizens
The European Commission has in other instances attempted to adapt its reasoning to the big data industry. For example, the Commission found that Google’s self-preferencing actions in its online comparison shopping service constituted an abuse of its dominance, even where its services were offered for free.[39] The commitments required of Microsoft and LinkedIn[40] also show that the Commission is still a powerful force for assessing markets and ensuring fair competition in the technology industry. These principles will be interestingly put to the test in the upcoming Google and Fitbit[41] merger decision. Significant apprehension has been expressed by competitors and consumer groups that the merged entity will increase its power in online advertising and health technology by profiling users and raising barriers to entry.[42] In this author’s opinion, if the merger is to go through, strong commitments will have to be given by Google and Fitbit that protect user privacy and competition, and these commitments will have to be rigorously enforced.
IV. Conclusion
Despite the European Commission’s significant authority in competition law, there are certain fundamental anti-competitive characteristics of the big data industry that current competition law does not easily permit the Commission to resolve without overstepping its power and stifling innovation. Furthermore, some of the Commission’s decisions highlight the difficulties in applying traditional doctrines of competition law to big data companies and the need for reform in this area. This could be accomplished by adopting new doctrines and tests for big data companies, as well as by creating new committees with expertise in these questions.
Notwithstanding their violations of privacy and abuses of market dominance, companies such as Facebook, Google, Microsoft and LinkedIn have become essential to workers across the globe, especially during the current pandemic. Attempts at applying competition law more rigidly to these companies could rightly be seen as stifling innovation and the free market. Reform in this sphere will require a collaborative approach between legal and technological experts. It is to be hoped then that competition law can become an effective tool for protecting robust competition and allowing entrants to the market to more effectively challenge incumbents. It is also to be hoped that competition law, through updated consumer welfare standards, can effectively protect the privacy of EU citizens.
[1] Michelle Evans, ‘Why Data Is The Most Important Currency Used In Commerce Today’ (Forbes, March 2018) <https://www.forbes.com/sites/michelleevans1/2018/03/12/why-data-is-the-most-important-currency-used-in-commerce-today/#52a0160854eb> accessed 27 June 2020; Kiran Bhageshpur, ‘Data Is The New Oil — And That’s A Good Thing’ (Forbes, November 2019) <https://www.forbes.com/sites/forbestechcouncil/2019/11/15/data-is-the-new-oil-and-thats-a-good-thing/#5f3e8ede7304> accessed 15 August 2020.
[2] Foo Yun Chee, ‘Google offers data pledge in bid to win EU okay for Fitbit buy’ (Reuters, July 2020) <https://www.reuters.com/article/us-fitbit-m-a-alphabet-eu-exclusive/exclusive-google-offers-data-pledge-in-bid-to-win-eu-okay-for-fitbit-buy-idUSKCN24E2X5> accessed 15 August 2020.
[3] EEA Agreement [1994] OJ L 1, 3.
[4] Consolidated version of the Treaty on the Functioning of the European Union (TFEU) [2008] 2008/C 115/01.
[5] Council Regulation (EC) No 139/2004 of 20 January 2004 on the control of concentrations between undertakings (the EC Merger Regulation) OJ L 24, 1-22.
[6] Commission: Jacques Crémer, Yves-Alexandre de Montjoye and Heike Schweitzer (special advisers to the European Commission), ‘Competition policy for the digital era’ (Publications Office of the European Union, 2019).
[7] Commission: Jacques Crémer, Yves-Alexandre de Montjoye and Heike Schweitzer (special advisers to the European Commission), ‘Competition policy for the digital era’ (Publications Office of the European Union, 2019).
[8] Ibid.
[9] Commission, Guidelines on the assessment of non-horizontal mergers under the Council Regulation on the control of concentrations between undertakings (OJ 2008/C 265/07).
[10] Microsoft/LinkedIn (Case M.8124) Commission Decision 2016/C 388/04 [2016] OJ C 388/04.
[11] Commission, Guidelines on the assessment of non-horizontal mergers under the Council Regulation on the control of concentrations between undertakings (OJ 2008/C 265/07) at [31].
[12] Maria C. Wasastjerna, ‘The role of big data and digital privacy in merger review’ (2018) European Competition Journal Vol. 14, Nos. 2–3, 417–444; Commission: Jacques Crémer, Yves-Alexandre de Montjoye and Heike Schweitzer (special advisers to the European Commission), ‘Competition policy for the digital era’ (Publications Office of the European Union, 2019).
[13] ibid.
[14] ibid at Ch 5, 104.
[15] Alex Hern, ‘Anonymised’ data can never be totally anonymous, says study’ (The Guardian, 23 July 2019)
<www.theguardian.com/technology/2019/jul/23/anonymised-data-never-be-anonymous-enough-study-finds> accessed 27 June 2020.
[16] Javier Espinoza, ‘EU admits it has been hard to implement GDPR’ (Irish Times, June 2020) <www.irishtimes.com/business/technology/eu-admits-it-has-been-hard-to-implement-gdpr-1.4286207> accessed 27 June 2020.
[17] Facebook/WhatsApp (Case M.7217) Commission decision 2014/C 297/4 (2014) OJ C 297/13.
[18] ibid at [164].
[19] Microsoft/LinkedIn (Case M.8124) Commission Decision 2016/C 388/04 [2016] OJ C 388/04.
[20] ibid at [175-185].
[21] General Data Protection Regulation article 70, EU Regulation 2016/679, OJ 2 119/1.
[22] General Data Protection Regulation article 68, EU Regulation 2016/679, OJ 2 119/1.
[23] General Data Protection Regulation article 70, EU Regulation 2016/679, OJ 2 119/1.
[24] Council Regulation (EC) No 139/2004 of 20 January 2004 on the control of concentrations between undertakings (the EC Merger Regulation) OJ L 24, 1-22.
[25] Commission, ‘Mergers: Commission fines Facebook €110 million for providing misleading information about WhatsApp takeover’ (18 May 2017)
<https://ec.europa.eu/commission/presscorner/detail/en/IP_17_1369> accessed 28 May 2020.
[26] Facebook/WhatsApp (Case M.7217) Commission decision 2014/C 297/4 (2014) OJ C 297/13.
[27] Javier Espinoza, ‘EU admits it has been hard to implement GDPR’ (Irish Times, June 2020) <www.irishtimes.com/business/technology/eu-admits-it-has-been-hard-to-implement-gdpr-1.4286207> accessed 27 June 2020.
[28] Microsoft/LinkedIn (Case M.8124) Commission Decision 2016/C 388/04 [2016] OJ C 388/04.
[29] Commission, Guidelines on the assessment of non-horizontal mergers under the Council Regulation on the control of concentrations between undertakings (2008/C 265/07).
[30] Microsoft/LinkedIn (Case M.8124) Commission Decision 2016/C 388/04 [2016] OJ C 388/04 at [180].
[31] Microsoft/LinkedIn (Case M.8124) Commission Decision 2016/C 388/04 [2016] OJ C 388/04 at [324].
[32] Commission: Jacques Crémer, Yves-Alexandre de Montjoye and Heike Schweitzer (special advisers to the European Commission), ‘Competition policy for the digital era’ (Publications Office of the European Union, 2019).
[33] Microsoft/LinkedIn (Case M.8124) Commission Decision 2016/C 388/04 [2016] OJ C 388/04 at [434].
[34] Facebook/WhatsApp (Case M.7217) Commission decision 2014/C 297/4 (2014) OJ C 297/13.
[35] Microsoft/LinkedIn (Case M.8124) Commission Decision 2016/C 388/04 [2016] OJ C 388/04.
[36] ibid at [324].
[37] ibid; Facebook/WhatsApp (Case M.7217) Commission decision 2014/C 297/4 (2014) OJ C 297/13; Apple/Shazam (Case M.8788), Commission Decision C(2018) 5748 (2018).
[38] Commission: Jacques Crémer, Yves-Alexandre de Montjoye and Heike Schweitzer (special advisers to the European Commission), ‘Competition policy for the digital era’ (Publications Office of the European Union, 2019).
[39] Google Search (Shopping), Commission Decision AT.39740 (2017), OJ L 337/28. This dominance, according to the Commission, arose from its accumulation of data, which acted as a barrier to entry to competitors notwithstanding Google’s arguments that its services are offered for free.
[40] Microsoft/LinkedIn (Case M.8124) Commission Decision 2016/C 388/04 [2016] OJ C 388/04 at 434.
[41] Alice Tidey, ‘EU Commission must block Google’s acquisition of Fitbit, says data protection NGO’ (EuroNews, 17 June 2020) <www.euronews.com/2020/06/17/eu-commission-must-block-google-s-acquisition-of-fitbit-says-data-protection-ngo> accessed 27 June 2020.
[42] Aaron Pressman, ‘Why Google’s Fitbit acquisition will be tough to stop’ (Fortune, 2 July 2020) <https://fortune.com/2020/07/02/google-fitbit-acquisition-european-union-regulators/> accessed 7 July 2020.