One might be surprised to read that data protection rules might also impact the competitive assessment of a concentration within merger control proceedings. Nonetheless, the clash of these two universes can be increasingly seen with respect to mergers pertaining to the digital sector. The most recent example is the EC's probe of the VERIZON/YAHOO deal.1 Both Verizon and Yahoo used certain data generated by user activity on their websites, apps and other services such as their ad networks to improve their online advertising services (eg sold to advertisers and publishers) and better target advertising on websites and apps.
The EC saw two potential issues concerning these online advertising services as a result of the combination of the two datasets previously held independently by Verizon and Yahoo: (i) the increased market power of the merged entity; and (ii) the elimination of competition based on the data that existed between Verizon and Yahoo prior to the merger.
In the end, the EC has not deemed this combination of datasets to raise serious competitive concerns. One of the notable reasons for this conclusion was the applicable data protection regime. The EC noted that any combination of the said datasets could only be implemented to the extent allowed by applicable data protection rules. Both Verizon and Yahoo were subject to such rules with respect to the collection, processing, storage and usage of personal data, which, subject to certain exceptions, limit their ability to process the datasets they maintain.
The EC also took account of the newly adopted General Data Protection Regulation ("GDPR") which would limit the parties' ability to access and process users' personal data in the future, since the new rules will strengthen the existing rights while giving individuals more control over their personal data (ie easier access to personal data, right to data portability, etc).2
Another recent example of data protection rules coming into play within the competitive assessment came to light during the EC's assessment of an envisaged joint venture between Sanofi and Google.3 The joint venture was meant to offer services for the management and treatment of diabetes, including data collection, processing and analysis. In its competitive analysis, the EC addressed concerns voiced over the ability of the parties to lock in patients by limiting or preventing the portability of their data towards alternative services.
The Commission dismissed these claims by inter alia pointing to the GDPR, which will provide the users with the right to request portability of their personal data. Data subjects have the right to receive a copy of their data in a structured and commonly used machine-readable format, as well as the right to transmit their data to another controller or to request the controller to transmit their data directly to another controller. In light of this, the EC considered the power of locking-in patients to the services of the joint venture to be unlikely in the foreseeable future.4
While data protection rules play an increasingly important role in assessing concentrations in the digital sector, there is a general worry as to whether the EC gets to assess such concentrations in the first place. In its recent opinion, the European Data Protection Supervisor noted that the EU merger control rules focus on companies which meet certain turnover thresholds, unless cases are referred by national competition authorities. Nonetheless, there are indications that proposed acquisitions of less established digital companies, which may have accumulated significant quantities of personal data that have yet to be monetised, will face greater scrutiny.5 However, such acquisitions can normally only be caught by merger control rules if alternative means of establishing jurisdiction, such as transaction value thresholds, are introduced. Such rules have already been adopted in Germany and Austria. The future will show whether the EU will follow this approach and what role data protection will assume within the competitive assessment of concentrations in the years to come.
1 COMP/M.8180 – VERIZON/YAHOO, rec 80 et seq.
2 Also see COMP/M.8124 – Microsoft/LinkedIn, rec 167 et seq; the EC recently used similar reasoning in COMP/M.8251 – BITE/TELE2/TELIA LIETUVA/JV, rec 85 et seq, with respect to data collection on customers within the provision of mobile payment services.
3 COMP/M.7813 – SANOFI/GOOGLE/DMI JV, rec 63 et seq.
4 Also see COMP/M.7337 – IMS HEALTH/CEGEDIM BUSINESS, rec 218.
5 European Data Protection Supervisor, Opinion 8/2016 of 23 September 2016, EDPS Opinion on coherent enforcement of fundamental rights in the age of big data, p 14 et seq.