The ongoing intertwinement of data protection, competition and consumer law (see our earlier article) explains why authorities of all stripes are turning the spotlight on companies’ personal data collection and monetisation practices. Does this mean that competition and consumer authorities can enforce data protection law on par with or instead of the DPAs? Do the various authorities work together or compete with one another? What does this mean for consumers and do individual claims for damages offer more meaningful protection than enforcement by public authorities? These questions were in the spotlight at a panel discussion organised by De Brauw at the recent IAPP Europe Data Protection Congress. De Brauw's Axel Arnbak moderated the discussion between the Netherlands Competition and Consumer Authority's chairman Martijn Snoep and two partners from our Best Friends network, Vera Jungkind (Hengeler Mueller) and Jordan Ellison (Slaughter and May). This article highlights key insights from the panel.
Competition and consumer authority enforcement actions against the commercial use of personal data by companies make headlines time and again. Having only just taken office, the European Commission has launched a preliminary investigation into how Google and Facebook collect and monetise their users' data. The Hungarian Competition Authority recently fined Facebook EUR 3.6 million for marketing its social network as "free" despite benefiting economically from processing user data - the highest possible fine for a consumer law violation in Hungary. The growing interest of competition and consumer authorities in data processing practices by companies is a response to the dramatic shift in how goods and services are produced and consumed in the digital age. In his opening statement, Axel Arnbak recalled that this trend took off in the late 1990s. Carl Shapiro and Hal Varian's 1998 book, Information Rules, already provided the playbook for commercial success in the digital economy: acquire users as quickly as you can, do not focus on revenue at the early stages, harness network effects and then expand into other markets. Only recently have market regulators and enforcement authorities realised how accumulating and commercialising personal data transforms our markets and societies. This raises regulatory dilemmas well beyond data protection law. Martijn Snoep, the panel's first speaker, explained that the accumulation of data leads to the accumulation of power, which in the end can be used to the detriment of consumers and competitors. From this perspective, data protection can be considered a parameter of competition akin to other non-economic parameters. There can also be tension between competition and data protection law. For example, access to personal data held by a dominant company may be necessary to improve competition on the market. Yet, such sharing may run afoul of data protection law, which sets strict boundaries on data sharing. According to Martijn Snoep, data protection is likely to prevail over competition law because the European Union guarantees the protection of the rights to privacy and personal data as fundamental rights. For this reason, the Dutch Competition and Consumer Authority (ACM) has, in the past, deferred to the Dutch DPA's position that data sharing is not allowed even if prescribed under competition law. Martijn Snoep also noted that Dutch market regulators, including the Dutch DPA, are working closely to review algorithms and that they regularly consult with each other on related issues. But joining forces in enforcement cases, for now, would create more problems than it would solve because each authority must follow different procedures. Looking forward, he acknowledged that in light of each individual authority's limited capacity, expertise and financial resources, the alignment of enforcement initiatives of DPAs as well as competition and consumer authorities is key to effective enforcement in the digital age. Vera Jungkind discussed a recent enforcement case by the German Federal Cartel Office (FCO) against Facebook: the FCO concluded that by illegally collecting personal data without a legal basis under the General Data Protection Regulation (GDPR), Facebook had violated German competition law. Beyond references to the GDPR, Vera Jungkind stressed, the FCO did not really explain why, from a competition law perspective, there was an abuse of a dominant market position. In her view, the FCA went too far in establishing a direct link between a violation of the GDPR and competition law. This was one of the reasons why the Higher Regional Court of Düsseldorf, where Facebook appealed the FCA's decision, suspended the decision in preliminary proceedings. Given the importance of this case for drawing a line between the two areas of law, Vera Jungkind expects that it will reach the Federal Civil Court, one of the highest courts in Germany. In the meantime, the Irish DPA is investigating Facebook's data collection practices and is expected to deliver a decision early next year. For his part, Jordan Ellison agreed that although the overarching objectives of data protection, competition and consumer law may somehow align, each of these bodies of law have different objectives and address different harms. Returning to the Facebook case, he pointed out that the FCA's decision is an example of using competition law as the wrong tool to address data protection harms. Just like a violation of tax law can allow a dominant company to invest extra money in R&D and gain a competitive advantage, he continued, competition law should not address a company gaining a competitive advantage as a result of its illegal data collection, unless such collection also violates competition law. At the end of the session, Vera Jungkind addressed the interplay between enforcement of consumer rights and data protection rights by public authorities and enforcement through civil law mechanisms, such as claims for damages that individuals can initiate themselves. She noted that empowering individuals to enforce their fundamental rights would honour their rights, and would also allow enforcement authorities to readjust their priorities. This ties into the Dutch DPA's recent enforcement priorities (for an overview read our recent article). Among other things, this strategy proclaims a risk-based approach to supervision and enforcement, which means the DPA will prioritise cases involving high risks to individuals. The panel was well attended, and saw active audience participation. It is clear that companies, authorities and society at large will need to think and work hard on addressing the challenges posed by the complex interaction between data protection, competition and consumer law. For further insights on the topic, read our recent academic article on "Kaleidoscopic Enforcement" (in Dutch) published by Paris Legal Publishers for the Dutch Commercial Law Association.