This paper explains why ‘big data’ matters and why privacy is now lost as a social norm. The European Data Protection Supervisor initially suggested a consumer protection approach to data owned by monopolists. It relied on the essential facility doctrine of intervention where a smaller entrant is foreclosed because it cannot access the data owned by the monopolist. Both the report and the doctrine are now of little help to competition authorities. Instead, the paper will evaluate the legal framework to clarify the scope of application of the data protection rules and elucidate whether competition intervention has any merit in its own right. Articles 7 and 8 of the EU Charter of Fundamental Rights and the former Directive 95/46/EC will be mentioned before the paper fully engages with the recent developments in the area of data protection. In particular, drawing on the risks associated with data processing in both Directive EU/2016/680 and Regulation EU/2016/679, the paper seeks to determine how price discrimination can actually happen in the form of abuse of personal data. The latter carries an economic significance, as through the misuse of such data, consumers can be left worse off when bargaining or shopping online. Further risks associated with the processing of personal data concern health, which could, in turn, raise life insurance premium rates. In other cases, personal data can reveal a particular economic situation, personal preferences or interests, reliability, or behaviour, which could make price discrimination much easier.
The new regulation mentions the risks associated with online activity and the need to overcome different rules on the protection of personal data, which could distort competition. The major provision is one which explains that the regulation does not apply to a ‘purely personal or household activity’, including social networking and online activity. This is to be interpreted in the sense that data protection and supervision do not have as a purpose safeguarding the online privacy of individuals. This is significant since many influential commentators have long held that competition law should not become a regulatory tool for intervention in the area of personal data protection. Nonetheless, the regulatory approach to data processing aims primarily to protect employees from businesses that process personal data and that could lawfully disclose such data to the competent authorities in the wake of various investigations. However, the present framework can easily be abused or misused. It is broad on potential data subjects, as it includes ‘persons possessing relevant information or contacts’. So anyone’s personal data could be saved for unknown purposes.
The paper moves on to critically review the position of mere silence or inaction in the case of default settings of social networks or web browsers to review the position of informed consent under the new regulation. The paper argues that recent theories of informed consent place particular emphasis upon the degree of sophistication and the length of privacy policies, rather than affirmative box ticking. There are hidden ‘small prints’ or pitfalls, such as ‘improving customer experience’, which make it possible to process personal data without a just cause.
The paper examines Windows 10, Google, Facebook, Linked-In, Instagram, Snapchat, and Whisper’s privacy policies to establish compliance with data protection and reveal which distinctive categories of personal data are being processed. Existing evidence of price discrimination will be used to extract the pitfalls associated with social platforms based on trust and the potential abuse of consumer confidence that such data is safe from being shared with third parties. Although there are warnings regarding the selling of data, the paper will remain focused on the big data owned by the three main companies, namely, Google, Facebook, and Microsoft. The selling of personal data could potentially lead competition authorities to uncover the bid-rigging of markets for personal data, which could extend competition intervention to include more ‘secretive’ social media, such as Whisper, Snapchat, or Instagram. Installed software and browsers can also be used as a means to improve users’ experience, but the processing of sensitive and confidential data has little to do with this purpose.
The paper agrees with the merits of the dissenting opinions by the late Commissioner Rosch and Commissioner Jones Harbour, albeit the paper argues that the EU Commission’s intervention is warranted by the enactment of the new rules on data protection, in particular, by what these rules have now left outside their material scope. Relying on Stiglitz’s theory of economic inequality, the paper argues in favour of considering data as the new currency in two-sided markets. While Google’s sale of its users’ privacy to third parties has famously been described as ‘Googlestroika’, namely, a ‘privacy derivative’, this zero-priced product remains problematic through the sharing of personal data with third parties.
In conclusion, the paper adds the abuse of personal data to the non-exhaustive list of abuse of dominance. The latter happens on online platforms, which are outside the scope of data protection laws. Such platforms misuse the trust and confidence of individual users by making them reveal personal data and by encouraging users to voluntarily consent to the transfer of personal data to third parties. Personal preferences or choices are later shared with advertisers and sellers and used to engage in price discrimination. Ultimately, data protection laws are useless in practice, as they solely highlight the need to educate consumers and raise awareness. There is, therefore, one active remedy left: the intervention of competition policy. Indeed, online price discrimination and booking manipulation based on users’ personal data is now a social norm.