IGF 2021 – Day 1 – Lightning Talk #60 The role of privacy in antitrust policy in highly data-driven markets

The following are the outputs of the captioning taken during an IGF virtual intervention. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid, but should not be treated as an authoritative record.

***

 

>> We all live in a digital world.  We all need it to be open and safe.  We all want to trust ‑‑

>> And to be trusted. 

>> We all despise control.

>> And desire freedom.

>> We are all united. 

>> JALAJ JAIN: Greetings, everyone.  I must thank you all for joining our talk on behalf of the Institute of Internet and the Just Society.  I am Jalaj Jain, pursuing law at the National University of India.  I am a researcher with the Antitrust and Big Data Research Cycle of the Institute, specializing in blockchain and data protection.  Good morning, good evening to everyone who is here, and I hope you're having a good, good day. 

So, the Institute for Internet and the Just Society is a think tank based out of Germany, connecting civic engagement with interdisciplinary research focused on fair artificial intelligence, inclusive digital governance and human rights.  As part of the Institute, more than 100 researchers at any given point in time are researching and contributing to providing cutting‑edge research for betterment of the society.  The Antitrust Cycle works regularly to promote fair and just competition, which has been severely affected due to the privacy concerns and big data in recent times.  Over the past year, our cycle has worked very hard to essentially push this agenda that we have to have fair competition and, obviously, this event is part of many efforts that we are trying to make. 

Today we are joined by two fantastic speakers, Mr. Mario Moyron and Ms. Nidhi Singh.  Mario is a Mexican lawyer with studies in Europe who practices at AXA, the technology division of the AXA Group in Paris.  He is also a member of the IAPP and a writer for some Latin American journalists.  Nidhi is a lawyer and specializes in composition laws.  She holds separate degrees from Oxford, Harvard, and Stanford.  She serves as a Deputy Director for Center for Competition Law and Policy and is based out of India.  They are going to be speaking about the role of privacy and antitrust policy in highly data‑driven markets. 

I also must thank Mr. Marco Schmidt, who is essentially a law graduate from University in Germany and currently a candidate at the university in Netherlands.  He is basically preparing the report for today's event.  And I must apologize in advance for butchering the pronunciation of the words.  So, yeah.  So, I think, Mario, why don't you begin? 

>> MARIO TAVARES MOYRON: Yes, thank you, Jalaj.  Thanks to everyone for joining.  I see some familiar faces, and I'm glad to see you guys there.  And thank you to you, Marco, and Jalaj, for organizing, and for all the people in the Cycle of Big Data and Antitrust also for supporting us.  I'll try to be as quick as possible because this is a never‑ending story, and this will be basically just an effort to outline some basic principles for what we believe that will be then endeavored as a bigger project for the Institute.  But our conversation is framed in the context of many cases of e‑competition law that you probably are very aware of.  And one constant item that has been always underlined in these type of cases is data as a value for large tech companies. 

My purpose for today's conversation will be in the framework of first that this is a basic conversation to focus on whether privacy should be considered as an element for consumer welfare, and if so, how to incorporate it, how to internalize it into competition policy.  And please note, of course, there are different glasses to look at this.  One might be from the law and economics, the other might be the doctrine of human rights.  I'll try to be between the two of them, because otherwise, it will be impossible to remain objective. 

And keep in mind that the right of data protection is a fundamental right, together with privacy that is acknowledged not only by specialized regulation like the GDPR in Europe, but also by local constitutions and international treaties.  And what we believe is that competition authorities should now consider privacy in a different scope, because things have changed, and the main reason for this has been technological development.  This has had an impact on law and regulations, and now they need to rethink how data can be relevant for purposes of carrying out their own investigations in the context of antitrust. 

Something else to mention is antitrust agencies have been attacked for using data protection as a part of their analysis because they are said to be outside of their scope.  I believe that antitrust agencies are already following some studies of substantive subjects of law that are not competitional law, such as intellectual property in the case that this is also relevant for purposes of the competition assessment, and the same should be happening for data protection. 

Now it goes beyond this, because data is not only valuable asset in certain cases for certain transactions, but it's also a fundamental right.  And our ambition is that data protection or privacy should be taken care of even by competitional authorities before, during, and after the assessment of a competition analysis. 

Data‑driven markets, I believe that you are very familiar with this.  The particularity that they have is they use data as an advantage.  Sometimes this becomes a barrier to entry, and sometimes you can also think about data as an essential facility for purposes of becoming, let's say, a bottleneck that doesn't allow other companies to develop in the same conditions in a given market.  There are several arguments to, let's say, tackle the idea that privacy could be considered as a part of consumer welfare; first of all, because some people say that data subjects for people are willing to give up on their privacy in exchange for a free service.  This is a very conflicting idea.  And I will not delve into it, but it is true, there is another separate debate about the intrinsic value to data and whether a specific piece of data changes its value depending on the people, depending on who the data subject or the owner is, but that's for another story. 

And keep in mind that one of the central purposes of competition policy is to maximize consumer welfare, which is basically the purpose of this conversation.  The problem with this one is that consumer welfare will be read in terms of that which brings satisfaction to the consumer, which is a bit abstract to analyze.  Privacy, in my view, should be considered as a possible element for consumer welfare, not because only it's a human right acknowledged by local constitutions, but also because now it is an element for the design of solutions and services.  Today you see in your mobile applications for any possible reason, a design of privacy, while also the GDPR calls privacy by design and privacy by default.  And I believe that is important that competitional authorities use this notion as a part of their assessments. 

So, let's just put an example to make it a bit more dynamic.  You might remember that by 2017, I guess, there was this investigation by the European Commission for a merger of what Facebook and WhatsApp.  Let's just say that in a nutshell that the competitional authority considered that there was no big deal that there was no issue for this merger to happen because these two companies, even if they were providing different privacy, privacy setup, they were belonging to different markets; notably, the one from social networks and the other for messaging applications. 

In my view, which is only personal, of course, this view was a bit mistaken, because the Commission failed to assess that, actually, these data had a specific value, which I said before, depends on a case‑by‑case basis, but because then that led to some negative effects in regards to the data subject rights by the main undertaking. 

And there's two elements where I would like to focus quickly for how privacy should be internalized in competition policy.  So, first one is, of course, that it is a behavioral component for companies.  This means how they carry out their practices in regards to collecting data and processing data.  And the second one, it's about the competitional authority's interaction with supervisory authorities of data protection.  This is what I call the dialogical regulatory function.  So, for when it comes to the second one ‑‑ because the first one I think is very intuitive ‑‑ in digital markets, the analyzers of personal data is fundamental, but not only as an element to assign value to a transaction, but also for the supervisory authorities to take care of fundamental rights that are at stake.  Competition policy should allow authorities to develop legal assessments on the regulations that are not necessarily theirs, which sometimes it's a bit problematic for the other authorities, when this is relevant for the core investigation at stake, meaning when data and the data processing activities are relevant for a competition docket. 

At the same time, I believe competition policy should establish a minimum basis for this cooperation to happen between competitional authorities and data protection supervisors, whenever these data can be used to determine, for instance, substantial market power or dominance in this dialogical function that I mentioned before.  I think this could mean material overlap, and this is relevant because in some jurisdictions, this may lead to court disputes where these two offices are trying to settle who should be the one that is relevant for a given transaction, and these normally can alert also the companies that would have been otherwise subject to an investigation, and then they can take their necessary measures, let's say. 

I know that there's no vast empirical evidence to support this view, which I said before, it's only personal, but I'm going to use one example that I believe is exemplary for this, and it's from 2019.  Well, it started in 2016, but it's still going by the German Competition Authority.  I know that you guys probably know very well the story, but the Bundeskartellamt determined Facebook was abusing its domination in the market of social networks because it was exploiting the data, that it was not fully, let's say lawfully, collected from the users.  They were merging certainly data sets and using it for creating super profiles for targeted advertisement, not also to mention that this data was collected from third‑party websites.  There was also a component of possible leakage of the data.  And let's say the APIs that were functioning for purposes of sharing the data were also just the "like" button and the "share" button. 

So, they considered that because of this, there was a need to carry out an assessment of the data processing activities by Facebook, and in such regard, they had to analyze and study the GDPR.  Keep in mind that all this information was afterwards shared with the Irish Data Protection Commissioner because they were the main supervisory authority for Facebook as they have the main address in Dublin.  But what's interesting was the reaction of the Data Protection Commissioner where I will not delve into today, but also, why they decided there was a reason to look into the analysis of another legal framework, not only the legal consultation law.  They also found there was a need to enter into the civil doctrine.  They were using one that is related with abusive contractual terms, according to which, basically, an abusive commercial term exists where one of the parties in a contract has substantially more power than the other one, they can prevent the weak party to negotiate, let's say, in good flexible terms.  And whenever this happens, it has an impact in constitutional rights, when this happens, then this means that the Court should intervene to settle down and protect actually the fundamental rights of the individual that is the weakest party in the negotiation. 

So, the authority in this case found that when investigating companies relying on big data, competitional authorities ‑‑ and this is, again, my view ‑‑ should assess the data processing activities to test their level of compliance with the data privacy laws, and they should safeguard that constitutionally acknowledged rights are protected.  Keep in mind, of course, that it's also true that this framework of European ‑‑ what is called the single digital market in Europe ‑‑ is already forecasting some of these elements, the digital services second, the markets already foresee some of these elements.  And the German Competition Act was recently amended.  And now Section 19a is incorporating some of these elements as well for the internet tycoons, let's say.  But I believe this is a matter that is regardless of the jurisdiction, and these companies are operating all across the world, so we should be wary about how are we managing this at the local level, because it's not only Europe and the U.S. that wants that will be conducting in the future these types of investigations and the ones that should be taking into account also the data protection regulation. 

So, now, just to try to finalize this, because if not, I'm going to take all the time.  The same can be said ‑‑ let's say that if incorporated data privacy as an element of consumer welfare, of course, on a case‑by‑case basis, this could nudge the competitional authorities to actually study procedural deficiencies in how the data is collected, together with the scope of data processing activities carried out by the company subject to a competition analysis, and thus, of course, influencing what will be the output in the context of a merger, in the context of determining potential anticompetitive behaviors of the companies.  I think this is more or less what I wanted to outline.  Of course, we may delve into specific elements of what I just mentioned, but for purposes of keeping this simple, I'll give the word back to Jalaj, and then we can discuss again during the Q&A. 

>> JALAJ JAIN: Thanks a lot, Mario.  I think that's a completely different perspective I haven't heard in a while from a private sector person.  So, all right. 

Next up, we have Nidhi Singh.  Before that, I would remind the audience, after Nidhi's remarks, we will move on to the Q&A, so start dropping your questions in the chat box and I will recognize the questions then.  So, hi, Nidhi. 

>> NIDHI SINGH: Hi.  Thank you so much, Jalaj.  Picking up from where my colleague left.  So, as rightly argued by Mr. Mario, that digital environment as such has brought some sort of a drastic regulatory and legal transformation that require competitional authorities to sharpen their vision during procedures such as merge analysis, because of the kind of access these tech companies have to our data. 

Now, setting the stage for that, I pick up from here, and what I would want you to appreciate is that just like competition law has written as inherent conflicts with IPR, or for that matter, consumer law.  The current interface we see with data privacy also raises concerns within the domains of antitrust.  Now, the digital economy has made this tension between antitrust and data privacy more pronounced and noticeable, but you will notice that if data, on one hand, fuels competition in the economy, it comes along with a trade‑off that compromises on privacy. 

As also argued rightly by Mario, there are well-developed laws within various jurisdictions that has upheld privacy separately as a matter of right.  And I echo his reviews in this regard and would like to bring before you the complex reality that we have seen over the past two decades, wherein data privacy law can be seen overall as a separate domain of law in itself. 

Now, the digital world that you see today holds a large amount of big data which are being shaped by both antitrust and data privacy concerns.  Current times, if you see, is complete with examples of digital platforms like Facebook, Google, Apple, Amazon, that have faced the scrutiny of the effects of antitrust authorities from Asia, Europe, and the United States. 

What I want to take you through is that the privacy considerations that we see, those considerations can be considered a form of a non‑price competition.  That is especially important in industries where services are offered for free.  Now, instances have been seen where firms can compete by offering title, or for that matter, transparent privacy policies, and this acts as a competitive advantage for them.  However, in case of mergers, if you see, if the entity ‑‑ say, for example ‑‑ becomes dominant, the dominant form can harm consumers, as it has no incentive to ask such invest in privacy.  With the increasing number of big data‑related merger cases we see today, there has been a sharp increase in the potential harm that has mainly arisen on account of acquiring getting access to the underlying data, set of the target company. 

What I feel, and in my view, antitrust authorities in such scenarios need to examine transactions in light, if it is also likely to reduce incentives to compete in providing privacy to consumers.  I would like to substantiate this claim with an example.  For example, in the Google‑DoubleClick Case, while rendering a dissenting opinion, the Commissioner had remarked that privacy could be cognizable under the antitrust laws.  Having said that, it is also important to note that transactions under given circumstances could lead to some sort of an improved product, improved quality, lower prices, and greater innovation.  And this could be only possible on account of the access of the amount of the data they have. 

I would like to bring you to a prominent author, Erica A. Douglas, who recently in Yale Law Journal argued that there are two specific areas of tension emerging between data privacy and antitrust law in the digital economy, and this, to me, seemed very interesting.  Firstly, the first tension that we should examine is that the general practice which is being followed by the tech companies, like Facebook, Apple, in the platform market, is that they tend to invoke some sort of a data privacy as a business justification, to defend against the allegations they face of anticompetitive conduct. 

Secondly, the premise the author takes is that agencies have been seen to be calling for remedies that can grant access to data held by digital platforms as such. 

Now, both these concerns, in a way, if you see, has implicated the data privacy concerns in interest of consumers who are exposed to the disclosure requirements without their much willingness to do so.  However, to substantiate this, one glaring example I could give you is of the LinkedIn versus ‑‑ HiQ versus LinkedIn, wherein the recent decision rendered by the 9th Circuit of the U.S. Supreme Court provided a description of the new and this inherent tension between the antitrust and the data privacy in the digital world. 

To give you the facts of this case, in this case, LinkedIn terminated the HiQ's access to user profile data on the LinkedIn social network, arguing that the HiQ violated user privacy settings through its collection and dissemination of profile data in data analytic software.  Now, the claim of HiQ that termination was unfair competition and the practice of LinkedIn is intentional in terms of ousting a rival was upheld by the Court.  Now, the reason why I cite this example is, somehow, you see that it appears to be in contradiction with what the FTC in the United States wants.  It wants to uphold and ensure some sort of a privacy protection, but this decision rendered by the 9th Circuit Court in the USA, somehow, shows that the competition concern overrides the privacy, and the competition law perspective has been given more privacy. 

In instances like this, it begs the question whether antitrust analysis would examine data privacy protection, cognizable as a business justification.  The second area that I would like to expand on is the antitrust behavioral remedies that compel access to information held by digital platforms as a means of restoring online competition.  What is interesting to note here is that the European Commissioner very recently had remarked that with data becoming so increasingly important for competition, the future isn't too far, wherein the best way would be to restore competition through giving access to data.  And one example in this case could be behavioral remedies that grants rivals access to data held by these platforms. 

So, overall, what through this discussion I have tried to highlight is that there is some sort of a competition‑first approach which is taken even by the antitrust authorities whenever there is a conflict between data privacy and competition.  But I would want to, from speaking from a lawyer's perspective, I would not be surprised to state this, that the reason for this could be the kind of mandate competition authorities are bestowed with.  Their objective is to advance competition.  But data privacy takes a different course of law in itself.  What we should appreciate, and probably, what we should come to a conclusion that, you know, the approach with what should be followed?  What should be the right way?  And in my view, while encountering with cases that raises data privacy concerns on the horizons of antitrust, in such cases, a very non‑biased and a no‑primary approach should be followed.  Subordinate laws should be seen from an unbiased perspective.  And this needs to be done on a case‑by‑case basis, which was also argued by my co‑speaker, Mario, a couple of minutes ago. 

>> JALAJ JAIN: Thanks, Nidhi.  I think we should start taking questions.  We have five minutes left. 

>> NIDHI SINGH: Just a second, Jalaj.  I'll just wrap up in one line.  So, you know, the way I would just see this issue is that antitrust and privacy are complementary to each other and must not be separate a legal doctrine while dealing with inherent tensions and interface.  Thus, the decision as such should be made of the scope of the permitted conduct within the permitted contours of digital platform economy.  Thank you so much. 

>> JALAJ JAIN: All right, guys, great points made.  So, essentially, I think we have time for two questions.  Please keep the questions short and answers as well.  So, first question from Sahil Tharia.  Have you considered this in the antitrust context?  I think Mario can take this up. 

>> MARIO TAVARES MOYRON: Yes, if you don't mind, I can take this one. 

>> NIDHI SINGH: Please, please. 

>> MARIO TAVARES MOYRON: He says have you considered purpose limitation clause of GDPR in the antitrust context?  Great question and it was addressed before not necessarily in regards to the purpose limitation, but just to step back.  Purpose limitation is one of the many principles that should be considered before data processing and before data is collected.  So, that's basically one of the principles of the GDPR.  I consider that privacy limitation was one of the main features that was addressed by, as I said before, the Bundeskartellamt in the case of Facebook, because they said Facebook was using data for purposes other than those established from the beginning with the privacy notice to the users; meaning, by no means Facebook was letting the users know that the data would be merged and then used for targeted advertisement and for use of other third parties. 

I believe this is how we should see the purpose limitation as a key point, because if we believe that, as Nidhi mentioned before, privacy could be considered as a non‑price element of competition, we should expect that the companies are going to compete on the basis of better privacy conditions and better, potentially, security and accountability principles on how our data is used in the context of their platforms and their services.  So, I'm not sure if this answers the question, but it's just to say that companies should be accountable in how they carry on their data processing activities.  Purpose limitation is one of this.  And I believe that this would help in an overall way to the competition landscape. 

>> JALAJ JAIN: Yeah.  Thanks a lot, Mario.  I have one question for Nidhi, then I'll wrap up.  Nidhi, one question for you.  I think you are practicing in Indian courts.  And you know, essentially, what I'm asking is that, is privacy ‑‑ I mean, we can only create privacy‑compliant companies by following profits, or do you think in the future there will be a scenario where companies will respect privacy more, will actually be more profitable as well? 

>> NIDHI SINGH: Well, that's a very interesting question that you ask.  This is more particularly relevant in the kind of big data mergers that we are living in.  Definitely, privacy today gives some sort of a competitive advantage.  And just like what I had argued in my course of my talk today, is that companies would somehow have access to data and have used privacy as a competitive element also to compete in the market.  So, having said that, answering to Jalaj's question, it would, somehow, lead to a competitive advantage for these companies who trade off on some privacy concerns. 

>> JALAJ JAIN: All right.  I think we had an amazing talk, and I think both private sectors and the regulatory aspect was covered.  Lastly, I would like to thank Marco.  I think he's been taking notes and you can probably read his report and he'll have access to other points as well, so I hope it's comprehensive.  Then, obviously, you can reach out to Nidhi, who is physically present on behalf of our talk, and she can address your concerns as well.  Otherwise, feel free to reach out to Marco, me, or Mario on LinkedIn. 

Then lastly, I think I want to give a shout‑out to our Cycle coordinators and Konstantinos, who is present as a participant.  We have dropped in the links to reach out to the Institute.  You can join the Institute and participate in a similar kind of research that we are doing.  And yeah, I think the session was 39 minutes and we wrapped up in 29 minutes, 30 seconds.  So, we should get extra points.  Yes, guys, any last remarks?  Anyone wants to say anything? 

>> MARIO TAVARES MOYRON: If Nidhi doesn't go first, just, thank you guys, again.  Thank all the attendees to the session.  It's been a blast.  It's been amazing.  And I also encourage you guys to follow the work of the Institute.  I believe that there's a couple of pieces already addressing some of these points.  So, just take a look and stay put. 

>> NIDHI SINGH: Yeah, and thank you, everybody, who joined us in person here, in the room.  And we hope that you were able to gain something out of this session.  Thank you so much for joining. 

>> JALAJ JAIN: All right, guys.  I will wrap up.  And there was a team of multiple five‑ten people working behind it.  Only Marco and I are here.  So, yeah, shout‑out to the team as well.  All right, guys. 

>> MARIO TAVARES MOYRON: Thank you very much. 

 

(Session concluded at 1415 CET)