The collection and use of data by digitally focused businesses can create different competition issues depending on the type of data in question and the relevance of data to the practice under scrutiny. Where the data in question relate to personal information, particular questions arise surrounding the interplay among privacy, data protection, and competition law. The global trend in the data-driven digital economy is that of moving toward greater privacy and data protection rules, led by the European Union’s General Data Protection Regulation, among others. In developed countries, in particular, policymakers and enforcers are faced with the important and thorny question of whether privacy or data protection considerations should inform the competitive assessment of conduct adopted by digital businesses, given that data and its use are integral to the business models of many economic actors in the digital economy, not least the large online platforms.
The different responses to the role of privacy and data protection in competition assessments have created a divide between those who view privacy as a non-economic matter better dealt with under other policies than competition and those who view privacy and other data policies as an integral part of the economic bargain struck between providers of digital services and users. There are touchpoints between these separate-but-related areas of policy that policymakers and enforcers have to consider in their approach. From a substantive outcome perspective, these policies do not always give the same answer to the same question, as they pursue different aims.
For example, complex and voluminous data protection obligations can affect competition adversely, if such obligations present disproportionate compliance costs and barriers for small- and medium-sized enterprises. Yet, a right to data portability provided under data protection rules can have potentially procompetitive effects by enabling multi-homing and lowering barriers to entry/expansion for rivals. Yet again, a competition law remedy that requires access to data by an undertaking’s rivals can infringe privacy rules, while a merger that combines unique datasets can potentially hamper the development of existing or potential competition and simultaneously have privacy-distorting effects depending on what the merged entity does with the datasets.
Ideally, policy responses and enforcement on the touchpoints among privacy, data protection, and competition should aim at advancing each of these interests without unnecessarily impinging on the others. Achieving that requires cooperation between the relevant enforcers and regulators, but that cooperation may be difficult to realize while the normative questions remain unanswered about whether privacy or data protection concerns should be part of the competitive assessment at all.
In some jurisdictions around the world, regulators and enforcers appear to be answering the question of whether data protection and privacy concerns are relevant to an assessment under competition law in the affirmative, particularly when it comes to the practices of “Big Tech.” Jurisdictions that have been particularly active in this space where competition law and data protection intersect from a policy and/or enforcement practice point of view include the United Kingdom, Germany, France, Australia, and the European Union. In these jurisdictions, a growing list of ongoing investigations and decisions in the areas of, in particular, merger control and abuse of dominance, directly engages with issues that arise at the intersection of data protection and privacy and the competition law analysis.
In the United States, antitrust regulators historically have not regarded privacy issues alone as a proper basis for merger or conduct enforcement, citing concerns about the limitations of existing U.S. antitrust doctrine and the possibility that enforcement centered on privacy could deter procompetitive innovation. Instead, in the United States, privacy concerns and issues relating to the alleged misuse of data by platform and other businesses have been squarely within the province of consumer protection regulation, which addresses distinct harms and vindicates different rights than antitrust law.
That historical outlook may be ripe for change, however, with the appointment of new enforcers whose writings and public statements have strongly suggested the need to consider privacy issues in the context of antitrust enforcement and the possible passage of new legislation that would mandate that concerns about privacy be analyzed in determining whether a particular transaction or type of behavior violates the Sherman Act. Most immediately, the question of whether privacy plays a role in antitrust analysis will be addressed in the government’s cases against Google and Facebook.
In Europe, the most prominent abuse of dominance case is the ongoing procedure against Facebook in Germany for allegedly exploitative data processing. Also, the Autorité de la concurrence (French competition authority) is currently investigating the impact of Apple’s recent changes to its privacy policy on third-party app providers. Merger control cases on a European Union level where privacy considerations were taken into account in the commission’s assessment include the Microsoft/LinkedIn, Facebook/WhatsApp, and Google/Fitbit mergers. On the level of new legislation, there have been competition law–related developments in the European Union (draft Digital Markets Act) and in Germany (recent amendment to the German Act against Restraints of Competition). These pieces of legislation mainly contain ex ante regulations and target large online platforms qualifying as so-called gatekeepers. The obligations imposed on these companies concern, inter alia, access to data and data portability.
In Canada, until recently at least, the Competition Bureau has been clear that its mandate is limited to conduct that harms competition and does not extend to privacy (or data security) concerns unrelated to competition and that Canadian competition policy does not, and should not, assume that “big is bad.” Despite the bureau’s historically “separatist perspective” (i.e., that privacy law and competition law address different harms and vindicate different rights), based on past enforcement action, policy documents, and statements by bureau officials, there appeared to be several areas of actual or potential privacy/competition law convergence in Canada; namely, misleading advertising/deceptive marketing practices (where the bureau has already taken enforcement action in respect of misleading claims about how firms collect, use, store, and discard consumer data) and, possibly, merger review and abuse of dominance. However, a speech by the Commissioner of Competition (the head of the Competition Bureau) in October 2021 calling for a comprehensive review and “moderniz[ation]” of the Canadian Competition Act to more effectively address potential competition issues in the digital economy portends a potentially fundamental shift in the bureau’s position on the question of whether privacy is a competition law issue.
Although enforcers have thus far focused most of their attention on Big Tech, the privacy- and data-related conduct of non-Big Tech companies can and is likely to attract the attention of competition authorities. In the United States, for example, many traditional brick and mortar retailers and e-commerce firms are looking to launch marketplaces, and there are several specialty e-commerce retailers that have amassed significant data that could be perceived as giving rise to the same competitive concerns as those identified in the investigations and lawsuits filed against so-called Big Tech. Moreover, there are several precedents already that suggest that the U.S. Federal Trade Commission is prepared to litigate against non-Big Tech firms, relying in part on claims that they misused certain large data sets. This indicates that the theories that have made headlines in the United States in connection with enforcement actions directed to Big Tech are potentially transferable to other data-centric businesses. Based on experience in other areas, it appears safe to anticipate that the Canadian Competition Bureau will follow the lead of its U.S. counterpart, and possibly sooner rather than later.
In Europe, as the protection of personal data may be an element of quality of a certain product or service, agreements or exchanges of information among competitors on privacy policies and the level of data protection are at risk of falling afoul of competition legislation such as Article 101 TFEU. Also, smaller firms may arguably be in a dominant position in a given market due, for example, to their possession of essential data that is needed by other companies to compete in that market. Even below the threshold of market dominance, recent legislation in some European countries in the area of so-called relative market power may extend privacy and data protection concerns to the conduct of companies in relation to companies that are dependent on them.
Finally, in Japan, information and competition laws have received much attention, especially in the context of platform business. Among other things, in 2019, the Japan Fair Trade Commission issued guidelines on the “superior bargaining position… between digital platform operators and consumers” and made clear that undue acquisition and utilization of consumers’ information by online platforms can be deemed as “abuse of superior bargaining position.” These guidelines are of note for both Big Tech and non-Big Tech firms alike, as a dominant position is not required; rather, relative superiority between parties is sufficient for demonstrating superior position.
DISCLAIMER: The views and opinions expressed in this article are entirely those of the authors and do not represent any policies or positions of any firm or other organization.
This article is based on the abstract prepared by the authors for a program of the same name sponsored by the Antitrust Law Committee and presented on September 22, 2021, at the ABA Business Law Section’s 2021 Virtual Annual Meeting.
