The need for markets-focused competition watchdogs and consumer-centric privacy regulators to think outside their respective ‘legal silos’ and find creative ways to work together to tackle the challenge of considerable tech market power was the impetus for a couple of fascinating panel discussions organized by the Centre for Economic Policy Research (CEPR), which were live-streamed yesterday but are available to view on-demand here.
The conversations brought together key regulatory leaders from Europe and the US — giving a glimpse of the future shape of digital markets oversight when fresh blood has just been injected to chair the FTC. Hence, regulatory change is in the air (at least around tech antitrust).
CEPR’s discussion premise is that integration, not merely intersection, of competition and privacy/data protection law, is needed to get a proper handle on platform giants that have, in many cases, leveraged their market power to force consumers to accept an abusive ‘fee’ of ongoing surveillance.
That fee strips consumers of their privacy and helps tech giants perpetuate market dominance by locking out the interesting new competition (which can’t get the same access to people’s data, so it operates at a baked-in disadvantage).
A running theme in Europe for several years now, since a 2018 flagship update to the bloc’s data protection framework (GDPR), has been the ongoing under-enforcement around the EU’s ‘on-paper privacy rights — which, in certain markets, means regional competition authorities are now actively grappling with exactly how and where the issue of ‘data abuse’ fits into their antitrust legal frameworks.
The regulators assembled for CEPR’s discussion included, from the UK, the Competition and Markets Authority’s CEO Andrea Coscelli and the information commissioner, Elizabeth Denham; from Germany, the FCO’s Andreas Mundt; from France, Henri Piffaut, VP of the French competition authority; and from the EU, the European Data Protection Supervisor himself, Wojciech Wiewiórowski, who advises the EU’s executive body on data protection legislation (and is the watchdog for EU institutions’ own data use).
The UK’s CMA now sits outside the EU, of course — giving the national authority a higher-profile role in global mergers & acquisition decisions (vs. pre-Brexit) and the chance to help shape critical standards in the digital sphere via the investigations and procedures it chooses to pursue (and it has been moving very quickly on that front).
The CMA has several primary antitrust probes open into tech giants — including looking into complaints against Apple’s App Store and others targeting Google’s plan to deprecate support for third-party tracking cookies (aka the so-called ‘Privacy Sandbox’) — the latter being an investigation where the CMA has actively engaged the UK’s privacy watchdog (the ICO) to work with it.
Only last week, the competition watchdog said it was minded to accept a set of legally binding commitments that Google has offered, which could see a quasi-co-design process taking place, between the CMA, the ICO, and Google, over the shape of the critical technology infrastructure that ultimately replaces tracking cookies. So a pretty significant development.
Germany’s FCO has also been very active against big tech this year — making full use of an update to the national competition law, which gives it the power to take proactive inventions around large digital platforms with major competitive significance — with open procedures now against Amazon, Facebook, and Google.
The Bundeskartellamt was already a pioneer in pushing to loop EU data protection rules into competition enforcement in digital markets in a strategic case against Facebook, as we’ve reported before. That closely watched (and long-running) case — which targets Facebook’s ‘super profiling’ of users based on its ability to combine user data from multiple sources to flesh out a single high-dimension per-user profile — is now headed to Europe’s top court (so likely has more years to run).
But during yesterday’s discussion, Mundt confirmed that the FCO’s experience litigating that case helped shape critical amendments to the national law that’s given him beefier powers to tackle big tech. (He suggested it’ll be much easier to regulate tech giants going forward, using these new national powers.)
“Once we have designated a company to be of ‘paramount significance,’ we can prohibit certain conduct much more easily than we could in the past,” he said. “We can prohibit, for example, that a company impedes another undertaking by data processing relevant for competition. We can deny that service use depends on the agreement to data collection with no choice — this is the Facebook case, indeed… When this law was negotiated in parliament very much referred to the Facebook case, and in a certain sense, this entwinement of competition law and data protection law is written in a theory of harm in the German competition law.
“This makes a lot of sense. Let’s discuss dominance and assess that this dominance has come into place because of data collection, possession, and processing. You need a parameter in how far a company can gather the data to process it.”
“The past is also the future because this Facebook case… has always been big. And now it is up to the European Court of Justice to say something on that,” he added. “If everything works well, we might get an unequivocal ruling saying… as far as the ECN [European Competition Network] is concerned, how far we can integrate GDPR in assessing competition matters.
“So Facebook has always been a big case — it might get even bigger in a certain sense.” Meanwhile, France’s competition authority and its national privacy regulator (the CNIL) have also been joint working in recent years.
Including a competition complaint against Apple’s pro-user privacy App Tracking Transparency feature (which last month the antitrust watchdog declined to block) — so there’s evidence there too of respective oversight bodies seeking to bridge legal silos to crack the code of how to regulate tech giants whose market power, panelists agreed effectively, is predicated on earlier failures of competition law enforcement that allowed tech platforms to buy up rivals and sew up access to user data, entrenching advantage at the expense of user privacy and locking out the possibility of future competitive challenge.
The contention is that monopoly power predicated upon data access also locks consumers into an abusive relationship with platform giants, which can then, in the case of ad giants like Google and Facebook, extract huge costs (paid not in monetary fees but in user privacy) for continued access to services that have also become digital staples — amping up the ‘winner takes all’ characteristic seen in digital markets (which is bad for competition too).
Yet, at least, Europe’s competition authorities and data protection regulators have traditionally focused on separate workstreams. The consensus from the CEPR panels was that that is both changing and must change if civil society is to get a grip on digital markets — and wrest control back from tech giants to ensure consumers and competitors aren’t left trampled into the dust by data-mining giants.
Denham said her motivation to dial-up collaboration with other digital regulators was the UK government entertaining the idea of creating a one-stop-shop ‘Internet’ super-regulator. “What scared the hell out of me was the policymakers, the legislators floating the idea of one regulator for the Internet. I mean, what does that mean?” she said. “So I think what the regulators did is we got to work, we got busy, we become creative, got out of our silos to try to tackle these companies — the likes of which we have never seen before.
“And I think what we have done in the UK — and I’m excited if others believe it will work in their jurisdictions — but I think that what pushed us is that we needed to show policymakers and the public that we had our act together. I believe consumers and citizens don’t care if the solution they’re looking for comes from the CMA, the ICO, or Ofcom… they want somebody to have their back when protecting the privacy and security of markets.
“We’re trying to use our regulatory levers creatively to make the digital markets work and protect fundamental rights.”
During the earlier panel, the CMA’s Simeon Thornton, a director at the authority, made some exciting remarks vis-a-vis its (ongoing) Google’ Privacy Sandbox’ investigation — and the joint work it’s doing with the ICO on that case — asserting that “data protection and respecting users’ rights to privacy are very much at the heart of the commitments upon which we are currently consulting”.
“If we accept the commitments, Google will be required to develop the proposals according to several criteria, including impacts on privacy outcomes and compliance with data protection principles, and impacts on user experience and user control over the use of their data — alongside the overriding objective of the commitments which is to address our competition concerns,” he went on, adding: “We have worked closely with the ICO in seeking to understand the proposals and if we do accept the commitments then we will continue to work closely with the ICO in influencing the future development of those proposals.”
“If we accept the commitments, that’s not the end of the CMA’s work — on the contrary, that’s when, in many respects, the real work begins. Under the commitments, the CMA will be closely involved in developing, implementing, and monitoring the proposals, including through the design of trials, for example. It’s a substantial investment from the CMA, and we will be dedicating the right people — including data scientists, for example, to the job,” he added. “The commitments ensure that Google addresses any concerns that the CMA has. And suppose that problems cannot be resolved with Google. In that case, they explicitly provide for the CMA to reopen the claim and — if necessary — impose any interim measures to avoid harm to competition.
“So there’s no doubt this is a big undertaking. And I’m sure it will be challenging for the CMA. I think this is the sort of approach required if we are really to tackle the concerns we’re seeing in our markets today.”
Thornton also sa” d, “As regulators, w “need to step up. We need to get involved before the harm materializes — rather than waiting after the event to stop it from materializing, rather than waiting until that harm is irrevocable… I think it’s a big anit’schallenging move, but I think it’s a sign of their sure direction of travel in several cases.”
Also speaking du “ing the regulatory panel session was FTC commissioner Rebecca Slaughter — a dissenter on the $5BN fine it hit Facebook with back in 2019 for violating an earlier consent order (as she argued the settlement provided no deterrent to address underlying privacy abuse, leaving Facebook free to continue exploiting users’ data) — as users’s Chris D’Angelo, the chieD’Angelo AG of the New York Attorney General, which is leading a significant states antitrust case against Facebook.
Slaughter pointed out that the FTC already combines a consumer focus with attention on competition but said that historically there had been a separation of divisions and investigations — and she agreed on the need for more joined-up work.
She also advocated for US regulators to get out of a pattern of ineffective enforcement in digital markets on issues like privacy and competition where companies have, historically, been given — at best — what amounts to wrist slaps that don’t address rootzones of market abuse, perpetuating both consumer abuse and market failure. And be prepared to litigate more.
As regulators toughen up their stipulations, they must be prepared for tech giants to push back — and therefore be ready to sue instead of accepting a weak settlement.
“That is most gall” ng to me that even where we take action, in our best faith good public servants working hard to take action, we keep coming back to the same questions, again and again,” she said. “Which” means that “our actions aren’t working. Wearen’tdifferent activities to keep us from having the same conversation repeatedly.”
Slaughter also “argued that it’s essential thait’sgulators do not pile all the burden of avoiding data abuses on consumers themselves.
“I want to sound a “note of caution around approaches centered around user control,” she said. “I thi” k transparent “cy and control are essential. I believe it is problematic to burden consumers to work through the markets and use data, figure out who has their data, how it’s being used, maitake decisions… I think you end up with notice fatigue; I think you end up with decision fatigue; you get very abusive manipulation of dark patterns to push people into decisions.
“So I worry about “framework built all around the idea of control as the central tenant or how we solve the problem. I’ll keep coming bI’llto what we need to focus on: where is the burden on the firms to limit their collection in the first instance, prohibit their sharing, and restrict abusive use of data? I think that’s where we nethat’sfocus from a policy perspective.
“I think there will” be ongoing debates about privacy legislation in the US. While a powerful advocate for a better federal framework with more tools that facilitate aggressive enforcement, I think if we had done it ten years ago, we probably would have ended up with notice and consent privacy law. I t. The ink would not have been a great outcome for consumers at the end of the day. So I think the debate and discussion have evolved importantly. I also think we don’t have to waitdon’tCongress to act.”
As regards more “radical solutions to the problem of market-denting tech giants — such as breaking up sprawling and (self-serving) interlocking services empires — the message from Europe’s most ‘digEurope’switche’ on’ regulators seemed to be don’t look to us don’t; we are going to have to stay in our lanes.
So tl;dr — if antitrust and privacy regulators’ joint regulators to more intelligent fiddling around the edges of digital market failure, and it’s break-ups of tech giants that’s what’s needthat’srwhat’sdigital markets. It’s going to be it’s US agencies to wield the hammers. (As Coscelli elegantly phrased it: “It’s probably more. “It’slistic for the US agencies to be in the lead in terms of structural separation if and when it’s appropriate —either than an agency like ours [working from inside a mid-sized economy such as the UK’s].”)
The lack of UK’sny” representative from the European Commission on the panel was an interesting omission, perhaps hinting at the ongoing ‘structural separation between DG Comp and DG Justice where digital policymaking streams are concerned.
The current competition chief, Margrethe Vestager — who also heads up digital strategy for the bloc as an EVP — has repeatedly expressed reluctance to impose radical ‘break up’ remedies on tech giants. She also recently referred to waiving through another Google digital merger (its acquisition of wearable fitness Fitbit) — agreeing to accept several ‘concessions‘ and ‘ignoring significant mobilization by civil society (and indeed EU data protection agencies) urging her to block it.
Yet in an earlier CEPR discussion session, another panelist — Yale University’s Dina University’s pointed to the challenges of trying to regulate the behavior of companies when there are apparent conflicts of interest, unless and until you impose structural separation, as she said, has been necessary for other markets (like financial services).
“In advertising, w” have an electronically traded market with exchanges and brokers on both sides. When the competition was in a competitive market, you saw that those brokers acted in the best interest of buyers and sellers. And as part of carrying out that function, they were protecting the data that belonged to buyers and sellers in that market and not playing with the data in other ways — not trading on it, not doing conduct similar to insider trading, or even front-running,” she said, giving “an example of how that changed as Google gained market power.
“So Google acquires” DoubleClick made promises to continue operating in that manner; the contracts were not binding and on the record — the enforcement agencies or the agencies that cleared the merger didn’t make Googledidn’tse that they would abide by that moving forward. So as Google gained market power in that market, there’s no regulatthere’suirement to continue to act in the best interests of your clients, so now it becomes a market power issue, and after they gain enough market power, they can flip data ownership and say, ‘okay, you know what before you owned this data and we weren’t allowed toweren’tthing with it, but now we’re going to use we’re data to for example sell our advertising on exchanges’.
“But exchanges “rom other markets — and financial markets — is when you flip data ownership and engage in conduct like that, allowing the firm to build market power in yet another market now.”
The CMA’s Coscel” I picCMA’sp on Srinivasan’s point Srinivasan’s was a “powerful” one and “that the “challenges of policing “very complicated” situations involve “ing conflicts of interests are something that regulators with merger control powers should be bearing in mind as they consider whether or not to green-light tech acquisitions.
(One example of a merger in the digital space that the CMA is still scrutinizing is Facebook’s acquisiFacebook’se animated GIF platform Giphy. And it’s interesting tit’seculate whether had Brexit happened a little faster, the CMA might have stepped in to block Google’s Fitbit meGoogle’sre the EU wouldn’t.)
Coscellwouldn’tlagged the issue of regulatory under-enforcement in digital markets as a key one, saying: “One of the reasons” we are today where we are is partially historic under-enforcement by competition authorities on merger control — and that’s a theme thathat’sxtremely interesting and relevant to us because, after the exit from the EU, we now have a bigger role in merger control on global mergers. So we must make the right decisions in the future.”
“Quite often, we “i “intervene in areas under enforcement by regulators in specific areas… If you think about it, when you design systems with vertical regulators in particular sectors and horizontal regulators like us or the ICO, we are more successful if the vertical regulators do their job. I’m sure they are I’me successful if we do our job correctly.
“I think we system” typically underestimate… the ability of companies to work through whatever behavior or commitments or arrangement is offered to us, so I think these are critical points,” he added, signaling “ng that a higher degree of attention is likely to be applied to tech mergers in Europe as a result of the CMA stepping out from the EU’s competition relation umbrella.
Also speaking during the same panel, the EDPS warned that across Europe more broadly — i.e., beyond the small but engaged gathering of regulators brought together by CEPR — data protection and competition regulators are far from where they need to be on joint working, implying that the challenge of effectively regulating big tech across the EU is still a pretty Sisyphean one.
Indeed, the Commission is not sitting on its hands in the face of tech giant market power. At the end of last year, it proposed a regime of ex-ante regulations for so-called ‘gatekeeper’ platforms under ‘the Digital Markets Act. (The Commission’s answeCommission’sMA was to suggest putting itself in charge of overseeing gatekeepers, but it remains to be seen what enforcement structure EU institutions will agree on.) but the problem of effectively enforcing pan-EU laws — when the various agencies involved in oversight are typically decentralized across the Member States — is one critical complication for the bloc.’
The need for careful and coordinated joint working across multiple agencies with different legal competencies — if, indeed, that’s really whatthat’sded to awhat’sely address captured digital markets vs. structural separation of Google’s search anGoogle’s, for example, and Facebook’s variousFacebook’soducts — steps up the EU’s regulatory chEU’snge in digital markets.
“We can say that n” effective competition nor protection of the rights in the digital economy can be ensured when the different regulators do not talk to and understand each other,” Wiewiórowski war” ed. “While we are stil” thinking about the cooperation, it looks a bit like everybody is afraid they will have to trade a bit of its possibility to assess.”
“If you think ab “u” the classical regulators, isn’t it true thatisn’tome point we are reaching this border where we know how to work, we know how to behave, we need a little bit of help and understanding of the other regulator’s work… regulator’sly, there is — at the same time — the discussion about splitting the task of the American regulators joining the ones on the European side. But even the statements of some of the commissioners in the European Union saying about the bigger role the Commission will play in the data protection and solving the enforcement problems of the GDPR show there is no clear understanding of the differences between these fields.”
One thing is cle” r: Big tech’s dominance otech’stal markets won’t be unpicked tonight. But, on both sides of the Atlantic, there are now a bunch of theories on how to do it — and a growing appetite for wading in.
