Separating or integrating? Data protection in competition assessments: a systematic literature review

Our contribution aims at giving a comprehensive overview over the intertwining of competition law and data protection law in the EU legal framework, prompted by the rising and disruptive importance of amassed data, including personal data (‘Big Data’), for competition. Big Data has quickly penetrated most business areas in the past decade, posing challenges for the effectiveness of existing data protection rules, on one hand, but also for different aspects of competition law and its enforcement, on the other hand. Access to customer contact data or customer preferences has impacted on competitive parameters, raising completely new questions of competition law, e.g. in the context of data portability or digital cartels. However, the more fundamental issue arises if and how data protection compliance can or should be a parameter in the assessment of competition authorities around the world, being a well-known fact that, in principle, competitive assessment is bound only by welfare considerations. Personal data has had multiple impacts on all pillars of competition law – anticompetitive agreements, abuse of dominance and merger control. While abuse of dominance and merger control relate to competitive harm via the access to greater customer data, the classic price fixing cartels are being replaced by seemingly irretraceable, big data based price fixing algorithms. Proceeding empirically, from the recent practice of several competition authorities, including the European Commission, as well as the German and French competition authorities, this contribution identifies three phases of development of the intersection between data protection and competition law. At the beginning, competition authorities were acknowledging data protection law as being a separate issue without relevance for the purpose of merger control proceedings and thus placing the two areas of law on parallel pathways. In a second phase, the realization that data protection rules may in fact have a role in hampering or enabling competition took more and more space both in policymaking and in adjudication, with Data Protection Authorities starting to play a role. We are currently at the dawn of the third phase identified: data protection law considerations are at the core of at least one current case looking into an abuse of dominant position in Germany, a Digital Clearinghouse started to meet twice every year in Brussels and the European Commission is laying the groundwork for potential changes in the way it enforces competition law in the digital economy. We call this last phase “Uberprotection”, which we define as the protection of the rights of individuals and their welfare as data subjects, participants to the market and consumers, afforded by concerted enforcement and facilitated by coherent policymaking of competition authorities, data protection authorities and consumer protection authorities.

• Since the notion of fairness underpins the regimes of competition, data protection and consumer law, it can act as a connecting factor to align substantive protections and enforcement mechanisms in the three fields. • While most attention has so far been devoted to how vigorous competition enforcement can render data protection rules more effective, the complementarity between the regimes also works the other way around. • In particular, substantive data protection or consumer law principles can be integrated into competition analysis so as to strengthen the ability of competition authorities to tackle new forms of commercial conduct. • At the same time, the competition concepts of market definition and market power can help to interpret the scale of obligations that data controllers and processors have to comply with under data protection law in line with the risk-based approach of the General Data Protection Regulation. • Tensions occur where competition enforcement favours sharing or merging of datasets for economic efficiency reasons against the spirit of the data protection rules, but there is also room for synergies by involving data protection or consumer authorities in merger investigations and by considering data protection or consumer interests more proactively in the design of merger remedies.

This contribution argues that a coherent and consistent interpretation of data protection and competition law is both possible and adequate. To illustrate this need, the ongoing abuse-of-dominance investigation by the French Autorité de la Concurrence against Apple is analysed. Representatives of the online advertising industry lodged a complaint against the introduction of Apple’s “App Tracking Transparency framework”. The latter includes a de facto obstacle to third-party tracking which shuts down advertisers’ access to those precious personal data that can be used for online advertising. With the Apple case in mind and by way of example, this paper argues that the regulation of consent to the processing of personal data under the GDPR serves as a dogmatic link between data protection and competition law, as this legal basis is at the heart of many digital business models. The GDPR provides a normative framework to determine when consent has been “freely given”. This can be a fruitful starting point for a competitive assessment, too, as both legal regimes pursue the objective of protecting consumer autonomy and consumer choice. The paper finishes by finding that its dogmatic approach corresponds to recent developments within competition law legislation and enforcement.

Based on a mix of conceptual insights and findings from cases, this paper discusses three ways in which the effectiveness of regulation in the areas of competition, data and consumer protection can be improved by tailoring substantive protections and enforcement mechanisms to the extent of market power held by firms. First, it is analysed how market power can be integrated into the substantive scope of protection of data protection and consumer law, drawing inspiration from competition law’s special responsibility for dominant firms. Second, it is illustrated how more asymmetric and smarter enforcement of existing data protection rules against firms possessing market power can strengthen the protection of data subjects and stimulate competition based on lessons from priority-setting and cooperation by consumer authorities. Third, it is explored how competition law’s special responsibility for dominant firms can be further strengthened in analogy with the principle of accountability in data protection law. Similarly, it is discussed how positive duties to ensure fair outcomes for consumers are developed in consumer law. The analysis offers lessons for improving the ability of the three regimes to protect consumers by imposing greater responsibility on firms with greater market power and thus posing greater risks for consumer harm.

The article focusses on (joint) trade secret ownership as a (neglected) aspect of European Union (EU) and United States (US) Trade Secret Law. The article shows that Information Privacy Law and Data Protection Law, respectively, and Trade Secret Law intersect. This intersection can be used to address not only the issue of unclear trade secret ownership in relation with personal data, but also the issue of power imbalance raised by considering two or more parties with entirely different bargaining positions as jointly responsible under Data Protection Law, in particular under the General Data Protection Regulation (GDPR). In this regard, US Information Privacy and Trade Secret Law as well as EU Data Protection and Trade Secret Law and the underlying ownership and liability concepts are analysed and compared to each other. The article shows that factors for (joint) control as developed by the Court of Justice of the European Union (CJEU) (Cases Wirtschaftsakademie, Jehovah’s Witnesses (JW), and Fashion ID) can be adapted by means of interpretation in essence under EU and US Trade Secret Law. Thus, joint controllers are often considered joint owners of the respective personal data as a trade secret. According to this approach, the parties are reciprocally entitled to prevent disclosures by each other beyond what is explicitly or implicitly agreed. Such right can act as a lever for weaker parties when bargaining with ‘stronger’ parties as necessary under Data Protection Law. At the same time, the essentially unified approach of determining trade secret ownership and data protection controllership provides for more clarity when it comes to the determination of trade secret ownership. Joint Control, Trade Secrets, Ownership, Joint Ownership, UTSA, Fashion ID, Trade Secret Directive, GDPR, FTCA, US

In digital markets, data protection and competition affect each other in diverse and intricate ways. Their entanglement has triggered a global debate on how data protection and competition law should interact to effectively address new harms and ensure that the digital economy flourishes. This book offers a blueprint for a more coherent approach towards these two areas of law for the benefit of society and the economy. By way of introduction, this book provides a comparative overview of EU data protection and competition law, focusing on their evolution, their underlying rationale, and their key features and concepts. Their touch points are explored by looking at their common objectives. In addition, a series of examples demonstrate how the same empirical phenomena in digital markets pose a common challenge for protecting personal data and promoting market competitiveness. A panoply of theoretical and empirical commonalities between these two fields of law, as this book shows, are barely mirrored in the legal, enforcement, policy, and institutional approaches in the EU and beyond, where the silo approach continues to prevail. Conceptually, the ideas that this book offers for a more synergetic path forward are anchored in the concept of ‘sectional coherence’. This new coherence-centred paradigm aspires to render the interpretation and enforcement of data protection and competition law mutually cognizant and reinforcing. The book also includes a reflection on the conceptual, practical, institutional, and constitutional implications of the transition towards coherence, and the relevance of its findings for other jurisdictions.

Personal data are both protected by a fundamental right and serves as a source of market power. As such, a complex interplay between data protection and competition law arises, sparking debate among policymakers and scholars on whether to incorporate data protection considerations (DPCs) in competition law assessments. Proponents argue that competition cases involving such an interplay require a normative contribution from data protection law, while opponents emphasize the practical challenges of considering data protection as a non-economic public policy objective. We identify nine ways in which data protection might ultimately surface in competition law assessments, categorized into five areas: (i) competition enforcement actions, (ii) existing legal and regulatory framework, (iii) personal data collection, (iv) exclusionary abuses, and (v) alleviation of competition concerns. Using a multiple-step approach for qualitative document analysis, we explore how these considerations have surfaced in the European Commission’s decisional practice through a dataset of 2.041 EU competition decision texts based on articles 101 TFEU and 102 TFEU and the EU Merger Regulation. We identify 53 decisions where DPCs have surfaced, especially in the information and communication industry, where they are more frequently subjected to commitments. In line with the evolving literature, we observe an increasingly integrationist trend as these considerations surface more frequently, particularly since the adoption of the General Data Protection Regulation in 2016 and the Digital Markets Act proposal in 2020. We also find a pattern where data protection provisions are included in commitments as a ‘tick-the-box’ exercise. Several influential alleviations of competition concerns suggest that the Commission is more comfortable using data protection to approve transactions unconditionally rather than as a substantive argument for commitments. We conclude by making a case for a more collaborative approach based on the European Court of Justice’s recent Meta Platforms (2023) judgment. Data protection should be considered in competition law assessments if its normative contribution is required. Such a stance would simply align with the internal logic of competition law without unlawfully expanding its material scope.

Personal data has both an economic and a dignitary value. This begs the question of whether competition law should respect the dual nature of personal data, given that the regulation of competition is chiefly dictated by economic concerns. This article addresses that question by mapping the potential intersections between EU data protection law and competition law. In particular, it argues that data protection law exercises an internal and an external constraint on competition law. On the one hand, competition law involves judgments about ‘normal competition’ and consumer welfare which may require a normative contribution by data protection law. Using data protection as a normative benchmark in this way does not depart from the logic of competition law as data protection still requires a competitive concern hook on which to hang. Data protection would thus act as an ‘internal constraint’ on competition law. On the other hand, regardless of such logic, competition authorities are bound to respect the fundamental right to data protection. This requires them to restrict the scope of competition law and to guarantee the effectiveness of that fundamental right. In this way, data protection acts as an ‘external constraint’ on competition law. Recognising these constraints would pave the way for a more coherent EU law approach to consumer concerns in a digital society.

Data plays a prominent role in the digital economy, as being able to use data to develop or improve innovative products or services is a key competitive parameter. Consequently, an increasing call for more data sharing is being made in the EU. However, this might create tensions with the policy objectives of the GDPR, as data sharing will often cover both personal and non-personal data mixed in the same dataset. Unsurprisingly, large data holders have started to use data protection considerations to justify refusals to share data with third parties. This could create some serious competition issues, and some authors thus argue that the GDPR strengthens large data holders’ position by increasing concentration in data markets and by reinforcing barriers to data sharing. This finding seems to rely on the double premise that: i) the GDPR is more lenient towards personal data re-use within the ecosystem of these large data holders than it is towards the sharing of this personal data with third parties; and that ii) the way in which these large data holders re-use personal data within their ecosystem complies with data protection law. In this paper, we show that these two premises can be challenged from a theoretical point of view. Yet, even if these premises are challengeable, large data holders do apply “double standards” in practice. They adopt a very restrictive approach towards data sharing with third parties while massively circulating their users’ data internally. We outline that this is mainly the result of a lack of data protection enforcement, which led, in turn, to a lack of competition enforcement. Therefore, to solve this “double standards” issue, we argue that there is a crucial need for more enforcement of the existing rules by data protection authorities. Data protection, which might presently be somewhat of a foe to competition in light of the “double standers” situation, could become a friend if enforced with more pugnacity against large data holders, as it would not only reinforce the protection of data subjects but would also ensure the existence of a healthier competitive environment.

The paper provides three specific arguments in support of the two key claims to promote an interface between data protection and digital trade law. It engages in the current academic debate among scholars to understand the role of digital trade law in coordinating the regulatory thicket of national data protection regulations (NDPRs) among states. In pursuance, it proposes a rebuttal to the critique that digital trade law is fundamentally ill-suited to engage in data protection policy debates. The paper argues that data protection and digital trade law cannot remain in separate silos as they both are fundamentally intertwined with the governance of cross-border flow of personal data. Data protection issues should form an indispensable consideration in the context of digital trade liberalisation and vice versa. The paper concludes that the standards regime in international trade law can be considered as a blueprint for the necessary regulatory interface between data protection and digital trade. The paper consists of five main sections. This introduction is the first section. The second section titled ‘Interconnected structural blocks of a data protection regulation in general’ provides the general structural elements of a data protection regulation and how the data protection principles and practices combine to actualise the mechanisms which govern the cross-border flow of personal data in a jurisdiction. It highlights that the structural elements of a data protection regulation are interconnected, which necessitates policy coherence between data protection and digital trade law. The third section titled ‘Three arguments against and in favour of an interface between data protection and digital trade law’ provides an outline of the critiques by Irion, Kaminski and Yakovleva to the proposals by Chander and Schwartz to promote a legal interface between data protection and digital trade law. Notably, it provides a rebuttal to the critiques by supporting the proposals by Chander and Schwartz. It supports the proposal for an international agreement on data privacy among states in the future which can bring coherence in the governance of cross-border flow of personal data. The fourth section titled ‘Future interface between data protection and digital trade law’ underscores the need for a self-standing agreement on data privacy in the context of international trade law. This is due to the fact that traditional trade law approaches need readjustment to cohesively tackle the realities of digital economy, especially data protection issues. In pursuance, it proposes that the trade standards regime, ie the Technical Barriers to Trade (TBT) and Sanitary and Phytosanitary (SPS) Agreement in the World Trade Organization’s (WTO) provide a unique blueprint to envision a self-standing legal agreement and forum on data protection concerns as it relates to cross-border flow of personal data in international trade law. The section briefly highlights the relevance of the WTO trade standards regime as a blueprint for the future international data privacy agreement in international trade law. The fifth section concludes the paper by raising two key challenges for a policy coherence between data protection and digital trade law — (a) progressive coordination and (b) a reasonable legal interface between the two regimes in both theory and practice.

Compared to art 82(1) of the General Data Protection Regulation (GDPR), which since 2018 grants data subjects a claim for damages resulting from the infringement of European data protection law, private enforcement of European competition law looks back on a much longer history. Thus, its concepts and learnings may serve as a model for data protection law. However, any potential transfer from one area to the other must be carefully weighed, as both the factual circumstances and the underlying regulatory framework differ. Against this background, this paper aims at identifying important similarities and differences between the private enforcement of European competition and data protection law. Amongst others, it reaches the conclusion that both fields of law – although for different reasons – share a comparably high level of Europeanisation and that the primary aims of private enforcement generally align. In addition, potential for spill-over effects from the area of competition to data protection law is identified, namely with regard to causation and the European concept of undertaking.

In his seminal article ‘The Limits of Antitrust’, Easterbrook argued that ‘when everything is relevant, nothing is dispositive’; therefore, when applying competition law, judges should resort to clear presumptions rather than balancing the proand anti-competitive effects of particular conduct. In the intervening 20 years, much ink has been spilled on the issue of whether competition law should take into consideration wider policy objectives. This discussion has been given renewed impetus in recent months following the publication of a ‘preliminary opinion on the intersection of data protection, consumer protection and competition law’ in March of this year by the European Data Protection Supervisor (EDPS). The publication of this report was followed by a workshop held under Chatham House rules in Brussels in June, a summary of which was published by the EDPS in July. The report reflects lively discussions on several issues familiar to data protection experts, such as the role of personal data in the digital economy and how to foster privacy as a competitive advantage. However, it also serves to launch a debate regarding matters which have been overlooked or unsubstantiated thus far. Most significantly, the report queries whether the traditional tools of competition law, which focus on parameters such as price, quality, and choice can explain the impact of certain business practices on data protection and privacy. It also questions ‘wider issues’ in competition law enforcement, for instance whether the Commission’s current case-by-case approach is correct in the digital environment or whether specific guidelines or a study should be introduced to inform authorities dealing with antitrust and merger cases involving personal data. These are queries which need to be addressed and the EDPS is to be applauded for kick-starting this discussion, whatever its outcome. Many of web 2.0’s datacentric services are two-sided platforms which are characterised by network effects: the more users they have, the more users they acquire. This leads to winnertakes-all markets which makes the application of key data protection concepts, such as consent, more difficult. Quite simply, individual control over personal data (or ‘informational self-determination’) becomes illusory when individuals are dealing with monopolies. For this reason, competition law is frequently depicted as the silver bullet which will render data protection rules more effective by injecting competition into monopolised markets and facilitating individual choice. However, that competition law can or even should play this role is contested by experts in that field. A discussion on the potential—and limits—of competition law was therefore conspicuously lacking until the EDPS initiative in March. Nevertheless, it is not yet apparent whether, and if so how, the two fields actually intersect. In recent years, the enforcement activity of DG Competition has been guided by a consumer welfare standard, according to which competition law should seek to deliver benefits to consumers in the form of ‘lower prices, better quality and a wider choice of new or improved goods and services’. This approach assumes that consumer welfare is negatively affected only when a particular practice has the effect of foreclosing an equally efficient competitor

This article examines the interrelationship between crossborder insolvency, insolvency in general and data protection. Prior to the outbreak of the coronavirus, the world had already been facing significant geopolitical and economic challenges. It examines Australia, the European Union, the United Kingdom (BREXIT), and the United States data protection and privacy laws. What has emerged from the recent adoption of data protection and privacy law, is a highly fragmented approach. States and in the case of the European Union have largely gone it alone. This poses significant challenges to entities that are experiencing financial stress and either going through insolvency (including cross border insolvency), restructuring or a merger or acquisition. Insolvency and legal practitioners will need to be aware of the varied approach taken by jurisdictions in defining personal data, the concept of consent and regulatory requirement(s) to appoint a controller or processor. This article argues that increasingly administrators and liquidators will need to consider the various data protection laws, when proceeding with cross-border insolvency. Cross-border insolvency, insolvency in general and data protection, Australia, the European Union, the United Kingdom (BREXIT), and the United States data protection and privacy laws

The interface between data protection law and competition rules has become a growing area of interest for companies and lawyers. First, in the course of unannounced inspections (the so-called dawnraids), European Commission and national competition authority officials typically review company records and search employees’ e-mails and electronic files and records (including those which people thought had been deleted). They will make hard and/or soft copies of relevant documents and in certain cases may even seize entire hard discs. This raises the question of whether such intrusions are compatible with data protection rules and thus which restrictions such rules impose on the ability of competition officials to collect and process data seized during inspections. Another intersection between competition law and data protection law arises where companies need to collect and further process data from their employees to respond to a competition authority’s request for information or a statement of objections in the course of a pending competition law investigation. Companies may also wish to access and review e-mails and other employee records so as to uncover potential competition law infringements (e.g., in the context of a compliance programme) or to prepare a leniency application.Against this background, this paper seeks to identify the limits that may be placed by data protection law on competition authorities, on the one hand, and companies, on the other hand, to collect and further process personal data in the context of competition law investigations.This paper is divided into four sections. Section II briefly sets out the legal framework for data collection and processing in the EU. Section III explains the key data protection principles and Section IV identifies the key players in the context of EU data protection law. Section V elaborates on the key data protection principles and how they apply to competition authorities on the one hand and companies on the other hand. Section VI discusses the legal consequences of non-compliance with data protection rules. Section VII concludes.

This article examines the concept of ‘AI fairness’ for people with disabilities from the perspective of data protection and equality law. This examination demonstrates that there is a need for a distinctive approach to AI fairness that is fundamentally different to that used for other protected characteristics, due to the different ways in which discrimination and data protection law applies in respect of Disability. We articulate this new agenda for AI fairness for people with disabilities, explaining how combining data protection and equality law creates new opportunities for disabled people's organisations and assistive technology researchers alike to shape the use of AI, as well as to challenge potential harmful uses.