Decision of the German Federal Cartel Office in 2019 FacebookData collection methods of exploitation and abuse of market power based on the finding that Europe’s General Data Protection Regulation or data collection processes are illegal. GDPR. Last week, the Supreme Court in Dసsseldorf set aside the order and asked the European Court to decide whether GDPR had been violated, not the German competing authority.
This is the latest example of the tension between competition and privacy regulators over the question of how data businesses should be run and by whom. Data protection regulators argue that they should have the final say on matters relating to personal data, as they are responsible for the personal privacy of users. On the other hand, since competitive regulators’ privacy-related actions of large tech companies reduce consumer choice, it should be considered a cost-effective factor affecting consumer welfare. Accordingly, they argue, it falls within their regulatory limit to regulate. Taken at face value, these different perspectives suggest that privacy and competition occupy opposite ends of the spectrum. While competition law restricts behavior that is detrimental to the welfare of consumers, data protection law ensures that consumers have a reasonable expectation of privacy. However, the problem is not trimmed and dried. Unlike each other, privacy and competition issues often overlap, and enforcement by one regulator causes the regulated entity to operate in a way that prohibits the other.
Take the case, for example HiQ vs. LinkedIn The US Ninth Circuit is set for 2019. LinkedIn has disabled Hike’s access to profile data on the grounds that users’ data is being scrapped, although they are clearly engaged in the ‘Do not transmit’ privacy setting regarding changes to their profile. Hike argues that LinkedIn’s decision to block access to data from LinkedIn servers is unjustified, and plans to launch its own competing data analytics service. When the Ninth Circuit ruled in favor of Haiku, it put competitive interests first and ignored the privacy it was supposed to give to LinkedIn users who were clearly chosen to ban broadcasting.
Other drastic measures are not beyond the scope of the possibility. EU Commissioner Margaret Wester records that the European Commission needs to share data with its rivals to improve competition. Although data-access barriers to corporate information (such as business plans or technical data) have long been part of the competition regulator’s toolbox, exercising these in the context of data businesses dealing with personal data can have serious consequences on privacy. Customers.
We cannot resolve these tensions unless we are committed to adopting a better coordinated approach to regulation. In all cases where competitive disputes point to issues of personal privacy, the competition regulator not only informs the data protection authority of the investigation, but also makes the subsequent judgment an integral part of the final judgment. In cases where this is not done, the courts that decide on appeals arising from the order of a given regulator must balance the welfare interests of consumers with personal privacy.
If it is difficult to resolve these differences in the US and Europe, where privacy regulators are well established, how difficult will they be in India, where we do not yet have data protection legislation?
In the absence of a Data Protection Authority that issues directives on how data businesses should operate, various other regulators have stepped in to fill the gap. Within industries, sector-specific policies on how to use personal data have been issued. Unfortunately, the patchwork of results was more confusing than providing clarity.
Recently, the Competition Commission of India entered the field and in its market survey on telecom said that privacy is a priceless factor for competition and as a result has the power to regulate. WhatsApp later did good on that statement by ordering an investigation into the recently proposed privacy-policy changes.
From these developments the competitive regulator of India wants to make data businesses ’privacy-related aspects part of its payoff. While it may be acceptable if we already have a Data Protection Authority, when there is no one case for personal privacy, the regulation of Indian data businesses now, unfortunately, clearly tastes like ‘competition first’. With regard to issues of breach of competition and confidentiality, it biases the direction of our data jurisprudence.
Enforcement of the Privacy Act can no longer be delayed. These kinds of jurisdictions show how urgent this matter has become. Further delays are pushing data jurisprudence in ways that our data industry can cope with illness.
The Rahul Mathan trilogy also has a partner and a podcast called Ex Machina. His Twitter handle @Matton