How Competition Impacts Data Privacy

Policy Brief

Download the paper (PDF)

A small number of large digital platforms increasingly shape the space for most online interactions around the globe and they often act with hardly any constraint from competing services. The lack of competition puts those platforms in a powerful position that may allow them to exploit consumers and offer them limited choice. Privacy is increasingly considered one area in which the lack of competition may create harm. Because of these concerns, governments and other institutions are developing proposals to expand the scope for competition authorities to intervene to limit the power of the large platforms and to revive competition.  

The first case that has explicitly addressed anticompetitive harm to privacy is the German Bundeskartellamt’s case against Facebook in which the authority argues that imposing bad privacy terms can amount to an abuse of dominance. Since that case started in 2016, more cases deal with the link between competition and privacy. For example, the proposed Google/Fitbit merger has raised concerns about sensitive health data being merged with existing Google profiles and Apple is under scrutiny for not sharing certain personal data while using it for its own services.
However, addressing bad privacy outcomes through competition policy is effective only if those outcomes are caused, at least partly, by a lack of competition. Six distinct mechanisms can be distinguished through which competition may affect privacy, as summarized in Table 1. These mechanisms constitute different hypotheses through which less competition may influence privacy outcomes and lead either to worse privacy in different ways (mechanisms 1-5) or even better privacy (mechanism 6). The table also summarizes the available evidence on whether and to what extent the hypothesized effects are present in actual markets.

Table 1 Overview of mechanisms through which competition affects privacy

        Mechanism Evidence
  1 If there is less competition, companies can collect more personal data. Limited effect in app markets and tentative evidence in advertising markets.
  2 If there is less competition, consumers face less choice regarding privacy. Conceptual argument, open question for competition authorities: What is the benchmark for identifying anticompetitive conduct and restoring choice?
  3 If companies merge, companies can collect and use more data. Self-evident, and a matter for competition authorities if privacy is a relevant factor for competition.
  4 Personal data in the hands of dominant firms creates more harm. None based on the (theoretical) evidence of the effects of price personalization: no link between market power and negative outcomes for consumers.
  5 If there is less competition, companies can undermine competition on privacy. Limited to the readability of privacy policies decreasing as firm size increases.
  6 Dominant firms can obtain quasi-regulatory powers over personal data that hamper competition. Harm to competition evident, unclear whether there are benefits for privacy.
Source: Stiftung Neue Verantwortung

Based on these findings, some of the mechanisms would strongly benefit from more research to better capture their relevance across markets. Others already have sufficient empirical and conceptual support to warrant stronger intervention by policymakers. These interventions should include the following:
First, besides developing a clearer notion of what it means to provide choice on privacy from a competition perspective, several options should be pursued by a collaboration between competition and data protection authorities to increase choice vis-à-vis dominant firms. These options include involving consumers in the development of privacy policies, for example through democratic decisions on privacy policies and/or forms of community consent.  Another option is to unbundle consent and/or data such that dominant firms must obtain more granular consent before being allowed to share data internally.

Second, competition authorities should recognize that in a merger, a reduction in privacy can be both out of scope of the GDPR and relevant for competition if privacy is a relevant factor for consumers. Authorities should be comfortable to rely on stated preferences to determine whether consumers care about privacy in a specific market. Revealed preferences are often less meaningful because consumers face various obstacles in making effective privacy choices.

Third, authorities as well as the wider privacy community should develop metrics to assess the quality of a privacy policy to allow for reaching a view on whether a practice improves or degrades privacy. Any set of metrics will make some simplification inevitable which is necessary to cut through the excessive complexity that currently prevents authorities from reaching a view on whether mergers or other behavior have any impact on privacy. In the longer term, a clear on such questions is needed to reach a common framework for competition and privacy. Such a framework is important for competition and privacy authorities to consistently balance privacy and competition where trade-offs are inevitable.
Fourth, statistical agencies and academia should work together to provide more evidence on the state of competition in digital markets not only but also on privacy. For example, policymakers should know whether firms with market power collect more/more intrusive data than those without. They should also know whether and how firms with market power hamper competition on privacy, e.g. by making privacy policies unnecessarily obscure. Digital platforms have been reluctant to share such data, providing a rationale for an obligation for them to make significantly more data accessible. Statistical agencies, academic research and civil society organizations should play a role in analyzing the data and making it more widely accessible.