Excessive Data Collection and (Mis)use of Data: A Comparative Law and Economics Study on the Chinese Didi Case and the German Facebook Case

Data Protection and Competition Law: The Dawn of ‘Uberprotection’

Can competition law consider effects on privacy, or should privacy concerns of data-collecting behaviour only be dealt with by data protection law? In this paper, we analyse the German Facebook case, in which the requirement of giving consent to the combination of personal data from different sources was prohibited as exploitative abuse by a dominant firm. We show, from an economic perspective, that due to the simultaneous existence of two market failures (market dominance, information and behavioural problems) and complex interaction effects between both market failures and both policies in digital markets, a new, much more complex relationship emerges. Since the traditional approach of a strict separation of both policies is no longer feasible, a more integrative and collaborative policy approach for competition law and data protection law might be necessary. With respect to the substantive issue in the Facebook case, i.e. protecting a minimum standard of choice for consumers regarding their personal data vis-a-vis dominant digital platform firms, the recent decision by the German Federal Court of Justice in this case and the proposed Digital Markets Act have led to new perspectives for dealing with privacy concerns in competition law and new forms of ex-ante regulation.

The German Facebook Case: The Law and Economics of the Relationship between Competition and Data Protection Law

This article provides a critical analysis of the German Facebook case and stresses the limits of competition law. Facebook’s terms and conditions regarding the use of Off-Facebook data were qualified as an exploitative abuse at various stages of the German Facebook proceedings. However, it is far from certain that Facebook would have written its terms any different if it was operating on a competitive market. From an economic viewpoint the market failure at hand is a pervasive information asymmetry rather than market power. Therefore, it is doubtful that the correct response lies within competition law. If competition rules must be rewritten in order to cope with market failures in digital markets, there is a serious risk that the abuse found is not an abuse of market power but an abuse of the market power provisions in competition law. Alternative routes that can be found in consumer contract, unfair competition or data protection laws might be viable options. The latter rules can be applied without a complicated finding of causality between market dominance and the use of ‘unfair’ contract terms. Admittedly, also the information paradigm can be called into question but amending rules of contract law avoids Herculean interpretations of competition law that go against a broadly supported ‘more economic approach’. Abusing competition law or enhancing contract law to improve the efficiency of digital markets, that is the question. Facebook case, goals of competition law, market failures, data law, information disclosure, consent, signing-without-reading problem, abuse of dominance, unfair contract terms, unfair commercial practice

Based on a mix of conceptual insights and findings from cases, this paper discusses three ways in which the effectiveness of regulation in the areas of competition, data and consumer protection can be improved by tailoring substantive protections and enforcement mechanisms to the extent of market power held by firms. First, it is analysed how market power can be integrated into the substantive scope of protection of data protection and consumer law, drawing inspiration from competition law’s special responsibility for dominant firms. Second, it is illustrated how more asymmetric and smarter enforcement of existing data protection rules against firms possessing market power can strengthen the protection of data subjects and stimulate competition based on lessons from priority-setting and cooperation by consumer authorities. Third, it is explored how competition law’s special responsibility for dominant firms can be further strengthened in analogy with the principle of accountability in data protection law. Similarly, it is discussed how positive duties to ensure fair outcomes for consumers are developed in consumer law. The analysis offers lessons for improving the ability of the three regimes to protect consumers by imposing greater responsibility on firms with greater market power and thus posing greater risks for consumer harm.

Recent years have shown a surge of interest from various enforcement agencies to remedy commercial behaviour exploiting the increasing information and power asymmetries between consumers and firms. What is particularly notable about this rise in attention is that enforcement actions demonstrate clear interactions between different legal fields that are traditionally applied and enforced in isolation. The present article will focus in particular on the growing interaction between competition, data protection, and consumer law.

Personal data are both protected by a fundamental right and serves as a source of market power. As such, a complex interplay between data protection and competition law arises, sparking debate among policymakers and scholars on whether to incorporate data protection considerations (DPCs) in competition law assessments. Proponents argue that competition cases involving such an interplay require a normative contribution from data protection law, while opponents emphasize the practical challenges of considering data protection as a non-economic public policy objective. We identify nine ways in which data protection might ultimately surface in competition law assessments, categorized into five areas: (i) competition enforcement actions, (ii) existing legal and regulatory framework, (iii) personal data collection, (iv) exclusionary abuses, and (v) alleviation of competition concerns. Using a multiple-step approach for qualitative document analysis, we explore how these considerations have surfaced in the European Commission’s decisional practice through a dataset of 2.041 EU competition decision texts based on articles 101 TFEU and 102 TFEU and the EU Merger Regulation. We identify 53 decisions where DPCs have surfaced, especially in the information and communication industry, where they are more frequently subjected to commitments. In line with the evolving literature, we observe an increasingly integrationist trend as these considerations surface more frequently, particularly since the adoption of the General Data Protection Regulation in 2016 and the Digital Markets Act proposal in 2020. We also find a pattern where data protection provisions are included in commitments as a ‘tick-the-box’ exercise. Several influential alleviations of competition concerns suggest that the Commission is more comfortable using data protection to approve transactions unconditionally rather than as a substantive argument for commitments. We conclude by making a case for a more collaborative approach based on the European Court of Justice’s recent Meta Platforms (2023) judgment. Data protection should be considered in competition law assessments if its normative contribution is required. Such a stance would simply align with the internal logic of competition law without unlawfully expanding its material scope.

This chapter examines the extent to which excessive data collection and unfair privacy policies of dominant undertakings could amount to exploitative abuses under Article 102 of the Treaty on the Functioning of the European Union'. The chapter begins by examining the interplay between competition law and the data-centric provisions of the Digital Markets Act (DMA) in addressing some of these privacy-related practices. While the DMA tackles key data and privacy issues associated with major digital platforms, Article 102 remains crucial in addressing broader privacy and data-related practices of dominant firms. This includes curbing excessive data collection and ensuring a broader range of choices concerning user privacy. Subsequently, the chapter addresses the prospectus and challenges of applying the case law on Article 102 to excessive data collection and unfair privacy policies. The discussions reveal the difficulty of applying the case law on excessive pricing to excessive data collection, especially considering the technicality of the test using price-cost margins. Instead, the chapter suggests that the case law on unfair contract terms is better suited to privacy-related practices. Resorting to unfair terms shifts the focus from purely ‘excessive’ data collection to the broader context, including how users’ personal data and privacy are addressed in the terms of service and privacy policies. Next, the chapter explores the question of whether and to what degree breaches of data privacy rules can contribute to breaches of competition rules or represent deviation from competition on the merits. The chapter ends by highlighting some of the implications for the interface between the two legal regimes from the potential application of competition law to data-related exploitative abuses.

The expansion of digital educational platforms and artificial intelligence solutions in public school systems has intensified the large-scale processing of data from students, families and education professionals. In this context, the implementation of Brazil’s General Data Protection Law, Law 13.709 of 2018, becomes a legal and ethical imperative, especially when dealing with children and adolescents as data subjects. This article discusses challenges and opportunities regarding compliance with the data protection framework in the use of digital platforms and AI tools in public education. It is a bibliographical and analytical study, based on Brazilian legislation, guidance documents from national and international organizations, and recent research on data protection, ethics of artificial intelligence and information governance in the educational sector. The findings indicate that, despite recent advances in laws, guidelines and manuals tailored to education, there are persistent weaknesses related to the lack of data governance, algorithmic opacity, excessive data collection, limited risk assessment and low participation of school communities in setting rules for technology use. The article argues that effective implementation of the data protection law in digital educational platforms requires an articulation between legal compliance, ethical responsibility and pedagogical projects, supported by data governance policies, continuing professional development, transparency and social participation. Keywords: General Data Protection Law; Digital educational platforms; Artificial intelligence; Ethics; Public school systems.

The article focusses on (joint) trade secret ownership as a (neglected) aspect of European Union (EU) and United States (US) Trade Secret Law. The article shows that Information Privacy Law and Data Protection Law, respectively, and Trade Secret Law intersect. This intersection can be used to address not only the issue of unclear trade secret ownership in relation with personal data, but also the issue of power imbalance raised by considering two or more parties with entirely different bargaining positions as jointly responsible under Data Protection Law, in particular under the General Data Protection Regulation (GDPR). In this regard, US Information Privacy and Trade Secret Law as well as EU Data Protection and Trade Secret Law and the underlying ownership and liability concepts are analysed and compared to each other. The article shows that factors for (joint) control as developed by the Court of Justice of the European Union (CJEU) (Cases Wirtschaftsakademie, Jehovah’s Witnesses (JW), and Fashion ID) can be adapted by means of interpretation in essence under EU and US Trade Secret Law. Thus, joint controllers are often considered joint owners of the respective personal data as a trade secret. According to this approach, the parties are reciprocally entitled to prevent disclosures by each other beyond what is explicitly or implicitly agreed. Such right can act as a lever for weaker parties when bargaining with ‘stronger’ parties as necessary under Data Protection Law. At the same time, the essentially unified approach of determining trade secret ownership and data protection controllership provides for more clarity when it comes to the determination of trade secret ownership. Joint Control, Trade Secrets, Ownership, Joint Ownership, UTSA, Fashion ID, Trade Secret Directive, GDPR, FTCA, US

The relationship between data protection law and antitrust law is – also and especially with regard to undertakings with a dominant position in the market of digital economy (i.e. big tech companies) – with good reason a highlighted subject of legislation and case law, legal practice and research activities. This article examines whether and to what extent the antitrust law-concept of market power may have effects in the fields of data protection law. The very elements of lawfulness laid down in Article 6 of the General Data Protection Regulation (GDPR), which are decisive for the lawful processing of personal data, are used as a reference for this purpose. Market Power, Antitrust Law, Dominant Position, Legitimate Interests, Consent, Data Portability, Voluntariness

Data Protection in the Context of Competition Law Investigations: An Overview of the Challenges

Personal Data Law and Competition Law – Where is it Heading?

The Internal and External Constraints of Data Protection on Competition Law in the EU

Data protection and competition law: friends or foes regarding data sharing?