Competition Authorities must – really – deal with privacy.

Calls on Competition Authorities to give proper consideration to privacy and data protection concerns in their antitrust and merger investigations are not a new thing. Large digital platforms have long raised privacy and competition concerns due to their ability to collect troves of data from their business and consumer-facing products and use them internally as they deem fit, enjoying unparalleled data-driven advantages. And data-driven mergers have long been used by large platforms as a tool to acquire even more data, potentially harming competition and consumers. 

But in this blog post I explain that there is another, equally important reason why competition authorities should pay attention to privacy, which is that it is being increasingly used by large platforms to justify potentially anticompetitive activities.

Integrating the privacy dimension in competition analysis

Antitrust practitioners and academics have supported the recognition of privacy as a parameter of competition, comprising a dimension of “quality” of digital products. It has also been argued that privacy and/or data protection is more than a “quality” characteristic – according to Caffarra, Crawford and Ryan, “[w]e need to think instead of privacy features, and the loss of privacy or lack of data protection that comes with their relaxation, as a price. […] Framing privacy attributes as prices helps clarify that deals or conduct that allows the greater collection, combination, and use of data are deals or conduct that are simply raising consumer prices for those services.” Be they a “quality” factor or a “price”, there is a growing consensus that privacy and data protection aspects matter in antitrust.

Despite repeated requests to Competition Authorities to engage in an in-depth and well-rounded assessment of the data protection dimension of a deal or a firm’s conduct, Authorities have traditionally been reluctant to do so in practice. 

During the Facebook/WhatsApp merger review process in 2014, for example, third parties expressed concerns that some form of integration of WhatsApp data with Facebook would likely follow the transaction. The Commission, however, rejected these claims, accepting Facebook’s statements that integration would “pose significant technical difficulties”, as Facebook “would be unable to automatically and reliably associate a Facebook ID with a valid phone number used by a user on WhatsApp” without this being done manually by users. Nevertheless, in 2016 WhatsApp updated its privacy policy to enable linking WhatsApp users’ phone numbers with Facebook IDs in order to “improve customer experience.” Facebook was fined 110 million euros for providing misleading information during the merger review process, but the Commission’s clearance decision remained effective.

And while hopes were high that Authorities would be much more cautious by now, the Google/Fitbit merger clearance came as a disappointing surprise to many. The European Commission has been criticized for failing to recognize the full extent of the harm that will be caused by Google adding even more data to its stockpile, which it can then internally use without restrictions. While focusing on the potential for Google to use Fitbit’s data to strengthen its dominance in online advertising (resulting in a commitment of Google to place Fitbit data in a “silo”) and to restrict third-party access to Fitbit data, as well as interoperability between competing wearables and the Android ecosystem, the Commission has been criticized for “rejecting warnings that Google will combine [Fitbit’s health data] with its unique demographic, interest, and location data in health-tech applications (including insurance),” given its “established track record of adding ever more data to its hoard, enabling an internal free-for-all in order to cascade its dominance into new markets.”

On the antitrust front, with the exception of the Bundeskartellamt’s Facebook decision (which led to a preliminary reference procedure before the Court of Justice of the EU), Competition Authorities in the EU – and notably, the European Commission – have not pursued cases where excessive data collection and privacy and data misuse by large platforms were given the weight they deserve.

Preventing privacy from being used to justify anticompetitive behaviour

But aside from the fact that Competition Authorities should be concerned about privacy and data protection as parameters of competition (either a dimension of “quality” or as a “price”), there is a further reason why they should properly look into privacy.

Large digital platforms are increasingly using privacy to justify potentially anticompetitive practices – perhaps counting on the fact that data protection enforcement has been far from ideal, and that Competition Authorities may not feel comfortable really taking privacy considerations into account during their investigations. One could say there is a loophole arising from the existence of two parallel – though in theory intertwined – systems (i.e., the data protection framework and the competition framework), which large online platforms may exploit to get away with problematic practices.

Let us take the example of Google. In January 2020, Google announced it would progressively phase out support for third-party cookies (the cornerstone of online advertising) on Chrome, presumably to increase user privacy on the web. Google proposes a new set of tools for online advertising, known as the “Privacy Sandbox”. While this change will restrict third parties’ ability to track users across sites, it will not affect one’s ability to collect first-party data. Thus, Google will still be able to collect troves of user data and to track users through its numerous consumer-facing services, including Google Search (which allows Google to follow users’ browsing activities beyond its properties, in that Google tracks which results the user clicks on). There is a legitimate question as to whether Google is doing enough to truly increase user privacy – not only in the open web, but also within its owned and operated properties. In addition, the Privacy Sandbox browser changes could have adverse effects on competition in digital advertising (e.g., marketers could decide to shift their ad spend towards Google’s owned and operated properties, which do not rely on third-party cookies to deliver relevant advertising). The UK Competition & Markets Authority (“CMA”) is currently investigating whether Google’s Chrome changes may have such effects, working with the Information Commissioner’s Office (“ICO”), the UK’s privacy regulator, to consider “how best to address legitimate privacy concerns without distorting competition.” As recently confirmed by Commissioner Vestager, Google’s proposals to deprecate third-party cookies are also within the scope of the European Commission’s preliminary investigation into the way data concerning users is gathered, processed and monetised by Google.

Similarly, Apple announced in June 2020 that starting with the launch of iOS 14, app developers (and their ad tech partners) would only be able to track users if the latter grant them permission through an Apple-designed pop-up box surfaced within the app either when the app is launched or at a later stage, but in any event before the app can access the IDFA or track the user – a move that threw an entire industry into disarray. And while Apple restricts everybody else from tracking users to engage in personalized advertising, Apple’s own advertising business, which subjects users to personalized advertising by default, stands only to benefit. This self-preferencing concern is currently being investigated by the French competition authority following a complaint by digital advertising associations (disclosure: we advised the complainants). As recently reported by the Financial Times, “Apple will expand its advertising business, according to two people familiar with its plans, just as it brings in new privacy rules for iPhones that are likely to cripple the ads offered by its rivals, including Facebook. […] If Apple cripples mobile advertising, then the App Store becomes the primary discovery point for apps again, and Apple decides how people use our iPhones, Apple decides which apps are the most popular.” 

If the above examples (Privacy Sandbox and iOS 14 tracking changes) are representative of what is likely to come in the future, one can expect large platforms to increasingly invoke privacy considerations to justify potentially anticompetitive conduct. If Competition Authorities are not eager to engage in an in-depth assessment of such privacy claims, instead preferring to view privacy and competition law as distinct fields and trying “not to see a competition issue where there is a privacy issue because, if that is the case, it’s not for [them],” these platforms will get the message that it is fine to invoke privacy to escape antitrust scrutiny.

Respecting and improving user privacy is a good thing (and there is still a lot to do on that front). But invoking privacy to justify conduct that strengthens or leverages one’s dominant position, while harming competition, is a practice Competition Authorities should be worried about.
