Discussions about ‘breaking up’ large Internet technology companies such as Amazon, Facebook, and Google are putting pressure on regulatory authorities on both sides of the Atlantic to investigate firms whose size and capacity to generate profit from data continues to grow. This dialogue is prominent in the European Union (EU), where competition, consumer protection, and data protection authorities are addressing these tensions in different ways. Drawing on recent legal action involving Facebook and the German Federal Cartel Office (Bundeskartellamt), this piece will weigh in on the opportunities and challenges of using competition law to bolster privacy rights.
EU competition law is designed with the objectives of protecting competition and promoting consumer welfare across the internal single market. While the European Commission monitors a host of issues related to competition, each member state has a national competition authority dedicated to enforcing EU competition law and relevant domestic laws. The primary basis for EU competition law is established in Articles 101 to 109 of the Treaty on the Functioning of the European Union (TFEU). These articles emphasize the importance of regulating mergers and legal agreements between firms as well as investigating the abuse of dominant positions.
Distinctive from the predominantly economic concerns that drive competition law, European data protection law is “linked to the dignity, autonomy, and privacy of individuals.” EU data protection law builds on the individual rights to private life and the protection of personal data, which are enshrined in the Charter of Fundamental Rights of the European Union. Today, the 2018 General Data Protection Regulation (GDPR) is the central framework for EU data protection law, which extends to all EU citizens regardless of where data processing takes place. The GDPR sets out principles for data protection that are monitored by the European Data Protection Board (EDPB) and applied by national data protection authorities (DPAs).
Intersections between competition and data protection have gained increasing attention over the past several years. In particular, companies like Facebook and Google are offering ‘zero-price’ products and services to consumers in exchange for the opportunity to gather and monetize data about them. At the same time, these large Internet technology companies are actively acquiring smaller competitors and combining their data assets. Thompson and Wu have argued that “companies like Google and Facebook are, in reality, the products of hundreds of mergers.” Recognizing these trends, the European Data Protection Supervisor (EDPS) observed that:
“The lack of interaction in the development of policies on competition, consumer protection, and data protection may have reduced both the effectiveness of competition rules’ enforcement and the incentive for developing services which enhance privacy and minimize potential for harm to the consumer.”
These concerns have been mentioned during merger proceedings convened by the European Commission, including the Google/DoubleClick and the Facebook/WhatsApp mergers, which resulted in large amounts of data being combined and used by the acquiring entity. Despite efforts to confront the intersections between competition and data protection, there are clear grey areas in European laws and regulatory decisions – prompting debates at the national level. One example includes the ongoing legal dispute playing out between Facebook and the Bundeskartellamt.
As Germany’s national competition authority, the Bundeskartellamt is responsible for enforcing the TFEU and the German Competition Act (GWB). Under Section 19(1) of the GWB, the Bundeskartellamt can investigate the conduct of firms if there is evidence of a dominant position and abusive conduct. The Bundeskartellamt initiated proceedings against Facebook in March 2016 based on concerns that the firm met both of these conditions – kickstarting a multi-year enquiry into Facebook’s data processing activities. The investigation concluded with a formal decision in February 2019 that ordered Facebook to terminate all data processing activities in Germany. Interestingly, the Bundeskartellamt used a combination of competition and data protection-related concerns to justify its decision, arguing that Facebook’s data processing activities “violate the stipulations of the GDPR and are abusive within the meaning of Section 19(1) GWB.” Facebook immediately appealed the decision to the Düsseldorf Higher Regional Court, which temporarily suspended the order to prohibit data processing. During the appeal process, the Düsseldorf Higher Regional Court expressed doubts about the legality of the Bundeskartellamt’s investigation. Yet the Bundeskartellamt stood behind its original position and appealed to Germany’s highest court, the Federal Court of Justice. In June 2020, the Federal Court of Justice provisionally upheld the position of the Bundeskartellamt, which reopened debates on whether or not competition law can (and should) be used to bolster privacy rights.
There are parallel dialogues taking place across the Atlantic that can put these tensions into broader perspective. The Canadian Competition Bureau, for example, recently suggested that it could use competition law as a basis for issuing fines to organizations that “make false or misleading statements about the type of data they collect, why they collect it, and how they will use, maintain, and erase it.” Several U.S. government officials have also argued in favor of using competition as a basis for regulating the data collection and data processing activities of Internet technology companies. Among them, Senator Elizabeth Warren has been vocal about the need to ‘break up’ large companies like Google, Facebook, and Amazon, which could “put pressure on big tech companies to be more responsive to user concerns, including about privacy.”
On the one hand, using competition law to bolster privacy rights can help address legal and regulatory grey areas not only in the EU but also around the world. Commentators such as George Washington University professor, William Kovacic, have noted that Germany’s approach is “ambitious” and that “the law does not move forward if you always adopt a cautious view of your authority.” On the other hand, implementing these approaches in practice can blur the boundaries between regulatory frameworks and authorities. Marco Botta and Klaus Wiedemann of the Max Planck Institute have identified early signs of this confusion in the EU, where the German competition authority and the Italian consumer protection authority have used contrasting approaches to sanction Facebook for their data processing activities. Using competition law to reinforce privacy rights also fails to address deeper structural transformations stemming from the capital accumulation of data and the growing size of large technology companies.
There are alternative approaches that could offer productive paths forward as the digital economy continues to evolve. Among them, Viktor Mayer-Schönberger and Thomas Ramge have proposed a data-sharing mandate that “would leave these companies intact but require them to share anonymized slices of the data they collect with other companies.” In February 2020, the European Commission published a European Strategy for Data that appears to favor this general approach but it is too soon to tell how these tensions between competition and privacy will play out on both sides of the Atlantic. In the meantime, all eyes are on Facebook and the Bundeskartellamt as the multi-year legal dispute continues to unfold.