Why End-User Consent Cannot Keep Markets Contestable
A suggestion for strengthening the limits on personal data combination in the proposed Digital Markets Act
A central source of Big Tech gatekeepers’ power is their encompassing access to individuals’ personal data. By combining personal data across the range of services they provide, gatekeepers are able to create increasingly precise profiles of individuals. Their control over vast amounts and sources of data may not only erode the privacy interests of individuals but can also strengthen gatekeepers’ competitive advantage over business users and rivals.
The prohibition of Article 5(a) of the proposed Digital Markets Act (DMA), therefore, is welcome as an attempt to limit the private power over data held by gatekeeping platforms. This provision requires a gatekeeper to refrain from combining personal data sourced from its core platform services with personal data from other services offered by the gatekeeper or third parties, unless the end-user provided consent under the General Data Protection Regulation (GDPR). The prohibition is based on the remedy imposed by the German Bundeskartellamt in its 2019 Facebook decision.
However, end-user consent cannot be regarded as an adequate safeguard for keeping data-driven markets competitive. To undo the competitive harm resulting from Facebook’s practices, it is submitted here that the Bundeskartellamt should have imposed a more far-reaching remedy. For the same reason, the DMA should not rely on end-user consent as a mechanism to keep markets contestable, where gatekeepers wish to combine personal data. Rather, gatekeepers should only be able to combine personal data across services under the DMA when this is necessary to perform a contract.
The Reasoning in the Bundeskartellamt’s Facebook Case
In its 2019 decision, the Bundeskartellamt found that Facebook had violated the German competition rules, by forcing end-users to agree that their social network data would be combined with personal data collected within Facebook’s other services, such as WhatsApp and Instagram, and with personal data collected by Facebook on third-party websites. If end-users did not agree to these terms, they could not use Facebook’s social networking service. To assess whether Facebook’s conduct met the thresholds of abuse, the Bundeskartellamt relied on the data protection rules of the GDPR as a standard, against which it determined that Facebook had violated German competition law.
As part of its reasoning, the Bundeskartellamt concluded that end-user consent was not freely given, as required under Article 4(11) GDPR, due to Facebook’s dominant position and the absence of alternative social networks on the market. The combination of personal data was also not found necessary for the provision of a social network service to the end-users. And finally, Facebook’s legitimate interests in combining personal data for commercial purposes did not outweigh end-users’ interests with respect to the protection of their personal data. For these reasons, there was no lawful ground for combining personal data under Article 6(1) GDPR. By violating the GDPR, Facebook, in the view of the Bundeskartellamt, also exploited end-users and excluded competitors in violation of the German competition rules.
The reasoning of the Bundeskartellamt is controversial, especially with regard to the question whether it is desirable for a competition authority to intervene against anticompetitive conduct that also violates data protection rules, and to substantially reason on the latter grounds. In the interim proceedings on appeal, the Oberlandesgericht in Düsseldorf and the Bundesgerichtshof reached diverging conclusions on the legality of the Bundeskartellamt’s decision. The latest development is the Oberlandesgericht in Düsseldorf’s referral of questions to the Court of Justice in Luxembourg, on the Bundeskartellamt’s interpretation of the GDPR.
Irrespective of the intervention’s desirability, the key question is whether the remedy chosen by the Bundeskartellamt to put an end to Facebook’s infringement is effective to address the competitive harm.
Why the Remedy in the Bundeskartellamt’s Facebook Case Cannot Address Competitive Harm
As a result of the remedy imposed by Bundeskartellamt, Facebook is only allowed to combine personal data from its various services and third-party websites with the voluntary consent of the end-user. The inspiration for this remedy is drawn from the GDPR, where consent is one of the lawful grounds for processing personal data under Article 6. After the Bundeskartellamt’s decision, end-users are no longer required to consent to their personal data being combined as a precondition for using Facebook’s social network. Even if end-users do not consent to the combination of personal data across services, Facebook must allow them to use its social network.
Although this remedy empowers end-users by giving them more control over their personal data, it is questionable whether the imposition of end-user consent as a precondition for the combination of personal data is sufficient to silence the competition concerns. The effectiveness of the remedy of consent in promoting competition is completely dependent on individual users’ choices. This fallacy is all the more relevant now that the DMA is copying the Bundeskartellamt’s Facebook remedy in Article 5(a) DMA and is applying it to all situations where gatekeepers want to combine personal data across different services.
In fact, the remedy in the Facebook case does not go beyond ensuring compliance with the GDPR. Arguably, the outcome illustrates that competition law was merely used to enforce data protection law. By limiting the remedy to consent under the GDPR, the Bundeskartellamt makes itself vulnerable to critics who claim that, as a competition authority, it was not competent to enforce the GDPR. Had it imposed a stronger, alternative remedy to address the competitive harm beyond the data protection harm, this might have eliminated doubts about its competence. Even though it relied on the GDPR to establish a violation of the German competition rules in its substantive assessment, the Bundeskartellamt was not bound to a data protection remedy, but could instead have adopted a competition remedy to address the competitive harm. Rules from other legal regimes, such as intellectual property law, have already been used as an indicator for establishing an infringement of competition law. The key condition is that the breach of another legal regime causes competitive harm. Although the Bundeskartellamt pointed to competitive harm in the form of exploitation of end-users and exclusion of competitors caused by the violation of the GDPR, such competitive harm cannot be remedied through consent, whose effectiveness depends on the choices of individual users.
End-user consent under the GDPR cannot address competitive harm due to data externalities. These externalities imply that the choices of one person may affect other persons with similar characteristics. If person A consents to her personal data being exchanged between services, the combined dataset about her behavior and preferences may also provide more detailed insights about persons B, C and D who, for example, have similar preferences and share demographic characteristics. As explained, the Bundeskartellamt remedy makes the extent to which the exploitation of end-users and exclusion of competitors occurs dependent on the individual choices of end-users. This is not a responsibility that individual users should be expected to carry, especially given the competitive and collective harm that the Bundeskartellamt identified, which exceeds the harm to individual end-users that data protection law aims to address.
If the majority of Facebook’s users still agrees to having their personal data combined, the remedy will only have a limited effect on the protection of overall competition and consumer welfare. Since the Bundeskartellamt was not limited to remedies within data protection, it could have gone a step further, by prohibiting Facebook from combining personal data, regardless of whether end-users consent. Such a measure – while certainly controversial – would have better addressed the competitive harm in the market and the externalities that individual end-users do not and should not be expected to take into account when deciding whether to consent to the combination of their personal data.
A Shortcoming in the DMA
For the same reasons, the DMA should impose stricter requirements on the combination of personal data and should not rely on consent per the GDPR. The DMA’s goal of ensuring “contestable and fair markets in the digital sector” goes beyond protecting the individual relationship between end-users and data controllers, on which the GDPR focuses. The evident risk behind the current phrasing of Article 5(a) DMA is that gatekeepers can trick users into agreeing to the combination of personal data, without realizing the potential consequences for themselves and others.
In Article 5(a), the DMA falls short of its stated objective of imposing stricter requirements on gatekeepers in order to make markets fairer and more contestable. The European Data Protection Supervisor recalled in its opinion on the DMA (in par. 24 and footnote 26) that other digital platforms, not qualifying as gatekeepers, must already obtain consent from end-users to combine personal data for the purposes of profiling and tracking under the GDPR. In other words, Article 5(a) DMA does not depart from the current interpretation of the GDPR for these purposes, because the requirement of end-user consent already applies to all data controllers under the GDPR, irrespective of their market position.
An Alternative Condition for Combining Personal Data in the DMA
A stronger and more reliable condition for combining personal data, rather than consent, could be Article 6(1)(b) GDPR, which states that the processing of personal data is lawful when it is “necessary for the performance of a contract” to which the end-user is a party. Such an approach would offer stronger guarantees than consent because this lawful ground for the processing of personal data would only allow gatekeepers to combine personal data to the extent that this is indispensable for the performance of a contract, such as the provision of a service.
One example of a service requiring the combination of personal data could be a new application, bringing together personal data from a gatekeeper’s email service and map service, to advise a user on how to best organize her travel movements. Where the combination of personal data only increases the level of personalization of the service, but is not strictly necessary for the provision of the service, gatekeepers should not be allowed to combine personal data. Although this may seem far-reaching, the GDPR’s purpose limitation principle already limits the exchange of personal data across services offered by the same provider, if this results into personal data being processed for a different purpose than for which it was originally collected. Because of the larger impact of their practices on the market, the same should apply a fortiori to gatekeepers under the DMA. Even though one may argue that this approach harms consumers in the short term, due to the limits on personalization, the restrictions imposed on gatekeepers also provide room for other market players to attract consumers to their services, with the prospect of more consumer choice in the longer term.
Where the combination of personal data is an unavoidable prerequisite for the performance of a contract, the merging of data should be possible: it brings value to end-users and to the market in the form of new services that would otherwise not have existed. End-users will retain control over their personal data, due to their choice whether or not to receive a service from a gatekeeper.
However, monitoring is necessary to ensure that gatekeepers interpret the condition in a way that the combination of personal data only happens if strictly necessary for the performance of a contract they have concluded with end-users. In particular, the combination of personal data with the sole aim of increasing personalization, profiling end-users and improving targeted advertising should fall outside of the notion of performance of a contract. These are precisely the practices that the DMA should restrict, in order to control the private power held by gatekeepers and to open up competition to the benefit of rivals as well as to protect the long-term interests of consumers.
Unless Article 5(a) DMA is amended to relieve individual end-users of the responsibility to decide on the desirability of combining personal data across services, there is a risk that gatekeepers can continue exploiting their strong competitive advantage resulting from the ties between the range of services they offer to the detriment of consumers, businesses and the European digital single market.
This blog post is a variation of part of a Dutch language paper written by the author entitled ‘Het reguleren van het gebruik van data door digitale platforms: gaat de voorgestelde Digital Markets Act ver genoeg?’, which is forthcoming in the journal Markt & Mededinging.
The Max Planck Institute for Innovation and Competition is committed to fundamental legal and economic research on processes of innovation and competition and their regulation. As an independent research institution, the Institute provides evidence-based research results to academia, policymakers, the private sector as well as the general public.