Clash of data protection laws and competition laws?
The economic value of data driven businesses has grown massively in the last few years. Access to data, (personal and non-personal) and the power to decide who may access the data have become crucial in several new business models that rely partly or fully on such data, including businesses that require large scales of data to train artificial intelligence algorithms.
On the one hand, once data becomes a limited resource that is required to drive businesses and develop new markets, competition authorities get involved. Under certain conditions, competition laws can require the data “controllers” to grant access to their data to third parties. For example, the merger control proceedings of the EU Commission regarding the acquisition of LinkedIn by Microsoft dealt, inter alia, with the competitive role of data and raised the question of whether access to a merged data pool must be granted to third parties post-merger.
On the other hand, data protection laws, in principle, restrict the use of personal data by companies, including the transfer of such data or the disclosure to third parties.
Access to data under the amended German competition law
This tension between data protection laws and competition law has also to be taken into account with regard to the new draft amendment to the German Act against Restraints of Competition (GWB) [German Read]. The draft amendment provides several amended or new provisions under which companies can be obliged to grant access to their personal and non-personal data:
- One of the proposed provisions deals with the question of whether data should be regarded under specific circumstances as an “essential facility” or not. In short, when companies which have a dominant position collect data (including data of natural persons), they might be obliged under certain circumstances to allow access to the data to third parties.
- In addition, according to the draft amendment, an obligation to provide access to data can also apply to undertakings even if they do not have a market dominant position but control data on which other undertakings depend for their own business activities.
- Another provision in the draft proposal addresses so called “tipping effects” on multi-sided markets or network markets (in particular digital platform markets). Such markets are characterised by (direct and indirect) positive network effects. Due to these network effects, the value of the platform/network increases, if more users join and interact on the platform/network. This self-strengthening effect triggers concentration tendencies that can result not only in the development of large platforms/networks but also in the tipping of the market into a monopoly. Against this background, the draft amendment provides that undertakings with superior market power on multi-sided markets or network markets may not impede other undertakings to achieve positive network effects if this leads to a serious threat that effective competition is restricted to a not insignificant extent. Again, if this regulation should become effective, platform/network operators will have to carefully comply with whether they are allowed to refuse access to their data.
Data silos due to data protection laws
At the same time, data protection laws have become more and more strict in their goal to provide the individual with full control of its data. The General Data Protection Regulation (GDPR) in the EU, the California Privacy Act (CCPA) and other laws restrict the use of personal data by companies, including the transfer of such data or the disclosure to third parties, and demand data silos where controllers have to protect the data against any access.
In addition, while the proposed amendment to the GWB does not make a distinction between personal and non-personal data, the (legal) framework that applies besides the proposed amendments is completely different. In particular, in German law the concept of property is not applicable to data. Therefore, protection of data is usually subject to confidentiality agreements or the protection under statutory laws for business and trade secrets. However, any disclosure of business or trade secrets will jeopardize the statutory protection and will also cause a breach of contract with non-disclosure agreements concerning the data.
Avoiding Scylla and Charybdis
It is not quite clear yet in which way the German legislator intends to resolve the described conflict of objectives, i.e. whether and, if so, to what extent companies can rely on the broad protection of personal data and therefore the general prohibition to allow access to personal data without a proper legal basis. The reasoning to the proposed draft amendment clarifies in this regard that in case of a right to access to personal data, a consent of the users to which the data refers to can be additionally required. In addition, the reasoning clarifies that the right to data access under competition law shall not constitute an additional legal basis for the processing of personal data under Art. 6 GDPR.
In any case, the amendment should avoid the situation that the companies have to deal with Skylla and Charybdis: On the one hand, they face massive fines for data protection violations, on the other hand, the FCO will enforce violations of the GWB.