When should data be shared? Now seems as good a time as any to reflect, as we approach the season of giving, on such a question.
The EU first adopted data protection rules to facilitate the free flow of personal data across the internal market and to safeguard individual rights. It placed obligations on the person controlling and benefiting from the data processing, and conferred rights on the individuals concerned by the data. One of the first principles is that all processing has to be lawful – so people must have agreed to the processing (consent), or the processing must be judged to be reasonable, unobjectionable and routine (legitimate interest), or it must be essential to provide a service (necessary to perform a contract). Otherwise it must be in service of a clear public interest. If lawful and subject to appropriate precautions, data should in principle flow freely between controllers in the EU, because that is generally acknowledged to be a good thing for European growth, innovation, competitiveness and integration.
Some have more to share than others
The last two decades have, by common consent, seen enormous concentration of data, and the monetisable knowledge on which it is based, in the hands of a few private corporations. These companies are based outside the EU and, as private actors, are beholden ultimately to their shareholders. They serve as gatekeepers to the internet, able to control the digital public space, and determine through secret, proprietary means what people can and cannot see - whether it is recommended content or products, commercial ads, political messages or news items. This puts at stake not only the future of privacy, but also choice and innovation in digital markets. The concentration of data has therefore become a problem for competition.
So it is understandable that a growing body of economists now argue for allowing and encouraging voluntary sharing or pooling of data between competitors in a market, and for remedies to competition cases which require dominant firms to grant their competitors access to their data. It is surely true that the most highly valued companies in the world today have been able to achieve and entrench their dominance through their ability to collect and convert into value massive amounts of data, particularly personal data, which enables the development of profiles that in turn enable targeting. But can these troves of data be considered essential for competing on one or more neighbouring digital markets?
Is it really just about the data?
The first challenge to answering such a question is the opacity of the companies in question. Nobody outside those companies, including enforcement authorities, really knows what and how much data they control and process. Only this week, an initiative by academics and industry called Social Science One felt compelled to admit failure in their attempts to get the biggest social media company to allow access to its data by independent, bona fide, scientific researchers, who wish to analyse how disinformation spreads on their platform. (The company, dubiously, asserts that the GDPR presents an obstacle to such accountability.)
Second, even were these companies more transparent about the data they hold, it is far from clear whether data sharing or dispersal would open up greater competition in these concentrated markets. Dispersal of data does not equal dispersal of power. Data is an input to the broader infrastructure of processing equipment, algorithmic sophistication, human talent and lobbying and legal resources which overall determines the powerful positions of these big players. Their strategic market conduct aims to entrench and expand their powerful positions. Rather than focusing simply on data, we need a better and more holistic understanding of the impact of this conduct on the structure of the market.
Sharing data means data protection
Third, if it were demonstrated that sharing large volumes of datasets would indeed boost competitiveness of European companies and consumer choice, such a solution would have to be compliant with applicable data protection rules, insofar as personal data are concerned. Both voluntary data pooling and data access as a competition remedy imply one company transferring large volumes of data to others. There are already several cases (including those listed in the EDPS 2016 Opinion on Coherent Enforcement) in which a competition authority, advised by the local data protection authority, instructed a company or companies in the energy sector to disclose part of their customer databases to competitors, except where an individual opted out. If data were shared in this way, the new controllers receiving this data would have the same obligations as the original controller, having to comply for instance with the principle of purpose limitation and ensuring data subjects can exercise their rights.
Moreover, the transfer of data itself, as well as its use by competitors, would represent processing operations requiring a legal basis. Consent would have to be informed, specific and freely-given, and so is unlikely to be appropriate. More likely, sharing of data would require a specific public interest grounds, set down in a legal instrument or the determination of a competent authority. The necessity, proportionality and predictability would always need to be demonstrated for giving access to large volumes of personal data. How will the competitors be identified and the purposes for the use of the data be defined? Multiplication of the numbers of competitors means multiplication of controllers. The risk is heightened further where the datasets include special categories of data revealing political views, religion, health and sexual orientation.
More competition, better data protection
This area is worthy of further discussion. It was indeed on the agenda of a recent meeting of the Digital Clearinghouse involving data protection, consumer and competition watchdogs. Competition and privacy communities need to cooperate to identify together solutions which are pro-competitive and pro-privacy. There is strong evidence that highly competitive markets – which are lacking in the digital space – provides for competition between business models and a race-to-the-top on data protection standards. So authorities could collaborate in the assessment of proposed mergers to avoid further concentration and degradation of choice and privacy.
The right to data portability under Article 20 of the GDPR could in theory deconcentrate markets as with telephone number portability in the EU following the 2002 Universal Services Directive. However, this is hampered by the lack of competition in markets for social media, ecommerce and search. Interoperability, where a customer could communicate freely between platforms as emails can be exchanged irrespective of the email service provider, is another solution under discussion in competition circles. Or certain data processing by the dominant company could be simply prohibited as uncompetitive and incompatible with data protection rules. This was the case with the Belgian national lottery in September 2015, where the company was fined for using for incompatible purposes the personal data it had acquired as a public monopoly and which was not available to competitors.
More than ever, there is a need to illuminate new paths for rewarding more sustainable business models that do not rely on the ubiquitous and constant tracking of human behaviour and relationships, a practice which has already damaged trust in digital services. Many European-based privacy enhancing technologies and ‘personal information management’ solutions are already in development or on the market. The EU can be faithful to its values and offer a thriving, and sustainable, digital environment, giving a stimulus to European innovators and champions with the energy and ideas to compete with the biggest companies from other parts of the world.
So perhaps the more urgent need is to share ideas, instead of rushing to share people’s data.