ݺߣ

ݺߣShare a Scribd company logo

The Intersection between Competition and Data Privacy – KEMP – June 2024 OECD discussion

OECD Directorate for Financial and Enterprise Affairs
OECD Directorate for Financial and Enterprise Affairs

This presentation by Katharine Kemp, Associate Professor at the Faculty of Law & Justice at UNSW Sydney, was made during the discussion “The Intersection between Competition and Data Privacy” held at the 143rd meeting of the OECD Competition Committee on 13 June 2024. More papers and presentations on the topic can be found at oe.cd/ibcdp. This presentation was uploaded with the author’s consent.

1 of 15
Download to read offline
The Intersection Between Competition and Data Privacy Assoc Professor Katharine Kemp, Faculty of Law & Justice, UNSW Sydney OECD Roundtable, June 2024
The ‘subjective preference’ myth • Myth: privacy is just a ‘subjective preference’. A minority of consumers value privacy, but most don’t, so consumers should just make their own choices. • Privacy degradation is an objective cost imposed on consumers: increases the attack surface of data for breaches and misuse; increases the risk of identity crimes, scams, fraud, discrimination, exclusion, manipulation and humiliation.
The ‘privacy paradox’ myth • Myth: consumers say they value privacy, but they continue to use services with poor privacy terms, so consumers must not truly value privacy. • A misapplication of ‘revealed preference theory’, since consumers do not have a clear understanding of privacy terms and their future consequences or real choices about use of services.
The ‘democratizing data’ myth • Myth: the solution is to ‘democratize the data’ so that all firms have access to the data, creating a level playing field. • Inappropriate for personal data. We should not ‘democratize’ personal data any more than we should democratize kidneys. • Naïve to argue that data can simply be anonymized. Ongoing re- identification risks, plus truly anonymized data does not level playing fields.
‘Concealed data practices’ • “Occur when suppliers’ terms provide weak privacy protections for consumers while the extent of those terms, the resultant data practices and the consequences of these data practices are concealed from consumers.” • “Permit the collection, retention, use and/or disclosure of personal information, beyond that which is necessary for the provision of the service in question and beyond the reasonable expectations of the consumer.” Kemp, “Concealed Data Practices” (2020) European Competition Journal
CDPs undermine competitive process • Decrease privacy quality / raise quality-adjusted price. • Aid in creating and extending market power by means other than superior efficiency. • Make it unlikely markets will self-correct, especially in digital markets with network effects and economies of scope from data. • Hinder privacy-enhancing rivals since nature and extent of harms from concealed data practices are hidden. • Exacerbate the effects of exclusionary conduct. Kemp, “Concealed Data Practices” (2020) European Competition Journal
The perils of the regulatory relay in data privacy © Reuters: Dylan Martinez
Lessons from Google / Double Click “[W]hy would Google pay billions of dollars for DoubleClick, in an effort to keep DoubleClick out of the hands of competitors, if Google does not intend to combine the two firms’ valuable datasets?” In the matter of Google/DoubleClick F.T.C. (2007) Dissenting Statement, Commissioner Pamela Jones Harbour
Lessons from Google / Double Click • 2007: Google stated it did not plan to combine the firms’ datasets. • 2007: FTC majority decided not to impose data / privacy conditions on the merger. Left to privacy enforcement. • Google’s post-merger privacy policy stated, “We will not combine DoubleClick cookie information with personally identifiable information unless we have your opt-in consent.” • 2016: Google deleted this promise from its privacy policy.
Lessons from Google / Double Click • Google then spent substantial time and resources designing “a ‘Consent Bump’ that would make it more likely that users would ‘click’ on the option to agree” to the datasets being combined. • In the process, Google removed all references to “privacy” from the consent request and titled it “Some new features for your account”. • 2022: Federal Court of Australia held Google’s ‘Consent Bump’ was not misleading.
Level playing field of compliance vs lawless data grab
Need for early data protection enforcement • Unsanctioned data protection breaches can create first mover / incumbent advantages – eg, AI foundation models. • Rivals expect to follow suit. • Meta: “We are confident that our approach complies with privacy laws, and our approach is consistent with how other tech companies are developing and improving their AI experiences in Europe (including Google and Open AI)”.
Difficulties in legal transplants • Bundeskartellamt (Meta) approach: recognise exploitative abuses; some jurisdictions only recognise exclusionary. • US FTC approach: the same agency can pursue competition and consumer privacy actions; consumer protection is not equivalent to privacy as a fundamental right.
Privacy justifications for monopolization, or de facto privacy regulators
Testing privacy justifications • ‘Internal data free-for-all’ vs restrictions on rivals’ use of data. • Dominant firm’s internal combination of data and failure of purpose limitation may preference own data practices. • The objective should be data protection compliance by all. • Difficulty where genuine increase in competition on privacy quality occurs in different market to restriction on competition.

More Related Content

The Intersection between Competition and Data Privacy – KEMP – June 2024 OECD discussion

  • 1. The Intersection Between Competition and Data Privacy Assoc Professor Katharine Kemp, Faculty of Law & Justice, UNSW Sydney OECD Roundtable, June 2024
  • 2. The ‘subjective preference’ myth • Myth: privacy is just a ‘subjective preference’. A minority of consumers value privacy, but most don’t, so consumers should just make their own choices. • Privacy degradation is an objective cost imposed on consumers: increases the attack surface of data for breaches and misuse; increases the risk of identity crimes, scams, fraud, discrimination, exclusion, manipulation and humiliation.
  • 3. The ‘privacy paradox’ myth • Myth: consumers say they value privacy, but they continue to use services with poor privacy terms, so consumers must not truly value privacy. • A misapplication of ‘revealed preference theory’, since consumers do not have a clear understanding of privacy terms and their future consequences or real choices about use of services.
  • 4. The ‘democratizing data’ myth • Myth: the solution is to ‘democratize the data’ so that all firms have access to the data, creating a level playing field. • Inappropriate for personal data. We should not ‘democratize’ personal data any more than we should democratize kidneys. • Naïve to argue that data can simply be anonymized. Ongoing re- identification risks, plus truly anonymized data does not level playing fields.
  • 5. ‘Concealed data practices’ • “Occur when suppliers’ terms provide weak privacy protections for consumers while the extent of those terms, the resultant data practices and the consequences of these data practices are concealed from consumers.” • “Permit the collection, retention, use and/or disclosure of personal information, beyond that which is necessary for the provision of the service in question and beyond the reasonable expectations of the consumer.” Kemp, “Concealed Data Practices” (2020) European Competition Journal
  • 6. CDPs undermine competitive process • Decrease privacy quality / raise quality-adjusted price. • Aid in creating and extending market power by means other than superior efficiency. • Make it unlikely markets will self-correct, especially in digital markets with network effects and economies of scope from data. • Hinder privacy-enhancing rivals since nature and extent of harms from concealed data practices are hidden. • Exacerbate the effects of exclusionary conduct. Kemp, “Concealed Data Practices” (2020) European Competition Journal
  • 7. The perils of the regulatory relay in data privacy © Reuters: Dylan Martinez
  • 8. Lessons from Google / Double Click “[W]hy would Google pay billions of dollars for DoubleClick, in an effort to keep DoubleClick out of the hands of competitors, if Google does not intend to combine the two firms’ valuable datasets?” In the matter of Google/DoubleClick F.T.C. (2007) Dissenting Statement, Commissioner Pamela Jones Harbour
  • 9. Lessons from Google / Double Click • 2007: Google stated it did not plan to combine the firms’ datasets. • 2007: FTC majority decided not to impose data / privacy conditions on the merger. Left to privacy enforcement. • Google’s post-merger privacy policy stated, “We will not combine DoubleClick cookie information with personally identifiable information unless we have your opt-in consent.” • 2016: Google deleted this promise from its privacy policy.
  • 10. Lessons from Google / Double Click • Google then spent substantial time and resources designing “a ‘Consent Bump’ that would make it more likely that users would ‘click’ on the option to agree” to the datasets being combined. • In the process, Google removed all references to “privacy” from the consent request and titled it “Some new features for your account”. • 2022: Federal Court of Australia held Google’s ‘Consent Bump’ was not misleading.
  • 11. Level playing field of compliance vs lawless data grab
  • 12. Need for early data protection enforcement • Unsanctioned data protection breaches can create first mover / incumbent advantages – eg, AI foundation models. • Rivals expect to follow suit. • Meta: “We are confident that our approach complies with privacy laws, and our approach is consistent with how other tech companies are developing and improving their AI experiences in Europe (including Google and Open AI)”.
  • 13. Difficulties in legal transplants • Bundeskartellamt (Meta) approach: recognise exploitative abuses; some jurisdictions only recognise exclusionary. • US FTC approach: the same agency can pursue competition and consumer privacy actions; consumer protection is not equivalent to privacy as a fundamental right.
  • 14. Privacy justifications for monopolization, or de facto privacy regulators
  • 15. Testing privacy justifications • ‘Internal data free-for-all’ vs restrictions on rivals’ use of data. • Dominant firm’s internal combination of data and failure of purpose limitation may preference own data practices. • The objective should be data protection compliance by all. • Difficulty where genuine increase in competition on privacy quality occurs in different market to restriction on competition.