Chillin'Competition

Relaxing whilst doing Competition Law is not an Oxymoron

A Brave New World: The Potential Intersection of Competition Law and Data Protection Regulation (by Orla Lynskey)

with 5 comments

Intro by Alfonso: Some days ago someone sent me a link to a an opinion issued by the European Data Protection Supervisor dealing with the interface between data protection, competition law and consumer protection.  I already expressed some views on this in a post published last year: Data protection and antitrust law (positing my view that there’s nothing new under the sun), but this time I thought it’d be interesting to have the view of someone who’s an expert not only in competition law, but also in data protection stuff. I found the ideal guest blogger to cover this issue: Orla Lynskey, a very good friend, and an extremely promising academic in the field of IT Law who’s been assistant at the College of Europe, competition lawyer at Howrey, case handler at DG Comp, holds a PhD in European Data Protection Law from Cambridge University and is now a lecturer at LSE focusing on data protection and competition law. I leave you with her:

 

In late March the European Data Protection Supervisor (EDPS), an agency which oversees compliance with data protection rules by EU institutions and advises on the development of data protection law within the EU, issued a preliminary opinion on the intersection of data protection, consumer protection and competition law. Both scholars and the EU institutions have been musing on the relationship between data protection and competition law over the past few years. However, despite this attention, it is not yet apparent whether, and if so how, these two fields actually intersect.

Kuschewsky and Geradin have recently published a paper on the impact of data protection in Commission investigations and in particular in dawn raids. The use of fundamental rights as a shield to secure procedural guarantees is now well integrated in competition law (think, for instance, of the integration of ne bis in idem in transnational competition procedures). This narrow intersection between data protection and competition law should therefore come as no surprise.

The EDPS report attempts to identify other areas in which parallels exist, or could potentially exist, between the two fields. For instance, the report highlights that if the new data protection regulation is adopted (a big if at the moment..), both data protection and competition law would apply to entities established in third-country whose actions have effects in the EU. These type of parallels are of course present however they merely help us to compare the regimes rather than get to grips with how they intersect. Moreover, some of the parallels identified are less credible than others. For example, I still fail to see anything beyond a very superficial similarity between ‘substitutability’ for the purposes of the HMT in competition law and the notion of ‘compatibility’ in the data protection principle of purpose limitation (according to which data processed for one purpose should not be processed for another secondary purpose which is incompatible with the initial purpose).

Beyond these micro-comparisons, in a second (earlier) paper Kuschewsy and Geradin had set out some ‘preliminary thoughts’ on the bigger issues at stake. In particular, they questioned whether EU competition law can limit the accumulation and processing of personal data and whether personal data could be deemed an essential facility. However, the EDPS report seems to be kick-starting a much more ambitious discussion than that initiated by Kuschewsy and Geradin. It appears to me that the EDPS is querying, albeit indirectly, whether the notion of consumer welfare should incorporate data protection considerations. By this, I mean that competition law would incorporate fundamental rights into its substantive analysis when conducting an investigation under Article 101 or 102 TFEU or examining a concentration under the EUMR. To be very clear, this would mean a departure from a purely economic analysis of consumer welfare. If Commissioner Alumnia’s speech on the matter is anything to go by, this is not something the Commission is expecting (‘although Coates refers to this potential intersection – but certainly does not endorse it – in his book on Competition Law and Regulation of Technology Markets’.

I realise that this would represent a radical departure from the status quo and as nobody seems to be willing to move beyond ‘preliminary’ thoughts on this matter, I am merely adding my own ‘preliminary’ observations to the mix (that is a disclaimer in case I change my mind tomorrow).

I see two arguments which support this shift in policy. First, the current consumer welfare standard seeks, inter alia, to facilitate consumer choice. In industries which are heavy on data aggregation – social networking sites, search engines, micro-blogging platforms etc – network effects based on personal data constitute a significant barrier to entry. The monopolisation of these industries, in turn, poses serious problems for the application of data protection rules. In the EU, all personal data processing must have a legitimate legal basis and the legal basis most frequently used by private sector entities is ‘individual consent’. This consent must be freely given, specific and informed. However, the argument has been made (for instance before the Irish regulator in the Europe-v-Facebook audit) that consent to processing by a monopoly cannot be ‘freely given’. While this argument would never fly in the US (for reasons which I shall not explain here), it may have some traction in the EU where data protection rules seek (to little avail) to rectify power asymmetries between the individual and the data controllers. Data protection advocates have long been arguing that competition law should help facilitate actual consumer choice.

More convincingly perhaps, since 2009 data protection has been recognised as a fundamental right in the EU legal order, independently of the right to privacy. As such, it is binding on the EU institutions when enacting legislation or adopting decisions. Failure to respect this right will lead to the invalidity of the measure at stake (as we saw last week when the Data Retention Directive was declared invalid on the basis of its incompatibility with this Charter right). This may well therefore be the trump card.

This being said, there are arguments to be made against the incorporation of data protection and fundamental rights considerations into the consumer welfare standard (and I am sure readers of this blog will be very happy to point them out to me!). The primary objections I can identify are threefold. First, intervention on these grounds looks like punishing dominance and might entail significant interference with the commercial freedom of companies concerned. This should ordinarily be the purview of regulation (although as Dunne noted recently in a JCLE article, ‘regulatory competition’ is on the rise in the EU through the rollout of commitment decisions). Second, it is arguable that this would be another example of the ‘instrumentalisation’ of competition law and that it would be detrimental to the internal coherence of the discipline to incorporate fundamental rights into the substantive analysis of competition law. I have a certain amount of this sympathy for this view. Third, it might be argued that data protection regulation should adequately protect the right to data protection of individuals. This is effectively what the Commission stated in the context of the GoogleDoubleclick merger and what the Court determined in the ASNEF Equifax case. However, these matters were determined pre-2009 and the constitutional landscape has changed significantly since then. Moreover, it would now seem a little disingenuous for the Commission to argue that competition law does not apply to regulated sectors.

In short, it seems to me that whether competition lawyers agree or not, this preliminary report may be the first baby step towards a more holistic approach to the protection of data protection within the EU. Arguments to the contrary are also welcome however (I can then include them in my work in progress paper!).

Written by Alfonso Lamadrid

21 April 2014 at 10:40 am

5 Responses

Subscribe to comments with RSS.

  1. Great piece.

    I was just looking again at the original text of the draft Data Protection Regulation earlier today and Article 7(4) is interesting, to say the least: it would have entailed that consent was not a legal basis for data processing if there was ‘a significant imbalance between the position of the data subject and the controller’. This would seem to almost always be the case between a big internet corp like Google and end-users, and echoes the Europe v Facebook argument you mention above and so could have had a debilitating effect on Google et al’s ability to process user data (which of course is a key part of its business model) – since the other legal bases are restrictive and it’s not clear to me anyway that the relationship between the internet corps and users would fit their criteria. Anyway, the European Parliament adopted an amendment to that provision entailing the ‘purpose-limited’ nature of consent, which is still restrictive but evidently not as restrictive as the original text.

    Just an overall comment on this issue (and a spoiler alert for my long awaited/delayed PhD thesis): I don’t think competition law is the right tool to deal with these issues of data protection, privacy, free expression for end-users etc which can be exacerbated by economic dominance/monopoly – but I do think they ought to be dealt with, by other parts of the law/regulation/extra legal solutions.

    angeladaly

    21 April 2014 at 11:50 am

  2. Good post.

    Regarding this matter, do you have any comment on yesterday’s judgment in Case C-131/12, Google v. the Spanish Data Protection Supervisor (AEPD) and Mario Costeja? Could this new “trump card” force a move beyond ‘preliminary’ thoughts?

    jdi

    14 May 2014 at 5:13 pm

  3. Thanks for the comment, JDI. I have only skimmed quickly through the Judgment and, even though it is not a competition Judgment (or precisely because it isn’t…) it does indeed present many issues that could trigger an interesting discussion (and many practical questions as to its practical implementation).

    However, I invoke Nicolas’ wide notion of “conflic of interest” in order to justify not responding to your question: my wife used to work for the Judge “rapporteur” and even if she left a while ago and we’ve nver discussed cases, I don´t think I should comment on this one. Orla is much better placed to take the question…

    Alfonso Lamadrid

    14 May 2014 at 6:05 pm

  4. […] to reflect together on the nature, potential and limitations of each discipline in the wake of the EDPS preliminary opinion on these […]

  5. […] users to exercise effective control over their personal data. Against this background, it is often argued that strong competition enforcement could render data protection rules more effective by […]


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: