Privacy Considerations in European Merger Control: A Square Peg for a Round Hole

Richard Pepper, Paul Gilbert, May 29, 2015

It is now trite to observe the amount of data generated by modern society. Statistics abound about the data-rich environment created by technological advances and the digital economy:

  • every couple of days, humanity now generates 5 exabytes of data; this roughly corresponds to the volume of data produced in the entire period between the dawn of time and 2003;
  • every day, we create 2.5 quintillion bytes of data—so much that 90% of the data in the world today has been created in the last two years alone.

These data may be personal: social media content, email addresses, employment histories, financial information, shopping habits, and so on. Commercial enterprises (online and offline) proactively collect these types of data to improve their services, design and target marketing, and sell to third parties. This raises real questions about how to protect personal data against unauthorized or inappropriate use. The European institutions have recognized this challenge and are progressing towards a more stringent, harmonized data protection regime through the proposed General Data Protection Regulation.

Several observers have also called for privacy to play a greater role in merger control, including under the European Merger Regulation. Notably, in a 2014 preliminary opinion, the European Data Protection Supervisor criticized the European Commission for not assessing market power by reference to “control of commercialisable personal information” and instead adopting “a purely economic approach to the [Google/DoubleClick] case” where it failed to consider “how the merger could have affected the users whose data would be further processed by merging the two companies’ datasets … that were not envisioned when the data were originally submitted.” In doing so, the Commission was said to have “neglected the longer term impact on the welfare of millions of Users in the event that the combined undertaking’s information generated by search (Google) and browsing (DoubleClick) were later processed for incompatible purposes.”

This paper argues that privacy concerns should not enjoy specific privileges under the European Merger Regulation and that there are no sound policy reasons that support their introduction. It observes the ways in which privacy issues are already taken into account in the Commission’s substantive assessment, and it highlights the risks that arise from an over-emphasis on access to data in merger control.