Competing over privacy?

cevc consulting

Bonn, Germany; Paris, France; Mountain View and Menlo Park, California. European Union (EU) and United States of America (USA). They sometimes seem to be the opponents in the data economy. The recent trial of strength between regulators and major internet companies is an occasion to take a closer look at the legal situation.

The German antitrust authority Bundeskartellamt has recently published a ruling against Facebook. Naturally, the company is taking action against the decision, as it imposes major changes on it in the process of data collection and sharing across different business areas of Facebook. The announcement came about two weeks after the French data protection supervisory authority (Commission Nationale de l’Informatique et des Libertés) imposed a record fine on Google LLC for violating GDPR provisions. For some time now, various activist groups have been campaigning against abuse in this context (amongst others Digitalcourage, Privacy International, CCC – Chaos Computer Club and recently also strongly nyob). These activities alone show the importance and market relevance of data, albeit they are certainly seen differently depending on one’s own world view. The importance of the largest providers (especially Google and Facebook which are sometimes described as duopoly) is underlined by advertising agencies specialising in such platforms for web-based offers on them as well as by the large advertising revenues generated on them. Occasionally there are even demands to develop their own European search engine (even by the state, if necessary, ultimately not successful), or even to smash Facebook.

Similar to the discussion regarding Artificial Intelligence where certain strong voices call to “stop it before it’s too late”, demanding anticipatory regulation, we can also ask whether the data and market regulations are appropriate and how the situation looks like regarding personal freedoms. So we should ask:

  • Is the current legislation on data and the data market appropriate and sufficient?
  • How should regulation regarding data processing and the data market develop?
  • Can we rely on self-regulation or must the public authorities (legislatively) intervene?
  • How should we strike a balance between anticipatory and subsequent (possibly retroactive?) regulation? What is the relationship between free (further) development and the risk of abuse?

Although the law will probably always be lagging behind to some extent, we should work to keep it fit for future. To be more precise, we should continue to develop the law, because the future will continue to develop.

This article takes up the above-mentioned topics in the following sections: first, the characteristics of the environment are examined; second, the currently existing regulatory powers are examined; third, a forward-looking, legal-political standpoint is taken; and fourth, a brief concluding summary is given.

2. The environment

The risk of abuse appears to increase with the strength of the companies. Barriers to enter data and network markets are high. How difficult it is for new players to enter the market is shown by the comparatively rapid takeover of WhatsApp and Instagram by Facebook, as well as the “loyalty” of customers to these networks. Three of the largest social media are now in the hands of Facebook Inc. Distributed and privacy-friendly solutions such as Mastodon and diaspora* are niche phenomena. Alternative providers are often not considered sufficiently user-friendly. Irrespective of graphical and technological user experience, the ultimate argument is: my friends and colleagues are not there. The user base thus remains with the big players such as Facebook despite the many scandals surrounding the corporation.

Inertness of the user base is one of the reasons why you are so important in election campaigns. Where social media can change public opinion, their effect is not merely economic–it touches the very foundations of our society. The large digital corporations are among the companies with the highest market capitalization; their large user base automatically leads to an increase in the amount of data available and thus also in the possible quality of predictions regarding their opinion and behaviour. The market position is automatically strengthened – economies of scale. In the digital world, these are reinforced by the fact that transaction costs are very low, i.e. hardly any additional costs are incurred per additional user.

Take it up now and break-up the corporations? Rather not so quickly: we should not conclude (pre)maturely: another example shows that the traditional valuation standards are partly going astray: With iOS, Apple has an operating system market share of “only” 13.2 %1, but it is still regarded as a decisive player in the smartphone operating system market. Very few major providers afford not to have an app for the Apple operating system. In this respect, the larger competitor system Android is exposed to strong competition despite its large market share: there is no monopoly, one could at most assume a duopoly between Google (Android) and Apple (iOS). The pure market share therefore does not sufficiently reflect the importance. Even with a large market share, there can still be strong competitive pressure. Accordingly, caution is advised when making valuations.

In order to understand the environment and thus be able to make well-founded analyses, it helps to look at the core characteristics of these environments: the network effect (all relevant content, all contacts are there, the audience and customers are there), as well as the lock-in effect (own content is there and moving it is time-consuming) make it difficult to switch providers. The sheer volume of data generated (in particular “observation” of the users of the offer makes it possible to offer outstanding services, for example by better recommendation of relevant content). Last but not least, the strong market presence makes it possible to dictate the conditions. Thus, seemingly, it becomes possible to obtain a full-fledged “voluntary” consent for data processing–because the alternative of non-use is not viable for users. Hence, in the user’s point of view, provider choice is unlikely to be free. The user declares consent, but often under strong peer pressure to use exactly this one tool and thus also to make the corresponding declarations. Public discussion and, under certain circumstances, public intervention are necessary, because it remains questionable whether the competition between companies and battles between them are sufficient. The quick resolution of the recent dispute between Apple on the one hand and Google and Facebook on the other hand underlines this.

2. Existing competencies

The question arises as to whether our existing resources are sufficient to make ground for further development. In order to answer it, it is necessary to have a closer look at the current competencies authorities have in the context of data economy, which are based in competition and data protection laws.

a. Competition law competencies: prevention of market power abuse, merger control, prevention of market concentration in case of mergers

Competition law applies on several levels: at the first level it provides for mechanisms to prevent establishing market concentration. Insofar such dominance arises, competition law imposes restrictions on the company concerned and, to a certain extent, restricts its freedom contract arbitrarily. Finally, there may also be circumstances in which it provides for measures to resolve market dominance.

The law faces such bundled market power in two ways: on the one hand to a prohibition of behaviour and agreements that violate fair competition and on the other hand to the mechanism of merger control (Regulation (EC) 139/2004 and §§ 35 et seq. of the German Law Against Restraints on Competition, GWB). As one data economy example, the purchase of WhatsApp by Facebook, was the subject of a merger decision and approved by the Commission. This was not least because Facebook made certain assurances such as the separation of data between the two business units. In retrospect, the Commission’s evaluation, which focused predominantly on the advertising market and the possibility for users to use other social networks, was not reaching far enough. Nevertheless, the decision was probably correct at the time. In addition, Facebook later interpreted some of the commitments (see para. 182 of the approval decision) differently from the European Commission. It further integrated WhatsApp into the own business. A fine imposed by the Commission, however, did not deter Facebook from further advancing the deeper integration of the various business areas. This shows the difficulty perfectly: in every respect, the virtual world is more difficult to grasp than the physical economy.

Once market dominance has been established, the competition authority can make use of its competencies and intervene in case of abuse. It may then forbid certain activities, as done in the current case. Criticism that abusive practices regarding personal data should only be sanctioned by the data protection authorities is not convincing.2 There is neither an exclusive competency by them nor are the data protection authorities the natural fit for such cases – as they concern data use, but also and predominantly market power abuse and privacy violations are just the means of abusing power.

Difficulties arise in assessing whether a market concentration exists in context of data economy. The market demarcation, which is generally difficult to get right, is further complicated by the fact that there are often multi-sided markets and that the interactions between them are hard to be determined precisely, despite the additional characteristics provided for this purpose (sec. 18 para. 3a German Law Against Restraints on Competition, GWB). In that context a renowned antitrust expert has even raised started questioning the approach of market definition as a whole. However, if a market power is established, the company is subject to specific provisions that should hinder market power abuse. The European Commission as found such a market power abuse by Google Inc.: despite the strong market position of the smartphone operating system Android, the licensing of the Google Play Store, through which additional applications can be loaded onto the device, was linked to the use of other Google services, such as search. Google has appealed the decision, but is required implement its requirements in the meantime. The other side of the coin may be (non-) access to services of market-strong providers. To some extent, the Essential Facilities Doctrine provides access to these. It exists both in the US and in the EU, albeit with different prerequisites in detail. I am not aware of specific cases for the data economy, but I think that one may discuss the required market power regarding several digital services.

“I increasingly get the impression that we are not doing ourselves a favour when we trust in market definition.”
Rupprecht Podzun

In remains to be seen where legal practice is heading in terms of data. In the US, there was a lawsuit for further access to the Twitter data: PeopleBrowser sought to sue continued access to data over Twitter. This was also been discussed in the aftermath in legal academia from the point of view of access to essential data.

Last but not least, competition law also provides for so-called “structural measures”, which can even lead to the breaking-up of companies3. This can range from the unwinding of inadmissible mergers to interventions in the company’s substance may in extreme cases be legitimate under antitrust law. The latter, as already mentioned at the beginning, is occasionally demanded of Facebook, for example. However, as a very invasive measure, it requires special justification in view of the constitutional protection of ownership. This is even more important in light of the fact that breaking-up a company would not automatically eliminate the problem–other offers would follow the market needs. Without setting a suitable framework in advance, they could develop in a way similar to the broken-up company. A mere strong market position can by no means suffice as a trigger. In any case, these measures must be subsidiary to measures impacting behaviour of the comany4.

b. Privacy law competencies

A first-time aspect the aforementioned German antitrust autority’s decision is the fact that it is based, among others, on data protection aspects: the users’ consent to disclosure to other business areas was not granted voluntarily and effectively5. This shows the duality of data protection law: it is designed both as a personal liberty and as a market conduct regulation.6

Independently of the antitrust assessment, data protection law also refers to sanctions suitable for deterrence: In any case, fines of up to 2/4% of turnover or may result out of breaches of data protection regulations. These can be upped to EUR 10/20 million (the distinction is based on which rules are breached) (Article 83 of the GDPR). Furthermore, data subjects can bring claims for damages. In such cases the data processors need to bring evidence to support their claim (Article 82 GDPR). However, to trigger such provisions, the behaviour (in our case, market-relevant one) would need to violate GDPR requirements. This could be the case in several field, however, the most prominent is the legal basis for data processing.

The most apparent legal basis for data processing is consent. First, it has been the focus of communication on the legislative process, second, it closely reflects the objectives of the law and, third, from a data processors perspective, it shows the advantage that effective consent can justify almost any data processing. A virulent point, effectiveness of such consent, remains: Not only can consent be revoked, it is often not easy to implement in practice, because it must be voluntary and it must not be coupled arbitrarily with other statements.

In case of network goods, one could generally question whether consent is voluntary and cab consequently be effective at all: if the benefit of the network is large enough and access is given only after data processing consent has been given, a major part of the potential users feel compelled to agree (“I have no choice”). Under applicable law, that would lead to the consent given not being voluntary and hence being void.7 In any event, the consent would likely be subject to the  prohibition of coupling (article 7 para. 4 combined with recital 42, second sentence, GDPR). Whether a consent can support data processing in such cases, courts will need to finally decide. An alternative for data companies could be to provide choice, real alternatives. In most cases that will not be in their best interest, as their business model core is to collect and exploit data.

Practically, in most cases the only other legal basis will be to justify data processing by being necessary for the fulfillment of the contract (Article 6 (1) of the Lit. c GDPR), that is to include data in the contract as a consideration. Good arguments suggest that this is legally permissible 8, but only as far as it is communicated transparently (Article 5 (1) Lit. a) at the end, Article 13 (1) of Lit. c) Part 2, Article 14 (1) Lit. c) Part 2 GDPR). That said, data processing becomes inadmissible if it exceeds the threshold of market power abuse. In context of such market power, the circle to consent closes: the more dominant a player is on a market, the less likely a user’s consent is to be voluntary. Where no market power abuse is given, data protection law would not prevent processing, rather establish a framework to it (see in particular Article 5 GDPR).

A right to data portability (article 20 GDPR) is given for both legal bases for processing. Due to its limitations, in particular paragraph 4 – freedoms and rights of third parties – and the punctual nature of the right, this will probably not spark much movement of data. In many cases, platforms will not hand out a comprehensive data set, claiming that data point refer to several people and hence cover third parties’ rights. Most usages further imply a temporal component: only what is fresh and up-to-date is interesting, the only relevant platform is the one on which the others are currently active.9 A point-in-time snapshot, as it can be requested under Article 20, does not adequately reflect the potential of the platform. In this respect, data portability is likely to prove to be a very blunt instrument in practice.

The complexity of the requirements as well as the great economic importance of both fines and market dynamics have been the subject of strong debate since the GDPR came into effect. For example, it was asked (and so far not adequately been answered) whether the requirements could ultimately serve the large corporations due to the strong focus on consent, processes and proof, since users can give a clear consent here and then use the offers “unmolested by further queries “, while users rarely frequent smaller websites and could quickly click away the request for consent. 10

We can conclude that the GDPR requirements have potential to steer the market. At the same time, they pose the challenge of being implemented correctly and not excessively. The core of the discussion is whether a concrete legal basis (chosen by the company and also transparent to the data subjects) is the appropriate one to justify data processing. This needs to be examined on a case-by-case basis and, will in many cases remain a grey area due to the lack of case law in the coming years.

c. Appraisal

The existing instruments appear to be effective in their respective areas. However, their scope is limited. Legal practice will need to demonstrate their reach and coverage. Therefore, it remains to be seen whether additional instruments will become necessary.

The current cooperation between competent authorities may be seen as role and may have showcase potential. To manage competition purely through data protection law and the associated authorities would fall short of the legal mandate. At the same time, personal data is so important in many areas that participation by data protection actors is essential. Collaborative efforts will often prove to be difficult in view of administrative laws, still they remain essential. Where different competent bodies work hand in hand – as the decision quoted at the beginning proves – their work will probably prove to raise efficiency and effect.

However, all existing instruments apply downstream and do not allow for advance steering. With future business models and their difficulties yet unknown, this is, in principle, the right thing to do. Forefront regulation would quickly lead to ineffective bureaucracy. The existing requirements are also severely limited in their scope of use. While this is fundamentally correct given their power of intervention, it remains to be reconsidered whether they are sufficient and well targeted.

3. Policy perspective

The limit of jurisdicitional outreach often leads to enforcement problems: National borders do not correspond to the limits of the Internet. However, more and more laws (such as the US FCPA–Foreign Corrupt Practices Act, the British Modern Slavery Act and now the EU GDPR) prove that laws can radiate into foreign legal systems, enforcing certain public policies further away. On the other hand, unilateral national internet legislation may lead to the segmentation of the world wide web into quasi state controlled intranets – which is strongly conflicting with the basic understanding of our enlightened, democratic society. Such tendencies can be seen in several countries lately. In extreme cases, such segmentation will also jeopardise international trade, e.g. if companies will be unable to have trans-border trusted connections.

The specialist regulations come with their own difficulties: Platform economics can hardly be grasped with the classic market definition. The Commission’s decision to merge Facebook and WhatsApp exemplifies this: It is right to consider advertising markets comprehensively, while at the same time individual user users are also affected. In the end, they also feed back to advertising effectiveness and thus the advertising market. Where the network effect kicks in, the role of connections and participants must be considered just as much as the market. Especially in the case of data reinforced network effects such as here, the valuation measures will have to be further developed in the medium run (similarly to paragraphs 2a and 3a which have been inserted into § 18 GWB).

The potentially most highest impact would be introduced by a forced open API (application programming interface) access. It would need to comprehend all functionality that is necessary to establish a continuous exchange of data into and out of the platform. The API must be far reaching enough to enable competing providers to create services which enable an indirect use of the platform by means of the competing platform; that would need to make the original platform’s direct interface superfluous and would need to encompass all activities that can be done on the main platform. However, a question still to be answered is whether the API access would need to cover all offerings by the platform or just the mostly used ones.

An appropriate framework would also have to be put in place for the technical design; This will require further consideration, taking into account findings from the setting of industry standards. Overall, a closer look is likely to show difficulties, but all of them are likely to be ultimately solvable.

Interconnection procedures from telecommunications could serve as a blueprint, although the technical framework conditions are likely to be different. A critical question would be the economic model of such access, what a pricing model could look like. Depending on the setting, this could result in an additional, reasonable business model of its own for platform providers.

4. Summary and consideration

Given existing competition, the current situation in the data economy does not require extreme interference with the market. The decision taken by the Federal Cartel Office also shows that the law provides some perfectly viable instruments against abuse and market failure. The enforcement of the GDPR also gives hope for further readjustment. The enforcement of customer rights is essential for functioning competition as well as in the interests of users. There is still some catching up to do here.

Although current law currently presents itself as being basically appropriate, we should not stop here. It is important to constantly and critically question the existing situation and, if necessary, to readjust. If this is not done, the gap between technology and law would widen. At the same time, it must be done cautiously and wisely, because radical regulation can quickly lead to bureaucracy and thereby hinder the emergence of innovative offers. This would not be in the spirit of competition or in the interests of the people.

While current laws seem functional in principle, we should regularly question the situation and ask ourselves, among others:

  • When is a player dominant?
  • Is market the right perspective on dominance? What other perspectives could we use?
  • Which data is an essential facility?
  • How can we enable new players to enter the market?
  • Does Art. 20 GDPR provide for continuous access and would we possibly need to broaden it?

Further exciting perspectives on the topic can be found in the current CPI (Competition Policy International) Chronicle (February 2019).


 

  1. Third quarter of 2018 figures, see https://www.idc.com/promo/smartphone-market-share/os (15.02.2019)
  2. Such a position is for example taken by Leonid Bershidsky in a commentary on the financial news site Bloomberg (28.02.2019). This view goes astray. Irrespective of the field in which market power is abused, the abuse as such triggers the antitrust authority’s competency. A simultaneous competency of two authorities does not restrict one of them in acting within its competency. The duality only leads to a need of exchange between the authorities (such as it has apparently taken place here). As for the second argument of wrong market determination, the author is completely lacking a rationale. While he states which companies should have been included, he fails to say on what grounds – as opposed to the antitrust authority which clearly explained its reasoning.
  3. The Scientific Service of the German parliament, Bundestag, provides a good overview of the measure in a summary (German only, 17.02.2019)
  4. German law provides so in sec. 32 para. 2  of the Law Against Restraints on Competition, GWB, but this is a matter of course in view of the fundamental right to property, which also protects property against legal interference.
  5. Bundeskartellamt, Prohibition decision of 15 February 2019, docket number B6-22/16 (28 February 2019); abuse of conditions pursuant to Section 19 (1) GWB due to inappropriate data processing
  6. We do not need to discuss whether it now represents a market conduct regulation in the sense of sec. 8 of the German Law Against Unfair Competition, UWG. The regulation contains rules regarding the activites of data processors vis-à-vis their customers/data subject, i.e. it applies externally in face of the market. If one were to reject this, one would implicitly say that data protection violations could not affect markets either–which, however, is undisputed. This view is also presented in the decision by the Bundeskartellamt.
  7. Whether consent is voluntary has to be evaluated based on article 7 GDPR in combination with recitals 42 and 43. Recital 43 states that a strong imbalance imposes doubt on the voluntariness. On page 10, section b) of its decision, the Federal Cartel Office, Bundeskartellamt, also states that market dominance can exclude voluntary user activity. This is in line with the clear statement of recital 42, sentence 5, as to which voluntary action is excluded if the person concerned “has no genuine or free choice or is unable to refuse or withdraw consent without detriment”. Precisely this is not given where market power and a lack of alternatives exist in view of network effects.
  8. see, for example, Paal/Pauly/Frenzel DSGVO Artikel Rn. 21. Under German law, such a consideration would in many cases even be excempt from the regime on General Terms and Conditions (Allgemeine Geschäftsbedingungen) due to it being part of the synallagmatic contractual exchange. However, this possibility ends  where the free play of forces faces very different strengths of the contract partners (see, for example, Medicus, Allgemeiner Teil des BGB § 32 Rr. 473 ff., quoted based on the 1982 edition).
  9. The telephone network can be mentioned as an example: it needed a tipping point of a certain number of reachable destinations in order to be interesting for the masses. The importance of the relationships is also evident in how many people port their phone number to stay reachable as known.
  10. This is a discussion often heard in the community. As one exemplary critique, see Kofler, https://kofler.info/kommentar-zur-dsvgo/ (26.02.2019). The complexity of the topic is also apparent in the presentation of privacy cockpits by the Fraunhofer society, https://blog.iese.fraunhofer.de/digitale-oekosysteme-und-plattformoekonomie-datensouveraenitaet-in-der-praxis/(26.02.2019).