EU and US Merger review and privacy law: Does the Google/Fitbit decision draw a line in the sand?
The debate: merger control vs privacy law
Some say that antitrust authorities should factor the potential loss of consumer privacy into their merger analysis and block or condition transactions that pose a privacy or data security risk. This could be done through the expansion of the consumer welfare standard to include non-economic public concerns, such as privacy-related considerations.
For others, the protection of users’ personal data is a separate issue that merger control cannot and should not address. Merger control and privacy law have a different scope and objectives. Also, antitrust authorities lack the necessary competence and technical expertise to apply privacy rules. Further, concurrent reviews of alleged data protection violations by antitrust and data protection regulators could lead to inconsistent enforcement and cause confusion for businesses.
Google/Fitbit, the latest EC decision in the digital sector, provides valuable insights on the EC stance in the broader global debate on the intersection between merger control and privacy.
Google/Fitbit: the EC position
In Google/Fitbit, the EC was asked to consider the impact of the aggregation of Fitbit’s health and fitness user data with Google’s gargantuan amount of other user data held across its different platforms. Consistent with previous practice, the EC assessed privacy-related questions within its merger review following a three-dimensional approach.
- Privacy-related concerns are not as such a matter of merger review
In Google/Fitbit, the EC withstood the pressure to use the antitrust hammer to protect privacy considerations. It affirmed that extraneous policy factors, such as privacy, do not belong to the merger control realm and should be treated as distinct from the merger analysis. It is not for antitrust authorities to police actual or potential breaches of privacy laws and bring non-compliant companies into compliance with such rules. Instead, data protection regulators are better equipped to deal with the challenges posed by the use (or misuse) of personal data. In Commissioner Vestager’s words, the EC is “very much aware that in cases there can be a privacy issue. We are just very careful not to see a competition issue where there is a privacy issue because, if that is the case, it’s not for us”.
The EC dispelled concerns that users would be directly harmed by reduced privacy by pointing at the rightful guardians of such interests, namely the GDPR and the e-Privacy Directive. In doing so, the EC followed a steady stream of enforcement activity in “data mergers” (WhatsApp/Facebook, Microsoft/LinkedIn, Google/DoubleClick) and found backing in the EU Court’s case law: “any possible issues relating to the sensitivity of personal data are not, as such, a matter for competition law, they may be resolved on the basis of the relevant provisions governing data protection”.
Further, the EC explained that in its merger assessment, it presumed that Google and Fitbit would lawfully combine their databases under privacy law, further clarifying that should such presumption prove to be incorrect, the “effects of the transaction [...] would be the same, but the parties remain accountable for any breach of GDPR or the e-Privacy Directive”.
- Privacy will be considered if it constitutes a key parameter of competition
One way privacy can enter the realm of the substantive merger review is when privacy constitutes an important element of “quality” competition - in other words where a significant number of users base their market choices on the strength of a company’s privacy offering. This was particularly clear in Microsoft/LinkedIn, where the EC concluded that privacy, as a “significant factor of quality”, was an important parameter of competition and “driver of consumer choice”.
In Google/Fitbit, the EC found no evidence that privacy was a parameter of competition for wearable devices and accordingly, the EC did not factor privacy in its substantive assessment of the transaction. Most importantly, however, the EC indicated that any initiative of the parties in relation to privacy and data protection would have to be in compliance with GDPR, which provides a high standard of protection and “leaves little room for differentiation”.
Does that mean that there will be no place at all in merger reviews for privacy as a competition parameter, given that the GDPR has now created an unavoidable level playing field? One could argue so – and that the EC would have probably avoided bothering with privacy considerations in Microsoft/LinkedIn had the GDPR been in force at the time of that transaction. Yet, it cannot be ignored that companies could find differentiation (and hence compete) in privacy considerations within the boundaries (or beyond) of the GDPR. The EC will then need to assess, on a case-by-case basis, whether the merger eliminates or reduces competition along such a “non-price dimension”.
- Privacy rules act as an external constraint on merger remedies
Merger remedies cannot seek to rectify any privacy violations. However, the fundamental right to privacy constrains the EC from designing merger conditions that interfere with users’ right to privacy. So, where merger remedies create privacy risks (e.g. mandated data sharing whereby the merged entity commits to share its data with competitors), privacy rules will act as an external limit to EC’s merger enforcement. In such cases, consultation with the data protection regulators may be particularly useful.
In Google/Fitbit, the EC conditioned the transaction on Google’s commitment to provide users with an effective choice to: (i) grant or deny the use of certain Fitbit data by Google services; and (ii) allow third party access to the data types made available in the Fitbit Web API, subject to certain privacy and security requirements.
Anticipating the Brussels Effect? Perspectives from the US
With a marked change in the stance on enforcement in digital markets in the past decade, the US approach to data in mergers is due for a refresh. Unlike the EC, however, the US authorities have not yet weighed in on the potential issues in Google / Fitbit. When the parties closed the transaction, the DOJ announced that its investigation into the transaction was still ongoing – potentially pending the change in leadership at the agency following the elections. Six months later, the DOJ still has not made any official statements on the status of the investigation as key leadership positions remain open.
Traditionally, the agencies have sought to separate privacy considerations from competition considerations in the merger control process. Take, for example, the FTC’s 2007 decision in the Google / DoubleClick merger. Despite concerns over the acquisition’s impact on consumer privacy by expanding access to consumer data, the FTC decided it did not have the authority to block the transaction on non-antitrust grounds. The FTC argued that “the sole purpose of federal antitrust review of mergers and acquisitions is to identify and remedy transactions that harm competition.” Instead, the FTC issued separate enforcement guidelines on consumer privacy considerations relevant to the behavioural marketing issues raised by the transaction. This distinction is likely to be reinforced by the courts, where the authorities would be forced to prove a substantial lessening of competition.
Picking up on some of the themes seen in the European approach, US antitrust authorities nevertheless have suggested that they may take a more interventionist approach to data and privacy considerations in merger review going forward as a form of non-price competition. Leadership has stated that data privacy will be considered if it constitutes a key part of the antitrust analysis of a merger (i.e., if data privacy affects the “quality” of competition). The former head of the US Department of Justice’s Antitrust Division recently noted that diminished quality was a type of harm to competition that is analysed and that “privacy can be an important dimension of quality.” Similarly, the FTC has explicitly recognized that “privacy can be a non-price dimension of competition.” The exact contours of how the US agencies will seek to prove this effect are yet to be developed.
Predictions over how data privacy may eventually fit into US merger remedies also remains to be seen. Unlike in Europe, the US may have a greater opportunity to mandate data access without falling afoul of federal privacy regulations. However, important factors such as the question of how such access commitments would be implemented, and the interaction between such commitments and state regulations in jurisdictions such as California and Virginia, which have been taking a more active approach to data protection, will need to be considered.
Practical implications: What does this all mean for merging companies?
Given that recent “data mergers” have brought to the fore issues related to data collection, processing and use, companies may want to consider the following to help manage privacy-related implications:
- “Data mergers” should be expected to attract significant attention and potentially longer and more intensive merger reviews.
- The parties should consider building (incidentally) in their merger notification a showcase of their privacy policies and compliance with data protection rules. While not part of the antitrust assessment, proactively demonstrating the full respect of such rules might speed up the review process and provide the EC with ammunition against allegations of privacy concerns that the deal might bring about.
- If privacy or data policies are relevant factors for competition in a given market, those will be assessed as a non-price parameter in the substantive competition analysis the same way as any other competition aspect.
- Even where privacy does not raise issues in merger review, companies are not off the hook as they may still be found liable for breaches of privacy law by the competent data protection regulators.