Computers, Privacy & the Constitution

View   r3  >  r2  ...
JeanPettiauxFirstPaper 3 - 24 Apr 2022 - Main.JeanPettiaux
Line: 1 to 1
 
META TOPICPARENT name="FirstPaper"
Changed:
<
<

Taking into account data and privacy in merger control

>
>

First Paper Second Draft - Is digital autonomy a requirement for effective regulation and protection

 -- By JeanPettiaux - 13 Mar 2022
Changed:
<
<
The systematic collection by companies of business and personal data has seen a dramatic increase over the past decades. In today’s society and economy, the availability of large data sets is a highly powerful tool that calls for regulation to ensure the virtuous/legal use of such powerful instruments. In this context, data have as often been described as “the gold of the 21st century” and their systematic collection as “the gold rush of the 21st century”.
>
>
Departing from a European-born vision
 
Changed:
<
<
The weight of data in business decision-making and their intrinsic value caused the emergence over time of a plurality of new data-driven markets which have experienced over the past decades a rise of mergers and acquisitions (see, for example, Google's recent acquisition of Fitbit). This sharp rise in this type of merger has led many antitrust authorities to question the adequacy of their merger control systems in assessing these cases. In the European Union, it has been maintained/shown that the EU Merger Regulation has difficulties in catching mergers in big data-driven markets due to the current use of turnover-based merger notification thresholds. Indeed, it has been shown that many players operating in data-driven markets have a low turnover despite holding a strong position in a market, despite being potentially capable of threatening to significantly affect competition if acquired by another competing entity. To breach this enforcement gap, some authorities (e.g., the German Bundeskartellamt and the Austrian Bundeswettbewerbsbehörde) have, among other, introduced an additional merger control threshold based on the value of the merger rather than the turnover of the parties involved.
>
>
As a European, it is sometimes too easy to see the good sides of the European Union without taking the necessary step back to realize that the Union is and has been lagging behind in many important domains. This is an attempt to depart from my European-born view by questioning the EU attempt at the Data Privacy system which is too often presented as an example, without demonstrating its efficacy. While the EU economy is thriving in many areas, it is strongly lagging behind in the tech industry, compared to other international economies. Looking at the biggest tech companies in the World (Apple, Samsung, Microsoft, Google, Huawei…) one may easily notice that none of them have been created in the EU. The EU tech market is weak, tech companies sell out early and have difficulty scaling their business to world dominant size as it has been the case in the US and Asia. In comparison, the Financial Times observed in 2016 that “Europe’s eight most valuable companies are only worth about 10 % of Facebook or 6 % of Google”. It is hard to argue that the EU (and its Members States) have much regulatory and market steering power over tech companies headquartered and/or created in other jurisdictions. while the EU boasts of having an advanced consumer protection system (including privacy protection), my premise is that the EU cannot effectively act in this area if the tech market is virtually non-existent on its territory. One cannot rule in a territory without credible subjects. When it comes to private data protection, I am of the opinion that the ability to act (to protect data) is primarily held by the data subject itself (who might take steps not to share or to protect its data) and by the big tech companies – data collector on which most of us heavily rely (search engine, smartphone, computers …).
 
Changed:
<
<
The rapid rise in numbers of data-driven mergers not only presents an issue with regard to merger notification thresholds and subsequent competitive analysis but also raises concerns relating to the privacy and use of data, especially personal data. Indeed, the most important source of data for companies consists in the interaction with actual or potential customers (user-generated content), whose rights are increasingly often protected. Take for example General Data Protection Regulation (GDPR) one of the toughest privacy laws in the world, passed by the European Union and put into effect in 2018 which requires companies to strengthen their data protection policies and processes. The GDPR is far-reaching as it protects the personal data (defined as information that relates to an individual who can be directly or indirectly identified) of EU citizens or residents and protects the rights of these individuals even if they are not in the EU. This regulation imposes extensive obligations and limitations on personal data processing relating to the use of data, data storage, the integrity and confidentiality of the stored data, the transfer of data, etc…
>
>
Europe is active but ineffective
 
Changed:
<
<
While it is usually well known that companies (data-related or not) breaching antitrust/competition law expose themselves to heavy antitrust sanctions (e.g., the 4.34 billion-euro $5 billion fine imposed on Google by the European Commission in 2018 in relation to its Android Operating system), companies also face significant fines for breaching data protection law. The GDPR exposes companies to fines of up to 4% of annual global revenue or ¤20 million – whichever is greater, in addition to the right of data subjects have to seek compensation for damages. As an example, Marriott International is facing a 123 million GDPR fine for a 2018 data breach of its guest reservation database, imposed by the UK Information Commissioner’s Office.
>
>
The EU loves regulations. When it comes to data privacy, the Data Protection Regulation is often presented as one of the toughest privacy laws in the world. The GDPR is far-reaching as it protects the personal data (defined as information that relates to an individual who can be directly or indirectly identified) of EU citizens or residents and protects the rights of these individuals even if they are not in the EU. However, a Regulation can hardly reach its goals without a strong enforcement authority. Yet, in many cases, the European Commission does not hold enough political authority to offer concrete results that do not offend one of its Members States. To solve this issue, many have called for a European Federalism, which is hardly conceivable nowadays. Others, such as the UK simply decide to left the EU to regain full autonomy. The European over-regulation can be counterproductive as it may drive companies out of the market or impeded the expansion of important players in a market due to the lack of EU political will. In 2019, the EC prohibited Siemens' proposed acquisition of Alstom on the basis that it would create a big important player in the European common market, despite the fact that both Germany and France express the need to create a company strong enough to compete worldwide.
 
Changed:
<
<
To prevent such eventualities, data privacy needs to be included in merger and acquisition due diligence processes which call for specific actions such as (i) understanding which data privacy regulations apply to each of the parties and the extent of their implication to the data shared for the purpose of the due diligence ; (ii) understanding how, where (personal devices and company-owned devices) the information is stored for each company involved, who can access the relevant data (taking into account the inherent difficulty of the common use of cloud and digital storage); (iii) undertaking a cybersecurity review of each company as the level of cybersecurity might substantively differ between the parties to the transaction.
>
>
Strong regulation in a weak market
 
Changed:
<
<
As explained above, data-driven mergers have demonstrated the need for new tools or processes with regard to both merger control regulations and data privacy laws. While these bodies of law pursue different goals, some have argued in recent years that privacy and personal data control should be a part of the current merger review. Building on the concept of consumer protection, inherent to competition policies around the world, one can see indeed personal data privacy breaches/inconsistencies as potential indirect or direct consumer harm that calls for an ex-ante (prior to the merger) control. The existing antitrust authority could be tasked with systematically holding data privacy concerns as a potential theory of harm tested in their merger assessment (de facto creating a one-stop-shop), thereby systematically scrutinizing the respect of privacy laws in concentration cases and offering some certainty to the companies with regard to the respect of data privacy rules. However, such a scenario would lead the antitrust authority to translate privacy and personal data into quantifiable economic terms, potentially moving away from the goals of the privacy laws and would only be limited to the mergers that meet the respective merger thresholds of competition authorities.
>
>
The EU is an important exporter of regulations (sometimes referred to as the “Brussels effect”) but when it comes to tangible products in the digital markets, the EU stands very low. European digital companies sell out early. Just to cite a few, Priceline (US) acquired Booking.com (NL) in 2005; between 2016 and 2019 the Chinese internet giant Tencent acquired majority participation in Supercell, a Helsinki-based mobile game maker; and in 2018, Apple closed its $400M acquisition of Shazam later announcing that it will integrate Shazam’s core product into its service. Other big tech companies are simply pushed out of the market, due to their lack of innovation in a fast-moving market: after enjoying unrivaled dominance in the mobile segment for several years, the Finnish Company Nokia lost most of its market share due to an important lack of innovation compared to its competitors. Microsoft eventually bought Nokia's phone unit in 2013 and later sold I to Foxconn (Taiwan). Aware of the weakness of its digital market for many years, the EU recently passed the “European Chips Act” in another attempt to put Europe back in the tech race. It is very hard to see how this limited act (chipset market) will really help the EU digital market catch up. This is not the first attempt to foster the digital markets and so far, it has not shown any real success as any market incentive is followed by a flurry of regulation and other limiting measures.
 
Changed:
<
<
I think the draft is an unprofitable attempt to write about the familiar in the guise of, rather than actually learning about, something new.
>
>
Call for a bottom-up approach instead of a top-down regulation
 
Changed:
<
<
We can be quite sure that if we want to understand anything useful about the networked society, we will not succeed by trying our view from the perspective of mitteleuropean antitrust bureaucrats. Adjusting their micrometers is not the sort of recommendation that shows we have mastered the bigger picture.
>
>
I think the weak EU tech and digital markets do not call for even more regulation but need strong political action at the Member States' level to foster public interest in tech. Such action would inevitably start by teaching tech to the young generations at schools and by strengthening universities tech programs across the continent. While in the US, the Silicon Salley brings a sentiment of empowerment and future success, the same feeling does not seem to prevail in the old continent where computer science is often despised in comparison to classic old studies, lawyers, doctors, civil engineers… Hermann Hauser, founder of several tech companies well summarized this sad reality by saying: “_If you’re a young chap in Europe, and you work for Siemens, and you have a great job, with credibility, and profile, and you have your pension, and your life ahead of you – and then you give it up to take a job at some futuristic start-up, your girl-friend would give you up. But in Silicon Valley, your girlfriend would leave you if you didn’t leave Siemens to join a start-up_.”
 
Deleted:
<
<
Your first point is completely immaterial. "Data-driven" business (as opposed, I guess to "stupid business") is orthogonal to the question whether turnover as opposed to value is a bureaucratic wake-up condition not to snooze through a merger.

Your second point seems also immaterial. Data breach liabilities are functionally identical to other tort or regulatory liabilities inherited from pre-acquisition operations. If there is a relevant distinction, what is it?

Your third point is relevant but insubstantial. Privacy and "data protection" compliance auditing is part of the current checklist that the sherpas of M&A carry about with them. The regulators will eventually adopt what the private practices are doing, if only because the least successful private practitioners will be added to the bureaucracy. But really, who cares?

The best route to improvement, I think, is to adopt a slightly broader perspective than the 2.5 nanometer aperture in use here. The regulatory routine is not technology, not law, and not politics, just Max Weber's bureaucratic self-sustainment. Regulator self-involvement is the saddest of egotisms. If there is something significant here, it should be visible from above.

  \ No newline at end of file

Revision 3r3 - 24 Apr 2022 - 17:15:30 - JeanPettiaux
Revision 2r2 - 11 Apr 2022 - 19:22:52 - EbenMoglen
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM