Europe’s flagship privacy standards, mandating how companies collect, store and use people’s data, got off to a stuttering start. But as the rules turn 3 years old on Tuesday, enforcement is finally on the way.
It’s just not coming from the bloc’s privacy regulators.
The European Union’s powerful competition authorities — both in Brussels and in national capitals — are elbowing their way into the world of data protection. Their focus is a small number of mostly American tech companies that have garnered so much control over reams of people’s social media messages, online search queries and digital shopping purchases.
The land grab has given these antitrust agencies an increasingly large say over privacy rules — albeit one framed around how dominant companies may abuse their market power over data, not around upholding people’s fundamental data protection rights.
It is also shifting the power dynamics — three years into the EU’s General Data Protection Regulation, or GDPR — as questions swirl about the ability of the region’s privacy agencies to enforce rules that have become the de facto global standard. So far, Google has faced the largest fine after the French privacy watchdog doled out a €50 million levy in 2019. Facebook’s WhatsApp messaging service is also on deck for a penalty of up to €50 million later this year. Almost all of the other fines have barely hit the million-euro mark.
Yet where once companies feared how these data protection watchdogs would enforce Europe’s tough privacy rules (including hefty penalties), firms are increasingly worried about how antitrust regulators are homing in on data — and the potential abuse of such digital information — as the front line in their efforts to enforce global competition norms.
That’s blurring the lines between antitrust and data protection, with competition watchdogs so far coming out on top because of their decades of legal enforcement experience compared with the relatively limited know-how within Europe’s privacy agencies. Both sets of regulators across Europe have openly discussed working with each other to tackle joint problems.
“Privacy and competition will be one of the big topics of the year,” Isabelle de Silva, France’s competition chief, told POLITICO. Her agency is currently assessing several cases that question Big Tech’s use of people’s data. “I think this will be a very big thing to follow.”
More power, more responsibility
The fast-expanding role of competition authorities was not how it was supposed to shake out when the bloc’s data protection agencies were given the new rulebook in 2018.
The standards, which have been co-opted by scores of countries worldwide, include the ability to fine companies either €20 million or 4 percent of their annual revenue, whichever is higher. Other provisions require firms to give people a greater say in how their data is used, and the ability to opt out of aggressive online targeting practices.
After years of obscurity, EU countries’ national privacy watchdogs came to the forefront amid growing wariness of how individuals’ data was used by companies and governments alike. Previously obscure civil servants were now central to these hot-button political fights, while scrutiny mounted over how the 27-country bloc’s individual regulators — many with drastically opposing views of data protection — would work with each other to enforce the rules.
Three years into that overhaul, it’s been hit and miss.
A pan-European group of regulators aimed at smoothing out disagreements between officials has struggled to fast-track cases. Problems range from the mundane — like it taking months to share enforcement documents between EU agencies — to the existential — like watchdogs fundamentally disagreeing over how to police Europe’s privacy rules, according to four officials who spoke on the condition of anonymity because they were not authorized to speak publicly.
At the center of the regulators’ difficulties is a lack of enforcement experience from agencies that now have the power to levy multimillion-euro fines and demand fundamental changes to the worst offenders’ business practices. The biggest fear: Cases will inevitably be appealed to local courts, so any mistake could prove devastating.
When the United Kingdom’s agency announced eye-watering fines against both Marriott International, the hotel chain, and British Airways in 2019, it was seen as Europe’s privacy enforcers finally showing their teeth. But after several legal mistakes, including not following the correct procedures in determining those penalties, the British enforcer reduced each of those levies by more than 80 percent.
The Irish regulator, too, has been extremely cautious in how it has gone after companies despite the country’s Data Protection Commissioner (DPC) opening 27 cases that involve U.S. tech companies. Before Europe’s new rules came into effect, Dublin did not have the power to levy fines. Officials have been deliberate in handling these investigations — critics say to the detriment of people’s privacy rights — out of fear of losing them on appeal.
“Going after headline fines doesn’t work, it leads to legal challenges,” said Daragh O’Brien, managing director of Castlebridge, an Irish data protection consultancy that has filed multiple complaints with the country’s watchdog. “It’s a question of the tortoise versus the hare. The tortoise has been criticized. But the DPC has been careful to clarify legal points so they won’t lose on appeal.”
Enter the competition posse
Privacy agencies’ caution has been a windfall for competition regulators.
As antitrust attention has increasingly focused on Big Tech, these agencies have turned to new policy levers — including how data is collected and used via mergers — to corral potentially anticompetitive behavior by a small number of Silicon Valley companies.
Before, these regulators could easily step in to review takeovers because companies’ revenues hit a certain threshold that triggered regulatory oversight. But the influx of data, a commodity that often does not have a specific financial value on its own, has made it hard, if not impossible, for officials to use traditional antitrust laws when reviewing such data-driven cases.
That has forced competition agencies to think outside the box, making it unclear where privacy rules stop and antitrust law begins.
Since early 2020, the European Commission has opened investigations or filed charges against the likes of Amazon and Facebook over how these firms have used digital information to tilt the scales unfairly in their favor compared with rivals. The firms deny wrongdoing. In 2019, Germany’s federal cartel office also ordered Facebook to stop combining data from its different social networks and messenger services on competition grounds — a case that was sent to Europe’s top court for review in March.
Still, even competition agencies can’t agree on everything.
British and Australian regulators have voiced their concerns about how Google may unfairly use data acquired from its acquisition of FitBit, the wearables company. But the Commission approved the deal after Google said it would not include people’s sensitive health data in its online advertising products and would not incorporate that information into the company’s broader pool of user data.
Even some close to the Commission question if that approach is correct.
“We are creating a system that is out of control,” said Tommaso Valletti, the Commission’s former chief competition economist and now a professor at Imperial College London, who has been critical of Brussels’ approval of the Google-FitBit deal. “We don’t understand the consequences of data. GDPR is a great concept. But its implementation is lacking, it’s becoming meaningless.”
Antitrust officials are only just warming up. It’s an open question whether their activities will be a boon for people’s privacy rights or allow companies to sidestep Europe’s data protection rules.
Already, France’s agency is probing whether Apple’s new privacy standards, which restrict outside groups’ ability to collect iPhone users’ data, fall afoul of the country’s competition rules. The U.K.’s watchdog — one that just signed a cooperation agreement with its data protection counterpart to share data on potential cases — is investigating Google’s similar move to limit how others can access people’s digital information. Both companies deny wrongdoing.
Australia, which is considering legal action to block Google’s deal for FitBit, has similarly voiced its concerns about Big Tech’s use of data. Rod Sims, the country’s antitrust enforcer, has claimed the search giant misled people when it collected their location data via smartphones, while saying that Google’s dominance over the online advertising, or adtech, industry has given it unrivaled access to people’s digital information in ways that may harm competition.
“Data is central,” Sims told POLITICO, adding his agency had not decided how best to proceed on its data-focused investigations. “Google has leveraged its data and acquisitions to dominate adtech. It’s clear that it has leveraged its access to data.”