Chillin'Competition

Relaxing whilst doing Competition Law is not an Oxymoron

A Brave New World: The Potential Intersection of Competition Law and Data Protection Regulation (by Orla Lynskey)

Intro by Alfonso: Some days ago someone sent me a link to an opinion issued by the European Data Protection Supervisor dealing with the interface between data protection, competition law and consumer protection. I already expressed some views on this in a post published last year: Data protection and antitrust law (positing my view that there’s nothing new under the sun), but this time I thought it’d be interesting to have the view of someone who’s an expert not only in competition law, but also in data protection stuff. I found the ideal guest blogger to cover this issue: Orla Lynskey, a very good friend, and an extremely promising academic in the field of IT Law who’s been assistant at the College of Europe, competition lawyer at Howrey, case handler at DG Comp, holds a PhD in European Data Protection Law from Cambridge University and is now a lecturer at LSE focusing on data protection and competition law. I leave you with her:

 

In late March the European Data Protection Supervisor (EDPS), an agency which oversees compliance with data protection rules by EU institutions and advises on the development of data protection law within the EU, issued a preliminary opinion on the intersection of data protection, consumer protection and competition law. Both scholars and the EU institutions have been musing on the relationship between data protection and competition law over the past few years. However, despite this attention, it is not yet apparent whether, and if so how, these two fields actually intersect.

Kuschewsky and Geradin have recently published a paper on the impact of data protection in Commission investigations and in particular in dawn raids. The use of fundamental rights as a shield to secure procedural guarantees is now well integrated in competition law (think, for instance, of the integration of ne bis in idem in transnational competition procedures). This narrow intersection between data protection and competition law should therefore come as no surprise.

The EDPS report attempts to identify other areas in which parallels exist, or could potentially exist, between the two fields. For instance, the report highlights that if the new data protection regulation is adopted (a big if at the moment...), both data protection and competition law would apply to entities established in third countries whose actions have effects in the EU. These types of parallels are of course present; however, they merely help us to compare the regimes rather than get to grips with how they intersect. Moreover, some of the parallels identified are less credible than others. For example, I still fail to see anything beyond a very superficial similarity between ‘substitutability’ for the purposes of the HMT in competition law and the notion of ‘compatibility’ in the data protection principle of purpose limitation (according to which data processed for one purpose should not be processed for another secondary purpose which is incompatible with the initial purpose).

Beyond these micro-comparisons, in a second (earlier) paper Kuschewsky and Geradin had set out some ‘preliminary thoughts’ on the bigger issues at stake. In particular, they questioned whether EU competition law can limit the accumulation and processing of personal data and whether personal data could be deemed an essential facility. However, the EDPS report seems to be kick-starting a much more ambitious discussion than that initiated by Kuschewsky and Geradin. It appears to me that the EDPS is querying, albeit indirectly, whether the notion of consumer welfare should incorporate data protection considerations. By this, I mean that competition law would incorporate fundamental rights into its substantive analysis when conducting an investigation under Article 101 or 102 TFEU or examining a concentration under the EUMR. To be very clear, this would mean a departure from a purely economic analysis of consumer welfare. If Commissioner Almunia’s speech on the matter is anything to go by, this is not something the Commission is expecting (‘although Coates refers to this potential intersection – but certainly does not endorse it – in his book on Competition Law and Regulation of Technology Markets’).

I realise that this would represent a radical departure from the status quo and as nobody seems to be willing to move beyond ‘preliminary’ thoughts on this matter, I am merely adding my own ‘preliminary’ observations to the mix (that is a disclaimer in case I change my mind tomorrow).

I see two arguments which support this shift in policy. First, the current consumer welfare standard seeks, inter alia, to facilitate consumer choice. In industries which are heavy on data aggregation – social networking sites, search engines, micro-blogging platforms etc – network effects based on personal data constitute a significant barrier to entry. The monopolisation of these industries, in turn, poses serious problems for the application of data protection rules. In the EU, all personal data processing must have a legitimate legal basis and the legal basis most frequently used by private sector entities is ‘individual consent’. This consent must be freely given, specific and informed. However, the argument has been made (for instance before the Irish regulator in the Europe-v-Facebook audit) that consent to processing by a monopoly cannot be ‘freely given’. While this argument would never fly in the US (for reasons which I shall not explain here), it may have some traction in the EU where data protection rules seek (to little avail) to rectify power asymmetries between the individual and the data controllers. Data protection advocates have long been arguing that competition law should help facilitate actual consumer choice.

More convincingly perhaps, since 2009 data protection has been recognised as a fundamental right in the EU legal order, independently of the right to privacy. As such, it is binding on the EU institutions when enacting legislation or adopting decisions. Failure to respect this right will lead to the invalidity of the measure at stake (as we saw last week when the Data Retention Directive was declared invalid on the basis of its incompatibility with this Charter right). This may well therefore be the trump card.

This being said, there are arguments to be made against the incorporation of data protection and fundamental rights considerations into the consumer welfare standard (and I am sure readers of this blog will be very happy to point them out to me!). The primary objections I can identify are threefold. First, intervention on these grounds looks like punishing dominance and might entail significant interference with the commercial freedom of companies concerned. This should ordinarily be the purview of regulation (although as Dunne noted recently in a JCLE article, ‘regulatory competition’ is on the rise in the EU through the rollout of commitment decisions). Second, it is arguable that this would be another example of the ‘instrumentalisation’ of competition law and that it would be detrimental to the internal coherence of the discipline to incorporate fundamental rights into the substantive analysis of competition law. I have a certain amount of sympathy for this view. Third, it might be argued that data protection regulation should adequately protect the right to data protection of individuals. This is effectively what the Commission stated in the context of the Google/DoubleClick merger and what the Court determined in the ASNEF Equifax case. However, these matters were determined pre-2009 and the constitutional landscape has changed significantly since then. Moreover, it would now seem a little disingenuous for the Commission to argue that competition law does not apply to regulated sectors.

In short, it seems to me that whether competition lawyers agree or not, this preliminary report may be the first baby step towards a more holistic approach to the protection of data protection within the EU. Arguments to the contrary are also welcome, however (I can then include them in my work-in-progress paper!).

Written by Alfonso Lamadrid

21 April 2014 at 10:40 am

5 Responses

  1. Great piece.

    I was just looking again at the original text of the draft Data Protection Regulation earlier today and Article 7(4) is interesting, to say the least: it would have entailed that consent was not a legal basis for data processing if there was ‘a significant imbalance between the position of the data subject and the controller’. This would seem to almost always be the case between a big internet corp like Google and end-users, and echoes the Europe v Facebook argument you mention above and so could have had a debilitating effect on Google et al’s ability to process user data (which of course is a key part of its business model) – since the other legal bases are restrictive and it’s not clear to me anyway that the relationship between the internet corps and users would fit their criteria. Anyway, the European Parliament adopted an amendment to that provision entailing the ‘purpose-limited’ nature of consent, which is still restrictive but evidently not as restrictive as the original text.

    Just an overall comment on this issue (and a spoiler alert for my long awaited/delayed PhD thesis): I don’t think competition law is the right tool to deal with these issues of data protection, privacy, free expression for end-users etc which can be exacerbated by economic dominance/monopoly – but I do think they ought to be dealt with, by other parts of the law/regulation/extra legal solutions.

    angeladaly

    21 April 2014 at 11:50 am

  2. Good post.

    Regarding this matter, do you have any comment on yesterday’s judgment in Case C-131/12, Google v. the Spanish Data Protection Supervisor (AEPD) and Mario Costeja? Could this new “trump card” force a move beyond ‘preliminary’ thoughts?

    jdi

    14 May 2014 at 5:13 pm

  3. Thanks for the comment, JDI. I have only skimmed quickly through the Judgment and, even though it is not a competition Judgment (or precisely because it isn’t…) it does indeed present many issues that could trigger an interesting discussion (and many practical questions as to its practical implementation).

    However, I invoke Nicolas’ wide notion of “conflict of interest” in order to justify not responding to your question: my wife used to work for the Judge “rapporteur” and even if she left a while ago and we’ve never discussed cases, I don’t think I should comment on this one. Orla is much better placed to take the question…

    Alfonso Lamadrid

    14 May 2014 at 6:05 pm

  4. […] to reflect together on the nature, potential and limitations of each discipline in the wake of the EDPS preliminary opinion on these […]

  5. […] users to exercise effective control over their personal data. Against this background, it is often argued that strong competition enforcement could render data protection rules more effective by […]

