GDPR Myopia: How a Well-Intended Regulation ended up Favoring Google in Ad Tech

Abstract

This paper shows that while the GDPR, which lies at the core of the EU digital privacy legislation, has arguably delivered positive outcomes by enhancing the protection afforded to users of digital services and strengthening the rights of data subjects, it has also had adverse effects on competition by strengthening the position of Google and other large online platforms on digital markets, at the very same time the European Commission has expressed concerns about the market power held by these companies. This is what we understand by “GDPR Myopia”: in its effort to improve the protection of data subjects, the GDPR worsened one of the main problems experienced in digital markets today, which is increased market concentration and reduced contestability. Worse, the GDPR gave Google a tool to harm rivals by reducing access to the data they need to run their business. The present paper focuses on the adverse consequences of the GDPR on competition in the so-called “ad tech” industry, which comprises the various categories of companies that provide online advertising services to advertisers and publishers of online content. We show that while it could have been initially thought that the GDPR would have negatively impacted Google’s ability to deliver ad tech services given the enormous amount of data it collects and processes, and thus weaken its dominance in such services, the opposite scenario happened. As explained in this paper, the GDPR has strengthened Google’s market position compared to smaller rivals, which have been less capable of absorbing the implementation costs of the GDPR and coping with the restrictions on the collection and processing of data. Google’s questionable data-related practices, and in particular its “internal data free-for-all”, have also so far been left unchallenged by the Irish Data Protection Authority, while the practices of much smaller actors have been subject to harsh intervention by overly zealous Data Protection Authorities. Moreover, Google has used the GDPR – or privacy concerns more generally – as an excuse to engage in practices that have strengthened its control on the ad tech ecosystem to the detriment of advertisers, publishers and smaller rivals. This could be referred to as the “weaponization” of the GDPR, i.e. the use of the GDPR by Google as a strategic tool to strengthen its grip on the ad tech market. Because of its market power, Google has become a de facto privacy regulator able to dictate to rival advertisers, publishers and rival ad tech players its interpretation of the GDPR and other privacy legislation, which is a worrying trend that needs to be countenanced. The purpose of this paper is not to call for the weakening of the GDPR, whose positive impact on users of digital services cannot be ignored. The GDPR has considerably increased privacy awareness among both companies and data subjects across the EU. However, the adverse effects of the GDPR on competition and innovation in certain digital industries should not be ignored. From a policy standpoint, the Commission, as well as the authorities that are entrusted with the enforcement of the GDPR should aim at maintaining or even perhaps increasing the level of protection offered by this legislation, while at the same time trying to mitigate its adverse effects on other dimensions of welfare, such as competition, which are equally important for both businesses and consumers. It is with this objective in mind that the present paper offers various solutions that could be explored to ensure a better balance between privacy and these other welfare dimensions.