Tải bản đầy đủ - 0trang
11 Competition Law, a Specific Challenge for Creating Synergies
6.11 Competition Law, a Specific Challenge for Creating Synergies
between privacy and data protection on the one hand and competition law on the
other hand may be a promising path to follow.
The synergy between the two areas played a role in the merger between Google
and DoubleClick, which lead to decisions by the European Commission201 and the
United States Federal Trade Commission. In its decision, the Commission addressed
the market position of the merged company, because of the combination of personal
information obtained by both merging companies, but came to the conclusion that
competition would not be affected. In the US, it was in particular the dissenting
statement of FTC Commissioner Jones Harbour that addressed the issue, highlighting amongst other things the nexus between privacy and competition.202
The European Commission has not issued many competition decisions in relation to the information economy.203 At present, the Commission is conducting two
investigations in antitrust cases against Google. In April 2015, the Commission sent
a Statement of Objections to Google because of an alleged abuse of Google’s dominant position in general internet search which amounts to more than 90 % of the EU
market.204 These cases do not explicitly deal with personal data, but a few observations can nevertheless be made in relation to the subject of this book.
The first observation relates to the definition of the relevant market, the first stage
of a legal analysis in competition cases. This definition seems to be particularly
complicated in an internet economy and may require a fundamental rethinking of
market definitions. One reason is that market boundaries are continuously evolving.205 A more fundamental reason, however, is given by Jones Harbour.206 Market
definitions are normally based on products or services. As she explains, in an econ-
Commission Decision, C (2008) 927 final, declaring a concentration to be compatible with the
common market and the functioning of the EEA Agreement (Case No COMP/M.4731 – Google/
Federal Trade Commission, Dissenting Statement of Commissioner Harbour In the Matter of
Google/DoubleClick, available on: ftc.gov/sites/default/files/documents/public_statements/statement-matter-google/doubleclick/071220harbour_0.pdf. The statement is explained in the contribution of Jones Harbour in: Data protection anno 2014: how to restore trust? Contributions in
honour of Peter Hustinx, European Data Protection Supervisor (2004–2014), Hielke Hijmans and
Herke Kranenborg (eds), Intersentia 2014, at 225–234.
Statement by Commissioner Vestager on antitrust decisions concerning Google, Brussels, 15
April 2015, available on: http://europa.eu/rapid/press-release_STATEMENT-15-4785_en.htm.
The statement also mentions a separate in-depth investigation regarding the mobile operating system Android, apps and services.
As underscored by the Commission regarding social networking services, Press Release of 3
October 2014, Mergers: Commission approves acquisition of WhatsApp by Facebook, available
Contribution of Jones Harbour in: Data protection anno 2014: how to restore trust? Contributions
in honour of Peter Hustinx, European Data Protection Supervisor (2004–2014), Hielke Hijmans
and Herke Kranenborg (eds), Intersentia 2014, at 232.
6 Understanding the Scope and Limits of the EU Legislator’s Contribution…
omy based on big data207 it makes more sense to define a product market for data,
rather than a market based on specific uses of data by specific companies.
The issue is that companies208 collect large amounts of data that will later be sold
or shared with others for purposes far beyond the purpose of initial collection and
for purposes that are only defined in a later stage. This phenomenon is connected to
the two-sided business model on the internet,209 where companies are active on different markets of products and services, and where – large amounts of – personal
data are critical to both sides. Search engine providers are the example210: the
amount and quality of data play a decisive role in the quality of the service that can
be given, whereas they are also essential on the paying side, by facilitating better
A second observation relates to market power. Companies acquire market power
because they accumulate large amounts of personal data and are able to diffuse
those data. Article 102 TFEU does not address market power as such, but prohibits
the abuse of a dominant position as being incompatible with the internal market. A
breach of EU competition law could consist of an anticompetitive acquisition of
data, for instance through an exclusivity agreement imposed by a search engine.211
Such a breach does not only prejudice competition as such, but also competition on
privacy settings. The breach deprives consumers of the possibility to choose a search
engine taking into consideration the level of privacy protection.
A specific issue in relation to market power and personal data is the concept of
an essential facility,212 the idea that the owner of a facility needs to share this facility
with his rivals if access to a market would otherwise be impossible or seriously
impeded.213 The Court of Justice accepts that in exceptional circumstances the exer-
Obviously, this may not be in line with the requirement of purpose limitation under EU data
protection law, but that is not the point we want to make here. On big data, see Chap. 3, Sect. 3.6
of this book.
These companies can be defined as “data brokers”; see: Federal Trade Commission, May 2014,
Data Brokers, A Call for Transparency and Accountability.
As explained above, in this same section.
See on this: Damien Geradin & Monika Kuschewsky, Competition Law and Personal Data:
Preliminary Thoughts on a Complex Issue, Discussion Papers Tilburg Law and Economics Center,
Geradin and Kuschewsky allege that Google has entered into exclusivity agreeements with
some of the main publishers’ websites (such as Amazon.com and AOL.com) excluding other
search engines from being accessible on those websites; see: Damien Geradin & Monika
Kuschewsky, Competition Law and Personal Data: Preliminary Thoughts on a Complex Issue,
Discussion Papers Tilburg Law and Economics Center, DP 2013–010.
Damien Geradin & Monika Kuschewsky, Competition Law and Personal Data: Preliminary
Thoughts on a Complex Issue, Discussion Papers Tilburg Law and Economics Center, DP 2013010, at 3; European Data Protection Supervisor, Preliminary Opinion of 26 March 2014 on
“Privacy and competitiveness in the age of big data: The interplay between data protection, competition law and consumer protection in the Digital Economy”, at 41.
Paul Craig and Grainne de Burca, EU Law, Text, Cases and Material (Fifth Edition), Oxford
University Press, 2011, at 1031.
6.11 Competition Law, a Specific Challenge for Creating Synergies
cise of an exclusive right by the owner may involve abusive conduct.214 As summarised by the Court of First Instance: “the refusal of the service in question must
be likely to eliminate all competition on the market on the part of the person requesting the service, such refusal must not be capable of being objectively justified, and
the service must in itself be indispensable to carrying on that person’s business […].
According to settled case-law, a product or service is considered necessary or essential if there is no real or potential substitute”.215 In a market of personal data, this
concept of an essential facility could possibly be of use, for instance in respect of
the Google search engine with a market share of more than 90 %, but the threshold
The previous considerations are based on the notion that personal data have
become an asset and, therefore, relevant in a competition context. This would be a
natural way of creating synergy between these areas of law. This synergy between
competition law and privacy and data protection should be addressed by the EU
legislator in further changes of the EU legislative framework, be it the rules on data
protection or on competition. An approach based on synergies would also enhance
the Union’s legitimacy, demonstrating that different parts of bureaucracy are capable of joining efforts in addressing challenges of the information society.
A topical subject that should be part of a possible action of the EU legislator is
including considerations of privacy and data protection as such in EU competition
law and enforcement. Given the fact that protection of consumers is one of the
objectives of competition law,216 this would not be illogical.217 However, the case
law of the Court of Justice of the European Union does not give a clear basis for
including considerations of data protection in competition enforcement. As
Advocate General Geelhoed states: “Any problems concerning the sensitivity of
personal data can be resolved by other instruments, such as data protection
legislation”.218 Finally, a way of increasing synergy between competition law and
privacy and data protection would be the enforcement cooperation with the authorities which are active in the two different areas.219
E.g., Case C-7/97, Bronner, EU:C:1998:569, at 43–46.
Case T-301/04, Clearstream Banking AG and Clearstream International SA v Commission,
EU:T:2009:317, at 147.
As mentioned previously in this section.
In the same sense, Dissenting Statement of Commissioner Harbour In the Matter of Google/
DoubleClick, available on: ftc.gov/sites/default/files/documents/public_statements/statementmatter-google/doubleclick/071220harbour_0.pdf.
Opinion of AG Geelhoed in Case C-238/05, Asnef-Equifax, EU:C:2006:440, at 56, included in
the CJEU’s ruling.
Encouraging cooperation with agencies in other fields is included in the model for good governance in the conclusions of Chap. 7 of this book.
6 Understanding the Scope and Limits of the EU Legislator’s Contribution…
rivacy Rules in the US: An Introduction
to the Importance of Multi-stakeholder Solutions
The General Data Protection Regulation is largely motivated by arguments on efficiency and effectiveness. Those are also the arguments the European Commission
uses to motivate its proposal. The Explanatory Memorandum underlines that the
“current framework remains sound as far as its objectives and principles are concerned”. A new framework is needed for other reasons. It must be stronger than the
present one, more coherent and backed by strong enforcement, just to mention a few
catchwords in the Explanatory Memorandum.220
One of the focuses in the reform is the engagement of the private sector, through
multi-stakeholder solutions, empowering data controllers and making them more
responsible. This focus justifies a short look at the United States, where multi-
stakeholder solutions are at the core of privacy governance.
6.12.1 General Features of Privacy Legislation in the US
There is no general US law on privacy and data protection. The absence of a general
legal framework in this area has been generally recognised as a shortcoming in the
US system. Instead a number of state laws and sectoral laws exist, often described
as a legislative patchwork.221
At the beginning of 2012, President Obama announced a Consumer Privacy Bill
of Rights,222 containing a set of data privacy principles that were to be codified in
legislation to be adopted by Congress.223 This bill of rights was to apply to the entire
private sector, but not to the public sector. However, further initiatives towards such
a codified set of principles in federal legislation have not been approved, most likely
for reasons not related to the areas of privacy and data protection.224
Commission Proposal for a General Data Protection Regulation, COM (2012), 11 final,
Explanatory Memorandum, at “Context of the proposal”.
Erin Murphy, The Politics of Privacy in the Criminal Justice System: Information Disclosure,
The Fourth Amendment, and Statutory Law Enforcement Exemptions, Michigan Law Review,
Vol. 111, No. 4 (2013), pp. 485–546, at B.2: “Statutory Privacy Protection Is Piecemeal, Sectoral
White House paper, Consumer data privacy in a networked world, a framework for protecting
privacy and promoting innovation in the global digital economy, February 2012.
In the absence of legislation, this Bill of Rights should, in a first phase, be elaborated into
enforceable codes of conduct. The term Bill of Rights thus does not by itself imply a legislative
instrument and is not comparable to the US Bill of Rights mentioned before, which is part of the
This reason is the well-known deadlock in Congress (see, e.g.: http://www.nytimes.
This was confirmed in various contacts of the author with US experts.
6.12 Privacy Rules in the US: An Introduction to the Importance…
6.12.2 US Privacy Legislation Has a Limited Scope
The most general existing federal law225 is the US Privacy Act of 1974,226 which
gives protection to individuals against data processing by the federal government in
federal records and gives them access to records relating to them. This law was
adopted against the background not only of technological developments,227 but also
of the Watergate Scandal.
The US Privacy Act has a limited scope. It does neither apply to the private sector, nor to the administration of the States. Moreover, wide exceptions are provided
for, for instance in relation to intelligence and law enforcement agencies.228 In these
domains specific regimes for protection may exist, such as the – much criticised and
now to a certain extent strengthened – regime under the US Foreign Intelligence
One limitation to the scope that by definition affects European citizens, is that the
protection under the US Privacy act does not extend to persons who are not “a citizen of the United States or an alien lawfully admitted for permanent residence”.230
This limitation to the scope of protection ratione personae is in line with the case
law of the US Supreme Court, for instance in United States v Verdugo-Urquidez,231
a case concerning the physical search of premises abroad of an alien individual
without any links to the United States invoking his right under the Fourth
Amendment.232 The protection given under the Fourth Amendment233 does not gov225
“The closest analogue to a European data protection law”, European Parliament, DirectorateGeneral for Internal Policies, Policy Department C, Citizens’ Rights and Constitutional Affairs,
The US legal system on data protection in the field of law enforcement. Safeguards, rights and
remedies for EU citizens, May 2015, at 10–11.
Privacy Act, 5 U.S.C. 552a.
The US Privacy Act concurs in this respect with the first laws on data protection in Europe.
Section 5 U.S.C. § 552a, (j).
An example of strengthening the regime can be found in the Presidential Policy Directive – Signals
Intelligence Activities, Presidential Policy Directive/PPD-28, available on: http://www.whitehouse.
Section 5 U.S.C. § 552a, (a)(2).
United States v Verdugo-Urquidez, 110 S. Ct. 1056 (1990). See on this: Mary Lynn Nicholas,
United States v. Verdugo-Urquidez: Restricting the Borders of the Fourth Amendment, Fordham
International Law Journal, Volume 14, Issue 1 1990. Also: Kuner in: Data protection anno 2014:
how to restore trust? Contributions in honour of Peter Hustinx, European Data Protection
Supervisor (2004–2014), Hielke Hijmans and Herke Kranenborg (eds), Intersentia 2014, at
European Parliament, Directorate-General for Internal Policies, Policy Department C, Citizens’
Rights and Constitutional Affairs, The US legal system on data protection in the field of law
enforcement. Safeguards, rights and remedies for EU citizens, May 2015, at 10.
The Fourth Amendment reads: “The right of the people to be secure in their persons, houses,
papers, and effects, against unreasonable searches and seizures, shall not be violated, and no
Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly
describing the place to be searched, and the persons or things to be seized.”