We have known from the beginning that the General Data Protection Regulation (GDPR) allows European regulators to penalize a company for up to 4 percent of its annual global revenue for harms committed. However, what we’ve learned recently is that regulators in the European Union (EU) could use the underlying concepts of the GDPR preemptively to break up a company’s service. If done poorly, we run the risk of taking the original intent of the GDPR—to protect consumer privacy—and refocusing it into a weapon to stifle smaller innovators. Ensuring competitive markets and protecting consumers’ privacy are preeminent to the app economy, but mixing privacy and competition analyses is dangerous. Such a mixture could produce a gatekeeper effect for the app ecosystem in which larger platforms garner more authority to pick and choose who can enter the market. Ultimately, small business innovators and consumers will bear the actual consequences for these upstream enforcement actions, not major platforms.

On May 24, 2018, the GDPR went into effect with the stated goal of providing companies with general rules for handling personal data of an EU “data subject.” But eight months into its enactment, many businesses still wonder what exactly this regulation does and what changed since it was enacted. More unnerving, it appears some European regulators are open to experimenting with antitrust-like enforcement for data privacy violations covered under the GDPR. In fact, Germany’s premier competition regulator, Bundeskartellamt, opened an investigation into Facebook citing “the connection between data and market power” and “the possible abuse of data collection.”[1]

Freaky Friday: Privacy Regulators are Now Competition Regulators, and Competition Regulators are Now Privacy Regulators

The GDPR does allow for supervising authorities—chosen by the respective member state—to coordinate with other member states’ supervising authorities or the European Commission to ensure consistency in GDPR enforcement.[2] The fact that competition regulators now appear to be chiming in adds another level of complexity, especially when one tries to assess definitions of particular terms in the GDPR and what remedies to apply for violating one of its articles.

The recent EU-based enforcement actions against Google and Facebook suggest that Europe is now viewing the GDPR through the lens of competition, and not merely to address privacy concerns. When Bundeskartellamt opened an investigation into Facebook, its assessment noted that it “include[d] the principles of the harmonised European data protection rules, in particular the [GDPR],” to reach its conclusion that Facebook’s data-sharing practices abuse its dominant position in the social media market. The result of that assessment prompted Bundeskartellamt to impose an order against Facebook to restrict how it collects data across its various services (e.g., Messenger, WhatsApp, and Instagram).[3]

In France, the data security regulator (CNIL) imposed a 50 million euro fine on Google, citing GDPR violations relating to notice and consent, or lack thereof, as its basis.[4] CNIL used “[Google’s] prominent place in the market for operating systems” as a metric within its enforcement action.[5] It is not clear why CNIL needed to make such an assessment (or how it reached that conclusion, for that matter), since it is not dispositive for enforcing articles under the GDPR. Although it is not uncommon for CNIL to take Google’s size into account, making an unnecessary legal conclusion regarding Google’s position in a particular market to determine a consumer privacy concern is.

So What?

Although most of the regulators’ sights are on larger tech firms, these regulatory measures ultimately hurt small businesses and innovative new companies. If either competition or privacy regulators insist on penalizing platforms for just being platforms, then they will force those companies to serve as gatekeepers so as to shield themselves from liability – and, worse, stop the kind of data sharing that helps companies make better products. For small businesses, this is an impossible choice: either resign themselves to mediocrity or give up independence to the large platforms in order to seek indemnity.

The major issue here is the potential for regulators to add structural remedies to the already draconian maximum penalty under the regulation.[6] Traditionally, the GDPR only allowed supervising authorities[7] to serve as privacy traffic cops relegated to imposing their extraordinary fine post hoc. But competition agencies have many more tools in their chest. One key tool is the authority to end the potential merging of companies’ services or break up services of a particular company.[8] Taken to its logical end, EU regulators could use the GDPR to determine what services those larger firms can provide at all. If platform companies are faced with a fine that could equal 4 percent of annual global revenue—for Google that would be about 4.7 billion euros—or have to break up part of their business model because they provided a particular service, then platforms will rightfully require more control under either authority to mitigate their liability.

Additionally, these actions may seriously affect a platform’s ability to protect its consumers’ privacy when acquiring smaller companies. For one, regulators could use competition law to disallow platforms from incorporating a newly acquired company’s service with their own services. Under various competition regulations, regulators could theoretically proscribe a newly merged, smaller company from availing itself of the larger company’s resources (e.g., software engineers, cybersecurity teams, etc.) to ensure that the smaller company remains independent from the larger firm. At that point, not only would the platforms be responsible for the newly acquired data, but they would also have to preserve the acquired company’s services and keep them separate from their own systems. Platforms would then be in a catch-22: they are either acting anticompetitively when adding services or features from the merger or hoping the merged company’s existing privacy policy encompasses the platform’s new intended use. Platforms would simply not engage in these otherwise procompetitive and privacy-conscious acquisitions (e.g., Microsoft and LinkedIn or Facebook and Instagram) because of this added risk.

Still outstanding is the issue of conflicting interpretations related to key GDPR articles and general concepts in competition regulations.

Put another way, if issues related to privacy are now a part of a competition regulator’s analysis to find that a firm abused its market dominance, then how does that affect privacy enforcement or vertical agreements moving forward? This is especially worrisome when these legal conclusions fall outside that regulator’s subject-matter expertise.

If nothing else, the enforcement actions described above demonstrate a lack of coordination with relevant agencies. For instance, it is unclear whether Bundeskartellamt worked within the prescribed process for coordination with its data protection authority to develop the conclusions in its enforcement action. In the case against Google, it is unclear whether CNIL consulted its competition agency to develop its opinion on Google’s “prominence” in that relevant market. Additionally, CNIL gave us very little indication as to how it reached that conclusion. Now we have two government agencies addressing issues that exceed the scope of their core missions, yielding confusing or, worse, conflicting interpretations of essential concepts in both regulatory disciplines.

If EU regulators want more competitive small companies to participate in the app economy, then they need a law that encourages competition instead of limiting it. The first step is for regulators to resist the temptation of merging privacy laws, like the GDPR, with ones that concern competition.

 

[1] https://www.slaughterandmay.com/media/2536711/facebook-germany-a-new-frontier-for-privacy-and-competition.pdf.

[2] GDPR Art. 63.

[3] https://www.bundeskartellamt.de/SharedDocs/Meldung/EN/Pressemitteilungen/2019/07_02_2019_Facebook.html.

[4] https://www.insideprivacy.com/eu-data-protection/google-fined-e50-million-in-france-for-gdpr-violation/.

[5] https://www.legifrance.gouv.fr/affichCnil.do?oldAction=rechExpCnil&id=CNILTEXT000038032552&fastReqId=2103387945&fastPos=1.

[6] The GDPR imposes a maximum monetary penalty of the higher of 20 million euros or 4 percent of an offending company’s annual global revenue.

[7] See GDPR Art. 4 (defining a Supervising Authority as “an independent public authority which is established by a Member State…”).

[8] E.g., https://www.bundeskartellamt.de/SharedDocs/Publikation/EN/Others/GWB.pdf?__blob=publicationFile&v=6.