Privacy is a competition issue, but privacy regulators’ failure to enforce privacy rules is the persistent failure that holds back progress in the field, write Johnny Ryan and Cristina Caffarra.
Dr Johnny Ryan is Senior Fellow at the Irish Council for Civil Liberties, and Open Markets Institute. Dr Cristina Caffarra is a competition expert at Charles River Associates, and has been an advisor on antitrust matters to companies including Apple, Amazon, Microsoft, Uber, and others.
On 8 January, the UK Competition and Markets Authority announced an investigation into Google’s purported ‘privacy fixes’ to Chrome, its dominant web browser. The CMA is acting on complaints that competition in the online advertising market is threatened under the guise of ‘privacy protection’.
Earlier this week, Facebook announced a postponement of its controversial proposal to combine data between WhatsApp and other Facebook subsidiaries. These two developments are related, and the solutions are too.
Google plans to block third-party cookies in Chrome next year. Google’s competitors in the tracking industry fear this will prevent them from surreptitiously surveilling what we all do on the Internet, and say it will entrench Google’s power because it alone will retain its surveillance capability. As these rivals’ revenue comes from this surveillance data, it is natural to reach for the antitrust lever. But there are more profound issues at play.
The ‘Adtech’ Jungle
The online advertising market is rife with documented fraud, inefficiency, hidden fees, and data theft. Adtech exposes intimate data about all of us, and what we do online, to thousands of adtech companies every day. We call this the external data free-for-all.
Adtech’s surveillance and profile trading is unlawful, and harmful. None of this is at all new. Indeed the UK Information Commissioner’s Office (ICO) acknowledged rampant illegality in its 2019 Adtech Report, but has taken no action to stop it so far.
As a result, we are all at risk. For example, a dossier about you could convince a hidden algorithm to remove you from the short list for your dream job, or make you a target of personalised disinformation.
Privacy regulators like the UK’s ICO have the tools to undo adtech’s external data free-for-all. They also have tools to deal with Google’s (and Facebook’s) internal data free-for-all, too. But they have not used any of them.
The Data Mess Needs Sorting, but Antitrust Self Preferencing Tools are Not It
In the absence of action by the ICO, is adtech’s crisis best dealt with through antitrust? We are not sure. It is tempting for competition agencies to go after Google and Facebook culprits. Complainants can fashion their plea as an antitrust issue: ‘We are the victims, Google is advantaging itself and self-preferencing’. Google’s proposed changes may well limit the external free-for-all, hampering the ability of small rivals to misuse data as they did before.
But it is hard to see how the CMA or an antitrust agency could use antitrust tools to limit how Google itself uses data. This is the fundamental problem. The external free-for-all among thousands of companies would be curtailed, but Google’s internal free-for-all would continue.
Google collects data about us from nearly everything we read, watch, and listen to; nearly every app we use, including maps and email; our passwords; and even the operating systems that run our phones and computers.
It combines these data into a dossier about each of us. It can use data collected from one area of its business (YouTube, or the Google Maps app, for example) to give it a competitive advantage in other areas of its business (such as its various advertising businesses). Thus, Google’s monopoly cascades from area to area. Facebook does the same.
Dialing up the GDPR’s ‘Purpose Limitation’
Data protection enforcers have powers to address the internal free-for-all that has enabled these actors to cascade their monopoly from market to market. European (and UK) data protection law provides a powerful principle: data collected about you for one purpose should not be automatically used for other purposes, too. This ‘purpose limitation’ principle needs to be put into use.
The GDPR says in clear language that ‘personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes’. It provides strong sanctions against infringements of purpose limitation: not only fines, but the power to stop Google and Facebook from using the data. Enforcement of purpose limitation would address the vast, unlawful data advantage these tech giants gain from combining and cross-using the personal data of users.
The proposed Digital Markets Act makes an effort to put forward ex ante rules prohibiting gatekeepers from combining data, for example (Art. 5(a)). But the GDPR’s purpose limitation is clear, and strong. Vague or catch-all policy terms should not provide a loophole. A specific ‘legal basis’ is required for each purpose that a company uses a piece of personal data for.
By law, these purposes and their legal basis must be clear to the consumer. Vague descriptions such as ‘improving users’ experience’, ‘we may use your personal data to develop new services’, or ‘to offer personalised services’ are explicitly ruled out.
Not only would consumers no longer automatically be opted in to all of a conglomerate’s products and data collection, but they would have the power to decide what parts of what companies they chose to reward with their data. The ease of withdrawal of consent provided for in the GDPR gives the consumer the power to functionally separate a company at will.
Enforcing the GDPR would help curb Google and Facebook’s ability to ‘envelop’ markets at will, and end both the internal and external data free-for-all in a way that antitrust intervention cannot.
Privacy is a competition issue, but privacy regulators’ failure to enforce privacy rules is the persistent failure that holds back progress – even more than the slow turning of the antitrust wheels.