PRIMACY OF PRIVACY: CONFLICTS BETWEEN DATA PROTECTION & COMPETITION LAW IN REGULATION OF BIG DATA
Updated: May 17, 2020
This post has been authored by Avni Devgan. Avni holds an MSc. from the University of Law, Manchester and an LL.B (Hons.) from the University of Manchester.
Demystifying Big Data
The past decade has been underpinned by extensive digitization of data and information, which is evident in the fact that the global creation of data and information has grown 25 times, from 2 zettabytes in 2010 to 50.5 zettabytes in 2020.[i] This rapid growth in the creation of data has encouraged the extensive commercial application of data as well, leading to the advent of Big Data. Apart from being a relatively elusive concept, Big Data is particularly hard to define because of its dynamic nature. Big Data is dynamic because it comprises sets of data which are highly complex, differentiated and large, and therefore, cannot be processed by ordinary systems of data processing.[ii]
For corporations and businesses, the inherent benefit in the use and application of Big Data is that its value increases as the nature and variety of data expand to create progressively larger data sets.[iii] For example, with the passage of time, businesses can enhance the basic biographical data that they collect from users, including name, age and location, with behavioral data, including types of content browsed, time taken to navigate a webpage, and search history, to create sets of data that are increasingly personalized, specific and variegated.[iv] Such data can be commercially applied in a number of ways, from targeted advertising to data-driven political campaigning, which is why Big Data has immense commercial value and is widely referred to as ‘proxy for price’.[v]
Privacy v. Competition: Understanding the Jurisdictional Conflict
If data is a proxy for price, it can be argued that the ordinary rules of competition law will need supplementation to adequately regulate data-driven businesses. This is because such businesses are distinguished by the value of their data sets rather than the price of their services or their turnover,[vi] which is why it is essential that the assessment of anti-competitive behaviour in Big Data businesses includes the careful consideration of non-price factors, including the strength of privacy of data.
However, a key area of conflict in a privacy inclusive competition assessment is determining when competition concerns have primacy over privacy.[vii] Simply put, as a competition regulator, in what circumstances will a dominant firm be asked to compromise privacy to remedy their anti-competitive behaviour, or be reprimanded for breaching privacy as a means to gain a competitive advantage.
A Wider Perspective- UK, EU and Germany
The jurisdictional conflict between data protection and competition law has presented itself globally in a number of ways. After clearing Apple’s acquisition of music recognition SaaS.[viii] company Shazam, the European Commission (EC) expressly recognized the importance of data in the digital economy and confirmed that the EC found it essential to scrutinize whether Apple’s acquisition of Shazam’s data sets would adversely affect competition in the digital music streaming market.[ix] An important area of the EC’s investigation was whether acquiring Shazam’s data sets and merging with them with Apple’s data sets considerably enhanced Apple’s ability to target customers in comparison to its competitors.[x] Importantly, this approach was adopted shortly after the EC fined Facebook €110 million after Facebook misled the EC about its ability to automatically merge its data sets with that of Whatsapp, whom Facebook had acquired for $21.8 billion.[xi]
When the UK’s Competition and Markets Authority (CMA) found that energy firms restricted competition by refusing to share customer data when customers shifted to alternate energy providers on the basis that doing so would infringe their privacy, the CMA adopted an arrangement wherein the firms were forced to share data as a remedy for their anti-competitive practices.[xii] Notably, this decision clearly presents the conflict between data protection and competition law, and the circumstances in which regulators will find breaching privacy as an acceptable measure to maintain competition in the market. In a bid to take steps towards regulating competition between digital platforms, the CMA released an interim report in December 2019 that outlined a range of interventions that the CMA could adopt to combat the dominance of digital behemoths like Google and Facebook.[xiii] A proposed intervention, which the CMA self-admittedly considers intrusive, includes breaking up vertically integrated firms, including Google, to cease the seamless flow of data between their advertising and data collection businesses.[xiv]
A common conundrum in investigating data-driven mergers is the low turnover of the companies involved, which despite having a significant impact in the market, can evade competition investigations as their turnover falls below the specified thresholds.[xv] To overcome this conundrum, the German competition authority, the Bundeskartellamt, set its turnover threshold for merger investigations at €400 million so that transactions between data-driven and digital companies with a significant impact on and presence in the German market would fall under their purview.[xvi]
Significantly, a scenario where privacy concerns took precedence over competition concerns was when the Bundeskartellamt made a landmark decision in 2019 to prohibit Facebook from combining user data from Facebook-owned services and third parties without users’ voluntary consent.[xvii] Saliently, the basis for the Bundeskartellamt’s decision to impose this special obligation on Facebook was borne out of the fact that Facebook was the dominant social media platform in Germany, and would therefore need to comply with an extended range of competition laws that regulate the extent of Facebook’s dominance.[xviii]
Tailoring to Tech: The Indian Perspective
Unlike its European counterparts, the Competition Commission of India (CCI) has indicated its hesitation to infringe upon the jurisdiction of data protection authorities in competition assessments. For example, when Facebook acquired Whatsapp, and the transaction was under a competition assessment by the CCI, despite allegations of Whatsapp breaching users’ privacy by sharing its data sets with Facebook, the CCI refrained from assessing this behaviour as potentially anti-competitive.[xix] However, a change in attitude seems to be enveloping the Indian judicial system in more recent times. In Puttaswamy, the Supreme Court analysed the European approach to privacy and subsequently held that the right to privacy is a fundamental right in India.[xx] Consequently, the Supreme Court held that data can only be collected for legitimate aims in a manner that is proportionate to the achievement of such aims.[xxi] However, the specific application of this judgement on the collection of Big Data and when its commercial use is considered legitimate remains to be seen.[xxii]
To evolve and adapt to the increasingly digital landscape of the Indian economy, the Ministry of Corporate Affairs came out with the draft Competition (Amendment) Bill 2020 and invited comments from the public for the same in February 2020.[xxiii] A welcome provision in the Bill is the inclusion of sector-specific merger thresholds, similar to Germany, which shall allow the CCI to set lower thresholds which are able to capture digital transaction between companies with low turnovers but commercially valuable data sets.[xxiv] However, the Bill disappointingly leaves out key provisions that would allow the CCI to undertake competition assessments based on non-price factors, including privacy, either alone or in conjunction with data protection authorities.[xxv] In the absence of such provisions or a genuine initiative by the CCI to include infringements of privacy in assessments of anti-competitive behaviour, the conflict between data protection and competition law in India shall only persist.
Conclusion: When Should Privacy Win Over Competiton?
The right to privacy should be balanced against competition concerns on a case-by-case basis with a keen analysis of the facts and intentions of the firms under investigation. Coordination between competition and data protection authorities is vital to rapidly and adequately capture excesses by Big Data businesses. Most importantly, understanding that Big Data businesses can escape the traditional principles of competition law and modifying competition regimes to specifically capture Big Data transactions is the need of the hour.