Competition law and privacy: extensive data acquisition as the “eye” of the problem

Welcome to Ph.D. Voices, a monthly series in which Ph.D. candidates share their research with the antitrust world. This month’s voice is Arletta Gorecka, PhD candidate at the University of Strathclyde, UK.


  1. Introduction

Traditionally, competition law and privacy have been seen as separate. GAFAM companies, however, have blurred the line between privacy and competition law regulation. The current EU-level approach to privacy infringements, as per the case of Asnef-Equifax, indicates that “any possible issues relating to the sensitivity of personal data are not, as such, a matter for competition law, they may be resolved on the basis of the relevant provisions governing data protection.” (Footnote 1: Case C-235/08 Asnef-Equifax v Asociación de Usuarios de Servicios Bancarios ECR I-11125. [2006]; para 177.) In my perspective, this reasoning is correct; the mere breach of data protection provisions should not be seen as a competitive matter. This does not mean that privacy is never relevant to competition law assessment.

  2. The “eye of the problem”: connecting competition law with privacy

The advent of big data has fueled innovation, leading to the emergence of new products, services, and business models. With the emergence of the GAFAM companies, the line between competition law and data protection has blurred. In essence, both legal orders face challenges due to the digital transformation and the economic growth of companies, with a question remaining on defining the level of interaction between competition law and privacy.

Data protection and competition policies share fundamental concerns and similar remedial approaches: how to mitigate unfairness by introducing and imposing obligations on those with information or market power. The goal is to prevent power imbalances between individuals and powerful companies. However, data protection legislation offers only a partial response to the exploitation of personal data. Data protection law does not recognise the long-term harms to the platforms’ users, including the special responsibility that could ensure the position of power of some digital platforms.

Figure 1: The eye of the problem

Hence, to what extent could competition law remediate privacy-related harms? The presented model maps the intersection between competition and data protection (Figure 1). In this interaction, there is a combination of two market failures (market power and information asymmetry), which makes it difficult to deal with the abuse of dominant position. Firstly, online digital platforms’ economic characteristics and their business models allow for unprecedented data collection: gatekeepers collect and process users’ data for industrial purposes in exchange for zero-priced digital services and products. Secondly, such broad access to personal data increases barriers to entry that could further entrench the economic power of digital firms and allows them to exploit the informational asymmetry between themselves and consumers, as well as to use behavioural manipulation. Even if data is seen as non-rival, its non-rivalry could increase returns and implies an important role in market structure. Essentially, such concerns are caused by the extensive collection of personal data that introduced corresponding privacy-related harms. It is of utmost importance that the competition problem is interlinked with the privacy dilemma.

However, to establish a competition law violation, there needs to be some form of misconduct that infringes competition. In other words, the conduct must not only involve the mishandling of data and the invasion of users’ privacy, but the conduct must also have a negative impact on competition. A reduction in privacy does not necessarily amount to a competition issue, just as not every reduction in privacy immediately constitutes a violation of data protection law if the data processes comply with data protection law.

  3. Privacy and competition: how relevant is privacy to competition law?

The literature recognizes two opposing views on the intersection between competition law and privacy. The first theory considers data protection law as beyond considerations of competition law. (Footnote 2: e.g., James C. Cooper, Privacy and Antitrust: Underpants Gnomes, the First Amendment, and Subjectivity, 20 Geo. Mason L. Rev. 1129, 1146 (2013).) Arguably, the separatist view originates from the Asnef-Equifax case, where the court rejected the intersection between competition law and privacy. The separatist theory views competition law and privacy as complementary in nature but not overlapping. (Footnote 3: Maureen K. Ohlhausen & Alexander P. Okuliar, Competition, Consumer Protection, and the Right [Approach] to Privacy, 80 Antitrust L.J. 121, 138-43 (2015).) The central argument remains that incorporating privacy concerns in competition law assessment would create confusion, especially in applying the consumer welfare standard.

On the contrary, the integrationist approach accepts the incorporation of privacy into the longstanding competition law framework. (Footnote 4: E M Douglas, The New Antitrust/Data Privacy Law Interface (2021) YLJ 647.) Consumer welfare could be improved by taking into account both price and non-price factors. (Footnote 5: See for example: Nat’l Soc’y of Prof’l Eng’rs v. United States, 435 U.S. 679, 695 (1978).) When there is evidence that companies compete to offer more or less privacy to their consumers (Footnote 6: Frank Pasquale, Privacy, Antitrust, and Power, 20 Geo. Mason L. Rev. 1009, 1009 (2013).), the integrationist approach demonstrates a close connection between competition law and privacy-based competition. To demonstrate this effectively, one could consider a hypothetical merger of two internet-based companies. If these companies compete to offer different levels of privacy pre-merger, the assessment might consider if the merger substantially reduces the privacy options available to consumers post-merger. The integrationist approach would assess whether privacy-as-quality reduction leads to reduced competition. However, if there were no privacy-as-quality competition between merging parties, then the integrationist approach would consider any privacy-related concerns to be beyond the competition law assessment. (Footnote 7: See Statement of Federal Trade Commission Concerning Google/DoubleClick, FTC File No. 071-0170, at 2 (F.T.C. Dec. 20, 2007).)

Digital platforms use data to improve the quality of their services, aiming at enhancing their attractiveness to existing and potential customers. However, by including confusing and deceptive terms in privacy policies as well as engaging in unfair commercial practices, online platforms contribute to mandating the status quo in the online markets. The BKA case against Facebook is an interesting example of an attempt to conceptualise unfair commercial practices in a B2C approach, as users remained unaware of the practices of Facebook in analysing their data. They keep consumers confused or uninformed as to the privacy-related implications of accessing and using their online services and products, deepening the informational asymmetry. Accordingly, under privacy constraints, data collection continues to deepen platforms’ market power. Equally, the new initiatives of Google and Apple to limit third-party cookies might exploit the users. Possessing large quantities of data is insufficient. Indeed, without the post-ad exposure action of users and the interests or demographics of users, any targeting is limited. To capture data as positive and meaningful, it needs to be associated with a user through identifiers such as cookie IDs or users’ IP addresses. The question remains whether these pro-user and pro-privacy advancements could advance the consumer choice fallacy and act as a proxy to collect more data and exploit users.

By promoting competition in the markets, competition enforcement might ensure consumers can make real choices among products and services. There are two ways in which privacy could intersect or influence the competitive theory of harm: increased or decreased privacy protection strategy by Big Tech firms. The element of increased privacy protection deals with requiring users to consent to data collection (Apple’s strategy). This reasoning has been noted in the BKA’s Facebook case. Consumers might, arguably, be well exploited by being offered “zero price” in terms of monetary transactions, as increased personal data acquisition could reinforce the dominant position of online platforms. In turn, such zero price-reasoning could be arbitrary and underline behavioural and informational market failures in acquiring private personal data, where consumers are unaware of the real value of such data exchange. In fact, current privacy regulations ignore the market failure as they are based on consumers’ “rights”, overlooking that something might be wrong with this market framed by these rights. The behavioural problems, a combination of personal data and market power, could endanger the excessiveness of personal data collection, which is a problem for exploitative abuse of market power and protection of users’ privacy. In this respect, due to the practices of large digital undertakings, we have an unsolved privacy problem, which is a challenge for both data protection law and competition law.

  4. Achieving a nexus between competition law and privacy

In the context of the aforementioned debate on defining the nexus between competition law and privacy, one question remains unanswered: to what extent can privacy-related harms directly influence competition law assessment?

I follow the risk-focused approach that requires clarity in defining the relationship between competition law and privacy. The risk-based approach focuses on creating a more integrated and holistic approach, respecting the boundaries of competition law and data protection law. The theory is labelled as “risk-based” since the risks of privacy-related harms are recognised by both the markets and consumers. I noted that there are unsolved market failure problems, and the tendency to exploit consumers creates a deficit in competition law and data protection law. Correspondingly, the risk-focused approach considers those concerns that are mutually ineffectively answered by both competition law and data protection law.

Under the risk-based approach, competition law authorities should focus on situations in which the processing of data gives rise to anticompetitive effects. To this effect, authorities need to determine (i) the kind of data collected and processed that likely contributes to the strengthening of a dominant position and (ii) the fact that the data could have been collected and processed unlawfully.

Firstly, possible data types could strengthen the dominant position of digital undertakings. For instance, Google is dominant in the search and search advertising markets. Google needs to render more detailed and relevant search results for users and provide targeted advertisements for the advertising side. Google’s strategy has allowed for a high degree of personalisation of the offered search services.

Secondly, the effect of misleading practices is the preservation of the gatekeeper’s dominance. Hence, how should competition law deal with this balancing practice? I recommend a cautious approach. The problems of competition law and privacy-related harms are interlinked, and competition law should only remediate concerns that directly harm competition in a relevant market. Competition law is limited to competitive issues but postulates privacy protection could form a competition dimension. (Footnote 8: Maurice Stucke and Allen Grunes, Big Data and Competition Policy (OUP, 2016).) To consider privacy as a competition dimension, it is important to consider that services are offered at zero price in exchange for personal data. A particular problem is that gatekeepers always try to capture more of users’ attention and their consent. In turn, with respect to the economic power of the gatekeepers, the competition problem cannot be analysed without considering the behavioural and informational problems relating to the acquisition of personal data.

  5. Conclusions

On the fundamental level, competition and data protection laws achieve different sets of modalities. Competition law aims to ensure undistorted competition within the internal market. Competition is conceived as the best means to ensure the allocation of resources and increase consumer welfare. Privacy distortion effects could arguably violate both fairness and efficiency-based theories. Yet, we are only beginning to categorise this approach.

Arguably, competition could act as an effective tool for protecting privacy. Consumers should remain informed and choose products or services offering robust privacy protections, so competition law is integral to protecting consumers’ choices. By recognising the aggregation of personal data as a potential source of market power, competition law enforcement might provide recourse where companies use their market power to inflict harm, degrading privacy. However, while privacy standards are relevant to competition analysis as a qualitative parameter, it is important to keep competition law and data protection distinct. Essentially, maintaining the analytical independence of legal orders could contribute to achieving predictability and ensuring respect for legality.

Arletta Gorecka


Citation: Arletta Gorecka, Competition law and privacy: extensive data acquisition as the “eye” of the problem, Network Law Review, Winter 2023

