IndiaCorpLaw

Can Competition Law Regulate Privacy?

[Jyotsna Vilva is a 5th year B.A. LL.B. (Hons.) student at the National Law School of India University, Bangalore]

The question of regulation of privacy and data protection issues through competition law has gained traction in recent years. In the past, while the European Commission has considered privacy to be a parameterof non-price competition, both the European Court of Justice and the European Commission have categorically denied the opportunity to address issues of privacy stemming from concentration of data. Both have stated that privacy concerns arising from data aggregation do not fall within the scope of competition law, but are rather to be regulated by data protection law. Issues of privacy were raised before the Competition Commission of India regarding the merger of WhatsApp user data with Facebook after the latter’s acquisition of the former. However, the Commission ultimately held that this issue would not fall within the scope of the Competition Act. But recent developments in Canada and Germany have shown the increased willingness of competition authorities to regulate privacy through antitrust. 

The goal of competition law is to maximise consumer welfare. Competition law measures target those businesses whose activities negatively impact consumer welfare. However, it merits questioning whether competition law is actually capable of identifying and rectifying privacy issues stemming from concentration of data, which result in harms to consumer welfare. This post considers this issue by, first, analysing the effectiveness of remedies available to competition authorities to rectify such issues and enhance consumer welfare and, second, questioning whether privacy issues stemming from data aggregation would actually fall within the domain of competition law, or whether they remain a data protection problem.

Effectiveness of Remedies

Large or dominant digital companies may be at a significant advantage over their competitors due to their ability to collect vast amounts of data. Resultantly, such companies may be able to offer services which their less data driven competitors cannot, and their vast data aggregation may pose privacy concerns to consumers. In such a situation, there are two possible remedies that a competition authority can consider to tackle competition issues.

First, the competition authority could ask the dominant data aggregator to share data through an agreement with other companies to enable them to compete, if such data is indispensable for their sector’s business activities and if refusal is likely to exclude all other competition. Such a measure has previously been ordered by the French Competition Commission in the GDF Suez Case, even though such data was protected by French data protection laws. Thus, the solution to dominance through data aggregation seems to be expanding data aggregation to more companies – an option which puts the privacy of users on the backburner. However, it could theoretically be possible for the dominant data aggregator to share anonymised or pseudonymised data, which would partly solve such issues.

Second, the competition authority could block a merger or consolidation of data sets which would result in such data aggregation, in order to keep the market competitive. But this option reduces consumer value and welfare that would accrue to the company’s consumers, which was made possible solely due to greater data aggregation and analytics – such as by offering more products, the provision of free services, and helping to target advertising. Empirical research has shown time and again that even privacy concerned individuals are willing to make the trade-off of more data for improved services or compensation.

This is not to say that data aggregation by companies does not have any detrimental effects on consumers, but rather that both these remedies place competitor companies in a more competitive position (which arguably increases consumer welfare), but at the same time seem to decrease consumer choice and, thus, their welfare. Therefore, the public policy choices involved in assessing whether there exists harm to consumers and competition, which can be effectively rectified by a competition order which expands consumer welfare, are not as straightforward as may seem. Further, the remedies available to competition authorities are ultimately more to do with the tackling a concentration of market power, rather than solving privacy concerns.

Competition Law or Data Protection Law?

In order to analyse whether the problems of data aggregation are really a competition law problem or a data protection problem, consider the recent and only competition decision on abuse of dominance and data aggregation. In February 2019, the German Competition Authority  held that Facebook was abusing its dominance by using its market power to compel users to access Facebook only on the pre-condition of their acceding to the fact that Facebook combines their data from other Facebook owned services – like Whatsapp and Instagram. This, it was held, violated users’ right to informational self-determination under the GDPR. In essence, the German Competition Authority held Facebook’s violation of a privacy law – the GDPR – as per se a violation of competition law as well, instead of establishing a violation on the basis of competition law principles.

Under competition law, an abuse of dominance occurs only when a company in a dominant position, by virtue of its dominant position, is able to impose certain anti-competitive conditions. By virtue of owning several other social media entities, Facebook did have the ability to combine vast data sets. But what the Authority failed to recognise is that the ability of Facebook to stipulate such a data combination pre-condition to its users did not arise by virtue of it being a dominant market player. Rather, this was a condition that any company which owns multiple entities would be capable of imposing.

Had the Authority considered that this was actual abuse of dominance, their solution would not have been to allow Facebook to go ahead with combining such data sets after taking the voluntary consent of its users. What the Authority also implicitly affirms is that it is not the aggregation of vast amounts of data which is anti-competitive, but rather the wrongful manner of aggregation. Thus, the Authority squarely identified a data protection law violation and requested Facebook to correct its practices to rectify the same, and did not identify and rectify a competition law violation.

This decision pre-supposes that large data driven market players who violate user privacy are inherently dominant. However, studies show that large companies are more likely to be privacy law compliant. This begs a question: if a company were to legally aggregate and process data according to the terms of the existing privacy laws – for example, by taking permission from consumers to combine data sets – would any facet of this still make it an exploitative abuse of their dominance on consumers? Wouldn’t the problem then lie with the fact that the standards in data protection law seem to be too lax to protect consumers?

Thus, it appears that not all harm arising from data aggregation can be attributable as harm to competition. Considering the courts’ historical hesitancy to extend competition law to protect consumer privacy, and in order to prevent a dilution of principles of competition law, perhaps a better recourse to such issues of privacy might simply be to tighten data protection laws instead. 

Jyotsna Vilva