Computers, Privacy & the Constitution

Taking into account data and privacy in merger control

-- By JeanPettiaux - 13 Mar 2022

The systematic collection by companies of business and personal data has increased dramatically over the past decades. In today's society and economy, the availability of large data sets is a highly powerful tool, one that calls for regulation to ensure the legitimate and lawful use of such powerful instruments. In this context, data have often been described as "the gold of the 21st century" and their systematic collection as "the gold rush of the 21st century".

The weight of data in business decision-making and their intrinsic value have caused the emergence over time of a plurality of new data-driven markets, which have experienced over the past decades a rise in mergers and acquisitions (see, for example, Google's recent acquisition of Fitbit). This sharp rise in this type of merger has led many antitrust authorities to question the adequacy of their merger control systems for assessing these cases. In the European Union, it has been argued that the EU Merger Regulation has difficulty catching mergers in big data-driven markets because of its current use of turnover-based merger notification thresholds. Indeed, it has been shown that many players operating in data-driven markets have a low turnover despite holding a strong position in a market, and could therefore threaten to significantly affect competition if acquired by a competing entity without ever triggering a notification. To bridge this enforcement gap, some authorities (e.g., the German Bundeskartellamt and the Austrian Bundeswettbewerbsbehörde) have, among other measures, introduced an additional merger control threshold based on the value of the transaction rather than the turnover of the parties involved.

The rapid rise in the number of data-driven mergers not only presents an issue with regard to merger notification thresholds and the subsequent competitive analysis but also raises concerns relating to the privacy and use of data, especially personal data. Indeed, the most important source of data for companies consists of interactions with actual or potential customers (user-generated content), whose rights are increasingly protected. Take, for example, the General Data Protection Regulation (GDPR), one of the toughest privacy laws in the world, passed by the European Union and put into effect in 2018, which requires companies to strengthen their data protection policies and processes. The GDPR is far-reaching: it protects the personal data (defined as information that relates to an individual who can be directly or indirectly identified) of EU citizens or residents and protects the rights of these individuals even when they are not in the EU. The regulation imposes extensive obligations and limitations on personal data processing relating to the use of data, data storage, the integrity and confidentiality of the stored data, the transfer of data, etc.

While it is usually well known that companies (data-related or not) breaching antitrust/competition law expose themselves to heavy antitrust sanctions (e.g., the 4.34 billion-euro, about $5 billion, fine imposed on Google by the European Commission in 2018 in relation to its Android operating system), companies also face significant fines for breaching data protection law. The GDPR exposes companies to fines of up to 4% of annual global revenue or €20 million, whichever is greater, in addition to the right of data subjects to seek compensation for damages. As an example, Marriott International is facing a 123 million GDPR fine, imposed by the UK Information Commissioner's Office, for a 2018 data breach of its guest reservation database.

To prevent such eventualities, data privacy needs to be included in merger and acquisition due diligence processes, which calls for specific actions such as (i) understanding which data privacy regulations apply to each of the parties and the extent to which they govern the data shared for the purpose of the due diligence; (ii) understanding how and where (on personal devices and company-owned devices) the information is stored at each company involved, and who can access the relevant data (taking into account the inherent difficulty created by the common use of cloud and digital storage); and (iii) undertaking a cybersecurity review of each company, as the level of cybersecurity might differ substantially between the parties to the transaction.

As explained above, data-driven mergers have demonstrated the need for new tools or processes with regard to both merger control regulations and data privacy laws. While these bodies of law pursue different goals, some have argued in recent years that privacy and personal data control should be part of the current merger review. Building on the concept of consumer protection, inherent to competition policies around the world, one can indeed see breaches of or inconsistencies in personal data privacy as potential direct or indirect consumer harm that calls for ex-ante (pre-merger) control. The existing antitrust authority could be tasked with systematically treating data privacy concerns as a potential theory of harm tested in its merger assessment (de facto creating a one-stop shop), thereby systematically scrutinizing compliance with privacy laws in concentration cases and offering companies some certainty with regard to their compliance with data privacy rules. However, such a scenario would require the antitrust authority to translate privacy and personal data into quantifiable economic terms, potentially moving away from the goals of the privacy laws, and would be limited to the mergers that meet the respective merger thresholds of the competition authorities.

I think the draft is an unprofitable attempt to write about the familiar in the guise of, rather than actually learning about, something new.

We can be quite sure that if we want to understand anything useful about the networked society, we will not succeed by trying our view from the perspective of mitteleuropean antitrust bureaucrats. Adjusting their micrometers is not the sort of recommendation that shows we have mastered the bigger picture.

Your first point is completely immaterial. "Data-driven" business (as opposed, I guess, to "stupid business") is orthogonal to the question whether turnover as opposed to value is a bureaucratic wake-up condition not to snooze through a merger.

Your second point seems also immaterial. Data breach liabilities are functionally identical to other tort or regulatory liabilities inherited from pre-acquisition operations. If there is a relevant distinction, what is it?

Your third point is relevant but insubstantial. Privacy and "data protection" compliance auditing is part of the current checklist that the sherpas of M&A carry about with them. The regulators will eventually adopt what the private practices are doing, if only because the least successful private practitioners will be added to the bureaucracy. But really, who cares?

The best route to improvement, I think, is to adopt a slightly broader perspective than the 2.5 nanometer aperture in use here. The regulatory routine is not technology, not law, and not politics, just Max Weber's bureaucratic self-sustainment. Regulator self-involvement is the saddest of egotisms. If there is something significant here, it should be visible from above.

r2 - 11 Apr 2022 - 19:22:52 - EbenMoglen
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.