Privacy Harms in Platform Mergers: Lessons from Brazil

By Victor Oliveira Fernandes¹

I. Introduction

In recent years, several antitrust authorities have expressed more significant concerns about privacy degradation in digital markets.² Influent commentators argue that antitrust and privacy policies are now converging in their goals to protect individuals against the asymmetry of economic powers.³ More conservatively, one can assert at least that two regimes might clash at their margins, just as long observed between antitrust and intellectual property or consumer protection legislation.⁴

It is challenging to draw theories of harm of mergers reviews related to data protection legislation’s infringements. At first glance, there is a mismatch in the nature of the harm caused by platforms under each legal regime. While data protection laws are concerned with risks to intimacy under the lens of individual entitlement, under a more economic approach, antitrust is concerned with the impacts on consumer surplus or total surplus.⁵ However, when addressing dominant platform mergers, two instances of intervention may overlap in unexpected ways.

This brief contribution explores how the Brazilian competition authority (“CADE”) handles claims of infringements of the General Personal Data Protection Law (Law 13709/2018) in platform merger reviews. We claim that, in recent cases, CADE has dealt with privacy as a quality parameter of competition both in digital and non-digital markets. From this perspective, one possible unilateral effect of the merger might be lessening the competitive pressure for more protective user terms and conditions on the platform.

CADE’s approach has produced rulings that similarly to European Commission’s decisions, cut off concerns related to data protection law’s violation from antitrust merger control. Moving toward more interventionist outcomes would require overcoming theoretical and practical obstacles explored in this article. Addressing these obstacles depends on normative choices that, in the end, redefine the very boundaries of antitrust policy.

II. Privacy Degradation in Platforms as a Quality Parameter for Antitrust Harm

The dominant scholarship considers that, while digital platforms do not compete on price, offering a digital service with more privacy-protective terms and conditions can be an essential competitive advantage.⁶ Thus, in a digital market where customers significantly value privacy protection levels, an increase in concentration resulting from a merger may diminish competitors’ incentives to offer services with more protective terms and conditions of use for users..⁷

Under this logic, consumers could be harmed if, in a post-merger scenario, the digital platform were to collect significantly more consumer data without giving any meaningful compensation.⁸ Alternatively, there would also be customer harm if the platform could combine the data collected by the merged companies to employ it in data processing activities other than those consented to by users.⁹

The theory of harm rejects the idea that privacy could be seen as a mere “product” or “input” of the economic relationship with digital platforms.¹⁰ Even if it is not reducible to a monetary value, degradation of privacy, in terms of quality, would also constitute a loss of consumer welfare capable of triggering antitrust intervention.¹¹

The flip side of this theory of harm is that no antitrust harm occurs when data protection legislation prevents abusive behavior. When the antitrust authorities reach that the decrease or restriction of quality can constitute a violation of data protection law, it is presumed that such a risk must be addressed by the data protection agencies. In this scenario, the alleged risk of decreasing levels of privacy in the market through the violation of data protection legislation cannot be assumed. Consequently, such a risk cannot be taken as the sole basis for rejecting the merger. .

Somehow this theory of harm has been dominant in EU Competition Law so far. In the Facebook/WhatsApp merger, for example, the European Commission concluded that risks of personal data collected by WhatsApp being inadvertently used for targeting Facebook ads would fall outside the scope of competition law and be addressed more appropriately within the scope of the legal data protection regime.¹² Similar conclusions were reached in the Apple/Shazam merger. The Commission noted that even though data collected by Shazam in third-party apps were competitively sensitive, the European GDPR provisions would prevent Apple from using them for other purposes outside users’ consent.¹³The EU approach has become the main reference point for analyzing privacy conditions in merger control. While there is a growing concern on the part of the authority to investigate these arguments, the European Commission has been cautious about jumping to very assertive conclusions about violations of data protection laws.

III. CADE’s Case Law on Mergers Reviews Involving Privacy Concerns

The same “privacy-as-quality” theory of harm based on quality considerations seems to be followed in some recent CADE decisions. This perspective is in accordance with the Brazilian Antitrust Law (Law no. 12.529/2011), which treats quality as a relevant competition parameter.¹⁴ In addition, quality considerations are expressly addressed as a crucial element of the analysis in the Horizontal Merger Guidelines.¹⁵ In a recent ruling prohibiting a merger between two private universities in Brazil, CADE’s Tribunal asserted that the merger should be blocked, beyond other reasons, because it could lessen the quality of high superior education in the affected markets.¹⁶

CADE reviewed some recent mergers involving platforms considering the risks of the merger to raise the incentives of merged firms to degrade privacy. There are at least three rulings in its case law that reflect how the authority is open to handle with these concerns.

The first case, from April 2021, is the merger between Hub Prepaid Participações S.A. and Magalu Pagamentos Ltda. Magalu Pagamentos is a payment institution that used to provide captive payment services to Grupo Magazine Luiza, one of the largest online retailers in Brazil. The acquired company, Hub Prepaid Participações S.A., is a payment institution regulated by the Central Bank of Brazil (“BACEN”). It operates as a Banking as a Service (“BaaS”) platform and provides prepaid card processing services, serving customers in various segments such as retail, mobile, financial institutions, and fintech.

The privacy-related concerns in the case were raised by the rival MercadoPago.com, which operates as a payment platform controlled by the website Mercado Livre, one of the largest marketplaces in Brazil and a face-to-face competitor to Magalu Pagamentos. MercadoPago.com argued that in 2016, it closed an agreement with the Hub Group, which would have transferred significant data about users and shopkeepers of the Mercado Livre marketplace to this group. Therefore, MercadoPago.com argued that if CADE approved the merger, the Magalu Group would have more significant incentives to access the data previously transferred by Mercado Pago to the Hub Group, granting the merger firm a competitive advantage against the Mercado Livre website in the marketplace market.

CADE’s Tribunal dismissed this claim. The vote-reporter of the decision considered the alleged risks not viable as the operation would not authorize Hub to violate contractual, legal, and regulatory obligations.¹⁷ The vote-reporter pointed out that the LGPD would reinforce “the impossibility that the personal data discussed here, related to the customers of Mercado Pago, be passed on and processed by third parties without the consent of their holders and/or without the observance of various procedures and principles” (unofficial translation).¹⁸

A second case, formed in May 2021, involved a joint venture between the telecommunications firm Claro S.A. and the company Serasa S.A., which operates mainly as credit analysis and risk management business in Brazil. The agreement intended to transfer Claro S.A.’s users’ data so that Serasa S.A. could use it as input for its credit cycle protection and fraud prevention solutions. In return, Serasa S.A. would invest in technologies and solutions that could add value to Claro S.A.’s data.¹⁹

CADE’s General Superintendence concluded that the joint venture did not raise relevant competition concerns, among other reasons, because the transferable data object would be obtained through other channels in the market.²⁰ In addition, the General Superintendence considered that: “it is not up to CADE to analyze whether the partnership agreement under analysis and the respective exclusivity clauses are in accordance or not with the General Law of Personal Data Protection (Law n° 13.709/2018), the Positive Registration Law (Law n° 12.414) or Decree n° 9936/2019” (unofficial translation).²¹ Also, it was asserted that CADE’s approval of the transaction “deals only with the competition issue and does not entail an analysis of merit as to the adherence or not of the Applicants to the abovementioned regulations, whose compliance monitoring is the responsibility of the respective governmental authorities.” (unofficial translation).²²

Finally, it is also worth mentioning the approval, in June 2021, of the merger between STNE Participações and Linx. The former operates in the provision of payment services and intended to acquire all the activities of the latter, which operates as a cloud-based technology company, focused on the provision of enterprise management software through the software as a service business model.

In this case, rivals challenged the transaction before the CADE Tribunal. They argued that, after the merger, STNE Participações would gain access to sensitive managerial and commercial data, especially related to the commercial relationship between the retailers and their customers and suppliers, as well as between the retailers and other acquirers that integrate their products to LINX’s commercial management software.²³ Rivals also claimed that other acquirers, including those linked to banking institutions, would not be capable of accessing data with the same granularity, detail, and ease of information obtained by the merging parties.²⁴

Nevertheless, the CADE Tribunal considered that the data would not be competitively sensitive, mainly because the information it contained, owned by the establishments, could already be accessed by other players in other ways, such as via reconciliation of receivables or via Open Banking policy.²⁵ In addition, the vote-reporter observed an asymmetry of information that worked against rivals not vertically integrated with banks, as with Stone.²⁶

These rulings suggest that the Brazilian authority is taking a cautious approach when dealing with privacy concerns in platforms merger reviews, in line with the European Commission’s experience. Several reasons justify this choice.

First, there are significant hurdles in making an objective assessment based, for example, on theories of harm of excessive data collection, as discussed by some renowned scholars.²⁷ Moreover, unlike in the EU Competition Law, it is still unclear whether the Brazilian antitrust legislation leaves room for exploitative abuse infringements.²⁸

Second, even when privacy is treated as a “quality” dimension of competition, the thresholds for antitrust intervention are still distinct from those that inform the  enforcement of data protection legislations. Under the antitrust regime, privacy, like any other non-price competitive factor, may or may not be relevant to competition in a specific market. In other words, whether privacy is a relevant quality factor for consumers is a highly factual question, which does not necessarily overlay with the standards underlying the data protection legal regime.

Third, at least in this initial stage, CADE appears to be deferential to the scope of the data protection authority’s jurisdiction. Even though this agency is taking its first steps in Brazil, the direct application of the LGPD by CADE could raise questions about the limits of its legal authority.

IV. Final Remarks

The main theoretical approaches to internalizing privacy concerns in merger review can be tackled under the Brazilian competition law in a manner consistent with the assumptions of Law 12.529/2011. There are, however, normative, and methodological obstacles that will be posed to CADE in the assessment of individual cases.

In examining some platform markets, it is difficult to define which counterfactual parameter will be considered by the authority both in assessing market power and in assessing the unilateral effects of a merger. Also, even when data is a relevant competitive asset in some markets, its availability from other sources may remove concerns related to the merger. All these difficulties may end up driving the enforcement of the antitrust and data protection agencies in opposite directions. Maturing the cooperation between the authorities then appears to be a critical step for the future.

Click here for a PDF version of the article

1 Victor Oliveira Fernandes is a Commissioner at the Administrative Council for Economic Defense (“CADE”). He is also a Law Professor at the Brazilian Institute of Teaching, Development, and Research, where he teaches Economic and Competition Law. He holds a Ph.D. in Commercial Law from the University of São Paulo.

1 Autorité de la Concurrence & Bundeskartellamt, Competition Law and Data 22–25 (2016); Competition and Markets Authority – CMA, Online Platforms and Digital Advertising: Market Study Final Report 437 171–181 (2020); Australian Competition & Consumer Commision, Digital Platforms Inquiry 7 (2019).

3 Francisco Costa-Cabral & Orla Lynskey, Family ties: The intersection between data protection and competition in EU law, 54 Common Mark. Law Rev. 11–50, 21–22 (2017). (“data protection and competition law are therefore distinct but intertwined fields of law that share several normative concerns”) and Maria Wasastjerna, Competition, Data and Privacy in the Digital Economy: Towards a Privacy Dimension in Competition Policy? 139 (2020). (“both systems seek to protect the welfare of the individual and overcome power asymmetries”).

4 Erika M Douglas, The New Antitrust/Data Privacy Law Interface, 2280 Yale Law J. Forum 647–684, 658 (2021).

5 Maureen K. Ohlhausen & Alexander P. Okuliar, Competition, Consumer Protection, and the Right [approach] to Privacy, 80 Antitrust Law J. 121–156, 154–155 (2015).

6 James Mancini & Cristina Volpin, Quality Considerations in Digital Zero-Price Markets, OECD Backgr. Pap. DAF/COMP(2018)14 46, 7 (2018).

7 U.S. House of Representatives. Subcommittee on Antitrust, Investigation of Competition in Digital Markets. Majority Staff Report and Recommendations 1–450 18 (2020). (“in the absence of genuine competitive threats, dominant firms offer fewer privacy protections than they otherwise would, and the quality of these services has deteriorated over time”) and Samson Y. Esayas, Competition in (data) privacy: ’zero’-price markets, market power, and the role of competition law, 8 Int. Data Priv. Law 181–199, 181 (2018). (“market power may be exerted by reducing the level of data privacy”).

8 Nicholas Economides & Ioannis Lianos, Restrictions on Privacy and Exploitation in the Digital Economy: A Market Failure Perspective, 1 NET Inst. Work. Pap. no. 20-05 1–74, 7 (2020).

9 Mark MacCarthy, Privacy as a Parameter of Competition in Merger Reviews, 72 Fed. Commun. Law J. 1–44, 22–25 (2020). (“consumer harm can take the form of a post-merger failure to satisfy consumer privacy preferences that were satisfied before the merger”)

10 Frank Pasquale, Privacy, Antitrust and Power, 20 Georg. Mason Law Rev. 1009–1024, 1016 (2013).

11 Viktoria H.S.E. Robertson, Excessive Data Collection: Privacy Considerations and Abuse of Dominance In The Era of Big Data, 57 Common Mark. Law Rev. 161–190, 166 (2020). (“reduction in privacy may affect the quality of a product and thus, ultimately, consumer welfare”).

12 European Commission. Case M.7217 – Facebook/WhatsApp. Commission decision pursuant to Article 6(1)(b) of Council Regulation No 139/2004, p. 36, 2014. § 164.

13 European Commission. Case M.8788 – Apple/Shazam. Commission decision pursuant to Article 6(1)(b) of Council Regulation No 139/2004, p. 1-74, 2018, parag 238.

14 According to art. 88, § 6, item I, line “b”, of the law, CADE may authorize mergers that, even generating an elimination of a substantial part of competition in a given market, improve the quality of goods and services.

15 Brazil. Conselho Administrativo De Defesa Econômica. Guia De Análise De Atos De Concentração Horizontal., 2016, P. 8.

16 Brazil. Conselho Administrativo De Defesa Econômica. Ato de Concentração nº 08700.001020/2014-26 (Kroton Educacional S.A. e Estácio Participações S.A.). Voto-vogal do Conselheiro Paulo Burnier da Silveira (SEI 0356426), 2017, parágrafos 12 e 13.

17 Brazil. Conselho Administrativo de Defesa Econômica. Ato de Concentração nº 08700.000059/2021-55. Voto-relator da Conselheira Paula Farani de Azevedo Silveira (SEI 0893999), § 86.

18 Brazil. Conselho Administrativo de Defesa Econômica. Ato de Concentração nº 08700.000059/2021-55. Voto-relator da Conselheira Paula Farani de Azevedo Silveira (SEI 0893999), § 84.

19 Brazil. Conselho Administrativo de Defesa Econômica. Ato de Concentração nº 08700.006373/2020-61, Parecer 10/2021/CGAA2/SGA1/SG (SEI 0899461), § 8.

20 Brazil. Conselho Administrativo de Defesa Econômica. Ato de Concentração nº 08700.006373/2020-61, Parecer 10/2021/CGAA2/SGA1/SG (SEI 0899461), § 77.

21 Brazil. Conselho Administrativo de Defesa Econômica. Ato de Concentração nº 08700.006373/2020-61, Parecer 10/2021/CGAA2/SGA1/SG (SEI 0899461), § 75.

22 Brazil. Conselho Administrativo de Defesa Econômica. Ato de Concentração nº 08700.006373/2020-61, Parecer 10/2021/CGAA2/SGA1/SG (SEI 0899461), § 75.

23 Brazil. Conselho Administrativo de Defesa Econômica. Ato de Concentração nº 08700.003969/2020-17, voto-relator do Conselheiro Sérgio Costa Ravagnani (SEI 0921910), § 176.

24 Brazil. Conselho Administrativo de Defesa Econômica. Ato de Concentração nº 08700.003969/2020-17, voto-relator do Conselheiro Sérgio Costa Ravagnani (SEI 0921910), § 177.

25 Brazil. Conselho Administrativo de Defesa Econômica. Ato de Concentração nº 08700.003969/2020-17, voto-relator do Conselheiro Sérgio Costa Ravagnani (SEI 0921910), § 219.

26 Brazil. Conselho Administrativo de Defesa Econômica. Ato de Concentração nº 08700.003969/2020-17, voto-relator do Conselheiro Sérgio Costa Ravagnani (SEI 0921910), § 219.

27 See, for instance, Robertson, supra note 10 at 178. (“the abuse of excessive data collection may be based on an analogy with excessive prices, where personal data that a user divulges in return for digital services is understood to represent that user’s counter-performance”) and Miriam Caroline Buiten, Exploitative Abuses in Digital Markets: Between Competition Law and Data Protection Law, J. Antitrust Enforc. 1–19, 6–7 (2020).

28 See, for instance, Eduardo Pontual Ribeiro & César Mattos, The Brazilian Experience with Excessive Pricing Cases: Hello, Goodbye, in Excessive Pricing and Competition Law Enforcement. 173–188 (Yannis Katsoulacos & Frédéric Jenny eds., Internatio ed. 2018). (arguing that discussions about the legal inefficacy of exploitative abuses in Brazilian competition law led to the removal of the practice from the new antitrust legislation enacted in 2012).