Consumer data is ubiquitous in the modern economy, and computing power allows for the speedy collection and analysis of data. Market participants are using big data in a variety of ways to deliver innovative products and services, which raises important questions about how to protect consumer privacy interests without stifling procompetitive innovation. A panel of Morgan Lewis competition and privacy lawyers discuss the evolving debate, with an emphasis on the different legal and regulatory approaches in the United States and Europe.
Key Takeaways
- Should competition law be used to address privacy concerns? US and European enforcement agencies have taken different approaches.
- US enforcers have relied on an adversarial (litigation) process to vindicate antitrust concerns, mostly guided by the consumer welfare standard (i.e., a focus on lower prices and greater output). European enforcers have relied on regulatory enforcement, mostly guided on a desire to protect effective competition, consumer choice, and low prices.
- The intersection between privacy, big data, and competition has led the US agencies to create task forces to study this tension. Using competition law to vindicate privacy interests could make it harder for innovative companies to thrive with new products or technology-based offerings. That could potentially result in less competition.
- Many in the United States believe it’s not an antitrust issue if a company holds a lot of data. For example, data is not a barrier to entry because it is readily accessible to others in the market, data changes constantly, and thus has a relatively brief useful life, and data is becoming cheaper to store and process.
- In Europe, however, in order to both protect deep-rooted privacy concerns, and to maximize choice for consumers, enforcers focus on the competitive advantage holding data might confer and are open to limiting the amount of data a company can aggregate and use.
- European enforcers rely on both antitrust and privacy laws, and increasingly impose rules on why, how, and on what basis a company can collect and share data (e.g., access or interoperability requirements under antitrust rules, or transparency and consent requirements under the GDPR).
- Similar to the GDPR, in June 2018, California enacted a unique consumer privacy law called the California Consumer Privacy Act (CCPA) that creates a new private right of action for security breaches and potential statutory damages. It’s expected to affect more than 500,000 US companies doing business in California.
Note: This presentation was one of the most popular in the 2019 Technology May-rathon webinar series.