Exclusionary conduct in data-driven markets: limitations of data sharing remedy

Author Notes

Abstract

The natural consequence of finding an infringement of Article 102 TFEU is to offset the harm to consumer welfare by restoring competition through effective remedies. As big data constitutes the most vital resource in data-driven markets, a dominant undertaking can exclude its rivals from accessing user data and thus deprive them of scale in markets that are characterized by network effects. Indeed, the European Commission found Google guilty of excluding its rivals in the Android licencing case by adopting this strategy. The Commission, however, did not impose any data sharing remedy. This article analyses the viability of mandatory data sharing as a remedy to restore competition in the affected market. It approaches this research question from both theoretical and practical standpoints. It analyses the viability of a mandatory data sharing remedy from a legal, economic, and technological perspective. A separate section makes an assessment of such a remedy within the framework of the GDPR. Based on this investigation, this article concludes that mandatory data sharing is not the optimal solution to remedy loss to consumer welfare.

I. INTRODUCTION

The recent decision by the European Commission against Google, where it found the latter to have abused its dominant position by imposing illegal restrictions on Android device manufacturers and mobile network operators to cement its dominant position in general Internet search, demonstrated that exclusionary conduct in data-driven markets is a reality.¹

European Commission, Case AT.40099 – Google Android; see also, Vikas Kathuria, ‘Greed for Data and Exclusionary Conduct in Data-driven Markets’ (2019) 35(1) Computer Law & Security Review 89.

In essence, Google’s practices were aimed at depriving its rivals of gaining users’ big data that feeds the underlying Machine Learning based algorithm, which forms the core infrastructure of their business activities.²

European Commission, ibid, see in particular paras 739, 859, 860, 1315 and 1318.

The Machine Learning-based algorithm constantly evolves after interacting with big data³

‘ML [Machine Learning] is based on algorithms that can learn from, process and rank data to make useful predictions to its users.’ European Commission, Case M.8124 – Microsoft/LinkedIn, fn 230.

—this is the nature of incremental innovation in these markets. In the hi-technology markets in general,⁴

For example, see JT Lang, ‘European Community Antitrust Law: Innovation Markets and High Technology Industries’ (1996) 20 Fordham International Law Journal 717; C Pleatsikas and D Teece, ‘The Analysis of Market Definition and Market Power in the Context of Rapid Innovation’ (2001) 19 International Journal of Industrial Organization 665.

and the Machine Learning-based markets in particular,⁵

For instance, in the Microsoft/Yahoo! Search Business deal, the Commission observed that search engine market is characterized by incremental innovation; European Commission, COMP/M.5727 – Microsoft/Yahoo! Search Business, para 101.

rapid technological changes characterize competition. Thus, subject to other constraints such as network effects and access to data, an innovative platform can outperform its competitors. Data-driven markets are often characterized by network effects where the quantity of data (scale) and variety of data (scope) have a positive influence on the market share of a platform.⁶

See, in general, ME Stucke and A Ezrachi, ‘When Competition Fails to Optimize Quality: A Look at Search Engines’ (2016) Yale Journal of Law & Technology 70; OECD, Data-driven Innovation for Growth and Well-being: Interim Synthesis Report (2014) 24–25 <https://www.oecd.org/sti/inno/data-driven-innovation-interim-synthesis.pdf> accessed 10 December 2019; for the ‘scope’ benefit in data-driven platforms, see President’s Council of Advisors on Science and Technology, Report to the President, Big Data and Privacy: A Technological Perspective (2014) 10 <https://bigdatawg.nist.gov/pdf/pcast_big_data_and_privacy_-_may_2014.pdf> accessed 10 December 2019.

By depriving its rivals of gaining scale in data, a dominant player can successfully exploit demand-side scale economies, ie network effects, to its benefit in a two-sided market. Competition agencies have long been vigilant against the practices of a dominant undertaking that restrict rivals from gaining the ‘critical mass’ to stay viable in a market characterized by network effects.⁷

See, in general, C Shapiro, ‘Exclusivity in Network Industries’ (1999) George Mason Law Review 673.

Thus, a strategy to deprive rivals of big data can come under the scrutiny of Article 102 TFEU. Indeed, the Google Android case is the manifestation of this theory of harm in the data-driven marketplace.

In the cases of exclusionary conduct by a dominant undertaking in data-driven markets, a critical question relates to the nature of the remedy that can offset the harm to consumer welfare and restore competition. Intuitively, mandating a delinquent dominant undertaking to share wrongly withheld data appears to be an optimal remedy. Indeed, some have argued that ‘[a]s Google has acquired large volumes of data through anti-competitive means, a possible remedy would be to mandate it to grant some form of access to its data to rivals hurt by its anti-competitive behaviour.’⁸

D Geradin and M Kuschewsky, ‘Competition Law and Personal Data: Preliminary Thoughts on a Complex Issue’ (2013) 13, fn 53 <https://ssrn.com/abstract=2216088> accessed 10 December 2019.

Contrary to the conventional wisdom, the Commission in its Google-Android decision refrained from granting such access by way of remedies.⁹

European Commission (n 1) paras 1394–403.

Against this backdrop, the article analyses whether in cases of exclusionary conduct by a dominant undertaking aimed at depriving rivals of user data, forced data sharing serves as an optimal remedy to restore competition in the relevant market. After analysing the viability of mandatory access to data from different standpoints, the article concludes that data sharing is not the most optimal choice to restore competition in the relevant market.

Designing appropriate remedies is an area in competition law where the antitrust authorities and courts enjoy wide discretionary powers.¹⁰

See Article 7 of Council Regulation (EC) No 1/2003 of 16 December 2002 on the implementation of the rules on competition laid down in Articles 81 and 82 of the Treaty [2002] OJ L1/1 (Regulation 1/2003); see also, C Ritter, ‘How Far Can the Commission Go When Imposing Remedies for Antitrust Infringements’ (2016) 7(9) Journal of European Competition Law & Practice 587.

Despite its importance, this is an area in competition law that has not received due attention even from academics. In the absence of clear guidelines, mainly due to the fact that remedies are fashioned on a case-by-case basis, the suitability of a particular remedy should be approached from multiple standpoints. Therefore, this article presents an analysis of mandatory data sharing as a remedy to restore competition in data-driven markets from both theoretical and practical perspectives. Section 2 begins with the general discussion on the purpose of remedies and the possibility of advantage/resource sharing as a remedy in abuse of dominance cases under European Union (EU) law. This part also establishes that an optimal remedy should aim at restoring the competition to the level that had existed at the time the abuse started (‘baseline’ scenario). Based on this standard, it analyses the viability of data sharing. Any remedy must take account of the underlying economic and technological characteristics of the relevant market.¹¹

For instance, the Commission took account of the economic and technological realities of the relevant market while fashioning a suitable remedy in the Microsoft case; European Commission, COMP/C-3/37.792 – Microsoft, paras 994–95.

In the context of data-driven markets, Section 3 then looks at the viability of data sharing against the backdrop of the technological nature of big data. Section 4 of this article examines whether the mandate of data sharing by a competition authority may run afoul of the EU General Data Protection Regulation (GDPR).¹²

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC [2016] OJ L119/1 (GDPR).

This article assesses the viability of mandatory data sharing within the framework of remedies for the violation of Article 102 TFEU. However, mandatory data sharing can also be provided by way of regulation or through the application of essential facilities doctrine.¹³

The applicability of essential facilities doctrine to big data has already been documented well in the competition law literature. See, eg J Crémer and others, ‘Competition Policy for the Digital Era’, Final Report, European Commission, Directorate-General for Competition (2019) <ec.europa.eu/competition/publications/reports/kd0419345enn.pdf> accessed 10 December 2019; Geradin and Kuschewsky (n 8) 10; I Graef, EU Competition Law, Data Protection and Online Platforms: Data as Essential Facility (1st edn, Wolters Kluwer 2016).

Admittedly, in all these cases, there are some common issues such as technological nature of data and viability of data sharing, administrative viability of data sharing, and the interface between the GDPR and data sharing provisions that this article deals with.

II. THE OBJECTIVE OF REMEDIES IN THE EU COMPETITION LAW

A remedy is not a sanction and is aimed at bringing the infringement effectively to an end.¹⁴

Article 7 of the Regulation 1/2003 (n 10); P Hellström and others, ‘Remedies in European Antitrust Law’ (2009) 76(1) Antitrust Law Journal 43, 44.

In case a dominant firm infringes Article 102, a cease and desist order will only prohibit the impugned act. The consumer harm may still resonate in some markets if nothing else is done. This may, for instance, be the case in network industries.¹⁵

Hellström and others (n 14) 48.

Thus, to effectively end the infringement and restore competition in the market, antitrust authorities are required, in certain circumstances, to do more than merely prohibiting the unlawful conduct. To this end, the OECD observes that ‘[r]emedies cure, correct, or prevent, whereas sanctions penalise or punish.’¹⁶

OECD, Remedies and Sanctions in Abuse of Dominance Cases, DAF/COMP(2006)19 (2006) <https://www.oecd.org/competition/abuse/38623413.pdf> accessed 10 December 2019, 18.

The US Supreme Court also observes that a proper relief must be ‘effective to redress the violations’ and ‘to restore competition’.¹⁷

Ford Motor Co v United States (1972) 405 US 562, 92 SCt 1142, 573 (quoting United States v EI du Pont de Nemours & Co (1961) 366 US 316, 326, 81 SCt 1243, 6 L Ed 2d 318).

The US Department of Justice (DoJ) sets out following as the goals of remedies in government section 2 cases: to terminate the defendant’s unlawful conduct, prevent its recurrence, and re-establish the opportunity for competition in the affected market.¹⁸

US DoJ (2008) 144, citing United States v Microsoft Corp (2001) 253 F 3d 34, 103 (DC Cir) (en banc) (per curiam).

To achieve these goals, the authorities are required to fashion sui generis remedies in each case.¹⁹

‘Experience tells us that the enforcement agencies and judges in the U.S. system, as well as the European Commission and the reviewing courts in the EU system, must fashion relief in cases of extraordinary importance, but often sui generis in nature.’ SW Waller, ‘The Past, Present, and Future of Monopolization Remedies’ (2009) 76(1) Antitrust Law Journal 11, 12.

The rest of the section analyses the viability of mandatory data sharing in light of the common objective of remedies in both the EU and the USA, ie to restore competition.

Can data sharing be mandated as a remedy in the EU

It is true that in some circumstances cease and desist orders can be wretchedly ineffective to restore competition in the market. This may, for instance, be the case when the abusive practice has given an unassailable market position to a dominant firm. In such cases, the dominant undertaking will keep reaping the benefits of its illegal behaviour if the only consequence it faces is a prohibition order from the antitrust authorities. Not only will this be detrimental for consumers but will also create perverse incentives for other firms to engage in illegal behaviour.²⁰

OECD (n 16) 20.

Understandably, this can be the case in a network industry, which in the absence of Article 8 interim measure has experienced tipping in favour of the defendant undertaking.²¹

Hellström and others (n 14) 48–49.

Thus, some measures other than a mere prohibition are required in order to eliminate the consequences of abusive behaviour that can restore competition in the market.

The US Supreme Court also makes it clear that it is possible to take measures that will ‘deprive the defendants of any of the benefits of the illegal conduct, and break up or render impotent the monopoly power found to be in violation of the Act’.²²

United States v Grinnell Corp (1966) 384 US 563, 577; in the same vein, the Supreme Court held in United States v United Shoe Mach Corp (1968) 391 US 244, 250 (1968) that ‘… it is the duty of the court to prescribe relief which will … deny to the defendant the fruits of its statutory violation …’.

Such restorative remedies require positive obligations that go beyond a cease and desist order. For instance, in the EU Microsoft case, Microsoft was ordered to offer a full-functioning version of its Windows client PC operating system that did not incorporate Windows Media Player, although Microsoft had the right to offer a bundled version of Windows client PC operating system and Windows Media Player.²³

European Commission (n 11) para 1011.

Regulation 1/2003 empowers the Commission in the event of the violation of Article 102 TFEU to impose on ‘… [undertakings and associations of undertakings] any behavioural or structural remedies which are proportionate to the infringement committed and necessary to bring the infringement effectively to an end’.²⁴

Article 7 of the Regulation 1/2003 (n 10) (emphasis added).

Thus, Regulation 1/2003 confers broad powers on the Commission to bring an effective end to the infringement, with the only requirement that the remedy has to be proportionate to the infringement. It is unclear, however, if requiring the infringer to share its vital resources (either tangible or intangible) can effectively end the infringement. In the absence of a direct case on this issue, the following text looks at a few judgments from the CJEU that can provide some guidance on the scope of remedies in the EU.

In the AKZO case, the CJEU upheld the remedy that prohibited AKZO from practising selective price-cutting to its rival’s customers. The Court held that ‘the measure in question was intended to prevent repetition of the infringement and to eliminate its consequences’.²⁵

Case C-62/86 AKZO [1991] ECR I-03359, para 155 (emphasis added).

The clear guidance regarding eliminating the consequences of infringement also comes from the Ufex judgment, where the CJEU held that

In this context, the Commission is required to assess in each case how serious the alleged interferences with competition are and how persistent their consequences are. That obligation means in particular that it must take into account the duration and extent of the infringements complained of and their effect on the competition situation in the Community.
If anti-competitive effects continue after the practices which caused them have ceased, the Commission thus remains competent under Articles 2, 3(g) and [102] of the Treaty to act with a view to eliminating or neutralising them (see, to that effect, Case 6/72 Europemballage and Continental Can v Commission [1973] ECR 215, paragraphs 24 and 25).²⁶
26
Case C-119/97 P Ufex and Others v Commission [1999] ECR I-01341, paras 93–94.

In the Commercial Solvents case, the Court of Justice further clarified the scope of remedy in the EU and observed that a remedy ‘may include an order to do certain acts or provide certain advantages which have been wrongfully withheld’.²⁷

Joined Cases 6 and 7–73 Istituto Chemioterapico Italiano SpA. and Commercial Solvents Corporation v Commission [1974] ECR 00223, para 45 (emphasis added).

When read together, these cases indicate that in order to eliminate the consequences of an anticompetitive behaviour, the Commission can order a dominant undertaking to share some advantages which have been wrongly denied to the competitors. While the scant body of case law throws some light on the Commission’s power to end the consequences by asking the infringer to share ‘wrongfully withheld’ advantages, there is no clarity regarding the extent to which the Commission can/should exercise this power.

It is so far clear that the existing case law recognizes that ‘infringement’ is not restricted to the conduct but extends to its effects as well.²⁸

On this see also Ritter (n 10) 588; See also, Hellström and others (n 14) 48, observing ‘Once an infringement has been properly identified, the infringement itself, but also the consequences of the antitrust violation, have to be tackled.’

The next question is how far the remedies can go to end the consequences of infringement. As Ritter proposes, there can be two ways to ‘eliminat[ing] the consequences’²⁹

AKZO (n 25) para 155.

of an infringement.³⁰

Ritter (n 10).

In such a situation, a competition authority has a choice between first, restoring the level of competition that existed before the infringement, and second, a counterfactual scenario—maintaining the level of competition that would have existed ‘but for’ the infringement.³¹

‘In other words, to bring an infringement effectively to an end, a remedy must not only bring a certain conduct to an end, but must also remedy the distortive effect the behaviour has had on the market concerned. The aim should be to re-establish the competitive situation, ie, the competitive process that would have prevailed but for the infringement.’ (emphasis in original) Hellström and others (n 14) 58.

While the CJEU in the AKZO case chose the former option,³²

‘[R]e-stablish[ing] the situation that existed before the dispute’, AKZO (n 25) paras 155 and 157.

Ritter weighs in in favour of the latter option arguing that ‘[t]ruly eliminating the consequences of the infringement would require placing the competitors in the situation that would have existed today in the absence of the infringement—so that, looking forward, they may develop their businesses unimpeded by the consequences of the infringement.’³³

Ritter (n 10) 589, citing the following authors who make the same argument: SC Salop and RC Romaine make the same point in ‘Preserving Monopoly: Economic Analysis, Legal Standards, and Microsoft’ (1999) 7 George Mason Law Review 617. See also, FW Bulst, ‘Wiederherstellung von Wettbewerb’ (2014) 2 Neue Zeitschrift für Kartellrecht 245.

Especially, when the infringer has gained a ‘long-lasting’ advantage due to the illegal act, it makes sense to calibrate the market to a ‘but for’ situation.³⁴

Ritter (n 10) 589.

For instance, this may be a case in the network industry where the market may have already tipped in favour of the infringer. A logical extension of this argument would also require restoring a competitor who had been excluded by the dominant undertaking by giving some advantages such as handing over customer lists or technology licence.³⁵

ibid 590.

Per Hellstörm et al. as well propose restoring the ‘but for’ level of competition.³⁶

Hellström and others (n 14) 43; E Hjelmeng, ‘Competition Law Remedies: Striving for Coherence or Finding New Ways?’ (2013) 50(4) Common Market Law Review 1007, 1022.

On the other hand, others argue that the purpose of antitrust remedies is to return the market to the baseline scenario.³⁷

See JE Lopatka and W Page, ‘Devising a Microsoft Remedy That Serves Consumers’ (2001) 9 George Mason Law Review 691ff, 700. The authors while delineating the goal of remedies note that ‘“Restore,” not “create:” the goal of the remedy should be to return the market to a baseline condition that would have prevailed in the market but for the defendant's anticompetitive acts, not to reshape the market to approximate a competitive ideal.’

The appropriateness of mandating resource/advantage sharing, therefore, will eventually depend upon a choice between restoring either a ‘baseline’ level of competition or choosing the ‘but for’ level of competition as the goal of remedies.

A choice between the ‘baseline’ and the ‘but for’ standards

There is little guidance on the choice between these two standards in the EU case law. In the USA, the DoJ makes a choice in favour of the ‘baseline’ standard by observing that its mandate is to ‘focus its unilateral–conduct remedies on re-establishing the opportunity for competition in the affected market rather than dictating a market outcome or any particular level of competition’.³⁸

US Department of Justice, ‘Competition and Monopoly: Single-firm Conduct under Section 2 of the Sherman Act’ (2008) 146 <https://www.justice.gov/atr/competition-and-monopoly-single-firm-conduct-under-section-2-sherman-act-chapter-9> accessed 10 December 2019.

Drawing a counterfactual to gauge the level of competition that would have existed in the absence of the infringement at the remedy stage can be extremely difficult. It is true that counterfactuals are often drawn at the time of substantive analysis.³⁹

D Geradin and I Girgenson, ‘The Counterfactual Method in EU Competition Law: The Cornerstone of the Effects- based Approach’ in J Bourgeois and D Waelbroeck (eds), Ten Years of Effects-based Approach in EU Competition Law: State of Play and Perspectives (Bruylant 2012) 211–41.

In Article 102 TFEU cases as well in order to assess anticompetitive foreclosure and consumer harm, the Commission can build ‘appropriate counterfactual’.⁴⁰

‘… This assessment will usually be made by comparing the actual or likely future situation in the relevant market (with the dominant undertaking's conduct in place) with an appropriate counterfactual, such as the simple absence of the conduct in question or with another realistic alternative scenario, having regard to established business practices.’ European Commission, Communication from the Commission – Guidance on the Commission’s enforcement priorities in applying Article 82 of the EC Treaty to abusive exclusionary conduct by dominant undertakings (2009) OJ C45/7, para 21.

For instance, comparing the prices in a geographical market where the abusive practices took place with the prices prevailing in a different geographical market can help assess consumer harm. At the remedy stage, however, drawing counterfactual and providing access to ‘wrongly withheld advantages’ to restore the ‘but for’ level of competition goes beyond merely identifying consumer harm to artificially determining competitors’ market position. What is more, at the remedy stage, allocating advantages to the competitors directly influences their market share. In the USA, at least in one case, the court was opposed to such an outcome.

In the US Microsoft case, the plaintiff had asked for mandatory installation of Sun-compliant Java Virtual Machine (JVM) with each copy of Microsoft’s Windows Operating System as a remedy.⁴¹

New York v Microsoft Corp (2002) 224 F Supp 2d 76, 94 (DDC).

This remedy was demanded as Microsoft’s anticompetitive actions were also aimed at prohibiting Sun-compliant Java platform to gain scale in the market.⁴²

ibid.

Had the Sun-compliant Java been successful, it would have offered itself as a successful cross-platform middleware challenging Microsoft’s market position in the Windows OS. While denying such a remedy, the District Court noted that ‘[o]nce Microsoft’s anticompetitive restraints on channels of Java distribution are lifted by other portions of the Court’s remedy, any continuing lack of industry interest in Sun-compliant Java is not a problem appropriately resolved by this Court in this litigation. It is the problem of a particular competitor and not competition itself and, therefore, not appropriate for redress under antitrust law.’⁴³

New York (n 41) 95; this action of the District Court was subsequently upheld by the Circuit Court on appeal, see Massachusetts v Microsoft Corp (2004) 373 F 3d 1199 (DC Cir).

Additionally, the Court also noted that ‘[t]here is no evidence that Java would today possess “equal footing”, in terms of distribution, with Microsoft, but for Microsoft’s anticompetitive conduct.’⁴⁴

Appendix A, Part X.G. New York (n 41) 149.

It means that minus the anticompetitive actions of Microsoft, there could still have been other reasons that could have prevented users from choosing Sun-compliant Java. The Court also noted that ‘[t]he Court’s role is to end the illegal conduct and to make every effort to protect against conduct of the same type or class, not to engineer a particular market outcome.’⁴⁵

New York (n 41) 95 (citing Zenith Radio Corp v Hazeltine Research, Inc (1969) 395 US 100, 89 SCt 1562, 132; Ford Motor Co (n 17) 573; United States v Gypsum Co (1950) 340 US, 88–89, 71 SCt 160).

Thus, the District Court made a choice in favour of restoring competition to the ‘baseline’ standard.

The approach taken by the District Court in the Microsoft case is the correct one as the vagaries of the market, especially in a fast-moving sector, make the determination of the exact level of competition that would have existed but for the abuse a practically impossible task. Any such attempt by competition authorities will not only be highly speculative but also risk protecting competitors, not competition. To this end, Barnett makes a valid point: ‘because a Section 2 violation hurts competitors, they are often a focus of Section 2 remedial efforts. But competitor well-being, in itself, is not the purpose of our antitrust laws’.⁴⁶

TO Barnett, ‘Section 2 Remedies: What to Do after Catching the Tiger by the Tail’ (2009) 76(1) Antitrust Law Journal, 35.

Therefore, any form of ‘market engineering’⁴⁷

In the language of New York (n 41) 262 (quoting the expert testimony of Kevin Murphy, para 239, 5 JA (II), 2678).

through the means of antitrust remedies is a suboptimal choice with detrimental effects on consumer welfare. Such a remedy can also be resorted to as ‘Trojan Horse’ strategy to further industrial policy when imposed on a foreign undertaking.

When seen in the context of mandating data sharing, any such remedy allocates the market share to competitors by giving them access to defendant’s data, something for which they were supposed to compete in the first place. This approach is all the more incorrect if it is not possible to totally attribute the current market position of the competitors to the abusive conduct of the dominant undertaking. What is more, a remedy that seeks to achieve ‘status quo ante’ or a ‘but for’ level of competition is not proper in the fast-moving data-driven markets, that are characterized by rapid innovation. Interestingly, the ‘velocity’ feature of big data allows competitors to quickly gain ground in the market as soon as the abusive restrictions are removed through an antitrust action.⁴⁸

See Section III of this article.

Highlighting the limits of restorative remedies, Hjelmeng notes that:

[a]lthough the Commission may intervene and also impose measures in order to restore competition in the future, such use of Article 7 is very rare. This may be partly explained by the fact that such solutions would require complicated structural or behavioural remedies, the effects of which may also be questioned with regard to practical implementation. In such a perspective, the better solution might be to bring an end to the infringement and let the market cure itself.⁴⁹
49
Hjelmeng (n 36) 1024.

Data sharing as a remedy in existing decisions

Admittedly, some national competition authorities have already imposed on dominant firms the obligation to share parts of their data with competitors. In the GDF Suez case, the French Autorité de la concurrence dealt with the disclosure of data in the energy sector. After the markets for electricity and gas had been opened to competition in 2007, customers obtained the possibility to choose between the regulated tariffs and the so-called market offers. Regulated tariffs were offered only by GDF Suez, a former monopoly that retained a significant market share, whereas the newly introduced market offers were offered by GDF Suez as well as by new entrants to the market.⁵⁰

Autorité de la concurrence, Décision n° 14-MC-02 du 9 septembre 2014 relative à une demande de mesures conservatoires présentée par la société Direct Energie dans les secteurs du gaz et de l’électricité, paras 17–18.

GDF Suez had a two-fold role. On the one hand, it was a former monopoly that—as the sole provider—continued offering regulated tariffs, whereas on the other, it was competing with other providers in the unregulated market. In such a situation, GDF Suez used its business structure and resources, inherited from its former monopoly status, including the subscriber database consisting of relevant information of almost all French gas customers, to offer the market-based contracts.⁵¹

This database included detailed information on clients, consumption sites, and contracts, as well as clients’ past requests; ibid, paras 133–35.

The database was exhaustive, very detailed, and regularly updated.⁵²

ibid, para 137.

The Autorité found that the database was inherited from the former monopoly position of GDF Suez and that it was irreplicable in view of the financial constraints and available time frame.⁵³

ibid, paras 147–53.

The usage of such a data set to market one’s market offers was found to have the potential of foreclosing new entrants in the liberalized market contrary to Article 102 TFEU.⁵⁴

ibid, paras 172 and 174. This conclusion, which was still preliminary in the Decision 14-MC-02 on interim measures, was confirmed in the Decision 17-D-06, in which a fine of 100 million Euro was imposed, see Autorité de la concurrence, Décision n° 17-D-06 du 21 mars 2017 relative à des pratiques mises en œuvre dans le secteur de la fourniture de gaz naturel, d'électricité et de services énergétiques, paras 131–38.

In order to remedy the harm, GDF Suez was ordered to grant access to competitors to the data relating to its regulated contracts under objective, transparent, and non-discriminatory terms.⁵⁵

See n 50, paras 290–92.

The interim measures, imposed in the GDF Suez case, provided for an obligation to share with competitors the data necessary to compete on equal terms in the liberalized energy market.⁵⁶

For the current framework established with regard to sharing of personal data, see Section 4, below.

This obligation related solely to the data ‘inherited’ from the period before liberalization. In other words, the Autorité neither requested the disclosure of data collected in the liberalized market nor did it impose the disclosure of the real-time data. Instead, it only imposed the creation and placing at competitors’ disposal of an online database with the historical data.

It is important to note that the remedy provided in the GDF Suez case, even though mandated sharing of advantages/resources with competitors, did not have the potential of returning the competition to the ‘but for’ level. This is because the incumbent undertaking, which was an erstwhile legal monopoly, did not have to compete for the advantages (in this case data). Unlike the Google (Android) case, where the defendant undertaking adopted a strategy to restrict its rivals from gaining user data, in the GDF Suez case, the user data were always available to the defendant by virtue of it being the erstwhile legal monopoly in the gas market. After the market was liberalized, there was no occasion for the market to experience the ‘but for’ level of competition. Consequently, mandatory data sharing only returned the market to a ‘baseline’ scenario, where all the market players had the similar starting point in terms of access to user data.

In 2015, the Belgian Competition Authority dealt with a very similar case related to the Belgian National Lottery.⁵⁷

Belgian Competition Authority, Beslissing n° BMA-2015-P/K-27-AUD van 22 september 2015, Zaken nr. MEDE-P/K-13/0012 en CONC-P/K-13/0013, Stanleybet Belgium NV/Stanley International Betting Ltd en Sagevas S.A./World Football Association S.P.R.L./Samenwerkende Nevenmaatschappij Belgische PMU S.C.R.L. t. Nationale Loterij NV.

In 2013, the National Lottery, holding a legal monopoly with regard to the organization of public lotteries, entered the market of sports betting with its brand Scooore. It used contact details of customers from the regulated part of the business to send them an e-mail announcing the launch of its new service.⁵⁸

Belgian Competition Authority, ‘Press Release N°15/2015 of 23 September 2015’ (2015) 1 <https://www.belgiancompetition.be/sites/default/files/content/download/files/20150923_press_release_15_abc.pdf> accessed 10 December 2019.

The Belgian Competition Authority came to the conclusion that the databank used was not created following competition on the merits but in the context of a legal monopoly and that the databank was not reproducible at a reasonable cost and within a reasonable period of time. It concluded that the National Lottery abused its dominant position and imposed a fine, but refrained from imposing a data sharing remedy,⁵⁹

ibid.

the reason for this presumably lying in the fact that the infringement was one-off.⁶⁰

See Graef (n 13) 273.

Mandating data sharing and defendant’s incentive to innovate

While the purpose of remedies is to restore competitive markets, any remedy that disincentivizes innovation is rather bad for consumers.⁶¹

Lopatka and Page (n 37) 700.

A remedy that enjoins the defendant to share its future big data has the potential to stifle incentives to engage in pro-competitive conduct. Firms continuously invest in innovative products and services that can harvest user data. Where data are the most critical input, a broad mandate to share all future data with the competitors also takes away the gains that would accrue to the defendant through its competitive means. Especially in an industry characterized by rapid innovation, where the defendant has been innovative, such measures will deprive the consumers of innovative new products. It may also be true that a defendant, for instance Google, may have stifled innovation by its competitors in the search engine market by depriving them of data. While sharing data with competitors does not guarantee innovation on their part—considering the probabilistic nature of innovation—it disincentivizes Google from attempting to undertake the risky process of innovating new products and services. Faced with such an outcome, courts should opt for means that aim at maximizing the consumer welfare, not maximizing the gains for competitors. Once again, it is important to bear in mind that remedies are different from punitive measures such as fines. The purpose of the former is to restore competition in the affected market that has experienced harm to consumer welfare (either in the short run or the long run) due to the abuse of dominance by the defendant.

Is mandating data sharing administrable

If a court or competition authority mandates the dominant player to share its data with the competitors, the court or the authority will also have to be involved in the determination of questions regarding price, quantity, and other terms. This will require ‘antitrust courts to act as central planners, identifying the proper price, quantity, and other terms of dealing—a role for which they are ill-suited.’⁶²

Verizon Communications Inc v Law Offices of Curtis V Trinko, LLP (2004) 540 US 398, 407–08 (2004); see also, WE Kovacic, ‘Designing Antitrust Remedies for Dominant Firm Misconduct’ (1999) 31 Connecticut Law Review 1285ff, 1294, observing ‘If a court decides to mandate access to a key asset, it must be prepared to specify the price and quality terms on which the defendant must provide access. In setting appropriate access charges, courts may find themselves enmeshed in ratemaking exercises for which they are institutionally ill-suited.’

Based on the presented case law, it can be concluded that to a certain extent, competition authorities have already dealt with data sharing as appropriate remedies in exclusionary conduct cases. As shown above, there have been some cases of exclusionary conduct in various countries that dealt with the role of data in the competitive process and that—more specifically—also imposed the sharing of data as a remedy. However, the presented cases dealt with data in the traditional sense, such as customer databases. None of the presented cases dealt with the very recent phenomenon of ‘big data’, ie data, characterized by the so-called 4 V’s (volume, variety, velocity, and veracity).⁶³

Instead of many, see European Commission, Big Data Analytics for Policy Making (2016) 3–17 <https://joinup.ec.europa.eu/sites/default/files/document/2016-07/dg_digit_study_big_data_analytics_for_policy_making.pdf> accessed 10 December 2019; DL Rubinfeld and MS Gal, ‘Access Barriers to Big Data’ (2017) 59 Arizona Law Review 339ff, 345–49.

An access remedy in such a situation would need to be much more sophisticated, as, among other things, data would most probably need to be provided in real time or at least in regular intervals. This will further burden the courts and antitrust regulators. Regardless of the mechanism to mandate data sharing, either as an essential facility or at the remedy stage, there remains a big challenge to ensure the efficient sharing of data. Unlike a physical asset or an identified IP right, big data is an amorphous entity with ever-changing quality and quantity. It remains extremely challenging to quantify the amount and identify the type of data that would be the subject of mandatory sharing.

III. TECHNOLOGICAL NATURE OF BIG DATA AND CHALLENGES IN MANDATING DATA SHARING

Big data is characterized by its velocity, which stands for an ever-greater pace of data creation. Velocity, which is often referred to as the ‘freshness’ of data, defines the speed of change and occupies the centre stage in the dynamic markets.⁶⁴

Rubinfeld and Gal, ibid 346–47.

In previous years, the amount of data created has grown exponentially. Whereas in 2013, 4.4 zettabytes data were collected worldwide, this number will, according to a study of the International Data Corporation (IDC), grow to 44 zettabytes in 2020 and to 175 zettabytes in 2025.⁶⁵

International Data Corporation, The Digitization of the World – From Edge to Core (IDC White Paper #US44413318, 2018) <https://www.seagate.com/files/www-content/our-story/trends/files/idc-seagate-dataage-whitepaper.pdf> accessed 10 December 2019.

From the fact that there are new data produced almost continuously, it follows that old data often lose the worth and value very quickly.⁶⁶

J Kennedy, ‘The Myth of Data Monopoly: Why Antitrust Concerns about Data Are Overblown’ ITIF (March 2017), 7 <http://www2.itif.org/2017-data-competition.pdf> accessed 10 December 2019. See also Rubinfeld and Gal (n 63) 346–47.

Thus, one interesting feature of big data is that it gets stale quickly.⁶⁷

To illustrate the importance of real-time data, see the example in A McAfee and E Brynjolfsson, ‘Big Data: The Management Revolution’ (2012) <https://hbr.org/2012/10/big-data-the-management-revolution> accessed 10 December 2019; see also B Dykes, ‘Big Data: Forget Volume and Variety, Focus on Velocity’ <https://www.forbes.com/sites/brentdykes/2017/06/28/big-data-forget-volume-and-variety-focus-on-velocity> accessed 10 December 2019.

In the fast-moving businesses, platforms are continuously required to harvest big data. Big data is often used in Machine Learning that essentially makes predictions based on user data that the ML algorithm crunches.⁶⁸

See, IM Cockburn and others, ‘The Impact of Artificial Intelligence on Innovation’ (Paper prepared for the NBER Conference on Research Issues in Artificial Intelligence, Toronto, September 2017).

Relevant predictions that could be useful for users, therefore, require real-time data for nowcasting services.⁶⁹

G Colangelo and M Maggiolino, ‘Big Data as Misleading Facilities’ (2017) 13(2–3) European Competition Journal (2017) 249, 252, observing ‘Think, for example, of real-time data: they are precious for nowcasting services but almost useless for insurance companies that need historic data.’

Contrary to this, some businesses may still find historic data useful. For example, while last month’s weather data might still be interesting for scientists doing research on global warming or for companies offering harvest prediction services, it is of little or no interest for companies active in the weather forecasting business. The data about the summer of 1970 might not be of interest to any of them.

Therefore, depending upon the business model of a firm, freshness of data can be its core competitive advantage, even more important than volume or access to past data.⁷⁰

Rubinfeld and Gal (n 63) 353 (referring to N-P Schepp and A Wambach, ‘On Big Data and Its Relevance for Market Power Assessment’ (2015) 7 Journal of European Competition Law & Practice 120, 120).

This may, for instance, be the case for search engines. For instance, every day Google experiences 15 per cent completely new queries from its users.⁷¹

AV Lerner, ‘The Role of “Big Data” in Online Platform Competition’ (2014) 37 <https://ssrn.com/abstract=2482780> accessed 10 December 2019.

Arguably, therefore, a firm’s entire stock of big data may be time sensitive as far as its market value is concerned.

Colangelo and Maggiolino also posit that as user data have a limited time span, any meaningful sharing should include fresh and updated data. The authors add that there needs to be a definite limitation on the period for which the future data can be shared with the requesting firm.⁷²

Colangelo and Maggiolino (n 69) 275.

Sharing of future data disincentivizes the competitors from developing their own resources/services to harvest user data.⁷³

One remedy in such a scenario could be an arrangement akin to the ‘ladder of rung’ strategy in Local Loop Unbundling (LLU) cases. See M Cave, ‘Encouraging Infrastructure Competition via the Ladder of Investment’ (2006) 30(3–4) Telecommunications Policy 223; see also, M Cave and I Vogelsang, ‘How Access Pricing and Entry Interact’ (2003) 27 Telecommunications Policy 717. However, to analyse the scope of such an arrangement in the context of data sharing is beyond the scope of this article.

Another problem with mandating data sharing by way of remedies is that these data can be used beyond the market in which abuse has taken place.⁷⁴

‘Finally, it is increasingly the case that data can be reused for different applications. For example, a technique called transfer learning allows data developed for one domain (the recognition of general images) to be applied to another domain (the detection of diabetic retinopathy from images of the retina). Likewise, recent work has shown that background knowledge can help improve on tasks like object detection in images. Recent work from Google has shown how training using data intended for a different task like image recognition can help performance on another completely different task like language translation.’ P Groth, ‘5 Reasons Data Is a Key Ingredient for AI Applications’ (2017) <https://www.elsevier.com/connect/5-reasons-data-is-a-key-ingredient-for-ai-applications> accessed 10 December 2019; see also, Kennedy (n 66) 7.

For example, if the Commission mandates Google to share its data with its competitors such as Bing, the latter may use these data to train its algorithm in a different market, such as social media. Therefore, the competitor receiving data would, depending on the content of the data set, be in a position to use the latter not only in the market where the competitive harm occurred but also in other markets where such data are needed as input. Such an obligation to share data would give the competitors an undue competitive advantage and would clearly exceed what is necessary to bring the infringement effectively to an end. Therefore, such a remedy can potentially distort other markets.

Alternatively, antitrust regulators or courts can provide access to relevant data sets with the limitation that the competitors can only use them for the purposes explicitly specified in the decision. However, such a limitation would be almost impossible to monitor in practice and is therefore not a viable solution.⁷⁵

See section ‘Is mandating data sharing administrable’ above. Cf also R Podszun, ‘Competition and Data’ (2017) 11 Zeitschrift für geistiges Eigentum 406, 409.

IV. THE GDPR AND MANDATORY SHARING OF DATA

The following part of the article examines the extent to which the GPDR allows a competition law remedy mandating the sharing of user data.⁷⁶

While similar issues might arise also in other contexts in which personal data are ought to be shared, the conclusions might not necessarily be the same. They will largely depend on the legal and factual circumstances of the intended data sharing activities.

The GDPR gives control to individuals over their personal data and is applicable to any processing of personal data, ie information directly or indirectly relating to an identified or identifiable natural person (data subject).⁷⁷

See the definition of personal data in art 4(1) GDPR.

As the notion of personal data is very broad and is likely to even broaden in the future due to the development of new analytical methods and tools,⁷⁸

J Jöns, ‘Daten als Handelsware’ (DIVSI Studie, 2016) 42 <https://www.divsi.de/wp-content/uploads/2016/03/Daten-als-Handelsware.pdf> accessed 10 December 2019. See also Case C-582/14 Breyer [2016] EU:C:2016:779 and Case C-434/16 Nowak [2017] EU:C:2017:994, which can be consulted to interpret the GDPR despite relating to the (old) Data Protection Directive, as the definition of personal data has not been altered. Cf also J Drexl, ‘Legal Challenges of the Changing Role of Personal and Non-personal Data in the Data Economy’ (2018) Max Planck Institute for Innovation and Competition Research Paper No 18-23, 3–4 <https://ssrn.com/abstract=3274519> accessed 10 December 2019; Crémer and others (n 13) 77, stating that a significant proportion of data generated today is data on consumer behaviour.

in the context of data-driven markets, the GDPR might be applicable in most situations.

Sharing of data with another company can be understood as making data available, from which it follows that data sharing is a subcategory of data processing.⁷⁹

In art 4(2) GDPR, data processing is defined as ‘… any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.’

Thus, sharing of data needs to comply with the principles⁸⁰

See, especially, the principles of lawful processing (art 5(1)(a) GDPR) and purpose limitation (art 5(1)(b) GDPR).

and rules governing data processing, especially with Article 6 GDPR. This article permits the processing of personal data if one of the six exhaustively⁸¹

Admittedly, in the literature, also the opinion that the catalogue is not exhaustive can be detected. However, this view does not deny the need for one of the grounds of art 6(1) GDPR to be fulfilled, but merely emphasizes that some of the grounds for processing are very broadly formulated; EM Frenzel, ‘Art. 6 DS-GVO’ in BP Paal and DA Pauly (eds), Datenschutz-Grundverordnung (C.H. Beck 2017) 84–106, para 1.

enumerated grounds for processing enshrined in Article 6(1) GDPR is satisfied. The importance of this regulatory framework for EU data protection law is emphasized by the fact that it is also enshrined in Article 8(2) of the Charter of Fundamental Rights of the EU,⁸²

Charter of Fundamental Rights of the European Union [2012] OJ C326/391 (Charter).

thus constituting part of its (binding) primary law.⁸³

See Article 6(1) of the Treaty on European Union [2012] OJ C326/1. However, it has to be borne in mind that the provisions of the Charter are not generally binding, but only on the institutions and bodies of the EU and on the Member States when they are implementing Union law; art 51(1) of the Charter.

There are three possible grounds for data processing that a dominant firm could invoke in order to comply with the competition authority’s request to share data with competitors. Despite the decision of a competition authority, the dominant firm remains fully responsible to comply with the provisions of the GDPR, and cannot exclude its responsibility by arguing that it is merely executing the request of a competition authority.

Compliance with a legal obligation

The first legal ground that could possibly be invoked is enshrined in Article 6(1)(c) GDPR, according to which, processing is lawful if it is necessary for the compliance with a legal obligation to which the controller,⁸⁴

According to art 4(7) GDPR, a controller is a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. A company collecting data in the framework of its business activities can be subsumed under this definition.

ie the dominant firm, is subject. Indeed some argue that a duty to share data with third parties imposed on the basis of competition law amounts to such a legal obligation.⁸⁵

Graef (n 13) 319.

However, a judgment or a decision of a public authority in a specific case, such as a decision of a competition authority in an abuse of dominance case, does not, as such, suffice as a legal ground for data sharing. It stems from Article 6(3) and is further confirmed by Recital 45 GDPR that the term legal obligation in the sense of Article 6 GDPR presupposes a (generally applicable) law as the basis for such a decision.⁸⁶

Frenzel (n 81) para 16; B Buchner and T Petri, ‘Art. 6 DS-GVO’ in J Kühling and B Buchner (eds), Datenschutz-Grundverordnung/BDSG Kommentar (C.H. Beck 2018) 233–83, paras 83–84.

Other language versions of the GDPR are even clearer: in the German language version, the term Gesetz is used, whereas the French version uses the term disposition légale, both meaning statutory law. Similarly, Article 29 Working Party recognizes the possibility of establishing legal obligations in the sense of Article 6(1)(c) GDPR in binding decisions in concrete cases, but only if this power is delegated to the relevant authority in a sufficiently specific piece of legislation.⁸⁷

Article 29 Working Party, ‘Opinion 06/2014 on the Notion of Legitimate Interests of the Data Controller under Article 7 of Directive 95/46/EC (WP217)’ (2014) 20 <https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf> accessed 10 December 2019.

Admittedly, one could argue that such a decision of a competition authority indeed has its legal basis in a law, namely in Article 102 TFEU. However, the GDPR requires a sufficiently clear and precise legal basis of data protection nature, ie a legal basis that specifies the purposes and circumstances of data processing, and not a very general legal basis of competition law.⁸⁸

See art 6(3) and Recital 41 GDPR. Alternatively, legislation can also merely set a general objective and delegate the imposition of more specific obligations to another level, eg secondary legislation or a binding decision in a concrete case, provided that the nature and object of the processing are well defined in the former piece of legislation; Article 29 Working Party (n 87) 19–20.

The legal basis for processing has to be drafted in a manner that allows the data subject to foresee the data processing activities enabled by it.⁸⁹

Recital 41 GDPR.

It is evident that Article 102 TFEU does not meet these standards. Therefore, as an obligation stemming from Article 102 TFEU does not qualify as a legal obligation in the sense of Article 6(1)(c) GDPR, the latter provision cannot be invoked when a competition authority mandates the sharing of personal data with competitors in an abuse of dominance case.

A glance at the travaux préparatoires reveals that in the German language version of its Proposal for the GDPR, the European Commission used the term gesetzliche Verpflichtung (statutory obligation).⁹⁰

European Commission, ‘Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation)’ KOM/2012/011 endgültig, art 6(1)(c).

The fact that in the legislative procedure, the EU legislator replaced this term with the broader term of rechtliche Verpflichtung (legal obligation) could be seen as an indication that the legislator deliberately decided that Article 6(1)(c) GDPR should encompass more than just obligations stemming from (statutory) law, for example, also the ones originating in decisions of competition authorities. However, according to the view represented here, such a conclusion would likely be inaccurate. Rather, it seems that the term was replaced for two other reasons, namely to align it with other language versions⁹¹

In the French and the English version, the terms obligation légale and legal obligation, respectively, were used from the beginning.

as well as with the (old) Data Protection Directive,⁹²

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [1995] OJ L281/31 (Data Protection Directive).

which in the (corresponding) Article 7(c) also uses the term rechtliche Verpflichtung. Using a different term in the GDPR would cause unnecessary doubts as to whether the content of the provision has changed and whether the case law relating to the Data Protection Directive can still be consulted.

Recognizing an obligation imposed on a company by a competition authority based on Article 102 TFEU as a legal obligation in the sense of Article 6(1)(c) GDPR would also be contrary to the nature of legal grounds for processing enshrined in Article 6(1) GDPR. As Advocate General Bobek notes in his Opinion in Valsts policijas, the legal grounds for processing can be divided into three groups, namely (i) consent of the data subject, (ii) cases when legitimate interests are to some extent presumed (Articles 6(1)(b)–(e) GDPR), and (iii) cases when legitimate interests need not only to be established in a specific case but also to outweigh the interests or rights and freedoms of the data subject in the balancing test.⁹³

Case C-13/16 Valsts policijas [2017] EU:C:2017:43, Opinion of AG Bobek, para 56. See also Article 29 Working Party (n 87) 9.

Indeed, as regards the second category which also encompasses Article 6(1)(c) GDPR, it can be argued that balancing has already been done in a democratic procedure by the legislator when passing the law in question and must therefore not be conducted again. However, with regard to Article 102 TFEU, such balancing of the rights and interests of the involved subjects has not been performed in the legislative procedure. Consequently, it would be contrary to the rationale of Article 6(1)(c) GDPR to recognize Article 102 TFEU as a legal obligation in its sense.

Therefore, unless a law governing data sharing in competition law cases meeting the standards set forth in the GDPR is passed, Article 6(1)(c) GDPR cannot be invoked when sharing data with third parties as a competition law remedy.

Legitimate interests of the dominant firm and competitors

The second legal basis that could possibly be invoked when sharing personal data with competitors is Article 6(1)(f) GDPR,⁹⁴

The mere fact that a processing activity appears to be close to falling under art 6(1)(c) GDPR, but does not fully meet the criteria thereof, does not preclude from applying other grounds for processing to the same case; Article 29 Working Party (n 87) 20. See also P Carey, Data Protection: A Practical Guide to UK and EU Law (5th edn, OUP 2018) 58.

which permits data processing for legitimate interests. To our knowledge, this ground has not yet been invoked as a legal basis for data processing in comparable constellations. Admittedly, some of the most common contexts in which Article 6(1)(f) GDPR might come into play include the exercise of the right to freedom of expression, marketing and advertisement, enforcement of legal claims, and fraud prevention.⁹⁵

Article 29 Working Party (n 87) 25. See also Recitals 47–49 GDPR.

However, due to the broadness and openness of this ground,⁹⁶

Cf F Ferretti, ‘Data Protection and the Legitimate Interest of Data Controllers: Much Ado about Nothing or the Winter of Rights?’ (2014) 51 Common Market Law Review 843, 859.

a dominant firm confronted with an order of a competition authority to share data might nonetheless try to base its activity thereon. Therefore, the following part analyses whether invoking Article 6(1)(f) GDPR would have any chance of success.

According to Article 6(1)(f) GDPR, processing of personal data is lawful if three conditions are met: (i) the dominant firm or one of its competitors has a legitimate interest for data sharing, (ii) the sharing is necessary for the purposes of the named legitimate interest, and (iii) there are no overriding interests or fundamental rights and freedoms of the affected natural persons, which require the protection of personal data.⁹⁷

The existence of the company’s market power should be taken into consideration in the balancing test; Crémer and others (n 13) 79–80.

In the light of Recital 47 of the GDPR, the first condition is to be understood in a broad sense.⁹⁸

Frenzel (n 81) para 28; dissenting Ferretti (n 96) 845.

As Advocate General Bobek has stated in his Opinion in Fashion ID, the notion of legitimate interests ‘… appears to be rather elastic and open-ended. There is no type of interest that is excluded per se, as long as of course they are themselves legal.’⁹⁹

Case C-40/17 Fashion ID [2018] EU:C:2018:1039, Opinion of AG Bobek, para 122 (footnote omitted).

The notion of legitimate interests covers a broad range of interests, whether trivial or compelling,¹⁰⁰

100

Article 29 Working Party (n 87) 24.

including any legal, economic, moral, or other interest.¹⁰¹

101

K-U Plath, ‘§ 28 BDSG’ in K-U Plath (ed), BDSG/DSGVO – Kommentar zum BDSG und zur DSGVO sowie den Datenschutzbestimmungen von TMG und TKG (Otto Schmidt 2016) 539–664, para 47. Article 29 Working Party notes that due to the developments in the data-driven economy, the main focus of art 6(1)(f) GDPR has shifted from the right to free commercial speech to economic interests; Article 29 Working Party (n 87) 46. Admittedly, it has also been argued in the literature that the notion of legitimate interests should be given a narrow meaning as a legally protected interest, ie another conflicting right; Ferretti (n 96) 859.

It seems plausible that a dominant firm may invoke the interests of competitors as third parties¹⁰²

102

art 4(10) GDPR defines the term third party as a natural or legal person, public authority, agency, or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data.

in receiving personal data regarding the business conducts of the dominant firm, especially regarding its customers. For competitors, access to such data would be beneficial as it would allow them to directly address the customers of the dominant firm and to offer them their products and services, or at least to improve their products and services based on the data received, depending on the content of the data set.¹⁰³

103

Similarly, with regard to the combination of data across services, Article 29 Working Party recognized Google’s legitimate interests to collect a large database; Article 29 Working Party, ‘Letter to Google’ (2012) 2 <https://ec.europa.eu/justice/article-29/documentation/other-document/files/2012/20121016_letter_to_google_en.pdf> accessed 10 December 2019.

On the one hand, this might generate additional revenue, whereas on the other, it would also reduce the competitive advantage of the dominant firm. In addition to the interest of competitors in receiving data, the dominant firm could also try to invoke its own interest in executing the decision of the competition authority, as if it fails to do so, it might suffer a substantial fine by the latter. To sum up, it seems that—depending on the facts of the case—a dominant firm might fulfil the first condition.

The second condition pertaining to the necessity of processing is, however, more problematic. The GDPR does not further specify when the processing is necessary for the purposes of the legitimate interest. However, according to the legal doctrine, necessity implies that the controller must adopt the least restrictive means for achieving the aim of the legitimate interest.¹⁰⁴

104

Any processing that is just useful or convenient, rather than necessary, will not meet these requirements; Carey (n 94) 50.

Accordingly, necessity will only very exceptionally be given in a competition law case. There will often be other, from a data protection perspective less intrusive means to fulfil the named legitimate interests. This will often hold true for cases in which data are only needed to improve products and services and not to directly contact the customers. Here, sharing of anonymized data or of the outcomes of the Machine Learning-based analyses of these data sets might be seen as sufficient. In other cases, ie where a reference to a specific natural person is indispensable, all circumstances of the case would have to be taken into account in order to ascertain whether the same goal can be reached with less intrusive means.

Basing data processing on Article 6(1)(f) GDPR is not possible if there are overriding interests or fundamental rights and freedoms of the users which require the protection of personal data. When applying this balancing test, the fact that data sharing is otherwise in public interest should also be taken into account.¹⁰⁵

105

Cf Article 29 Working Party (n 87) 35.

Restoring competition in the affected market could indeed be seen as such a public interest. However, given that ex ante, data subjects cannot reasonably expect such data processing,¹⁰⁶

106

Recital 47 GDPR states that ‘[a]t any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing.’

and taking into account that such sharing of data would not only enable a one-off processing by the same company but would give access to it to at least one additional company, which is associated with high risks for the data subject,¹⁰⁷

107

See art 6(4)(d) GDPR. When conducting the balancing test, all possible consequences of data processing for the rights and freedoms of the data subject have to be duly taken into account; P Voigt and A von dem Bussche, The EU General Data Protection Regulation (GDPR): A Practical Guide (1st edn, Springer 2017) 106.

the rights and freedoms of the affected natural persons will in such cases regularly prevail over the legitimate interests of the company.¹⁰⁸

108

This is even more so if the data subject in question is a child, as explicitly stipulated in art 6(1)(f) GDPR.

To conclude, it seems unfeasible to successfully rely on Article 6(1)(f) GDPR to share personal data in competition law cases.¹⁰⁹

109

Should the controller come to a different conclusion, it would, prior to sharing of data on this legal basis, have to fulfil its duties to provide data subjects with certain information, as enshrined in arts 13(3) and 14(4) GDPR.

However, this can only be decided on a case-by-case basis by the dominant firm, which has to duly take into account the individual circumstances of the users.¹¹⁰

110

Joined Cases C-468/10 and 469/10 ASNEF [2011] ECR I-12181, para 40; Case C-13/16 Valsts policijas [2017] EU:C:2017:336, para 31; Valsts policijas (n 93) paras 67–68. As a rule, sharing of data of thousands or even millions of users would be relevant in competition law cases. Nonetheless, the balancing test would need to take into account the peculiarities of the specific situation of each data subject, at least by way of building user groups with similar characteristics.

Any such decision is subject to judicial review.¹¹¹

111

Frenzel (n 81) para 27.

Consent of the data subject

The last legal ground that could be invoked in order to share data with competitors is the consent of the affected natural person.¹¹²

112

art 6(1)(a) GDPR.

Consent is defined in Article 4(11) GDPR as any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which she, by a statement or by a clear affirmative action, signifies her agreement to the processing of personal data relating to her.

A user could theoretically give consent either before or after the decision of the competition authority is issued. However, it has to be borne in mind that according to the principle of purpose limitation, any consent clause not explicitly specifying the exact purposes for which data will be processed, but rather staying general, would be invalid.¹¹³

113

Benedikt Buchner and Jürgen Kühling, ‘Art. 7 DS-GVO’ in Kühling and Buchner (eds) (n 86) 284–307, para 62.

It is therefore unlikely that any consent given before the decision of a competition authority is issued would meet the GDPR standards. For example, a general consent to ‘use data for all appropriate purposes’,¹¹⁴

114

Consent cannot be given in the form of a general authorization for data processing; Voigt and von dem Bussche (n 107) 96.

to ‘share data with other companies’¹¹⁵

115

The controller and any third party that might rely on consent must be named in the consent clause; Carey (n 94) 53. In a similar case, AG Szpunar confirmed this position. With regard to cookies, he stated that a user should be explicitly informed whether any third parties have access to cookies and if this is the case, their identity must be disclosed; Case C-673/17 Planet49 [2019] EU:C:2019:246, Opinion of AG Szpunar, para 120.

or even to ‘use data in line with the requests of the competition authority’ would not suffice due to the lack of specificity and explicitness of the clause. Therefore, the dominant firm would in practice have to seek consent to share data with a specific competitor after obtaining the decision of a competition authority. Needless to say, such a procedure will be very burdensome for the dominant firm.¹¹⁶

116

Cf Ferretti (n 96) 856. See also Crémer and others (n 13) 80, emphasizing that obtaining consent in cases where users do not immediately benefit from granting consent may be especially burdensome.

In the GDF Suez case,¹¹⁷

117

See n 50. For the facts of the case, see section ‘Data sharing as a remedy in existing decisions’ above.

in which GDF Suez was requested to grant access to its competitors to the data regarding its customers, the French Autorité took a different approach in order to at least partially circumvent the difficulties of obtaining consent from every single customer. Following the recommendations of the French data protection authority, it obliged GDF Suez to inform its clients about the intended disclosure of data to competitors, and give them a possibility to opt-out from their personal data being shared.¹¹⁸

118

ibid, paras 289 and 294.

With the aim to find a proper balance between protecting the rights of customers and rendering the competition law remedy effective, the Autorité decided for an opt-out solution.¹¹⁹

119

In general, competition authorities would be better advised to merely define the goals to be achieved by the dominant firm, without specifying the exact way how to reach these goals, as it is not appropriate for a competition authority to define measures which need to be taken in order to comply with data protection law. By interfering in the application of data protection rules to a specific case, competition authorities might even overstep their competences; Graef (n 13) 320.

While the Data Protection Directive, which was in force at the time, remained silent on whether an opt-out solution is admissible or not, it was considered admissible by most courts.¹²⁰

120

See, for example, OLG Frankfurt GRUR-RR 2016, 252. It was only after the Data Protection Directive has ceased to apply that the CJEU has taken stance on this matter. The Court ruled that even under the old Directive, an active behaviour on the part of the user was required; Case C-672/17 Planet49 [2019] EU:C:2019:801, paras 52–54.

However, under the new Regulation, such a solution is not possible any more, as pursuant to Article 4(11) GDPR, a statement or a clear affirmative action is needed, meaning that the data subject has to explicitly opt-in to data processing.¹²¹

121

Recital 32 GDPR explicitly states that ‘[s]ilence, pre-ticked boxes or inactivity should not … constitute consent.’ See also Buchner and Kühling (n 113) para 58; L Schreiber, ‘Art. 4 DSGVO’ in K-U Plath (ed) (n 101) 969–97, para 37.

Therefore, under the GDPR, the dominant firm would need to receive explicit consent from every natural person involved. Taking into account that in the GDF Suez case, a significant number of consumers opted out from data relating to them be transferred to competitors,¹²²

122

Autorité de la concurrence and Bundeskartellamt, ‘Competition Law and Data’ (2016) 20, fn 44 <https://www.bundeskartellamt.de/SharedDocs/Publikation/DE/Berichte/Big%20Data%20Papier.pdf?__blob=publicationFile&v=2> accessed 10 December 2019.

it can be assumed that under the new system, the amount of data subjects actively opting into such a data transfer would be even smaller. Therefore, albeit seemingly the safest option, the sharing of data based on consent might in practice by far not reach the desired goals.

Sharing of sensitive data

An even stricter legal framework characterizes the processing of the so-called special categories of personal data (more commonly referred to as sensitive data), ie data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.¹²³

123

art 9(1) GDPR.

According to Article 9 GDPR, the only possible legal ground for the sharing of such data in competition law context is consent of the data subject.¹²⁴

124

art 9(2)(a) GDPR. Apart from that, sensitive data can also be processed if it was manifestly made public by the data subject; art 9(2)(e) GDPR. Data contained in a profile in a social network accessible without a user account are deemed to fall under this category; Voigt and von dem Bussche (n 107) 113. On the other hand, it is hardly imaginable that in such a context, sensitive data could be processed based on art 9(2)(g) GDPR, which allows the processing that is necessary for reasons of substantial public interest, on the basis of Union or Member State law, if it is be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

While Article 9 GDPR is an exception to the general rule enshrined in Article 6 GDPR, its scope is in fact very broad. It might apply to a significant amount of data ought to be shared in big data cases. To give a few examples: a photo showing a data subject attending a protest or a demonstration could reveal information about her political opinions, whereas GPS data revealing that she spent some time in a church or a clinic could reveal information about her religious beliefs or the state of health, respectively.¹²⁵

125

T Weichert, ‘Art. 9 DS-GVO’ in Kühling and Buchner (eds) (n 86) 319–57, paras 27–28 and 39.

Moreover, even a mere search history showing user’s special interest in a specific disease or disability could be perceived as health data, as from it indirectly, conclusions with regard to her state of health could be drawn.¹²⁶

126

ibid, para 37.

The examples show that in fact, many pieces of data fall under Article 9 GDPR. Furthermore, this differentiation might cause difficulties even when only a part of a data set contains sensitive data, as it will often be practically impossible for the company to differentiate between ‘normal’ personal data and sensitive data.¹²⁷

127

For example, before sharing pictures or texts published on Facebook, the controller would have to assess whether the content of a particular picture reveals sensitive information or not. In the first case, art 9 GDPR would apply, whereas in the second one, the general rules of art 6 GDPR would apply.

Further data processing by the competitor

Another obstacle to the effectiveness of a data sharing remedy is the fact that as such, a legal basis for the disclosure of data to a competitor does not cover any act of data processing conducted by the latter.¹²⁸

128

See H Schweitzer and M Peitz, ‘Datenmärkte In Der Digitalen Wirtschaft: Funktionsdefizite und Regulierungsbedarf?’ (2017) ZEW Discussion Paper No 17-043, 37 <http://ftp.zew.de/pub/zew-docs/dp/dp17043.pdf> accessed 10 December 2019.

Therefore, should the competitor want to store, use, alter, retrieve, or even erase the received personal data,¹²⁹

129

See the definition of the term processing, art 4(2) GDPR.

it would have to make sure that one of the legal grounds for processing enshrined in Articles 6(1) or 9(2) GDPR, respectively, is satisfied.¹³⁰

130

See M Krzysztofek, Post-reform Personal Data Protection in the European Union: General Data Protection Regulation (EU) 2016/679 (1st edn, Wolters Kluwer 2017) 65.

It has to be emphasized that this already holds true for the very first act of storage of such data by a competitor.¹³¹

131

Schweitzer and Peitz (n 128) 37, fn 100. The most viable solution to this problem might be to ask data subjects for their consent not only for the disclosure of data to a competitor but also for further processing of these data by the competitor. However, it remains open how this could be realized in practice.

A full elaboration of these issues, however, is beyond the scope of this article.

Sharing of anonymized data

A possible way forward circumventing the application of the GDPR might be the sharing of anonymized data. Admittedly, the GDPR does not apply to anonymous information, ie to information which does not relate to an identified or identifiable natural person, and to personal data which was rendered anonymous in a manner that the person is no longer identifiable. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used in order to identify her. All relevant factors, such as the costs and the amount of time required for re-identification, including the available technology at the time of the processing as well as possible technological developments, should be taken into consideration.¹³²

132

Recital 26 GDPR.

If, by using at least the state-of-the-art anonymization technology,¹³³

133

M Klar and J Kühling, ‘Art. 4 Nr. 1 DS-GVO’ in Kühling and Buchner (eds) (n 86) 138ff, para 33.

data were successfully anonymized, it is not considered personal any more, meaning that the GDPR is not applicable. Such data can be shared without any limitations.

However, in practice, anonymization of data proves to be much more difficult than expected.¹³⁴

134

See Schweitzer and Peitz (n 128) 26, stating that any anonymized piece of data might—with more or less effort and additional information needed—be de-anonymized. See also Graef (n 13) 321–22; Crémer and others (n 13) 77–78.

In its Opinion 05/2014 on Anonymisation Techniques, Article 29 Working Party stated that in itself, merely removing directly identifying elements is not enough to ensure that identification of the data subject is no longer possible. On the contrary, it will often be necessary to take additional measures to prevent re-identification, depending on the context and purposes of the processing for which the anonymized data are intended.¹³⁵

135

Article 29 Working Party, ‘Opinion 05/2014 on Anonymisation Techniques (WP216)’ (2014) 9 <https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp216_en.pdf> accessed 10 December 2019. Additional measures that could be resorted to in order to make de-anonymization less probable are noise addition (modifying attributes in the data set to make it less accurate while still retaining the overall distribution), permutation (shuffling the values of attributes in a table so that some of them are artificially linked to different data subjects), and aggregation (grouping of data). Whilst no technique is devoid of shortcomings, the combination of more techniques raises the quality of anonymization; ibid 12–17.

When deciding upon whether a certain data set has successfully been anonymized, it also has to be borne in mind that a data set could be de-anonymized by connecting it with another data set (the so-called auxiliary knowledge). In that regard, the fact that a data set is shared with a competitor might even increase the probability of successful de-anonymization, as the latter might be in possession of a database with personal data that could be used as auxiliary knowledge to de-anonymize the received data set.¹³⁶

136

Cf Recital 26 GDPR stating that account should also be taken of the means reasonably likely to be used by a person other than controller to identify a user.

This could especially be the case when the user is multi-homing.¹³⁷

137

Cf also Jöns (n 78) 24–25. For example, if Google was mandated to share its anonymized data set containing GPS location data of Android users with a provider of a mobile app that also collects users’ location data, the latter company could compare location data from the two data sets and might be able to identify which user a particular piece of data from Google’s anonymized data set relates to.

Nonetheless, the decision on the data to be shared and on the modalities of its disclosure is conditional upon the intended usage of the data. For example, sharing of anonymized data might not be a viable solution in cases where the true value of a data set lies in the reference to specific natural persons. This is especially the case when the competitor is aiming to directly address the customers, as in the GDF Suez case.¹³⁸

138

Graef (n 13) 320.

On the other hand, sharing of aggregated data with a comparably low granularity might suffice in some other situations. However, especially in the Machine Learning context, this might not go far enough as for efficient algorithm training, single pieces of data, rather than aggregated conclusions based on these data, have to be fed into the algorithm.¹³⁹

139

Aggregating data lowers its quality. The lower the quality of the data, however, the worse the Machine Learning output; cf in this regard J Drexl and others, ‘Technical Aspects of Artificial Intelligence: An Understanding from an Intellectual Property Law Perspective’ (2019) 8–9 <https://ssrn.com/abstract=3465577> accessed 10 December 2019.

V. CONCLUSION

Data-driven platforms are continuously vying for the user data that forms the core architecture upon which their success depends. Indeed, it has been now been witnessed through the Google Android decision that dominant firms can resort to illegal behaviour to exclude their rivals from gaining scale in data in the markets that are characterized by network effects. While the competition authorities the world over have been vigilant against exclusionary conduct owing to the importance of such markets, it is still unclear how best to restore competition in a market that has witnessed exclusionary conduct by a dominant firm. Thus, with the objective of devising the most optimal remedy for exclusionary conduct in data-driven markets, this article examined the viability of mandating the dominant firm to share its big data with rivals at the remedy stage.

In view of the scant guidance on the research question—both in the case law and in the academic literature—this article approached the viability of forced data sharing as a remedy from different standpoints. It first examined the possibility of forcing the dominant undertaking to share its advantages/resources (including big data) with its rivals at the remedy stage under EU law. While the legislation and the case law give a broad mandate to the Commission to put an effective end to the consequences of an infringement, the extent to which a remedy can go to restore competition is unclear in the case law. The article showed that an optimal remedy should aim at restoring competition to the level that had existed at the time the infringement began, instead of the level that would have existed but for the infringement. Judged against this standard, the article showed that data sharing would end up favouring the latter outcome, which would be detrimental to consumer welfare.

Further, scrutiny of the technological features of big data revealed that sharing of past data of the dominant firm is futile for the businesses that make prediction in the present or in the near future, owing to the ‘velocity’ feature of big data. Instead of old data, such businesses require fresh data that can capture the changing trends swiftly. Where data form the core of a business model, investment in innovative products and services may get adversely affected due to forced data sharing remedy. Further, any remedy of data sharing would require the antitrust regulators to set out the details and monitor such activity. Competition authorities and courts are not best placed for such tasks.

As a competition law remedy of data sharing may involve users’ personal data, the final part of this article made deep scrutiny into the interface between the remedy of data sharing and the GDPR. It analysed mandatory data sharing on three different grounds for data processing provided in the GDPR, namely (i) compliance with a legal obligation, (ii) legitimate interests of the companies involved, and (iii) consent of the data subject. Whereas the first two grounds do not allow for the sharing of personal data in competition law context, sharing based on consent of data subjects would be possible, but marred with significant difficulties in obtaining explicit consent from every data subject. Additionally, the technological ease of de-anonymizing user data might also prevent the dominant firm from sharing such data with its rivals.

Based on the above findings, the article concluded that data sharing is not an optimal remedy in the exclusionary conduct cases. In view of this, reliance can be placed on other behavioural and structural remedies available to the Commission. However, as this article demonstrates, the final determination of a remedy must be based on rigorous scrutiny from different standpoints.

The authors are grateful to Marco Botta, Josef Drexl, Michèle Finck, Barbara Sandfuchs, Francisco Beneke (Paco), Ana Papler, and Luc Desaunettes for their valuable comments and suggestions. Any errors remain our own.

Author notes

Jure Globocnik, Junior Research Fellow, Max Planck Institute for Innovation and Competition, Munich, Germany. Email: [email protected]

This is an Open Access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted reuse, distribution, and reproduction in any medium, provided the original work is properly cited.

Download all slides

Month:	Total Views:
January 2020	164
February 2020	165
March 2020	123
April 2020	100
May 2020	101
June 2020	130
July 2020	143
August 2020	178
September 2020	142
October 2020	184
November 2020	219
December 2020	177
January 2021	160
February 2021	370
March 2021	358
April 2021	282
May 2021	210
June 2021	122
July 2021	125
August 2021	132
September 2021	249
October 2021	98
November 2021	119
December 2021	78
January 2022	117
February 2022	124
March 2022	133
April 2022	104
May 2022	94
June 2022	85
July 2022	91
August 2022	67
September 2022	55
October 2022	47
November 2022	55
December 2022	58
January 2023	209
February 2023	185
March 2023	184
April 2023	251
May 2023	240
June 2023	188
July 2023	48
August 2023	85
September 2023	63
October 2023	54
November 2023	81
December 2023	73
January 2024	55
February 2024	85
March 2024	114
April 2024	91
May 2024	83
June 2024	49
July 2024	84
August 2024	74
September 2024	90
October 2024	78
November 2024	78
December 2024	58
January 2025	73
February 2025	83
March 2025	78
April 2025	53

Article Contents

Exclusionary conduct in data-driven markets: limitations of data sharing remedy

Abstract

I. INTRODUCTION

II. THE OBJECTIVE OF REMEDIES IN THE EU COMPETITION LAW

Can data sharing be mandated as a remedy in the EU

A choice between the ‘baseline’ and the ‘but for’ standards

Data sharing as a remedy in existing decisions

Mandating data sharing and defendant’s incentive to innovate

Is mandating data sharing administrable

III. TECHNOLOGICAL NATURE OF BIG DATA AND CHALLENGES IN MANDATING DATA SHARING

IV. THE GDPR AND MANDATORY SHARING OF DATA

Compliance with a legal obligation

Legitimate interests of the dominant firm and competitors

Consent of the data subject

Sharing of sensitive data

Further data processing by the competitor

Sharing of anonymized data

V. CONCLUSION

Author notes

Citations

Views

Altmetric

Email alerts

Citing articles via

Latest

Most Read

Most Cited

Article Contents

Exclusionary conduct in data-driven markets: limitations of data sharing remedy

Abstract

I. INTRODUCTION

II. THE OBJECTIVE OF REMEDIES IN THE EU COMPETITION LAW

Can data sharing be mandated as a remedy in the EU

A choice between the ‘baseline’ and the ‘but for’ standards

Data sharing as a remedy in existing decisions

Mandating data sharing and defendant’s incentive to innovate

Is mandating data sharing administrable

III. TECHNOLOGICAL NATURE OF BIG DATA AND CHALLENGES IN MANDATING DATA SHARING

IV. THE GDPR AND MANDATORY SHARING OF DATA

Compliance with a legal obligation

Legitimate interests of the dominant firm and competitors

Consent of the data subject

Sharing of sensitive data

Further data processing by the competitor

Sharing of anonymized data

V. CONCLUSION

Author notes

Citations

Views

Altmetric

Email alerts

Citing articles via

Latest

Most Read

Most Cited

This Feature Is Available To Subscribers Only