How to deal with data while complying with antitrust law
August 2019 | SPECIAL REPORT: COMPETITION & ANTITRUST
Financier Worldwide Magazine
August 2019 Issue
Data has been described as the new asset class of today’s economy. Companies increasingly collect, analyse and report vast volumes of data. This increasing collection of data and the ability to produce insights from it has important consequences in the field of competition compliance.
A number of speeches and studies from competition authorities have focused on the use of data as a currency in the digital economy, and on how extracting data from customers could amount not only to a breach of privacy laws but also of competition laws, in particular for large platforms with dominant positions in consumer-facing markets.
The decision of the German competition authority (Bundeskartellamt) of February 2019 against Facebook concerning an abuse of dominance in its linking of data between services was adopted in this context and underscores that the management of personal data by large platforms seems set to grow as a centre of attention for antitrust authorities.
However, platforms and tech companies are not the only operators that should be aware that data management may give rise to antitrust scrutiny in terms of compliance, with articles 101 and 102 of the Treaty on the Functioning of the European Union (TFEU) which prohibit agreements between competitors and abuses of dominance.
This article looks at two specific areas where data is relevant, with respect to competition compliance: the management of data across vertically integrated businesses and rules concerning the use of personal data during competition investigations and internal audits.
The use of data in vertically integrated businesses
The sharing of data across vertically integrated businesses is increasingly likely to attract the attention of competition authorities as an article 101 (agreements between undertakings) or article 102 (abuse of dominance) issue.
The phenomenon of businesses holding large amounts of data which could be commercially sensitive has already been a concern for antitrust authorities regarding vertical mergers for some time.
In Google’s acquisition of ITA Software Inc, for instance, the US Department of Justice (DOJ) cleared the merger only on condition that firewalls were established between Google, the acquirer and relevant entities in ITA to prevent information sharing. ITA was a provider of software for online travel comparison sites. Google’s downstream travel search business, however, planned to launch a price comparison platform which would compete with ITA’s customers. The DOJ alleged in its theory of harm that, among other things, Google’s flight comparison business could gain access to competitors’ commercially sensitive information through the ITA acquisition, such as their margins and plans for new services. The merger was cleared only with conditions including that Google firewalled competitively sensitive information held by ITA from personnel involved in Google’s travel search service.
The European Commission will likely scrutinise data management practices from vertically integrated businesses beyond the merger control context. This interest is likely to concern a large number of industries where commercially sensitive data is held by different subsidiaries within the group.
An example of potentially problematic sharing of data within integrated groups would be a company that manufactures and sells machines, and is also active in the maintenance of these machines. If there is a risk that the group would be dominant in either the manufacturing market or the maintenance market (to the extent that they are separate), the sharing of data collected by either business to leverage the group’s presence on the other business could potentially be challenged by competition authorities.
This risk exposure raises important practical issues since it involves a self-assessment of the relevant markets and whether the group holds a dominant position on such markets – an exercise that is always difficult for antitrust authorities, and even more so for private businesses.
To avoid the competition law risks involved in holding data across vertically integrated groups, groups should be alive to situations where data held by one of their business units could amount to strategic information for another business unit. Groups will need to develop policies and practices, including firewalls between businesses, to ensure such potentially sensitive data is quarantined within the appropriate business units.
Managing personal data during competition investigations and internal audits
Data and competition law also interact in the way businesses manage the personal data they hold during antitrust investigations and compliance procedures.
Antitrust investigations are typically heavily data intensive, and authorities often request significant amounts of documents be provided in relation to their investigations. Such requests can be very far reaching and typically involve providing all documents produced by a given employee within a certain time period, or all documents containing certain keywords.
Businesses need to provide data, both to comply with such requests, but also to conduct their own audits to verify internal antitrust compliance in a preventive manner. However, this may give rise to tensions with supranational and national privacy laws, which increasingly tend to protect personal data.
In the European Union (EU), the General Data Protection Regulation (GDPR) came into force in May 2018 and sets rules for businesses’ management of any personal data connected to the EU, even where a business is established outside the EU or data is stored outside the EU. The term ‘personal data’ is given a broad definition to include any data which can be linked to an individual and will therefore carry much of the data typically looked at in an antitrust investigation or audit, such as emails or phone records. Sanctions for breaches of the GDPR can amount to the higher of €20m or 4 percent of annual worldwide turnover.
In addition to the pan-European GDPR, a network of national employment, labour, whistleblower, and other privacy laws also regulate the treatment of personal data and must be considered during antitrust investigations and audits. French employment law, for instance, requires that emails marked in the subject line as ‘private’ or ‘personal’ are not to be opened or reviewed. The opening in bad faith of correspondence with ‘personal’ or ‘private’ in their subject line can amount to a breach of criminal law.
In complying with data requests from competition authorities, businesses should be in a position to make clear from the start the data protection limitations imposed on them by the GDPR and other applicable laws. During an investigation, every decision concerning the release of data should be documented.
Ahead of managing internal antitrust investigations, such as mock dawn-raids and audits, businesses should ensure that internal investigation guidelines and policies reflect GDPR requirements and those of other applicable laws of the relevant jurisdictions. To comply with the principles set out in the GPDR, in collecting or reviewing data for antitrust compliance purposes, businesses should strive to ensure that personal data collection is limited to what is necessary, that appropriate safeguards are followed, and that any personal data is not used beyond the purpose for which it is collected.
Katrin Schallenberg is a partner, Sara Ortoli is an associate and Roland Scarlett is a trainee solicitor at Clifford Chance. Ms Schallenberg can be contacted on +33 1 44 05 24 57 or by email: firstname.lastname@example.org. Ms Ortoli can be contacted on +33 1 44 05 51 30 or by email: email@example.com. Mr Scarlett can be contacted on +33 1 44 05 52 49 or by email: firstname.lastname@example.org.
© Financier Worldwide
Katrin Schallenberg, Sara Ortoli and Roland Scarlett