It is debatable whether EU competition law already contains – or could and should potentially develop – antitrust theories of harm that apply to third-party tracking of personal user data on the web. Focusing on data gathering, this paper – available here – assesses two scenarios under which EU competition law may deem the vast amounts of data gathered by certain digital platforms excessive: excessive data “prices” and unfair data policies. In both cases, the competition law assessment is autonomous from other areas of the law: while a breach of data protection rules is not automatically a breach of competition law, a company adhering to data protection rules may still violate competition laws. The paper finds that EU competition law already possesses the necessary tools to address excessive data collection, while data protection rules provide much-needed context for this type of exploitative abuse.
Section II discusses data gathering through third-party tracking.
Tracking occurs both on the web and in applications (apps) for electronic devices. Third-party tracking therefore allows a tracker to harvest extensive amounts of personal user data from a variety of online sources and across a number of different devices, such as smartphones, tablets, laptops and desktop computers. This enables the compilation of comprehensive user profiles.
A handful of companies engage in the vast majority of third-party tracking that occurs on the web or through apps. These “data-opolies” are platforms that dominate the third-party tracking environment in many developed countries. This reflects the fact that third-party tracking is essential to the widespread online business model of providing services for free to one market side, while monetising user data on the other market side – frequently through targeted advertising. Further uses to which personal data is put include the provision of individualised services, price discrimination, and the selling-on of data sets to third parties.
Section III considers the anti-competitive effects of third-party tracking at the data acquisition stage. This discussion can be broken down into various elements.
First, within competition law, there have been powerful calls for antitrust to take privacy-related issues into account, with others voicing strong concerns over such an approach. Regardless, there has been a growing recognition that non-price parameters valued by consumers – such as customer service, innovation, quality and choice – may be just as important for competition as prices. If privacy protection is seen as a dimension of quality, then it may be directly connected to competition concerns.
While privacy is first and foremost subject to data protection rules, such rules do not exclude the autonomous application of competition law to privacy-related practices. While a breach of data protection rules does not amount to an infringement of competition law, such a breach is not a necessary condition for finding an abuse in connection with third-party tracking either. While data protection may inform the assessment of behaviour perceived to be anti-competitive, the competition law assessment of such behaviour is self-sufficient. As privacy and data accumulation can be assessed under competition law, so can data collection through third-party tracking be subject to antitrust scrutiny as well – including where excessive gathering of personal user data through third-party tracking constitutes an exclusionary or exploitative abuse of a dominant position.
Second, cases that involve third-party tracking need to address the question of which relevant market they refer to, and whether a company holds market power in that market. In cases where data from third-party tracking is sold on, this data brokerage may constitute the relevant product market for antitrust scrutiny. However, where user data harvested through third-party tracking is used exclusively for in-house purposes – such as targeted advertising or improving services – no antitrust product market for data can normally be established. In order to overcome this obstacle to market delineation, several options are available. It may be worthwhile to look at third-party tracking from a user-tracker perspective, with (personal) data provided by the consumer replacing monetary payments. Another way of conceptualising this market is to look at the relationship between the third-party tracker and the (“first party”) website or app, and to take this network of commercial relationships as the fulcrum of the antitrust inquiry. Another possibility is to regard data as its own (potential) relevant market, even where it is not (currently) traded as such. As regards market power, a company can derive market power from its ability to gather up-to-date personal information on users across platforms and devices, to analyse these vast amounts of data and to subsequently monetise that data through targeted advertising and other means.
Assuming these conditions are met, the question is whether an abuse can be made out. One possibility is for excessive data collection to amount to an abusive practice. Where sets of personal user data can be ascribed a market value, excessive data collection can be treated similarly to an excessive pricing abuse. Competition law may allow for such an analogy where the criteria for excessive pricing as established in the case law – namely the price is both unfair and excessive when compared to the economic value of the product – are fulfilled by data gathering practices. Applying this test to excessive data collection, a first step will be to look at whether the amount of personal data gathered through third-party tracking (the price paid by the user) is reasonably related to the service that the user receives in return (the product’s cost to the service provider and its economic value). A second step would be to determine whether the amount of collected data is excessive in absolute or in relative terms.
Another possibility is for excessive data collection to amount to an unfair trading condition. As a first step, addressing excessive data collection as an unfair trading condition requires antitrust enforcers to qualify contractual terms agreed upon between platforms and users where third-party tracking is provided for as trading conditions. Subsequently, it must be assessed whether these trading conditions are absolutely necessary to achieve the objective of the agreement between the data-gathering platform and the user. One would then look at whether the contractual terms are inequitable, which the author reads as a requirement that the obligations imposed on users to divulge their data should not unfairly limit their right to privacy, as guaranteed by the EU Charter of Fundamental Rights and the GDPR. For personal data, unfairness in relation to data collection may result from third-party tracking that goes beyond users’ reasonable expectations at the time of their consent to this practice, also bearing in mind the context within which that data is being collected. Data protection principles may be helpful in determining whether the extensive and comprehensive acquisition of personal user data through third-party tracking should be deemed unfair, since EU data protection law rests on a broad understanding of fairness, which includes individuals’ ability to control their personal data and in the minimisation of data collection.
Section III also considers the German Facebook decision.
As regards excessive data collection, Germany may be a special case for several reasons. First of all, the German Bundesgerichtshof has long held that a conduct’s unlawful behaviour in an area other than competition law may result in the finding of an abuse of dominance. In a case decided in 2013, this court found that a dominant company’s reliance on unlawful terms and conditions could amount to an abuse of a dominant position, particularly where the agreement on the terms and conditions was a consequence of the company’s market power. By analogy, a breach of data protection rules may also be relevant for competition law under the German approach. Furthermore, the German legislature passed an amendment to the German Competition Act in 2017, under which access to data that is relevant to competition will need to be taken into account when assessing a company’s power in platform markets.
It was in this context that the German Bundeskartellamt subjected Facebook’s terms of service to competition law. The case does not concern data that Facebook collects from within its social network. Instead, it focuses on data Facebook gathers from third-party sources, including digital services owned by Facebook (e.g. WhatsApp or Instagram) or third-party websites and applications that run Facebook APIs. Rather than developing a stand-alone theory of competitive harm in relation to Facebook’s data policies, the theory of harm in this case very much relies on Facebook’s violation of the values enshrined in data protection rules. The Bundeskartellamt considered that its terms of service enable Facebook to collect and process extensive amounts of user data from outside its social network in breach of European data protection principles, especially as users were not aware of the extent to which Facebook could collect their personal data.
However, the focus of competition law should be on the anti-competitive harm, which may occur irrespective of whether or not there is (also) an infringement of data protection rules. This is reflected in the lively discussion that has erupted in Germany as to the causal link that the Bundeskartellamt needs to establish between Facebook’s market power and the users’ acceptance of its data policy, particularly as the case concerns an alleged exploitative abuse. The appeal court found that the Bundeskartellamt has not shown the required causal link.
Section IV reflects on what the future may hold for the application of EU competition law to the vast amounts of data gathered by digital platforms.
Competition policy has long grappled with the role that data protection and privacy can play in it. For the time being, national competition authorities are leading the way in exploring whether and how competition law may confront some of the data practices that data-opolies employ. The analysis above suggests that EU competition law already provides the necessary tools to do so.
Third-party tracking may impinge on consumer welfare where consumers who value their privacy divulge vast amounts of personal data to data-opolies without any knowledge as to the extent of the trackers’ data harvesting. The data gathering practices of dominant players might also be driving out smaller competitors that do not have the ability to impose such far-reaching privacy terms on their users, particularly as market tipping can reinforce the data advantage of successful platforms. If user privacy comes to be understood as forming part of consumer welfare, data collection through third-party tracking is susceptible to attract antitrust attention. Such a development may well permeate competition law in years to come.
This paper is a companion piece to a paper the author wrote with Ariel Ezrachi which I reviewed here. In my review of that paper, I queried whether it could not have gone further in its analysis, particularly as regards exploitative data abuses. I suppose this paper acts as an answer to this question – in a thoughtful, careful manner.
I felt that the paper was a reaction to the German Facebook case, and that it tried to go beyond it by developing competition-specific theories of harm. Unsurprisingly, these theories of harm are controversial (and are currently being challenged in court). In addition, it strikes me that the author’s attempt to transpose the German antitrust approach on unfair contractual terms to the European realm – even if building solely on EU case law – is likely to be even more controversial.
The controversy surrounding such theories of harm is not specific to this paper, but extends to any argument to the effect that the unfairness of a commercial practice provides a basis for antitrust liability. It is obvious that unfairness is a relevant consideration under the EU competition law doctrines the author relies on. Nonetheless, unfairness as a legal test needs to be limited, and for competition law’s purpose, we assume that limiting principle is related to consumer welfare. One concern I have in this respect is that it is not at all clear that these practices detrimentally affect consumer welfare – after all, privacy is not money, and people spread information about themselves much more freely than they do money. That is why I originally felt – perhaps mistakenly – that the Bundeskartellamt felt the need to rely on data protection standards, and why the Italian authorities chose to apply consumer law to these practices: those rules assume that data users’ interests are affected by the prohibited practices in ways that competition law simply cannot. While the author addresses the interaction between competition and consumer/data protection law, I think the choice of what is the best regulatory approach to these practices – and what are the limitations of competition law in this realm – are important questions that would benefit from more detailed discussion.
Finally, one matter that is not specific to this paper, but has been nagging at me when reading most papers on competition and data/privacy, is that these papers tend to define markets without reference to empirical phenomena. While I am sympathetic to the idea that market definition is a construct with the objective of making it easier to identify anticompetitive effects, the fact remains that such definition requires an evaluation of empirical data concerning the relevant competitive parameters – i.e. this is not a construct that we can freely manipulate to address effects or concerns that would otherwise fall outside the scope of competition law. I have no principled objection to data-related markets, but it concerns me that market definition keeps being presented as something to be manipulated by enforcers, as if markets could simply be ‘found’ at will.