Header graphic for print
Focus on Regulation

EU Data Protection Supervisor’s workshop examines role of privacy in merger reviews and competition investigations

Should privacy issues be part of merger review and competition investigations? That was the question addressed in a recent workshop convened by the European Data Protection Supervisor (the “EDPS”). A report issued after the workshop concludes that the world of “Big Data” likely will require consideration of privacy in competition matters.

What was the workshop?

The workshop, which was hosted by EDPS in the European Parliament in Brussels on 2 June 2014, discussed the technological advances and market for ‘big data’ analytics and the policy implications for the fields of data protection, competition and consumer protection of the rapidly expanding digital economy in the EU and in other regions, particularly the in US. Around 70 experts attended, including representatives from the European regulators and the US Federal Trade Commission.

‘Big data’ refers to the very large structured and unstructured datasets held by corporations, governments and other large organisations which are extensively analysed using computer algorithms.

Key findings and calls for action – “The genie is out of the bottle”

The report notes a number of current regulatory challenges, in particular shortcomings in the application of competition law in the privacy sphere. The EDPS considers that discussion of the issues has generated momentum, or, as the report puts it, that “the genie is out of the bottle”.

Key findings include:

  • “Internet companies could enjoy ‘economies of scope’, network effects of more data attracting more users attracting more data, culminating in winner-takes-all markets and near monopolies which enjoy increasing returns of scale due to the absolute ‘permanence’ of their digital assets.”
  • The effective application of the EU merger control rules to ‘big data related’ transactions is difficult. “For zero cost services – like social media, search and gaming – the competition authorities’ ‘SSNIP’ test (i.e. small but significant non-transitory increase in price which estimates products to which customers would switch in the case of a 5% or 10% price increase) could not be applied. The real cost of the transaction is different than the price: it includes the price plus anything else parties consider of value.” Furthermore, “the turnover thresholds of merger control regulations might not be suited to ‘big data’ markets and where personal data are a crucial input and asset.”
  • For dominance investigations, “the concept of ‘essential facility’ is much contested, and it is very difficult to establish whether personal data held by a dominant company is erected as a barrier to entry by competitors.”
  • There is a forceful argument for “integrating competition on privacy into enforcement procedures, and assessing to what extent a merger of two companies competing for the same data would foreclose competition or affect the transparency of privacy policies and motivation to invest in privacy enhancing technologies.”
  • It is open to debate whether the time is approaching when plurality of choice “in privacy-intrusive, personal data-fuelled digital markets” should be given the same treatment as media plurality (where competition law and merger control are explicitly used to ensure media plurality).
  • “Insofar as consumer welfare is the ultimate goal, competition authorities still tend to view this aim through one particular microeconomic perspective leaving other dimensions of consumer welfare to other specialised authorities.”
  • “Data protection and competition specialists do not necessarily speak the same language. Laws may currently be applied effectively to address visible large scale abuses. But the laws seem not to cover the incremental ‘day-by-day drops into the ocean of data’ which are used to construct user profiles, where even seemingly innocuous data can reveal sensitive information.”

The report suggests a number of areas of further discussion, which include:

  • How the value of personal data can be assessed as a currency and an asset in competition analysis
  • How the ‘parameters of competition’ – especially price, quality, and choice – can be applied in explaining the impact on privacy and data protection.
  • Whether there should be a wider study or guidelines to inform authorities dealing with competition and merger cases in the digital economy. This might include a retrospective/ex post analysis of the impact of competition decisions and a study as to whether privacy protection merited similar protection as the preservation of media plurality.
  • Investigation of practical steps that the supervisory authorities could take to improve cooperation between themselves, for example joint investigations or guidelines.

One of the presentations given at the workshop was by Julie Brill, Commissioner at the US Federal Trade Commission. She noted in her published speech that she looked forward to “a world where competition on privacy becomes so robust that this dimension of competition becomes baked into antitrust analysis”. She remarked that the FTC has already recognised that mergers can “adversely affect non-price attributes of competition, such as consumer privacy” in the Google/Doubleclick case. Furthermore, in the Facebook/WhatsApp case (where there were concerns about the merger from the privacy perspective) the FTC had issued a letter to both companies underscoring Facebook’s obligations to abide by WhatsApp’s existing robust privacy policy.

The workshop followed a preliminary opinion published by EDPS in March 2014 on “Privacy and competitiveness in the age of big data”. This opinion concluded that “the lack of interaction in the development of policies on competition, consumer protection and data protection may have reduced both the effectiveness of competition rules’ enforcement and the incentive for developing services which enhance privacy and minimise potential for harm to the consumer.” The opinion suggests that in addition to raise awareness, an appropriate response to this issue might be effective guidance on the application of privacy, competition and consumer protection rules; cooperation between authorities in investigation and enforcement; as well as a review of competition legislation.

Current application of EU competition law

The leading case in which personal data was looked at by the European Commission was in the context of its review under the EU Merger Regulation of the 2008 merger between Google and Doubleclick. In this case the European Commission considered the effect of the increase in the amount of personal information obtained by the merger entity. It found that the combination of information on search behaviour and web-browsing behaviour would not give a competitive advantage in the advertisement business that could not be replicated by other players that have access to similar web-usage data. Nevertheless, the decision stated that it was clearing the transaction “without prejudice to the obligations under the EU legislation in relation to the protection of individuals and privacy with regard to the processing of personal data”.

This case does not rule out that the European Commission will not investigate in the future “big data” issues under the EU’s merger control provisions or wider competition law provisions, such as the control of the abuse dominance. Indeed, EU Commissioner Almunia specifically alluded to this possibility in a speech in November 2012 (Competition and Privacy in Markets of Data, Brussels, 26 November 2012) when he commented: “The fact that we have not encountered such a case [in which the accumulation or the manipulation of personal data was or could be used to hamper competition] does not mean that we can rule out the practice altogether”. He further stated that the line between the sensible use of big data and its abuse is “very thin”.


The appetite of regulators to take a vigorous and coordinated look at ‘big data’ issues in the EU is increasing. Whilst the extent to which the EU regulators will be able to interact going forward is not yet clear, companies who gather data or try to access data need to be aware that their activities raise a number of data protection, competition and consumer law issues, whose interplay is currently being discussed by the EU regulators.