Recent enforcement activity by various EU data protection and competition law agencies in digital markets has highlighted the potential overlap between the two different groups of agencies in tackling the abusive data practices of dominant firms in those markets. It is important to be clear how this overlap should be dealt with and, in particular, where competition law has a role to play.
Abusive conduct on the part of a dominant firm in relation to customer data is, in principle, capable of engaging both EU data protection and competition laws.
Dominant firms are those which possess such a high degree of market power that they are able (unlike other firms) to act independently of their competitors and of their customers. In a digital context, for instance, both Google and Facebook have been found to occupy dominant positions in some of the markets in which they operate.
It is possible, therefore, to identify cases – at least in principle – where the conduct (or misconduct) of a dominant firm in relation to customer data may engage both data protection and competition law. Thus, where a dominant firm takes advantage of its customers, e.g., by exploiting their data for a profit, it may not only be processing the data unfairly but also abusing its dominant position in relation to the data.
EU data protection laws apply to the data practices of dominant firms (along with other firms). Where they handle customer data in an unfair way, their behaviour may amount to a breach of those laws and be penalised as such. However, dominant firms also have a ‘special responsibility’ under EU competition law to avoid acting in an abusive manner, e.g., by unfairly exploiting the power they hold over their customers (and, by extension, their customers’ data).
Why does the overlap matter?
It is important for data protection and competition law agencies to be clear about how the boundaries between their regimes are managed for a number of reasons.
First, and most obviously, if the boundaries are left unmanaged there is the risk that firms could be left in a legally uncertain position. They may potentially be exposed to ‘double jeopardy’ in relation to the same conduct, with differing and potentially conflicting obligations or standards being applied and without any ready means of resolving the uncertainty.
Second, and as a corollary of the first point, there is a risk that customers may potentially ‘fall between stools’ if neither data protection nor competition law agencies take effective and timely responsibility for tackling a particular type of conduct on the basis that lies outside the jurisdiction of both.
Third, unless there is clarity (and consensus) about the extent and nature of any overlap and how it should be managed, there is a risk of inefficient allocation of resources and effort as between the two sets of agencies who may end up competing with each other, rather than coordinating their activities.
What role for competition law?
So where might we draw a boundary between competition law and data protection agencies, at least in relation to the data practices of dominant firms?
To help illustrate the point, let us take the example of dominant firm X which acquires customer data in relation to an online ‘platform’ activity in which it is dominant. Let us also assume that X is also active in offering services on the platform in competition with others.
Where X’s data practices fall within the scope of the prohibition on unfair processing of personal data for GDPR purposes, it would seem to make sense for competition law agencies to defer to their data protection counterparts. Data protection agencies are well placed and well equipped to tackle these sorts of unfair data practices. And they can intervene without any need to establish that the firm in question is dominant.
So, if X were to require users of the platform to give blanket consent to the indiscriminate use of their personal data as a condition for gaining access to the platform, this would amount to unfair processing and (even although it might also constitute an exploitative abuse from a competition law standpoint) could be dealt with as a data protection issue.
However, competition law agencies have an important role to play in relation to data practices which would not be regarded as unfair processing by X, but which may nonetheless restrict or distort competition in its favour. Data protection agencies also have an important supporting role to play in that context.
Thus, X might choose to design its data acquisition and processing policies in such a way as to ensure that the personal data of platform users could be used to confer an undue advantage on its own downstream activities in the platform services market. It might do this by restricting access to customer data to its affiliated businesses. This policy might not constitute unfair processing from a customer perspective. But it might well have an exclusionary impact on downstream competitors. As such, the competition agencies would have a key role to play in tackling the exclusionary conduct.
Clearly, in tackling exclusionary conduct of this sort, competition law agencies do need to work closely with data protection agencies. Competition law remedies which are designed to promote greater competition (and thus consumer benefit) need to respect privacy concerns. Thus, in our example, levelling the playing field between X’s downstream business and its competitors might involve the broadening of access to X’s customer data. But (as the recent Furman report acknowledged) that need not (nor should) involve unfettered access.