Antitrust officials are beginning to think about privacy as an antitrust issue. Coming out of a meeting on September 25 between the Justice Department and state attorneys general, Jim Hood, Mississippi’s AG, said:
‘We were unanimous. Our focus is going to be on antitrust and privacy. That’s where our laws are.’
Some antitrust reformers such as Marshall Steinbaum and Maurice E. Stucke echo this idea, urging antitrust authorities to consider a merger’s likely effect on privacy when conducting an antitrust review.
In many ways, it is a surprising and startling concept. Antitrust has to do with preserving competition so as to promote consumer economic welfare. Privacy has to do with protecting consumers from harm resulting from the collection, dissemination and use of their data. How can ensuring reasonable competitive conduct in markets advance consumer privacy interests? It seems like a classic case of apples and oranges.
But, it is worth building the idea out a little bit to see what’s behind it. Start from the notion that large collections of data are intrinsically a privacy risk. People want privacy, not because they are superstitious or irrational, but because they want to be protected against a large, but indefinite, range of harms. The more an organization knows about people, the more vulnerable they are to these harms. In privacy scholar Paul Ohm’s famous phrase, no one wants his worst enemy to have access to a ‘database of ruin,’ that is a comprehensive record of his life, activities, preferences, values, beliefs, hopes and dreams.
Now consider marketplace conduct that systematically amasses data of individuals. The larger the data set the more dangerous it is to people. If a single company gains control over this data set either through unilateral marketplace conduct or through merger, it is in the position to do considerable harm to the privacy interests of a very large number of people and it has a monopoly or close to a monopoly in this data. Efforts to gather this data must, therefore, be subject to a test of reasonableness under the antitrust laws. And mergers must be evaluated by whether the resulting data sets pose an unacceptably high risk of damage to the privacy interests of individuals.
I think this is the intuition behind the idea of restraining firm conduct or mergers because they pose or increase privacy risks. It was likely behind the dissent from FTC Commissioner Pamela Harbour in the approval of the Google-DoubleClick merger. She said:
‘The truth is, we really do not know what Google/DoubleClick can or will do with its trove of information about consumers’ Internet habits. The merger creates a firm with vast knowledge of consumer preferences, subject to very little accountability.’
She objected to the merger analysis used that relied on traditional antitrust principles because it ‘does not reflect the values of the consumers whose data will be gathered and analyzed’ and because it contains ‘no adequate proxy for the consumers whose privacy is at stake.’ As a result, she prefers an approach that would ‘make privacy ‘cognizable’ under the antitrust laws, and thus would have enabled the Commission to reach the privacy issues as part of its antitrust analysis of the transaction.’
The antitrust laws certainly allow and indeed require enforcement authorities to consider data issues. Section 7 of the Clayton Act, for instance, prohibits mergers that would be likely ‘substantially to lessen competition, or to tend to create a monopoly.’ That standard can be applied to combinations of data sets post-merger and fully authorizes antitrust authorities to examine data issues.
Data sets are assets needed for business activity, and if through anticompetitive market conduct or through merger, a company can obtain a monopoly on data that its competitors need in order to do business then the antitrust authorities can and should act. The standard in these cases is whether there is as much and as good data left over for competitors to fully engage in their business operations.
In the Google-DoubleClick case, for instance, the FTC majority examined the data issues in the context of the online advertising market and concluded that ‘the evidence failed to show that the accessibility to Google of any additional data would likely enable it to exercise market power.’ It found that the combined dataset would not constitute ‘an essential input to a successful online advertising product’ because several competitors have ‘have access to their own unique data stores.’
European competition authorities use a similar standard in merger reviews involving merged data sets. For instance, in 2016, the European Commission approved the Microsoft merger with LinkedIn, saying:
‘The combination of their respective datasets does not appear to result in raising the barriers to entry/expansion for other players in this space, as there will continue to be a large amount of internet user data that are valuable for advertising purposes and that are not within Microsoft's exclusive control.’
There is one way for antitrust authorities to consider privacy in merger reviews. Companies differ in their data practices; some might be more protective of privacy than others. If potentially competitive companies merge, then this diversity of privacy practices could be lost. Agencies should examine this non-price aspect of competition, just as much as they should examine diminished quality, selection or service in evaluating a merger.
Antitrust authorities need to pay attention to another data issue that was raised at the recent FTC workshops on competition and consumer protection in the 21st century by both Jason Furman, former head of the Council of Economic Advisers and Nobel-prize winning economist Joseph Stiglitz – the possibility that there might be returns to scale in data analysis. Certain insights might emerge from the new techniques of machine learning only with sufficient data. This phenomenon could give those with more data a competitive advantage, not only with respect to price and output, but also with respect to innovation in data analytics which could translate into improved products or services.
Antitrust authorities have the authority and the responsibility to look into these data issues in so far as they affect non-price aspects of competition such as diversity of privacy practices and innovation.
But, going beyond these competition issues to review conduct or mergers based on non-competition issues like privacy itself is a bridge too far. It simply won’t pass muster under current antitrust standards.
The FTC majority said as much in approving the Google-DoubleClick merger. It expressed reservations about intervening ‘in transactions for reasons unrelated to antitrust concerns, such as concerns about environmental quality or impact on employees.’ It said clearly that ‘the sole purpose of federal antitrust review of mergers and acquisitions is to identify and remedy transactions that harm competition’ and concluded that the Commission lacks ‘legal authority to require conditions to this merger that do not relate to antitrust.’
This does not mean that our privacy laws are fully adequate as they are. In fact, the time is ripe for Congress to step up to the plate and pass a broad privacy law that establishes strong consumer protections to insulate people from consumer harms associated with the unreasonable collection, dissemination or use of personal information.
There is an irony that the agency best positioned to implement and enforce such a new privacy law is the Federal Trade Commission, which also has authority to enforce the antitrust laws. Under Section 5 of the FTC Act, the Commission is empowered to prohibit ‘unfair or deceptive acts or practices.’ They have already exercised this authority in numerous cases to protect consumers whose privacy has been invaded.
Congress can solidify and extend this authority by making it clear in the new privacy legislation that unreasonable or harmful data practices are violations of the prohibition on unfair or deceptive practices.
Keeping antitrust in its own policy arena is not a recipe for consumer abuse. The antitrust laws are a very powerful tool of national public policy, but they are also designed for a very narrow purpose, which is to preserve competition so as to vindicate the consumer interest in high quality, low-priced and innovative goods and services. Other tools of policy, including a new national privacy law enforced by the FTC, will be needed to defend consumer privacy interests.
