Speech at the Conference of the Data Protection Supervisor
Brussels, 16 June 2022
Ladies and gentlemen,
I’m honoured to speak here today. To start with, I’d like to applaud the work of the European Data Protection Supervisor, and of the national agencies both in the EU Member States and across the world. Their job is to protect the data and privacy of our citizens. The author Katherine Neville put it best when she said “privacy – like eating and breathing – is one of life’s basic requirements.”
In this light, the European Union has something to be very proud of. A decade ago, the EU put in place a foundation stone for modern privacy legislation. Our digital citizens’ rights, the GDPR, not only shifted the debate on data protection and privacy within Europe, it also changed minds and laws across the globe. When it comes to data protection, Europe showed its willingness and ability to lead the global debate, setting a course for others to follow.
Digital Markets Act
Data is an important element of competition in digital markets and an important part of our work as regulators. We need to address common issues such as the interplay between data protection and competition. Privacy and competition sometimes go together, sometimes they don’t. This requires a dialogue between regulators. This is why I am happy to be here today.
This is especially true as the new Digital Markets Act is close to becoming law in Europe. The DMA is a big step towards protecting further the digital interests of consumers, and ensuring a level playing field for the business users of gatekeeper platforms.
Its architecture is based on central enforcement at EU level, which makes sense because it targets a limited number of companies, active across the EU with similar business practices. So a harmonized European approach is necessary; but the close cooperation of national competition authorities and coordination with other regulators is equally as important. We believe the DMA architecture is the right one when dealing with large global digital platforms. It also inspired the architecture of the Digital Services Act for the Very Large Online Platforms.
As enforcers of competition law, we have all seen the role of data in digital markets. The ability to store data, combined with the reach and breadth created by powerful network effects, can enable large platforms to hunker down in their strongholds and, in worst case, to abuse their market power. Data can raise barriers to entry and it can also be used in anti-competitive ways.
This is exactly why we opened a case against Amazon in November of 2020. Our concern is that Amazon’s dual role as a platform and a seller on its own platform, means it could use business customer’s data to launch products, set prices and optimise inventory in a way other competitors could not. A similar concern has been found in the case we opened against Meta in the Marketplace case in June 2021. Both cases are ongoing, but in the meantime, they have already inspired a similar provision in the DMA, on data use covering such ‘dual-role’ situations.
Another important provision in the DMA relates to the way data can be collected and used by gatekeepers. The final DMA provision builds on the initial Commission proposal banning the combination of data across services without effective consent. However it goes further, by limiting the possibility to track users and process the data for advertising purposes without effective consent. I am very happy about this provision. This is because it addresses the concerns of the European Parliament about tracking and targeted advertising. But it also reflects concerns we heard from stakeholders as part of a preliminary investigation on user tracking practices by Facebook.
Successful enforcement of the Digital Markets Act will depend on leveraging your expertise on this and other issues. Over the past years, we have put in place a good dialogue with the Supervisor and with the national data protection agencies. Because we have opted for a central enforcement model for the DMA, it will become increasingly important to build on that good dialogue for the purposes of a coherent and future-proof application of personal data related obligations. The High-Level Group to be created in the context of the DMA will be a very useful forum for coordination.
Other Competition Policy relating to data
Dialogue is vital on many fronts. The Digital Markets Act does not signal an end to competition enforcement. On the contrary, we are continuing to enforce competition rules in digital markets, using all of our traditional instruments in antitrust, merger control and State aid. These cases nearly all have data relevant aspects.
One interesting example is the Google AdTech case where we assess Google’s policies and whether information on user behaviour is treated in a way that gives an advantage to Google’s own advertising intermediation service. More specifically we are looking into the Privacy Sandbox, the phase out by Google Chrome of third party cookies that track users. The question here is who will have access to what data and whether the new practices could distort competition in the ad tech sector by favouring Google when it comes to having access to data.
This is why it’s important that we maintain our dialogue with data protection agencies when data plays an important part of the competition assessment, as we have done in the past.
One example from merger control is the Google Fitbit case, which we cleared with some conditions, including a data silo separating the data collected from Fitbit users from any other Google data used for advertising. We took into consideration the views of the EDPS and the relevant data protection agencies when working on the remedies.
And I can tell you already that these will not be the last cases we look at, in which data issues are pivotal. Because when it comes to digital markets the wider link between competition and privacy will always be there. After all, the more concentrated markets become, the more consumer data is held in the hands of fewer and fewer businesses – and the higher are the risks for privacy. In this sense, competition policy is often on the side of protecting privacy rights. At the same time, effective enforcement of citizens’ privacy choices will also create more opportunities for competitors in the marketplace to differentiate. However, we need to be vigilant when practices leading to greater privacy may also lead to a greater concentration of power over data.
Data Act and Data Governance Act
Finally, the dialogue and cooperation on data protection extends well beyond competition policy. It must cover the full range of digital policies we are designing. The Digital Services Act takes more important steps towards protecting users’ rights. These include banning the use of sensitive personal data to target adverts, and granting users the right to opt out of content recommendations based on profiling.
Another notable policy is the Data Act, which will establish harmonised rules on access for data generated by connected devices. This is an important step for us to take. Not only does it safeguard European innovation and competitiveness, it also anticipates exactly the kinds of data issues the digital transition will inevitably bring about.
The next step is the Data Governance Act, to facilitate data sharing by creating neutral data intermediaries. This will allow SMEs to access the data they need to innovate, and to enable the safe reuse of some types of public sector data.
We have taken careful note of the recent joint opinion of the Supervisor and the Data Protection Board, in particular on the principle that data must be processed according to European values, and on ensuring seamless compatibility between the Data Act, the Data Governance Act and GDPR.
This is entirely aligned with our ambition and our thinking. The point of this architecture is not to circumvent privacy concerns, but precisely the opposite. By putting in place a transparent and harmonised system for EU citizens, we are creating a safe and democratic framework – one that provides all our citizens with an equal level of protection. And by maintaining our dialogue and cooperation with the data supervisory authorities, we can ensure the highest standards of care are adhered to.
What is important, is that the right principles are put in place, and that a good process is set up to enforce those principles. This is why the role of the data protection supervisory authorities is so important: as enforcers on those aspects for which personal privacy concerns are at stake.
This is vital for the success of the data regulatory architecture. But more to the point: it is vital for the whole digital transition. After all, the digital transition will only be a success if we succeed in building trust. All of us must feel that we, our families and our communities are benefitting from new technologies and products, and that our privacy – that “basic requirement of life” – is being fully protected.
Eight years ago, the Supervisor at the time, Peter Hustinx, issued an Opinion on the interaction between competition, data protection and consumer protection. This Opinion is worth re-reading today, because so much of what he talked about is still relevant.
There’s a lot to unpack. But perhaps one of the biggest points it makes is the importance of collaboration between policymakers in the respective fields of competition, data protection and consumer protection. At the time, that was something Supervisor Hustinx felt was missing.
I hope you will agree that today, as we put in place a wide-ranging architecture for our digital future, we have a unique opportunity to find those synergies; to continue the dialogue, and to work together towards our common goals of growth, innovation and the welfare of individual consumers.