“The evolution of big data has exposed gaps in EU competition, consumer protection and data protection policies”, said Peter Hustinx, the European Data Protection Supervisor (EDPS), when presenting the EDP’s preliminary opinion on the interplay between these three policy areas. The Opinion titled “Privacy and Competitiveness in the Age of Big Data”, issued on 26 March 2014, (the Opinion) aims at stimulating a debate between experts and practitioners. The EDPS’ preliminary opinions are not legally binding but intended to inform and facilitate discussion.
“Big data” refers to gigantic digital datasets held by corporations, governments and other large organizations which are then extensively analyzed using computer algorithms. Big data has been very much in the focus of data protection regulators across both sides of the Atlantic. For instance, the Article 29 Working Party, the EU advisory body on data protection which is comprised of a representative of the data protection authorities in each of the EU Member States, a representative of the EDPS and of the European Commission, has provided guidance on so-called “Big Data” activities in its Opinion on purpose limitation of last year (see InsidePrivacy, Article 29 Working Party Releases New Opinion on Purpose Limitation, April 15, 2013). In August 2013, Edith Ramirez, the new chairwoman of the Federal Trade Commission (FTC), gave a speech in which she focused on the privacy challenges of “big data” (see InsidePrivacy, Ramirez Says That FTC Will Use Tools To Protect Consumers From “Big Data” Privacy Concerns, August 22, 2013). The FTC is expected to release a report this year on the activities of data brokers (who compile data profiles on consumers and make them available for sale) and other big data activities. The FTC also has been investigating potential privacy abuses by companies that process big data and even the White House’s 2014 focus is on privacy and big data (see InsidePrivacy, White House Seeks Public Comment on Implications of Big Data, March 6, 2014).
The Opinion develops the themes which Mr. Hustinx had outlined during a seminar in June 2013 which had been jointly organized by Covington’s Privacy & Data Security and Antitrust practices in Covington’s Brussels office. The EDPS recognizes that EU principles and rules on data protection, competition and consumer protection share common goals, including the promotion of welfare of individual consumers and the facilitation of the creation of a single European market. However, as collaboration between policy-makers in these respective fields is still limited, the EDPS calls for a closer dialogue between regulators and experts, expecting that this would aid the enforcement of the rules on competition and consumer protection and foster privacy as a competitive advantage, thereby stopping the risk of a ‘race to the bottom’ of privacy protection.
The Opinion is divided in four chapters. Chapter 2 outlines the trends in the digital economy and the role of personal data as a substantial intangible asset as more and more companies across all industry sectors rely on it. Many online services, such as search engines, require users to pay with their personal information. Vice President of the European Commission, Commissioner Viviane Reding, has therefore repeatedly referred to personal data as the currency of today’s digital market. Often companies rely on big data to cross-finance distinct services (see also ‘Competition Law and Personal Data: Preliminary Thoughts on a Complex Issue’, SSRN, February 12, 2013). Chapter 3 sets out the legal background and compares the rules in the different areas, more specifically looking into the scope of application, data control and relevant markets, transparency and choice, prevention of harm as well as supervision, enforcement, sanctions and remedies. Chapter 4 finally analyzes the interrelations between the three policy areas.
The Opinion’s key findings include:
- Privacy and data protection should be considered as central factors in the appraisal of companies’ activities. For instance, the value of personal data as an intangible asset should not only be taken into account for the purposes of defining the relevant market but also for measuring a company’s dominance. Conversely, digital market power and competition analysis could help highlight data protection violations.
- Personal data protection may be relevant for the appraisal of mergers. However, a full market analysis for the ‘free’ digital services has not yet been carried out by the European Commission. In particular, the most significant Commission decision on a merger among undertakings in the digital economy (Google/DoubleClick) “disregarded the search market” and did not consider the likely long-term impact on the users whose datasets (here search and browsing) may be merged.
- “Powerful or dominant firms can exploit ‘economies of aggregation’ and create barriers to entry […]” and information could in theory be considered as an essential facility. On a related note, according to its inaugural press release of April 1, 2014, the Competition and Markets Authority (CMA), which is the UK’s primary competition and consumer agency, has “launched a research project that will use “big data” techniques to identify sectors of the economy where online commerce is developing more slowly than might be expected, so it can investigate whether this is because incumbents have acted anti-competitively to block entry or innovation by online competitors or innovators.” The EDPS is also concerned that dominant undertakings may abuse data protection law, by seeking to justify their refusal to supply competitors with datasets and trying to shield themselves from remedies on data protection grounds. In the EDPS’s view it may be necessary to develop a concept of consumer harm in cases where freedom of choice and control over one’s own personal information is restricted by a dominant undertaking.
- Remedies in competition cases should respect the principle of ‘data minimization’, whereby only the personal data which is strictly necessary to perform a desired functionality should be collected. Other remedial options might include (i) offering users a paid service with enhanced personal data protection; (ii) applying a proportionate limit to data retention; (iii) allowing users to withdraw their personal data and port it to another provider (data portability); and (iv) placing strict controls on data processing across different services and businesses.
- Improved consumer choice and transparency with respect to personal data processing and privacy policies could contribute to consumer welfare. One possible response to the challenges might be standards for transparency and intelligibility of contractual terms in online services. Data portability may empower consumers and prevent that they are locked into certain services.
- National competition, consumer protection and data protection authorities might need to agree upon a more holistic approach to enforcement and dialogue should be more systematic.
Pursuant to the Opinion, the lack of interaction in the development of policies on competition, consumer protection and data protection may have reduced the effectiveness of competition rules’ enforcement. The EPDS considers that a comprehensive response to these challenges might include:
- raising awareness of technological developments and their implications for competitiveness, consumer welfare and privacy-enhancing services;
- providing guidance on the application of data protection, competition and consumer protection rules for ‘free’ online services;
- cooperation between authorities in investigation and enforcement (for example, identifying possible standards for measuring market power) and consultation in individual cases; and,
- reviewing competition legislation, in particular its interface with other areas of laws.
The EDPS will also organize a workshop in Brussels on June 2, 2014 to facilitate discussions among experts and practitioners from the EU and the U.S. and may include more concrete recommendations for action in a subsequent opinion.