What is the most effective EU law framework for regulating 'Big Tech' companies online?

Author: Kayla Smith

Introduction

This thesis will examine what the most effective EU law framework is for regulating ‘Big Tech’ companies that operate in an online capacity, such as Facebook, Amazon, and Google. In today’s media-saturated world, and especially in the time of the current coronavirus crisis, we are spending an ever-increasing amount of time on the Internet. For example, in 2019, the average person in Italy spent around 45 hours per month on Facebook alone – and this figure was prior to the global coronavirus pandemic; one can only imagine how drastically it must have risen since worldwide lockdowns were implemented. In the digital space, it is not only goods that are being bought and sold, but our personal data as well, and without being curbed by European law, ‘Big Tech’ companies such as Google, Facebook and Amazon have been able to exploit our presence online by accumulating vast amounts of our personal data, through their own apps and websites in addition to third-party aggregates. This is of particular significance today, given the mass migration of people to the online sphere during the pandemic. One framework that could be implemented in order to regulate such ‘Big Tech’ companies online is competition law proper under EU law. Art. 102 TFEU, which prohibits abuse by a dominant position in a relevant market, would perhaps be best suited to this endeavour given the powerful position of ‘Big Tech’ companies in the online world. One problem with this Article that has led to its lack of employment in the New Media Age is the question of whether or not ‘Big Tech’ companies do in fact hold a dominant position. This is particularly poignant when the necessary prerequisite of a “relevant market” is taken into consideration. Market definition has become problematic in light of rapid technological advancements, as it is difficult to determine exactly what the market is in an online space – is it the market for Internet services, for Internet users, for personal data, for attention, or is there no market at all? This lack of a clearly defined market has been a great issue in enforcing Art. 102 TFEU online, and has had unfortunate repercussions in market abuse by ‘Big Tech’ companies. Moreover, it is not just the market definition issue that has led to issues with enforcement of Art. 102 TFEU in the digital world, as another criterion that must be fulfilled for its implementation is that of abuse. If there is no abuse by a dominant company online, then there is no problem for competition law to solve. Traditional industrial economics and competition law has looked at changes in prices for goods and services as an indicator of abuse, but, since many online services are offered for free, this abuse is harder to spot and often takes the form of privacy violations and disclosure of personal data, which competition law is not conventionally equipped to deal with. Therefore, whilst the TFEU may once have been sufficient in regulating competition in the internal market, the situation is no longer as simple as differentiating between apples and bananas. Another framework that will be discussed is the General Data Protection Regulation. Personal data has become a major part of how companies operate online, and, as such, the GDPR must be considered in its effectiveness as a framework for combatting ‘Big Tech’ companies in the online world. The GDPR was drafted to protect people’s personal data – something that is now at the heart of companies that operate online, and outlines ways to protect this personal data as well as enforcement mechanisms and fines for companies that fail to do so. As such, it is certainly a valuable instrument to regulate ‘Big Tech’ companies online. Whilst the legal framework is sound, in reality, the Data Protection Authorities who implement the GDPR are often underpaid and overworked, making application of the Regulation more difficult. Whatever the best framework is for regulation of ‘Big Tech’ companies online, one thing is clear: without regulation, there are incalculable quantities of personal data being exploited on a daily basis in the EU by tech-giants that retain their dominant position in the online world. There are both social and economic implications of the failure to regulate such companies online: firstly, immense quantities of our personal data are being shared without permission, causing detrimental effects to our consumer welfare; and secondly, competition is being hindered dramatically since smaller companies and start-ups are entirely unable to enter the online sphere that has already been dominated by the “persistence of today’s digital leaders.” The digital environment used to be far more competitive, with different companies rising and falling with the booms and busts of the dot com era. However, the big players in the online market have now been dominant in their respective sectors of the Internet for over ten years, underscoring the fact that competition is practically now non-existent.

Methodology

Therefore, the research question that this thesis examines is: What is the most effective EU law framework for regulating 'Big Tech' companies that operate in an online capacity?

In order to answer this question, an objective benchmark for measuring ‘effectiveness’ must be set. ‘Effectiveness’, then, for the purposes of this thesis, shall be gauged in terms of:

• Application – how easy is it to apply this framework to regulate ‘Big Tech’ companies online

• Enforcement - public or private and which is more suited for application to online companies

• Deterrence - what are the applicable fines and will these deter future offences

• Overall effectiveness - can this instrument be readily applied to online situations and how will it help consumers

An explanation of platform technologies will be given, and the deficiencies of existing competition law under Art. 102 TFEU will be addressed. The criteria for implementation of this Article are also looked at, illustrating that until it can be proven that ‘Big Tech’ companies do hold a dominant position online, that this position is in a relevant market and that there is an abusive practice, competition law falls short when applied online. The private enforcement of this instrument and the difficulties related to implementation will also be discussed. In addition, the creative interpretation of the TFEU by Member States in such judgments as the German competition authority’s Facebook case will be reviewed. Next, the General Data Protection Regulation will be assessed in its effectiveness as an EU law instrument to regulate ‘Big Tech’ companies online. The public enforcement of this instrument will be compared to the private enforcement of the TFEU, as well as the efficacy of only having to prove that a violation of personal data has taken place. Information asymmetry is a crucial part of this, though, as without knowledge or care about what is being done with our personal data, it is unlikely that cases will be brought under the GDPR. Finally, the conclusion will weigh up the two instruments and, based on the objective benchmarks outlined above, determine what the most effective EU law framework is for regulating ‘Big Tech’ companies online.

Section 1: How do ‘Big Tech’ companies operate online?

Most major online platforms offered are ‘free’ – at least in terms of money. However, these platforms have shifted to a business model where consumers do not pay in cash for the use of their services, but in personal data. In fact, “numerous companies [now] base their business models on the collection and monetization of consumer data”. Whilst, prima facie, this appears to be a win for consumers as it saves them money, the real concern runs far deeper. The modern issue facing consumers in an online world is the distribution of their personal data, as this is how many companies now make money from their ‘free’ services. These platforms operate following a plan known as a “data-as-payment” model, where, as the moniker suggests, no pecuniary payments are required to use the online service, but, instead, one’s personal data is harvested and sold for advertisement revenue to the highest bidder. The collection of data can indeed be seen as a positive, as it makes for a better experience online for users: advertisements are more personalised and relevant to the user, and the whole service evolves to become more tailored to the user’s interests and needs. This is, undoubtedly, one of the many benefits of these ‘free’ online services that the vast majority of the population uses on a daily basis. When searching the web for something, it is certainly helpful that the advertisements that pop up are, more often than not, related to something you are interested in. When watching YouTube videos, the personal data that has been collected from you as a user absolutely makes the suggested and related content at least somewhat close to areas that interest you. Perhaps one of the most striking examples of personal data being used to build a better experience for users is that of Instagram. The ‘explore’ function in particular is often extremely good at predicting where one’s interests lie, and this serves to make the whole service more beneficial to the user. This is because it is not truly ‘predicting’ at all, but rather using personal data that has been gathered across a myriad of other online services in order to build up a collection of possible interests and pursuits of users. If this were the end of the story, there would be no damage done at all, with quite the opposite effect of improvement for consumers instead. However, the fact of the matter is that, unfortunately, this façade of helping to make their services more customised and personalised to consumers through the use of their personal data is masking something far more dangerous. Many ubiquitous online services use web tracking through cookies, which is “the unseen and unauthorised extraction, storage, analysing, selling, buying and auctioning of personal online data”. The implications of this are immense, as it means that even third-party online services that you may never have heard of may quite possible have heard of you, through buying your personal data from a company you do use. This seems an extraordinarily high price to pay for browsing social media, the Web, or watching videos online. Therefore, it must be emphasised that whilst online services market themselves as ‘free’, the cost in personal data is staggering. Take, for example, the Atlas software that Facebook uses. This software gives Facebook access to, for starters, all of the personal data that you as a user input into the service. Naturally, this includes all of the likes on posts, all the pages and people that you follow and everything that you interact with on the app or website. In addition, Atlas is able to mine even more data from many other apps that users frequent. This data is then sold and doled out to anybody that is inclined to pay a high enough price for it. One of the major issues with this is the aspect of information asymmetry of how data is used online. The general public is unaware of the full extent of data mining that is occurring on the Internet, and, worryingly, around 1 in 3 Europeans are willing to share personal data such as date of birth, citizenship and home addresses with private companies. Because it is often unclear at best what data will be shared by such companies, it is frequently difficult for people to decide that they are prepared to have their data divulged in return for using a service. This issue is multi-faceted, as not only do users not know what personal data of theirs is being bought and sold, but they are also, for the large part, unaware what their data is being used for. Consumers of online services are indubitably being exploited by the collection and marketing of their private personal data online, and the problem with ‘Big Tech’ companies is that they have come to control such a large amount of platforms and services online, and this “concentration of power” intensifies the harm that is done when they fail to live up to European standards of rights such as privacy. This dominance online is highlighted by the fact that it is next to impossible to circumvent using services or platforms controlled by Facebook, Amazon or Google when one goes online. Facebook’s acquisition of both WhatsApp and Instagram has given it dominance in the social media and communications fields, and Google searches account for 90% of all Internet searches worldwide. On top of that, software developed by Google runs three-quarters of the world’s smartphones. One solution to deal with this online market domination, then, is through utilising European competition law frameworks.

Section 2: Article 102 TFEU

Application

In order to apply Art. 102 TFEU to situations online, certain criteria need to be met. Firstly, the dominance of ‘Big Tech’ companies needs to be demonstrated. Next, it must be shown that they are dominant in a relevant market. Finally, it needs to be shown that their practice is abusive.

1. Dominance

The dominance of ‘Big Tech’ companies online has been outlined above, perhaps most emphatically by the fact that avoidance of using technology or services by one of these companies online is next to impossible. Moreover, these companies have also grown to such an extent that start-ups cannot enter the market, and those that are successful are often purchased by ‘Big Tech’ companies and either killed off or used and advanced in their own name, such as the acquisition of Instagram by Facebook, allowing the company to dominate the social networking market.

2. The ‘market’ definition of Art. 102 TFEU

Article 102 of the Treaty on the Functioning of Europe stipulates that: “Any abuse by one or more undertakings of a dominant position within the internal market or in a substantial part of it shall be prohibited as incompatible with the internal market”. Because of this wording, the TFEU has struggled to be relevant in the digital era, as Internet services are difficult to pin down into any one market, and consumers are not affected in the conventional way of price hikes and other monetary issues that come with dominance of companies in a market due to the ‘free’ nature of these platforms and services. One problem, then, with implementing Art. 102 TFEU online comes down to pinpointing the market that is relevant to the online world. One line of thinking regarding this is that there is a market for “platforms providing online services”. Whilst this is quite a broad definition, it is still useful as it provides a definition of the market that big tech companies do ‘dominate’. This definition can be broken down further to also include a “market of social networking services”, and this is highly pertinent to companies such as Facebook. If this “market of social networking services” was to be taken as the definition of the relevant market under Art. 102 TFEU, then it could be seen that Facebook is certainly the dominant player in that market, controlling Facebook, Instagram and WhatsApp. Using the “market of social networking services” then would mean that Facebook does hold a dominant position on that market, and, moreover, it is abusing that position. The abuse is not in a monetary sense, rather a personal data sense. As Facebook holds a monopoly on the market of social networking services, it has access to far more personal data of its consumers than other companies would be able to have. This leads to Facebook not only being able to create a more tailored and personal experience online for its users, which cements the users and keeps them using the service; but this also deters competition as other companies without such a dominant position online are unable to keep up with the ocean of personal data – bringing advertising revenue and a better user experience on the platform - that Facebook has collected, and thus competition is adversely affected. For the other big players online, Google and Amazon, the term “social networking services” does not strictly apply, as the service offered by those platforms is less about social interaction and more about other Internet services. Perhaps a good term for the relevant market of Google then is “Internet services” and “online advertising space”, and Amazon is “online shopping” or “online marketplace”. Once the delineations of these markets has been established, it is not a far leap to see that the dominant positions that the relevant companies hold are being abused.

3. Abusive Practice

The next issue with the application of Art. 102 TFEU online is that there is no price element that is traditionally sought when checking for abuse by a dominant position in a market. As will be discussed in the next section extensively, there is a lack of a literal price paid in money by consumers to use the online services in question. However, the price is oftentimes now paid in personal data instead of a literal fee, and this causes serious concerns for consumer welfare, one of the goals of Art. 102 TFEU. This thesis therefore puts forward the argument that, in order for online application of Art. 102 TFEU, the traditional price component of the test for abuse by a dominant position in a relevant market should be expanded to also include less conventional understandings of the term “price”, such as the price that is paid in terms of personal data to use a service through accepting cookies and long-winded terms and conditions. As has been pointed out, after all, “competition does not disappear merely because the undertakings offer their product for ‘free’”, and consequently, interpretation of competition law under the TFEU should be expanded to also include such seemingly free services. With a relevant market being so defined as to also include the ‘market of social networking services’, the ‘market of Internet services’, and the ‘market of online shopping’; and the price constituent enlarged to additionally comprise imparting personal data, it can be seen that the TFEU can be applied to online platforms and services with a marginally broader interpretation than is currently being adopted. Whilst these markets are not as narrow as those markets that have previously been found to be in contradiction of competition law under the TFEU, this can be seen more as a mark of the times than anything else. Because the Internet is so broad and far-reaching, it is only logical that the markets that stem from it are difficult to categorise and therefore more extensive and inexact, but this does not and should not mean that they are able to escape competition law under the TFEU.

The Purpose of Art. 102 TFEU and its implementation online

To suggest implementing Art. 102 TFEU to situations of market abuse online – something rather rare – it is helpful to examine the purpose of the Article. A cornerstone theory of the reason for regulating competition under Art. 102 TFEU is consumer welfare. It has been noted that “the underlying goal of Article 102 is consumer welfare”, and that because competition leads to a better range of choices and advantages for consumers, laws regulating competition have, at their heart, protection and benefits for consumers. Consumer welfare is, therefore, a crucial keystone of Art. 102 TFEU. Whilst in theory this sounds promising for such issues as personal data protection for digital service users, in practice, consumer welfare has so far not been at the forefront of implementation of this Article. The travaux préparatoires of the drafters of this Article was examined and found to have consumer protection as a main goal of Art. 102 TFEU, which further underscores the want of the Commission to protect consumers from the adverse effects of unregulated competition, such as increased prices and lack of choice and variety in products. However, at the time this treaty was drafted, it could not be anticipated that the price consumers would pay would not be monetary, but instead in terms of their personal data in an online world. Traditionally, market abuse was noticeable when consumers paid a price for the dominant position of a company. However, major online platforms such as Facebook and Google are completely ‘free’, with users paying instead with the divulgence of their personal data, and this could be a reason why these companies’ dominance so often flies under the radar of the TFEU. Moreover, the 2009 Guidance on Art. 102 TFEU mentions consumer welfare under several of its sections, reinforcing the concept that consumer welfare is at the core of this Article. The Commission, then, is rather forthcoming with proliferating the idea that the goal of this regulation is to protect the consumers. However, when consulting the actual practice of the Commission in carrying this ideal out, there is a distinct lack of cases that actually deal with issues of “individual consumer harm [that] have been discussed in Article 102 cases”. A major quarrel with the consumer welfare aspect of Art. 102 TFEU is that it has not been coherent and consistent in its implementation in market abuse cases. This was particularly evident in the notable cases of British Airways v Commission and Corp v Commission, in which references to damage to consumer welfare were conspicuously absent. Consequently, it can be noted that Art. 102 TFEU’s “goal of consumer welfare is unclear.” This certainly puts the consumer at a disadvantage when it comes to the protection that this Article is supposed to offer, and it follows then that the massive and often unknown cost of personal data that users are bearing has not historically been a major concern of the TFEU. It can be seen that the current Treaty does not do enough to protect against market abuse online. This market abuse has disadvantageous and harmful effects for both consumers and other competitors, and has not been adequately addressed under the current Treaty as of yet. For competitors, it has become next to impossible to enter the online ‘market’, as competing with tech-giants such as Amazon, Facebook and Google is practically impossible. For consumers, the price is often less easily noticeable. At surface value, it appears that we as online users receive many services for free - navigating the web, watching videos online, finding routes to destinations with real-time maps, using email services and social media to keep up with friends, relations and colleagues and so much more. However, the price of using these digital services is our personal data which is used to “generate advertising revenue” for companies, and this is ultimately an enormously high price to pay. Consumer protection, as a goal of Art. 102 TFEU, ought then to extend to the protection of personal data that is being exploited by the dominant position of many companies in the online space. Though monetary exchanges are not made, and thus the traditional “price dimension” that regulators and enforcers are used to is no longer in play, the exchange of personal data and so-called ‘attention’ that users give up to companies in order to use their services online is hugely damaging to consumers, especially when the fact that many people do not know the true worth of their personal data is taken into consideration. Overall, then, it seems that application of Art. 102 TFEU to regulate ‘Big Tech’ companies online is proving rather difficult. In particular, the lack of a traditional price element makes the use of this Article quite challenging in online markets, as without a clear abuse – such as predatory pricing or price hikes – it is hard to pinpoint an infringement and invoke Art. 102 TFEU. The hazy and indistinct nature of online markets also compounds the difficulties of application of the Article; and though consumer welfare is a goal of Art. 102 TFEU, again it relates to the more traditional idea of protection from unfair prices.

Enforcement

There are both public and private enforcement possibilities available under EU competition law. Private enforcement shall be focused on for the purposes of this thesis, as one of the issues to address is the effectiveness for consumers and those affected by the dominance of ‘Big Tech’ companies online. Private enforcement under competition law has been possible since the Courage judgment of 2001, where it was decided that individuals could also act against each other, not just against Member States. Private enforcement of competition law in the EU stems from Directive 2014/104/EU, which governs actions for damages suffered as a result of breaches of competition law and is carried out by national courts. However, in order to invoke this, one has to be aware of and able to prove the damage that has been done, and because of the massive information asymmetry that exists online, with consumers not knowing how much of their data they have given up or what that data is used for, this is problematic. Moreover, proving that there has been damage suffered is “very burdensome as the claimant does not have access to the internal documents of the alleged abusive companies” , and thus proving to a court that there have indeed been damages suffered as a result of an abusive practice of a ‘Big Tech’ company will be challenging indeed. Moreover, cases will not emerge under private law unless people have a strong enough interest to bring them to the national courts, and as has already been demonstrated, many people in the EU are unaware or simply do not care that their privacy and data has been breached to such a large extent by a few dominant companies. Finally, these damages also take the form of, once again, a more traditional outlook of a monetary component, and thus applying them to personal data violations and putting a price on that will not be easy for national courts. Private enforcement is therefore quite difficult for individuals under Art. 102 TFEU.

Deterrence

Under private law claims for violations of competition law provisions, the claimant can receive damages for actual loss caused by the infringement as well as loss of profit; however, proving the extent of these damages will be very difficult. For one, finding out what you have missed out on as a result of selling and buying of your personal data is next to impossible. For example, if you have been denied more affordable healthcare because you use an app to help you quit smoking and that app has sold your data on to a healthcare provider, how would you ever be in a position to know? The Commission also has the legal basis to fine companies for infringements under Art. 103 TFEU - and is possibly in a better position to act than individuals who have less knowledge about the violations - and the maximum fine is capped at 10% annual turnover. Unfortunately, in practice, the Commission is not so quick to bring the full force of competition law down on offenders, and rarely uses the full 10% fine. There has, however, been an increasing amount of fines brought against ‘Big Tech’ companies, and this “has certainly made senior executives more anxious about compliance, but it does not appear to have reduced the number of instances of offending conduct.” Therefore deterrence, as outlined by EU competition law, is somewhat hindered by, on the one hand, people’s lack of knowledge about their personal data and what it is being used for, and, on the other, the massive amount of revenue of ‘Big Tech’ companies making them less worried with compliance. The challenges related to application, enforcement and deterrence of Art. 102 TFEU can perhaps best be solved by using a different framework – the GDPR.

Section 3: The General Data Protection Regulation

The General Data Protection Regulation (GDPR) immediately comes to mind when one thinks of legal protection for personal data. However, due to the fact that those who carry out the work and implementation of the GDPR, such as Data Protection Authorities and Supervisory Authorities in Member States, are critically underfunded and under-resourced, the Regulation is not as effective as it could be; and it has been noted that, indeed, “Europe’s governments are failing the GDPR by failing to allocate sufficient resources or manpower”. However, this is not an issue with the framework itself, but with policy makers who have not afforded enough resources to an instrument that could prove vital in regulating ‘Big Tech’ companies online.

Application

The GDPR, which has been in effect since 2018, certainly contains many lofty ideals when it comes to data protection. As it was drafted far more recently than the TFEU, it is fair to say that it has a more current approach to dealing with data in an online world, and was drafted with more knowledge about the dangers of ‘free’ online services and the damage to consumer welfare that ‘Big Tech’ companies could have. On paper, Chapter Three on the ‘Rights of the Data Subject’ certainly seems to offer much protection to users and consumers of online services. There are many articles guaranteeing the protection of personal data and the right to object to processing of such data. However, the issue of information asymmetry recurs here, as many Europeans are not aware of the full extent of rights that they have under the GDPR. Moreover, even those citizens who are aware of their rights and do take their cases to the relevant Data Protection Authorities often find that those Authorities are already hugely burdened by cases as it is, and so processing of new cases can take quite some time. Moreover, it has been demonstrated recently that the GDPR is, in effect, somewhat unsuccessful at curbing the power of tech-giants. In fact, a US study has revealed that, instead of restraining the monopolies of the most prominent companies, “since the implementation of the GDPR, Google, Facebook and Amazon have [actually] increased their market shares in the EU”. In addition, when cases brought under the GDPR are successful, the fines administered are nominal in comparison to these gargantuan companies’ revenues. For example, in 2019, the French Data Protection Authority (CNIL) fined Google LLC under the GDPR for, amongst other things, its failure to receive consent from users before processing their personal data. CNIL had received complaints through various organisations from over 10 000 people who had objected to the dispensation of their personal data, and thus the action against Google began. The fine that was agreed on was the sum of €50 million, which sounds immensely impressive. Unfortunately, in advertisement revenue alone, Google makes well over €100 million a day, and therefore this fine roughly equates to about 12 hours of work for the company. The problem is that even fines in the billions would only cost these companies a few weeks’ worth of revenue to settle, as their position in the online market is so dominant that they are able to maintain a high income from advertising revenue and selling of personal data. The monopoly position that such companies as Google, Facebook and Amazon enjoy is so strong that fines in the millions of dollars are nothing more than a sharp slap on the wrist. Compliance with the GDPR is not at the forefront of these companies’ business plans. Regrettably, for the user, this puts them at a distinct disadvantage when it comes to protection of their personal data online. In addition, consumers are disadvantaged by the lack of competition and monopolisation of internet services, as they do not really have a choice in what services they use, as any competing products are either made obsolete by the existing companies, or bought up and amalgamated into those monopoly companies. This is significant for consumers, as it means that, if they want to use online services, which have become increasingly necessary in the coronavirus pandemic, then they are forced to put up with whatever conditions are stipulated by these companies, as there exist no competing companies that users could turn to. Overall, though, the GDPR was made to be applied to situations involving personal data, especially those online, and is therefore a very strong framework for individuals to rely on in circumstances of privacy violations of personal data by ‘Big Tech’ companies.

Enforcement

Enforcement is where the GDPR pulls well ahead of competition law. The GDPR has a system of public enforcement by Data Protection Authorities (DPAs), who have been granted “investigative powers” to check if a violation has occurred, and these powers also give them the ability to “request access … to all information necessary” to reach a decision, and this is vital as it includes access to data and processing apparatus of suspected violators. This is incredibly useful in terms of enforcement, as it mitigates the information asymmetry that would otherwise exist by forcing ‘Big Tech’ companies to disclose this usually closely guarded information. Not only that, but DPAs are tasked specifically with dealing with breaches of the GDPR, and therefore are more concentrated on issues particular to the online world such as personal data infringements, as opposed to the more general and traditional competition law focus of economic harm. In addition, where competition law requires a claimant to prove complex aspects of the violation including that damage was done and the practice of the defendant was abusive, the GDPR is more aptly applied. If your data has been “misused, disclosed destroyed or lost and you have suffered financial loss or distress” as a result, then it becomes possible for you to reach out to national DPAs with a simple online ‘postcard’ system and claim compensation under Art. 6 GDPR in conjunction with Art. 82 GDPR. The GDPR allows for claims for both material and non-material damages, giving a more far-reaching effect to the instrument than competition law has. This highlights the different material scope that the GDPR has compared to competition law under the TFEU, focusing on the violation itself taking place, and not solely the abusive practices of companies.

Deterrence

The GDPR has the power to dole out administrative fines under Arts. 82 and 83. Under Art 83(4) and 83(5) GDPR, administrative fines start at 2% of annual turnover and are capped at 4% (or €20 million, whichever is highest). Whilst this may seem to be a lesser sum than the 10% offered under competition law, it is important to remember that, on average, the fines under competition law roughly equate to those under the GDPR as the Commission does not usually hit companies with the full 10% fine. Importantly, the fact that individuals can receive compensation – and that it is comparatively easier than receiving compensation under competition law – highlights the strength of the GDPR as a regulatory framework. Moreover, this possibility to claim material and non-material damages can be seen as incentive to get more people to claim under the GDPR, which, in turn, will lead to more cases and hopefully more deterrence as ‘Big Tech’ companies realise that more and more people in the EU are unhappy with their online activities and will not stand by silently any longer.

Member State solutions to regulating ‘Big Tech’ companies online

In assessing the law of the European Union, it is often useful to examine its application in Member States, as Europeanisation is an ongoing two-way process, with Union law being shaped from the bottom up as well as vice versa. Judgments originating in Member States can have enormous value in sculpting EU law, as they give a reflection of how states interpret and use EU law to solve issues on a national level. A novel ruling that seems to apply both the principles behind the GDPR and Art. 102 TFEU comes from the competition authority in Germany, the Bundeskartellamt. In its judgment against Facebook in 2017, the Bundeskartellamt found that Facebook had abused its dominant position online with its exploitative privacy policies. The German competition authority found that connecting consent (to cookies and other privacy policies) to data collection in order to use the service online qualified as abuse of a dominant position in an online marketplace, for the reason that consumers cannot simply switch to another service or platform online, as no other is as prominent or serves the same purpose as Facebook. At a cursory glance, this may seem like a radical interpretation of the competition law enshrined in Art. 102 TFEU, as the Commission has not been as broad in its interpretation of the scope of the Article. However, this is “not bending competition law to the heteronomous task of protecting users’ personal data”, rather, it is a way for German courts to find a solution to anti-competitive activities in the digital marketplace. This judgment is very interesting, as, to a large extent, it connects competition law and data protection concerns. This is a landmark judgment, especially for the purposes of this thesis, as it highlights the idea that in the digital world there is no longer room for a narrow interpretation of EU competition law if we wish to have a healthy, competitive online marketplace. In contrast, the European Commission has not had data protection – and therefore consumer welfare, to a degree – at the forefront of its competition law decisions. Indeed, the Commission has stated explicitly in its past judgments that “any privacy related concerns flowing from the increased concentration of data … do not fall within the scope of EU competition laws”. This makes the Bundeskartellamt’s judgment all the more innovative, as it expands on existing competition laws to make them more applicable to the digital environment of today.

Conclusion

Personal data has come to obtain a monetary value online, due to the fact that advertisers pay to know more about consumers so they can target their advertisements more effectively, and, in turn, online platforms can charge more for the placement of such advertisements. Users of such online services have no choice but to consent to this data collection if they wish to use the service, and, because of the market dominance of the companies that provide these services, users cannot simply switch to a less intrusive platform. However, traditional competition law is not so easily applied to these contemporary issues, and thus the GDPR provides a more effective framework for regulating ‘Big Tech’ companies that operate online.

1. In terms of application, the GDPR was drafted for the use of protecting people’s personal data and privacy in the quickly changing online world, and is therefore easily invoked to deal with such modern issues. In contrast, Art. 102 TFEU was drafted with more traditional parameters for application that simply do no exist online, and application to such situations requires far more creative interpretation by the Commission and national competition authorities (as demonstrated in the German Facebook case).

2. Enforcement of the frameworks is also in the GDPR’s favour, with the public enforcement and ‘postcard’ system of notifying national DPAs of violations proving relatively successful so far, despite the under-sourced workforces. Moreover, the issue of over-worked DPAs is solved easily enough – by Member States allocating more resources to this sector, they will help protect citizens as well as regulate ‘Big Tech’ companies. On the other hand, the massive issue of information asymmetry still exists, and people need to know the rights that are protected online by the GDPR and care enough to do something about it. However, information asymmetry is just as large a problem under the private enforcement of Art. 102 TFEU, without the simple ‘postcard’ procedure of the GDPR even when individuals are concerned.

3. Deterrence under the GDPR and Art. 102 TFEU is relatively comparable, as the full force of the 10% fine on annual turnover offered by the latter is rarely employed, making the sum of the fine under this framework similar to the 2-4% fine of the GDPR. Additionally, the possibility to claim damages, both material and non-material, exists under the GDPR, which may be an incentive for individuals whose rights have been infringed upon to act and stand against ‘Big Tech’ companies. Under competition law, one can only be compensated for economic damage, and, again, this is only if the national competition authority agrees that the TFEU can be utilised in the situation.

Overall then, after weighing up the two most relevant frameworks to regulate ‘Big Tech’ companies online, the GDPR comes out at the forefront, as it is easier to apply without major changes, and will result in greater compensation for users that have suffered as a result of the market dominance of companies that have collected and sold their data without consent.

Areas for Future Research

The Digital Markets Act (DMA) is an important legislative proposal from Commission. Once it has been officially approved by the European Council and the European Parliament, this proposal will enter into force as a Regulation, and this is expected to be in around June 2022. This document highlights the fact that Commission has noted its own prior oversight of competition online, and may be interesting to study in the future in its role as an effective regulator of ‘Big Tech’ companies.

Bibliography

Primary Sources

Treaties

Consolidated version of the Treaty on the Functioning of Europe (TFEU) [2012] OJ C326/47

Secondary Sources

Regulations

EU General Data Protection Regulation (GDPR): Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ 2016 L 119/1

Commission, ‘Regulation of the European Parliament and of The Council on contestable and fair markets in the digital sector (Digital Markets Act)’ (Proposal) COM(2020) 842 final, 15 December 2020

Guidelines

Guidance on the Commission's enforcement priorities in applying Article 82 of the EC Treaty to abusive exclusionary conduct by dominant undertakings: Information from European Union Institutions and Bodies (2009) OJ C C 45/07 (24 February 2009),

Judgments

Case C-27/76 United Brands Company and United Brands Continentaal BV v Commission of the European Communities (United Brands) [1976] ECR I-209

Case C-453/99 Courage Ltd v Bernard Crehan and Bernard Crehan v Courage Ltd and Others [2001] ECR I-06297

Case C-95/04 British Airways v Commission [2007] ECR 1-2331; Corp v Commission [2004] ECR 11-03601

European Commission, Facebook/Whatsapp, 3 October 2014, Case N. Comp./M. 7217, para. 164.

Bundeskartellamt, ‘Preliminary Assessment in Facebook Proceeding: Facebook’s collection and use of data from third-party sources is abusive’ (2017) <http://www.bundeskartellamt.de/SharedDocs/Publikation/EN/Pressemitteilungen/2017/19_12_2017_Facebook.pdf?__blob=publicationFile&v=3>, accessed 22 April 2021

Journals

Akman P, ‘Searching for the Long-Lost Soul of Article 82EC’ (2009) 29 Oxford Journal of Legal Studies 267

Bashor T, ‘Protection Or Protectionism: A Critical Analysis of Article 102 TFEU’ (2019) 8 Manchester Review of Law, Crime and Ethics 139

Börzel TA, ‘Member State Responses to Europeanization’ (2002) 40 JCMS: Journal of Common Market Studies 193

Brockhoff J and others, ‘Google/DoubleClick: The First Test for the Commission’s Nonhorizontal Merger Guidelines’ (2008) 2 Competition Policy Newsletter 53

Crutzen R, Ygram Peters G-J and Mondschein C, ‘Why and How We Should Care about the General Data Protection Regulation’ (2019) 34 Psychology & Health 1347

Eben M, ‘Market Definition and Free Online Services: The Prospect of Personal Data as Price’ (2017) 14 Journal of Law and Policy for the Information Society 227

Elvy S-A, ‘PAYING FOR PRIVACY AND THE PERSONAL DATA ECONOMY’ (2017) 117 Columbia Law Review 1369

Forrester I, ‘A Challenge for Europe’s Judges: The Review of Fines in Competition Cases’ [2011] European Law Review

Peacock SE, ‘How Web Tracking Changes User Agency in the Age of Big Data: The Used User’ (2014) 1 Big Data & Society 1

Rat D, ‘Commitment Decisions and Private Enforcement of EU Competition Law: Friend or Foe?’ (2015) 38 World Competition 527

Schneider G, ‘Testing Art. 102 TFEU in the Digital Marketplace: Insights from the Bundeskartellamt’s Investigation against Facebook’ (2018) 9 Journal of Competition Law and Practice 13

Szyszczak E, ‘Controlling Dominance in European Markets Dedicated to Lord Gordon Slynn of Hadley Part II’ (2009) 33 Fordham International Law Journal 1738

Books

Bernard E. Harcourt, Exposed : Desire and Disobedience in the Digital Age (Harvard University Press 2015) <http://search.ebscohost.com.proxy-ub.rug.nl/login.aspx?direct=true&db=nlebk&AN=1133805&site=ehost-live&scope=site> accessed 8 April 2021

Sokol D and Comerford R, ‘Does Antitrust Have a Role to Play in Regulating Big Data?’ in D Daniel Sokol and Roger D Blair (eds), The Cambridge Handbook of Antitrust, Intellectual Property, and High Tech (Cambridge University Press 2017) <https://www.cambridge.org/core/books/cambridge-handbook-of-antitrust-intellectual-property-and-high-tech/does-antitrust-have-a-role-to-play-in-regulating-big-data/4733BEE73FB7B1FE03364FB83D102184> accessed 21 April 2021

Turner JD and Quinn W (eds), ‘The Dot-Com Bubble’, Boom and Bust: A Global History of Financial Bubbles (Cambridge University Press 2020) <https://www.cambridge.org/core/books/boom-and-bust/dotcom-bubble/690BD009D795B9557E4A9B44A0D40FF9> accessed 15 April 2021

Whish R and Bailey D, Competition Law (Oxford University Press 2015)

Web Articles, Blog Posts and Press Releases

‘Almost Two Years of GDPR: Celebrating and Improving the Application of Europe’s Data Protection Framework’ (DIGITAL EUROPE, 21 January 2020) <https://www.digitaleurope.org/resources/almost-two-years-of-gdpr-celebrating-and-improving-the-application-of-europes-data-protection-framework/> accessed 12 April 2021

Anderson J and Mariniello M, ‘Regulating Big Tech: The Digital Markets Act’ (Bruegel, 16 February 2021) <https://www.bruegel.org/2021/02/regulating-big-tech-the-digital-markets-act/> accessed 13 April 2021

Brown D, ‘Big Tech’s Dominance around the Globe Is Something to Be Worried About’ Business Standard India (5 September 2020) <https://www.business-standard.com/article/technology/big-tech-s-dominance-around-the-globe-is-something-to-be-worried-about-120090500246_1.html> accessed 18 May 2021

‘European Data Protection Authorities Are Woefully Underfunded’ (Teiss, 30 April 2020) <https://www.teiss.co.uk/europe-data-protection-authorities-underfunded/> accessed 8 April 2021

European Union Agency for Fundamental Rights., Your Rights Matter: Data Protection and Privacy : Fundamental Rights Survey. (Publications Office 2020) <https://data.europa.eu/doi/10.2811/292617> accessed 9 April 2021

‘GDPR Claims | Data Breach Compensation | Forbes Solicitors’ <https://www.forbessolicitors.co.uk/personal/data-breach-claims.htm> accessed 19 May 2021

Hanselaer S, ‘The CNIL’s Restricted Committee Imposes a Financial Penalty of 50 Million Euros against GOOGLE LLC’ (European Data Protection Board, 21 January 2019) <https://edpb.europa.eu/news/national-news/2019/cnils-restricted-committee-imposes-financial-penalty-50-million-euros_en> accessed 12 April 2021

‘How Big Tech Companies Gain and Maintain Dominance’ Reuters (7 October 2020) <https://www.reuters.com/article/us-usa-tech-antitrust-congress-factbox-idUSKBN26R3RD> accessed 18 May 2021

Layton R, ‘The 10 Problems of the GDPR’ <https://www.judiciary.senate.gov/download/03/12/2019/layton-testimony> accessed 24/05/2021

Marr B, ‘The Amazing Ways Instagram Uses Big Data And Artificial Intelligence’ (Forbes) <https://www.forbes.com/sites/bernardmarr/2018/03/16/the-amazing-ways-instagram-uses-big-data-and-artificial-intelligence/> accessed 9 April 2021

‘Online Personal Data: The Consumer Perspective’ <https://www.communicationsconsumerpanel.org.uk/online-personal-data/online-personal-data-1> accessed 9 April 2021

Parker P, ‘Google Bringing In More Than $100 Million Per Day Via AdWords’ <https://searchengineland.com/google-bringing-in-100-millionday-via-adwords-says-study-137583> accessed 12 April 2021

‘The CNIL’s Restricted Committee Imposes a Financial Penalty of 50 Million Euros against GOOGLE LLC | CNIL’ (CNIL, 21 January 2019) <https://www.cnil.fr/en/cnils-restricted-committee-imposes-financial-penalty-50-million-euros-against-google-llc> accessed 12 April 2021

Tidey A, Lazaro A and Parrock J, ‘Digital Service Act: EU Vows to “put Order into Chaos” with Tech Laws’ (euronews, 15 December 2020) <https://www.euronews.com/2020/12/15/digital-services-act-brussels-unveils-landmark-plans-to-regulate-tech-companies> accessed 15 April 2021

Tolsma, ‘GDPR-Data Protection Authority Enforcement Methods’ (Deloitte Switzerland) <https://www2.deloitte.com/ch/en/pages/risk/articles/gdpr-data-protection-authority-enforcement-methods.html> accessed 19 May 2021