Those who have been paying attention to the antitrust world recently may have spotted a trend: Competition regulators are getting very interested in the data that large tech companies, in particular, collect, store and analyze.
Just look at EU Competition Commissioner Margrethe Vestager fretting about voluminous data sets becoming "a barrier to entry for other businesses." Senator Elizabeth Warren's, D-Mass., plan to "break up big tech" sees the pro-competitive effects of unwinding big mergers — such as that of Facebook and WhatsApp — as a way of making companies "more responsive to user concerns, including about privacy." These are arguably separate issues, but they are also two facets of the same problem: The biggest tech firms acquire data any which way they can, and once they have a sufficient amount, it puts them in what may be an unassailable position.
In an explosive recent development, Germany's Bundekartellamt (Federal Cartel Office) has fused data protection and antitrust logic in its crackdown on Facebook's harvesting and processing of data from third-party sites. It ruled in February that the social network was exploitatively and therefore illegally forcing users to agree to this collection, if they want to use the core service. "The only choice the user has is either to accept the comprehensive combination of data or to refrain from using the social network," said Andreas Mundt, the antitrust authority's president, in a statement. "In such a difficult situation the user's choice cannot be referred to as voluntary consent."
Is the German ruling the start of something big? "It is, and not by surprise," European Data Protection Supervisor Giovanni Buttarelli said. "We have argued at the EDPS since 2014 that the heavy, constant surveillance profiling and targeting potentially violated more than just one area of EU law, including antitrust laws. Now the Bundeskartellamt is saying that, based on national case law."
In terms of EU-wide law, Buttarelli pointed to Article 102(a) of the Lisbon Treaty, which says prohibited anti-competitive behavior may include "directly or indirectly imposing unfair purchase or selling prices or other unfair trading conditions." He also noted that the Bundeskartellamt had "worked closely" with German data protection authorities during its Facebook investigation. "The potential for this to set an important precedent for working across boundaries, while respecting the independent actions of different regulators, is quite clear," he said.
Others are not convinced. Falk Schöning, an antitrust expert at Hogan Lovells' Brussels office, sees data hoards as a plausible EU antitrust issue, but not data protection. "If there is a separate legal regime like with [the EU General Data Protection Regulation], you don't need antitrust law if you find a regulatory breach," he said.
As Schöning sees it, in the pre-GDPR days, when data protection fines were weak, privacy authorities may have been keen to have antitrust regulators step in with their more muscular powers, but that's not necessary now. The Bundeskartellamt's ruling could prove influential in terms of inspiring antitrust regulators to tackle big tech more creatively, but "I just don't think that others will necessarily have the same approach of looking into GDPR and antitrust," he said. "Pure privacy infringement will in the future purely be dealt with by DPAs … [Competition regulators] may just look at data as such, and whether ownership of data gives you a strong or dominant position in any market and therefore requires you to act in a certain way."
But while Schöning argues that the GDPR renders the privacy-antitrust hybrid approach redundant in Europe, he also thinks it "could well go to other areas of the world," potentially including the U.S.
In the U.S., the Federal Trade Commission is responsible for enforcing privacy, consumer protection and antitrust policy. The agency has since last fall been holding a series of hearings "examining whether broad-based changes in the economy, evolving business practices, new technologies, or international developments might require adjustments to competition and consumer protection law, enforcement priorities, and policy."
According to a dozen state attorneys general, adjustments are definitely needed. In October, the attorneys general of California, Connecticut, the District of Columbia, Illinois, Massachusetts, Minnesota, Mississippi, New York, Oregon, Pennsylvania, Rhode Island and Washington offered wide-ranging comments to the FTC, including several thoughts on the intersection between privacy, big data and competition. Some of their arguments hewed very closely to the logic of the Bundeskartellamt, covering ground that in Europe spans the domains of the GDPR and antitrust law.
"Firms may be accumulating big data — in some cases against consumers’ wishes — on account of a lack of choice and immense imbalances in market power between service providers and consumers," they said. "Consumers often concede valuable competitive data and their privacy interests because they in practice have no choice, other than foregoing the service altogether. This is compounded by a lack of meaningful information for consumers to make choices in certain spheres. Lengthy user agreements have become standard, and may also hinder competition. Such practices could raise barriers to entry and inhibit switching by consumers."
How will the FTC respond to such arguments? Right now, that's hard to say. The 13th and most recent hearing in the agency's modernization initiative took place April 12, and the 14th, which was supposed to have already taken place, was postponed and is still yet to be rescheduled – and according to FTC Spokesman Peter Kaplan, "there's been no final determination as to whether that will be the last one."
Even once the hearings are over, it's not clear exactly how the FTC will make its own views known. "We have said that once the hearings are concluded there will be output such as a report addressing issues raised in the hearings," Kaplan said. "However it hasn't been determined exactly what the form of that output will be."
There are also notable developments underway in Australia. When the Australian Competition & Consumer Commission last December released a preliminary report into Google, Facebook, and the news and advertising ecosystem, it mostly concentrated on the issue of market power but also saw fit to say it was "concerned with the large amount and variety of data which digital platforms such as Google and Facebook collect on Australian consumers, which go beyond the data which users actively provide when using the digital platform." The regulator proposed changes to the country's Privacy Act to "enable consumers to make informed decisions" about the collection of their data.
The country's privacy watchdog seems happy to see the competition and consumer protection authority wading in.
"The broad protections and requirements in the Privacy Act that apply throughout the information life cycle, complement consumer protections overseen by the Australian Competition and Consumer Commission which regulates the Australian Consumer Law," a spokesperson for the Office of the Australian Information Commissioner said. The spokesperson said the ACCC's platforms inquiry gave the two organizations "an important opportunity … to confer in addressing areas of mutual concern, to secure better data protection outcomes for all Australians."
"Both privacy and consumer protection regimes have a role to play in regulating what are now multi-faceted issues," the OAIC spokesperson added.
Over in Europe, Buttarelli will in the next couple of months be setting out the EDPS's views in a manifesto that will call for greater cooperation between different authorities.
"Companies as well as citizens often complain that regulators operate in silos, so they should welcome the decision as an exercise in possible coherent enforcement," he said. "The existing rules, as they are, may survive for the short and perhaps the mid-term, but not longer."
Photo by Randy Fath on Unsplash