The Yale Law Journal

VOLUME
130
2020-2021
Forum

The New Antitrust/Data Privacy Law Interface

18 Jan 2021

abstract. Antitrust theory portrays data privacy as a factor, like quality, that improves with competition. This Essay argues that view is an incomplete account of the new interface between antitrust and data privacy. The more complex reality is that, over the last twenty-five years, data privacy has also become a separate area of legal doctrine. In that capacity, data privacy law may clash at the margins with antitrust—much like intellectual property or consumer protection law did before it. The Essay sheds new light on this tension at the interface of antitrust and data privacy. It provides a descriptive, historical and comparative account of the friction emerging between these areas of law in the digital economy, where data access can both drive competition and reduce privacy. The Essay then lays out a new approach to analyze claims of conflicting data privacy and competition interests, one that emphasizes the accommodation of both areas of law.

Introduction

Antitrust law and data privacy law are powerful forces shaping the treatment of digital information. Both are converging on the companies that hold and use our data—digital platforms like Facebook, Google, Apple and Amazon.1 These entities are perennial favorites of Federal Trade Commission (FTC) data privacy enforcement,2 and of the strict new European data protection regime.3 At the same time, these digital giants face antitrust scrutiny from federal and state antitrust authorities,4 both Houses of Congress,5 and international competition law enforcers6 for their data-driven competition practices.

We are only beginning to theorize this new convergence of digital data privacy and antitrust law. This Essay argues that, so far, our understanding of the new antitrust/data privacy law interface is incomplete. It provides a descriptive, historical and comparative account of the tension appearing between antitrust and data privacy law, which has been overlooked by existing theories.

Part I explains why this intersection of law is new, then describes the two main theories on the antitrust/data privacy law interface. One insists on doctrinal separation between these areas of law, and the other treats privacy as an element of quality in antitrust analysis. Both theories emphasize complementarity between privacy and competition.

Part II argues that these theories are incomplete in two related ways. First, the interests of data privacy and antitrust law are not always complementary—they can be in tension, proof of which is developed throughout this Essay. Competition may be enhanced by data access, while data privacy is eroded by it. Second, and relatedly, these theories ignore the interaction of antitrust with data privacy law as a separate, and potentially opposing, area of new legal doctrine—not merely as a factor within antitrust analysis.

The recent Ninth Circuit decision, HiQ v. LinkedIn, provides an example of this new tension.7 LinkedIn terminated HiQ’s access to user profile data on the LinkedIn social network. LinkedIn argued that HiQ violated user privacy settings through its collection and dissemination of profile data in data analytics software.8 HiQ argued the termination was, in fact, unfair competition—that HiQ competed with LinkedIn to supply such software, and LinkedIn selectively banned it to eliminate a rival.9 The Ninth Circuit upheld a preliminary injunction that granted HiQ continued access to LinkedIn user profile information.10 This effectively guaranteed that HiQ could continue to override user privacy settings, in the name of competition.11 The Ninth Circuit remedy is difficult to reconcile with the FTC’s privacy law enforcement against other digital platforms for their failure to honor user privacy settings—settings much like those disregarded by HiQ.12

Part III of this Essay offers a foundational shift in thinking about the new antitrust/data privacy interface. It paints a picture of the emerging tension between antitrust and data privacy law, first with specific examples where data privacy and competition are facing off on digital platforms. It then contextualizes the tension, situating it within the history of consumer protection law and the comparative European legal landscape. Both perspectives suggest an impending clash between data privacy and antitrust law. This Part concludes with an early-stage observation: faced with tradeoffs between competition and privacy, the tendency of theoretical, institutional and evidentiary biases will likely be to prefer competition—as occurred in the HiQ v. LinkedIn case.

Part IV proposes the first analytical framework to address tension between antitrust and data privacy law. When there are claims of legitimate, but conflicting, data privacy and competition interests, the proposal treats both doctrines as relevant to determining the scope of permitted conduct. Neither antitrust law nor data privacy law is presumed to have primacy. Instead, the importance of the interests at stake are evaluated with reference to each area of law. This proposal is modeled on theory from other, more established doctrinal intersections with antitrust law, such as patent and consumer protection law.

I. existing theories on the antitrust/data privacy interface

This Part provides a short history to illustrate why the interaction between antitrust law and data privacy is new. It then explains the two most commonly articulated, but opposing, theories on the antitrust/data privacy interface. Lastly, it describes the tendency of both theories to emphasize complementarity between these two areas of law.

These theories are new, as the intersection of law is itself quite new. It is only in the last twenty-five years that the FTC has established the “new common law of
privacy.”
13 The rise of the agency as the de facto federal data privacy regulator occurred in lockstep with the emergence of the internet, from the mid-1990s to the present.14 Individuals were suddenly engaging in a myriad of new electronic activity, placing their data online in ever-growing amounts. Spotty, sector-specific privacy legislation left large swathes of that new online activity unprotected by any data privacy laws.15 Congress urged the FTC to fill these gaps, which the agency did using its general consumer protection authority under section 5 of the FTC Act. Section 5 empowers the FTC to prevent unfair or deceptive acts or practices in the marketplace.16 The FTC began to police companies’ false or misleading promises regarding the collection, use, and sale of consumers’ personal data. Over time, these efforts expanded and developed into a body of standards that seek to protect consumers’ reasonable expectations of privacy. An early internet company was among the FTC’s first enforcement targets,17 and the agency has continued to focus on digital companies and their privacy practices ever since.

The novelty of the interface between antitrust law and data privacy is best illustrated in the context of monopoly enforcement.18 Consider that the rise of data privacy law coincides precisely with a twenty-year absence of monopolization enforcement by U.S. antitrust agencies. Around the time data privacy law began to take hold, “the anti-monopoly provisions of the Sherman Act went into a deep freeze from which they have never really recovered.”19 The last significant government anti-monopoly case ended around 2001.20 Monopolization enforcement has unthawed only very recently, with a case filed against Google in late 2020.21 This coincidence of timing—quiet in anti-monopolization enforcement while data privacy law bloomed—means that these areas of law are only now beginning to coexist in American law. The theories of their interaction are thus new, and still developing.

A. Existing Theories: Separatist and Integrationist Views

The first theory on this legal interface casts data privacy as beyond the purview of antitrust law.22 This “separatist” perspective emphasizes the historical and doctrinal separation between the FTC’s competition mandate and its consumer protection mandate.23 It advocates for the continued delineation between data privacy (which is rooted in the consumer protection mandate) and antitrust law. Separatist theory views each of these areas of law as protecting against distinct legal harms. Antitrust law is seen as best suited to address conduct harmful to overall consumer welfare or economic efficiency in the marketplace.24 Data privacy law, in contrast, is seen as a better fit for ensuring that individual consumers receive the benefit of their bargains, given its focus on informed choice and reasonable consumer expectations.25 The central concern of separatists is that the incorporation of privacy considerations into antitrust analysis will create confusion in the application of antitrust law’s consumer welfare standard.26

The second widely articulated view on the interface between antitrust and data privacy posits that antitrust analysis ought to consider data privacy whenever it is an element of quality-based competition. This “integrationist” approach incorporates data privacy into longstanding antitrust analytical frameworks.27 It starts from the well-established position that consumer welfare is improved by competition that is based not only on price, but also on non-price factors, like quality.28It then interprets the concept of “quality” broadly, to encompass privacy-based competition.

When the facts indicate that “[c]ompanies compete to offer more or less privacy to users,”29 the integrationist view considers whether mergers or misconduct are likely to impact that privacy-based competition. For example, consider two internet browser companies who seek to merge. If, pre-merger, those companies compete to offer consumers better online privacy protection, then their combination could reduce the privacy options available to consumers in the market post-merger. Integrationist theory would consider that reduction in privacy-as-quality in its assessment of whether the merger will substantially reduce competition. If, instead, there was no privacy-based competition between the merging parties, then integrationist theory would deem any privacy concerns related to the merger to be beyond the purview of antitrust law.30

To date, integrationist theory is the most developed and accepted view on the interaction between antitrust law and data privacy.31The FTC,32 DOJ,33 and European competition authorities34 have adopted this integrated view and have applied it in merger cases. Several scholars have also expressed support for integrationist theory.35

B. Existing Theories Emphasize Complementarity

Under both the separatist and integrationist theories, agencies and scholars have tended to emphasize complementarity between antitrust and data privacy interests. Separatist theory casts these areas of law as puzzle pieces, “complementary [in] nature,” but not overlapping.36 In the same vein, the typical example used to describe integrationist theory is a merger analysis that casts data privacy as correlated with competition. As in the browser example above, integrationist theory considers whether a transaction is likely to lessen pressure on the merging firms to compete based on privacy, resulting in fewer privacy-protective product options for consumers post-merger.37 This reflects a relationship where competition drives privacy, and when one declines, so does the other. Recent characterizations of digital market power and abuse of dominance similarly link the decline of competition with the erosion of data privacy.38

Policy discussions reflect this same complementarity narrative. A favorite example of antitrust agencies is the presumed positive effect of data portability rights on competition.39 Data privacy laws around the world have begun to grant consumers the right to move their digital data from one online service provider to another, referred to as “data portability.”40 Antitrust agencies often point to such data portability rights as positive for competition.41 In the absence of portability, the thinking is that consumers may hesitate to switch to a competing digital service because that would mean leaving their data behind on the old service. When consumers are empowered to port their data, the assumption is that this encourages consumers to switch to new services, which fuels new entry and digital competition.

If this prevailing narrative of complementarity always holds true, that is incredibly convenient for the enforcement of both antitrust and data privacy law against the same digital platforms. It creates a cohesive legal landscape, in which each doctrinal area can pursue its respective enforcement goals without any question of which to prefer.

As the next Part of this Essay argues, however, the assumption of complementarity is unlikely to hold in every interaction between competition and data privacy, particularly in the digital economy. It is a largely unexamined assumption, made as part of emerging theories on this new intersection of law.

II. acknowledging non-complementarity: data privacy law as a distinct and opposing legal doctrine

What if instead of complementarity, there was a negative correlation between competition and data privacy—what if more competition could result in less privacy (or vice versa)? Varying the scenarios above, what if the merger instead combined two digital advertising firms, and the result was less competition to collect and use consumer data for targeted ads? What if, in exercising their data portability rights, consumers instead chose to port their data in the opposite direction, from new entrants to the incumbent digital platforms that offer larger networks?42 Data portability could cement monopolies rather than promote competition.

This non-complementarity creates two challenges for antitrust analysis. First, it raises a variation on the familiar question of how to evaluate tradeoffs between different dimensions of product quality.43 Product design changes may cause privacy to decrease, but at the same time, improve other elements of product quality. How does antitrust analysis evaluate the effects on consumer welfare when there are multiple different dimension of quality? Antitrust has faced similar questions before in its evaluation of non-price effects, albeit outside of the privacy context.44

Second, non-complementarity raises the problem of antitrust law and data privacy law pursuing opposing interests. Data privacy does not exist only as an element of quality within antitrust analysis. Data privacy law is also a distinct area of doctrine that, at times, pursues interest at odds with the antitrust goal of promoting competition. In that sense, data privacy law is much like intellectual property or consumer protection law. The difference is that, while we have long examined these other interfaces with antitrust law,45 we have scarcely begun to consider the equivalent interaction with data privacy law. The remainder of this Essay addresses this second dilemma, because it is novel and it is not addressed by existing theories.

Separatist and integrationist theories both lack an explanation of how antitrust law interacts with data privacy law in its capacity as a distinct area of legal doctrine. Though separatist theory acknowledges privacy as a distinct area of law, it assumes away any interaction by insisting that antitrust and data privacy are separate. But, the fact that two areas of law are doctrinally separate does not preclude their meeting. Separate doctrinal areas of law often interact with antitrust law. It is correct to say, for example, that antitrust law and patent law are historically and doctrinally separate, but equally correct to observe the significant judicial and scholarly thought devoted to their interaction. Likewise, antitrust law and consumer protection law are separate in U.S. legal doctrine, but interact at their edges.46 The same is now true for data privacy law and antitrust law.

Integrationist theory leaves a similar gap. When there is no privacy-as-quality competition, integrationist theory dismisses data privacy as outside the ambit of antitrust analysis. In fact, data privacy may remain highly relevant, as a separate area of law that seeks disparate treatment of consumer data and reduces competition.

The central disagreement between the two existing theories is whether data privacy is properly considered a factor in antitrust analysis. This is a valid question. However, it is not the only question at this intersection of law. Regardless of whether or not data privacy is integrated into antitrust analysis as a quality-type factor, it remains true that these two areas of law may intersect.

To be clear, this is not an argument that there is a hard conflict of law wherein antitrust law requires action that privacy law prohibits (or vice versa).47 Rather, it is a contention that these two areas of law are increasingly interacting, and, at times, that they pursue opposing interests.

In the digital economy, this potential for antitrust and data privacy to pursue opposing interests is particularly apparent. From an antitrust perspective, consumer data plays an undeniably significant role in digital competition. Leading digital platforms rely on collection and analysis of masses of data about consumers to drive their services, like search and social media—and to drive their profits as well.48 The companies that collect and monetize digital data in the smartest ways win the race to compete, attracting users, and benefit from the network effects that characterize many of these online services. New theories of anti-competitive harm focus on this data-driven competition, and the power gained by digital platforms through their control and accumulation of data.49

From a data privacy perspective, much of that same information is personally identifiable and thus limited in its collection, use, and sale by the FTC’s new common law of data privacy. The FTC’s enforcement of section 5 has long been directed at internet companies, including the digital platforms that collect and use our data to compete.

When privacy law restricts the collection and use of information, that creates potential tradeoffs with the benefits of data-driven competition. For example, Catherine Tucker observes that increased privacy regulation decreases data sharing between firms, which she predicts will reduce competition in online advertising.50 Early research on the General Data Protection Regulation (GDPR), a tough new European data privacy protection law, suggests that improved consumer control over personal data may also reduce competition in consumer data-intensive markets, because it limits data
sharing.
51 The FTC itself has begun to recognize this tradeoff between data competition and privacy.52

Enforcers, courts and digital platforms are left with two opposing legal pressures on the treatment of personal data. What happens if data privacy law encourages conduct that antitrust law or policy discourages, or even prohibits? When, and to what extent, should competition be traded at the margins for data privacy—or vice versa? The preoccupation with complementarity in existing theories has left enforcers, courts and companies with little insight on how to address these questions.

This is not to say that complementarity is an inaccurate description of the antitrust/data privacy interface—only that it is incomplete. As described above on the prevailing views, the interests of both areas of law can certainly be complementary. Nor does this Essay contend that every new antitrust case will pit data competition against data privacy, or even that most cases will. Information at issue in a given case may well be non-personal and unprotected by data privacy law. Or, competition may be driven by factors other than data in a particular market.

However, it is precisely the cases of tension, not complementarity, that will present agencies and courts with the most complex analytical challenges. Those cases will demand new analysis of tradeoffs between antitrust law and data privacy law. Further, those cases are likely to involve the complex businesses of digital platforms, which operate at the new nexus of antitrust and data privacy law. Despite this layered complexity, non-complementary interactions of privacy and antitrust have seen scant attention.

III. understanding tensions at the new antitrust/data privacy law interface

This Part completes the picture of the new antitrust/data privacy law interface, by providing a descriptive, historical and comparative account of the tension between these areas of law. It begins with specific examples where competition and data privacy are increasingly at odds in the digital economy: business justifications and data access remedies. Then, it adds broader legal context, with the history of the antitrust/consumer protection law interface, and a comparative account of this intersection of law in the European Union. Both suggest tension on the horizon between antitrust and data privacy. This Part concludes with the early-stage observation that, when presented with tradeoffs between data privacy and competition, the existing theories, institutional mandates and early law indicate a likely bias toward competition over privacy.

A. Examples of Non-Complementarity Emerging in the Digital Economy

There are at least two specific areas of tension emerging between data privacy and antitrust law in the digital economy. First, digital platforms are invoking data privacy as a business justification to defend against allegations of anti-competitive conduct. Second, scholars and agencies are calling for remedies that grant access to the data held by digital platforms. Such remedies implicate data privacy interests when they compel disclosure of consumers’ personal data. Neither of these scenarios is addressed by existing theories. They fall within the lacuna of antitrust and data privacy law interaction as separate doctrinal areas of law, in a manner that is non-complementary.

1. Data Privacy as a Business Justification for Alleged Anti-Competitive Conduct

Dominant firms are invoking data privacy as a pro-competitive business justification for alleged exclusionary conduct. For Sherman Act sections 1 and 2 misconduct subject to a rule of reason standard,53 the defendant may escape liability by proving it had a valid business justification for the alleged anticompetitive conduct.54 The plaintiff must first establish a prima facie case that the defendant engaged in anti-competitive conduct. If this is shown, then the defendant is afforded the opportunity to prove that it had a pro-competitive business justification for its conduct. Where the defendant establishes such a business justification, the court will typically find there is no antitrust law violation.55 In the past, intellectual property rights and consumer protection interests have both been invoked as business justifications—now the same is occurring for data privacy interests.

For example, the Ninth Circuit case HiQ v. LinkedIn described in the introduction to this Essay pitted HiQ’s claims of anti-competitive exclusion against LinkedIn’s justification of user data privacy protection.56 The plaintiff, HiQ, scraped data from individual consumers’ LinkedIn social network profiles, which the company then used to power its “people analytics” software.57 Although LinkedIn initially permitted this access to user data, it later blocked HiQ from LinkedIn servers.58 HiQ claimed its business could not survive without access to this LinkedIn user data. It argued the block constituted unfair competition, in service of LinkedIn’s own plans to introduce competing data analytics software.59

LinkedIn defended its termination of HiQ’s by invoking user privacy interests in profile data on the LinkedIn social network.60 HiQ, it argued, was violating user data privacy by disregarding user profile settings.61 LinkedIn is commonly used for professional networking. Changes to user profile information may therefore indicate an impending job search and employee departure. In fact, that was the premise of HiQ’s software—alerting employers as to which of their employees are at risk for leaving their job, based on changes to the employee’s LinkedIn profile.62 The problem, LinkedIn argued, is that users had purposefully engaged a privacy setting called “do not broadcast” in order to prevent such profile changes from being automatically broadcast to their professional social network, including their employers’ email
inbox.
63 Regardless of whether users had engaged the “do not broadcast” setting, HiQ was reporting those very same profile changes to employers.

Both the district and circuit courts considered whether LinkedIn users had expectations of privacy over their public LinkedIn profile data. Ultimately, the courts were skeptical of LinkedIn’s claim of user privacy protection, finding little concrete evidence of the privacy harm LinkedIn claimed would occur to users from HiQ’s continued access to their profile information.64 The Ninth Circuit upheld a preliminary injunction that required LinkedIn to restore HiQ’s access to consumer profile data.65 The injunction makes no mention of consumer data privacy settings, or how they might be accommodated for in the terms of HiQ’s access.

This judicial skepticism toward user data privacy interests in hiQ v. LinkedIn is at odds with the FTC’s regular efforts to protect similar consumer interests in online privacy settings. The FTC has pursued both Google and Facebook,66 among other companies, for gathering data in violation of user data privacy settings, or for misrepresenting users’ ability to rely on such settings to control who sees their information.As part of the new common law of data privacy, the FTC expects that digital platforms will honor user privacy settings—settings much like those disregarded by HiQ. If LinkedIn itself had violated the “do not broadcast” setting in the same manner as HiQ, LinkedIn could easily have faced section 5 FTC Act enforcement for misleading consumers about their ability to control the dissemination of their profile information.67 Yet HiQ, a third-party with whom users may have no relationship, was given a court order enabling it to overrule consumers’ chosen privacy settings. This remedy prefers data-driven competition over data privacy, at least at this preliminary stage of relief, with little explanation as to why that is better for consumers.68

Other digital platforms are similarly invoking data privacy as a business justification in response to allegations of anti-competitive conduct. Google, Apple and Facebook each face separate, but thematically similar, litigation or investigations alleging the companies excluded competing applications from their online platforms in violation of antitrust law.69 For both Apple and Google, the claim is that competing apps have been barred from their respective online app stores—or at least, that the digital giants have refused to allow competitors access on terms equivalent to those of their own vertically integrated app offerings.70 For Facebook the allegation is that the company excluded competing apps from its titular social media service, and the rich supply of user data that such access provides.71 Though it is not yet clear which, if any, of these allegations amount to violations of antitrust law,72 they are far from throwaway competitor complaints—European competition authorities are investigating some of the allegations against Apple,73 and a complainant against Google has already obtained a preliminary injunction that ensured its access to Google’s app store.74 Importantly here, these digital giants have responded to the allegations by invoking their need to protect user data privacy and security, as justification for the impugned conduct.75

The allegations made by Tile, an app company, against Apple exemplify the pattern of privacy/competition tension arising in these cases. Tile makes hardware and a related application that enables users to track important objects, such as wallets or house keys. In Tile’s complaint to European competition authorities, and in the recent House Report on Competition in Digital Markets, the company alleges that Apple impaired the ability of the Tile app to compete by favoring Apple’s own, rival tracking app called “Find My.”76 Apple forces the Tile app to use the default “off” setting for consumer location tracking on Apple’s popular mobile devices. Apple’s own Find My app, in contrast, is allowed to use a default “on” settings for user location tracking.77 Since users tend to accept default settings on apps, this seemingly small difference makes it much easier for Apple’s app to obtain user location data. Both the Tile and Apple apps require that location data to operate—and to compete. In response to Tile’s allegations, Apple has invoked its role in protecting user privacy, and cast itself as safeguarding sensitive user location data from third-party apps like Tile.78Apple claims the disparate treatment is merited, because Apple stores its app data locally on mobile device while Tile does not, creating greater potential privacy and security risks for user data on the Tile app.79

The Apple/Tile dispute presents legitimate and difficult questions about the tradeoffs between competition and data privacy. The FTC has recognized the privacy sensitivity of consumer location data, much like the data Tile and Apple both collect.80 The agency has also emphasized the privacy significance between opt-out and opt-in consent to the collection of location data.81 At the same time, it is plausible that competition between location-based apps would suffer from a lack of access to that same data. The main question will be whether overall competition is affected by Apple’s conduct, or if it only impacts Tile. Assuming that could be shown, but also that Apple is legitimately protecting user privacy, how will privacy be accounted for in the antitrust analysis (if at all)?

Antitrust analysis has not yet addressed whether user data privacy protection is cognizable as a business justification. Separatist theory, by assuming away any interaction between these areas of law, does not reach this question. Integrationist theory could be applied to assess whether the asserted protection of data privacy improves consumer welfare, and is thus a potentially valid business justification.82 However, no court, agency, or scholar has yet broached this analysis. Regardless, it is evident that these emerging scenarios do not fit into the existing narrative of antitrust/data privacy complementarity. Instead, they pit claims of anti-competitive conduct against the asserted business justification of consumer data privacy protection.

2. Antitrust Behavioral Remedies May Grant Access to Private Consumer Data

Antitrust behavioral remedies are another area of emerging yet largely unaddressed tension between antitrust and data privacy law. Scholars and some agencies are calling for antitrust remedies that compel access to, or disclosure of, consumer information held by digital platforms as a means of restoring online competition.83 For example, the head of the EU competition authority warns that “as data becomes increasingly important for competition, it may not be long before the Commission [the EU-level competition authority] has to tackle cases where giving access to data is the best way to restore competition.”84 Litigation against digital platforms, particularly monopolization claims, may well end in behavioral remedies that grant rivals compulsory access to the user data held by those platforms.

Although data access remedies have been granted in past merger and conduct cases against technology companies,85 contemporary remedies are distinguishable in their potential privacy impacts. Antitrust cases of old granted access to corporate information, such as business plans or technical data, like application programming interfaces.86 The defendant company owned and controlled the competitively important information, and therefore the compelled disclosure had no implications for privacy—it merely restored competition (or at least was expected to do so).

This is in stark contrast to the competitively important data held by today’s technology giants, much of which relates to individual consumers and their potentially private online activities. Our search histories, social media activity and other online behavior fuel the services of, and competition with, many digital platforms. At the same time, the FTC’s frequent pursuit of digital platforms under its de factoprivacy authority indicates consumer privacy interests in large swathes of the data these companies hold. If access to such data is necessary to restore competition with digital platforms, that access may well erode the privacy of consumers. Mandated access seems at odds with FTC efforts to ensure consumers can control the collection and use of their private online data. There is little agency, judicial, or scholarly discussion of whether an antitrust data access remedy might be conditioned on consumer consent to disclosure, or whether consumer privacy interests even extend to such remedial disclosure of
data.
87

Are consumers better served by a remedy that increases data-driven competition, or by the incremental data privacy that remedy wears away? Again, the assumption of complementarity between data privacy and antitrust does not hold for this remedies dilemma. Data privacy law seems to be pursuing interests at odds with antitrust law, and cannot be reduced to a factor within the antitrust analysis.

B. Historical and Comparative Legal Contexts Foretell Tension Between Data Privacy and Antitrust Law

This Section argues that the tension emerging between antitrust and data privacy is predictable when considered in the broader historical and international legal context. First, it argues that antitrust law has a history of tension at its interface with consumer protection law, and that portends similar interactions with data privacy law. Second, it examines the European treatment of tension at the equivalent intersection of competition and data protection law, and argues that it foretells similar interactions in U.S. law.

1. The Antitrust/ Consumer Protection Law Interface Suggests Tension is Likely with Data Privacy Law

Though under-acknowledged, the tradeoffs between data privacy and competition are predictable based on the history of interaction between consumer protection law and antitrust law. Since U.S. data privacy law arose from consumer protection law—both are based on enforcement of section 5 of the FTC Act— we can expect that similar interactions will occur where data privacy meets antitrust law.

Much like data privacy, consumer protection law is often cast as complementary with antitrust.88 The goal of antitrust is to advance consumer welfare through
competition.
89 This is often consistent with consumer protection law, which seeks to protect individual consumers from unfair and deceptive practices in the marketplace.90 Generally, the protection of consumers ought to improve their welfare. Antitrust law and consumer protection law have been called “sisters under the skin,” reflecting this macro-level similarity in their goals.91

Despite this, competition and consumer protection law can also clash at the margins.92 When consumer protection efforts stray too far into the marketplace, that can constrain rivals’ ability to compete, and cause a corresponding reduction in consumer welfare.93 On the other hand, competition entirely unbridled by consumer protection law leads to deceptive and unfair commercial conduct, which also harms consumers. Maximum consumer welfare lies somewhere between the extremes of each area of law. The result, as FTC Commissioner Julie Brill describes, is an overall legal intersection that is not just complementary but rather multi-modal: “Sometimes the principles at the heart of these two areas of law point to conflicting results, while at other times they work in harmony towards the same end.”94

The FTC has brought several challenges to trade and professional association rules that exemplify this potential for the two areas of law to point to conflicting results. Under its competition mandate, the FTC has long advocated against professional association rules that restrain the association members’ ability to advertise or to engage in other pro-competitive conduct. The agency has challenged the rules of associations of funeral directors,95 lawyers,96 doctors,97 chiropractors,98 dentists99 and optometrists100 as conspiracies in restraint of trade or other violations of section 5 of the FTC Act.

In some cases, the challenged rule is an obvious cover for industry collusion, and “no elaborate industry analysis is required to demonstrate the anticompetitive character of [the] agreement.”101 In these cases, there is no genuine tension between competition and consumer protection, because there is no genuine consumer protection interests at stake.

However, other cases, like California Dental Association v. FTC,102raise a difficult and legitimate conflict between competition and consumer protection interests. The defendant dental association enacted rules that limited member dentists from advertising about price discounts and service quality unless the dentists included extensive disclosures.103 Applying an abbreviated rule-of-reason (“quick look”) analysis, the Ninth Circuit affirmed the FTC’s conclusion that the association rules violated section 5 of the FTC Act.104 The onerous rules unreasonably restricted truthful advertising, which reduced ad-based price and quality competition for dental services, to the detriment of consumers.105

The Supreme Court reversed. The Ninth Circuit had too quickly dismissed the dental association’s justification of consumer protection.106 The dental association argued its advertising rules were important to prevent members from engaging in false or misleading advertising about pricing or quality, which protected consumers from unsubstantiated dental advertising claims.107 The Supreme Court concluded that the dental services market was characterized by “striking” information asymmetries between dentists and patients, which made it challenging for patients to make informed decisions.108 It was plausible that in such a market, the association’s advertising rules did, in fact, protect consumers, by making it easier for patients to comparison shop and by preventing dentists from making misleading advertising claims.109 The Supreme Court even speculated that the consumer protection benefits of the association rules might outweigh their costs to competition, though this determination was left to the lower court on remand.110 The Supreme Court vacated and remanded for further consideration under a more searching rule-of-reason standard.111

On remand, the Ninth Circuit found that the dental association had strong evidence of consumer protection effects from the advertising restrictions.112 Consistent with the Supreme Court’s suggestion, the Circuit also found that the pro-competitive benefits of consumer protection from the association’s rules outweighed the FTC’s limited evidence of anti-competitive effects.113

This saga of association advertising rules illustrates the tension at the margins between consumer protection and competition-driven consumer welfare. Though often explained as complementary, competition and consumer protection interests were at odds in this case.

A similar tension has appeared more recently, in the FTC’s opposition to state and municipal regulation of online funereal supply114 and online ride-sharing.115 States and municipalities have passed new regulations for these online industries with the intent of protecting consumer health and safety.116 The FTC is concerned that the new regulations will limit these online entrants from competing with industry
incumbents,
117 such as taxis (for online ride-sharing), and traditional brick and mortar funeral homes (for online funeral supply). The FTC has opposed certain new regulations through litigation118 and counseled regulatory restraint through agency advocacy.119 As in California Dental, consumer protection and competition are at odds at the margins in these matters. The FTC draws the appropriate tradeoff between the two interests at a different point than certain state and municipal actors.

This history of tradeoffs at the edges of consumer protection and competition suggests similar interactions will arise between data privacy and antitrust law. Data privacy law is a subcategory of consumer protection law in the United States. Such closely related areas of law are likely to have similar modes of interaction with antitrust. Like the intersection with consumer protection, we might expect that competition and data privacy are complementary in many cases—which perhaps explains why theories have focused on such complementarity so far. But we should also expect to see certain cases in which data privacy and antitrust interests are at odds at the margins.

Such tension is already emerging in the digital economy when privacy is asserted as a business justification for anti-competitive conduct, and in calls for remedies that grant access to data on digital platforms.120 Further, it is easy to imagine a scenario akin to that of California Dental,where data privacy, rather than consumer protection, is invoked in defense of allegedly collusive conduct. An association might, for example, adopt a new privacy-enhancing rule that prohibits its members from using consumer data for targeted online advertising. Like the challenged rules in California Dental, such a restriction could also be cast as reducing ad-based price competition.

Where data privacy and competition are notcomplementary, the consumer welfare tradeoffs are likely to be complex. The winding history of cases like California Dental and the recent FTC actionon online industry regulation, suggest that various courts, agencies, and branches of government may also differ on where to draw the appropriate balance between the interests of competition and data privacy.121 Given this impending complexity, it is time to consider how to navigate tension at the new antitrust/data privacy interface.

2. The European Competition Law/Data Protection Interface Indicates Tension on the U.S. Horizon

The European Union experience at the intersection of data privacy and antitrust law foretells tension between these two areas of law in the United States.

The obligations and the enforcement of European data protection law and competition law tend to be more robust than their U.S equivalents. Data privacy is a fundamental right in the European Union, protected by constitutional law and, as of May 2018, the wide-reaching new privacy regulation, GDPR.122 This rights conception often translates into stronger data privacy protections than those afforded by U.S. law, where the jurisprudential roots are only as deep as consumer protection doctrine. For example, the European Union prohibits processing of personal information by default; protected data may only be collected, transferred, and used when permitted by law. American privacy law takes the opposite baseline position—data use is de facto permitted, unless the law states otherwise.123

European competition law, particularly the prohibition on abuse of dominance, is also more onerous than its Sherman Act equivalent.124 For example, European competition law imposes special obligations on dominant firms, which makes it easier to bring unilateral conduct cases under E.U. law.125 There is no equivalent U.S. legal obligation on monopolist firms. European competition authorities have also been significantly more active than their U.S. counterparts in pursuing abuse of dominance cases against large technology platforms. The European Commission has several ongoing investigations into technology giants,126 and has already imposed multiple fines on Google for abuse of dominance.127

In the face of more robust antitrust and data protection laws, European competition agencies and scholars have already begun to examine the interaction of these two areas of law in earnest.128 There is a new but growing body of literature and agency reporting that maps the varying modalities of interaction between competition and data protection law, including potential conflicts. The scholarship recognizes that data protection and competition law can be either complementary or in tension,129 considers whether GDPR would prohibit data processing for the purposes of an antitrust data access remedy, 130 and considers whether data privacy may constitute a business justification for anti-competitive conduct.131 There is little consensus on these emerging issues, but this European work acknowledges and begins to theorize the tension between antitrust and data privacy law in a manner absent from the U.S. dialogue.

Some might explain away this European experience as inapplicable to U.S. law and policy. As canvassed above, there are legitimate distinctions to be drawn between U.S. and E.U. law. In particular, the existence of data privacy as a right in European Union law may strengthen the rationale for considering privacy in antitrust analysis.132 These differences may lead some to conclude that tension is not under-acknowledged in the United States, as this Essay argues, but rather nonexistent.

However, it would be a mistake to assume these differences render the European experience irrelevant. Both U.S. data privacy law and anti-monopolization law are undergoing eras of expansion. These developments nudge the American legal landscape closer to that of the European Union, and renders the E.U.’s equivalent interactions of law increasingly instructive, even if not identical to the United States.

The expansion of U.S. data privacy law is apparent by many different measures. There have been numerous proposals to enact omnibus federal data privacy protection legislation,133 and the concept has raised bipartisan support. In the interim, the FTC is expanding the new common law of data privacy, moving beyond the agency’s early enforcement of company privacy promises to require more robust, baseline privacy protections rooted in consumers’ reasonable expectations of privacy.134 The scope of data considered “personal,” and thus subject to such reasonable expectations, is ever-expanding, as we better understand the potential for cross-identification and de-anonymization in digital environments.135 State data privacy law is also expanding, with the first ever broad-based data privacy protection statute enacted in California in 2018,136 and other states passing recent biometric and facial-recognition data protection laws.137

At the same time, there is renewed agency and political will to enforce U.S. antitrust laws.138 Some scholars label this rise of both U.S. data privacy regulation and antitrust law the “Brussels Effect,” referring to the exportation of EU legal standards through their influence on foreign nations.139The European experience at this interface of law is thus relevant to the U.S. The European perspective indicates that, as antitrust and data privacy become “bigger” in the U.S., the interaction between these areas of law will become more expansive and complex as well. The European literature also confirms that not all of these newfound interactions will be complementary, as U.S. theories have so far tended to presume.

If privacy becomes a personal and fundamental right in the United States, as some argue it should be,140 that would even raise the potential for a European-style hard conflict between the obligations imposed by data privacy law and those under antitrust law. Certainly the “rights talk” conception of European privacy law has been spilling over into U.S. political discourse and state legislation.141 But, even if data privacy remains a consumer protection interest in U.S. law, the current expansion of that interest will present growing tradeoffs with data-driven competition. Though the magnitude of the collision may be less than in the European Union, we can expect to see similarly expanding tension at the interface of U.S. antitrust law and data privacy.

C. Competition is Likely to be Preferred over Data Privacy

The necessary implication of tension at the new antitrust/data privacy interface is that choices will have to be made between competition and privacy interests. This Section suggests that competition is likely to be preferred over privacy and observes very early indications this may already be occurring—whether or not that preference is justified, or even acknowledged.

Existing theories and institutional context create a “competition first” perspective at the intersection of antitrust and data privacy. The leading theory—the integrationist view—treats data privacy as a factor to be subsumed into existing antitrust understanding. 142 This makes sense, given that the origin of the theory is, of course, antitrust law. However, this also builds into the analysis a perspective of competition primacy. The institutions involved reinforce this primacy. It is predominantly agencies of
antitrust,
143 not of data privacy, that are considering the implications of this intersection of law. The mandate of antitrust agencies is to advance competition, not privacy. In fact, antitrust agencies have expressed skepticism as to whether they have jurisdiction over interests of data privacy.144 In this theory and agency context, the tendency will thus be to prefer competition when faced with a data privacy tradeoff.

Competition primacy is predictable from the courts as well, because data privacy harms remain emergent and often ill-defined in law.145 The FTC has faced resistance from courts on jurisdictional grounds when it alleges only soft, nonfinancial privacy harms, such as risk of identity theft, in its complaints.146 Amorphous privacy harms can be difficult to substantiate with adequate evidence, and so tend to be afforded minimal weight in balancing against more readily articulated and evidenced harms—like those to competition. Daniel J. Solove observes a similar phenomenon where data privacy is being balanced against other (non-antitrust) interests like free speech or data security, which are more readily articulated and weighed against ill-defined data privacy interests.147

Though in its early stages, this hypothesis of bias seems to be emerging in cases like HiQ v. LinkedIn. The Ninth Circuit found LinkedIn presented “little evidence” of the claimed consumer privacy interests in social media profile data and settings.148 Even if users have privacy interests in their LinkedIn data, the court found that those interests were not significant enough to outweigh HiQ’s interest in continuing its business, at least at the preliminary injunction stage.149

All of this may mean countervailing data privacy interests are prone to being too easily discounted, much like the consumer protection interests were in the sagaof California Dental. Particularly at this early stage of understanding the antitrust/data privacy law interface, we should resist an automatic preference for competition. Any such preference would rely on unexamined assumptions that competition is always preferable to privacy in its effects on consumer welfare, which seems like a premature conclusion. Instead, where competition is preferred, that preference ought to be considered and justified with an analysis that accounts for both interests. Acknowledging the tradeoffs between data privacy and competition that are emphasized in this Essay is a necessary first step to develop such an analysis.

IV. a proposal for analysis at the new antitrust/data privacy law interface

This Part proposes an initial approach to analyze claims of tension at the new antitrust/data privacy law interface. This proposal begins to fill in the gaps left by existing theories by considering how antitrust law and data privacy law interact as separate, non-complementary doctrinal areas of law.

When a legitimate but countervailing privacy interest is raised in an antitrust
dispute,
150 the analytical starting point should be to grant equal billing to both areas of law. This means that in determining the scope of permitted conduct, neither antitrust law nor privacy law would be presumed to have primacy over the other. Nor would conduct that is encouraged or required by one area of law be considered necessarily immune from the other area of law. Instead, the importance of the respective interests at stake in antitrust and data privacy should be considered and then weighed against each other.

In practice, application of this approach will require courts and agencies to delve into the strength of the specific data privacy and competition interests at stake. This would include considering, on one hand, the centrality or importance of the principle being invoked in data privacy law, and, on the other hand, the degree to which competition is impeded by the alleged misconduct. Traditional antitrust assessments of anti-competitive effects and market power would remain relevant, but potentially offsetting legal considerations related to data privacy would also be considered. Those offsetting considerations would be determined with reference to data privacy law, and the reasonable expectations of privacy recognized in it. This analysis could look much like the rule-of-reason analysis in California Dental, where the court considered how the specific market context informed the strength of the claimed consumer protection interests. The difference is that the analysis here would be specific to data privacy harms, rather than general consumer protection considerations.

This proposed analytical paradigm is modeled on approaches that have developed over time at the intersections of antitrust with other major doctrinal areas of law, like patent and consumer protection. For example, over their shared history, patent and antitrust law have long vacillated between primacy of one area of law or the other, as reflected in various judicial presumptions and agency guidance.151 However, as theories of this intersection developed over time, many of these simplifying presumptions were dropped.152 In their place, the most recent Supreme Court case on the antitrust/patent interface emphasizes that both patent and antitrust policies are relevant to determining the scope of conduct permitted by a patent rights holder.153 The decision expressly rejects a lower court approach that assumed primacy of patent law and instead encourages courts to seek an “accommodation” that strikes a balance between patent and antitrust.154

Under this approach, the interests of both areas of law are recognized, and shape their intersection. If antitrust law oversteps and impedes efficient, legitimate uses of patent rights, it can undermine patent law-created incentives for innovation. Conversely, if patents are upheld despite being invalid or overbroad in their enforcement, those patent “rights” disrupt competition, by discouraging follow-on innovation with unmerited licensing costs and litigation.155

Cases like California Dental reflect a similar approach of accommodation at the antitrust/consumer protection interface, though it is not described this way in the decision. When consumer protection is invoked without justification, or strays too far, it impedes the value-driving effects of competition and harms consumer welfare.156 When competition is unbridled by the limits on deception and unfairness imposed by consumer protection law, that competition reduces, rather than improves, consumer welfare. These areas of law and policy are mutually defining, with each reining in the other.

The approach proposed here affords similar, mutual relevance to each area of law in shaping the antitrust/data privacy interface. It recognizes that if data privacy interests are over-expanded or interpreted beyond their appropriate scope, that interferes with legitimate and beneficial uses of data to compete. Such an interpretation of data privacy would undermine the benefits to consumers from the use of their data, such as free and personalized digital services. Conversely, if antitrust law or competition policy oversteps, going too far in their compromise of legitimate data privacy protections in the name of competition, that also harms consumers.

This accommodative approach makes sense for the new antitrust/data privacy interface. It draws on the wisdom of more extensively theorized intersections between antitrust and other areas of law. At the same time, it corrects for an otherwise-likely bias of theories, agencies and courts toward a preference of competition over data privacy.157 Instead of allowing this unexamined competition primacy, the proposed approach reorients to a starting position that grants equal billing to both areas of law. It automatically prefers neither. As courts and agencies become more familiar with the antitrust/data privacy law interface, their repeated analysis of similar conduct may enable presumptions or shorter-form analysis of related consumer welfare tradeoffs. Until then, this Essay calls for an approach that considers the strength of the interests at stake in both areas of law.

Conclusion

We are only beginning to understand the interactions between data privacy, competition, and related law. So far, antitrust theories have either cast data privacy as a quality-like factor within antitrust analysis, or dismissed privacy as an entirely separate legal issue.Under both views, data privacy interests tend to be explained away as complementary with those of competition.

Such characterizations may often be accurate, but this Essay argues they are also incomplete. Particularly for digital services, antitrust and data privacy law share a multi-modal interface, at times complementary, and at times in tension. By focusing only on complementarity, existing theories leave unexamined the more complex situations where data privacy is traded at the margins for data-driven competition, or vice versa. In particular, theories tend to overlook the role of data privacy law as a distinct area of legal doctrine that, at times, pursues interest at odds with those of antitrust law.

This Essay adds a new facet to our understanding of the antitrust/data privacy interface, with a descriptive, historical and comparative account of tension between the two areas of law. It presents the related history between antitrust and consumer protection law, and describes the comparative European legal perspective. Both indicate an impending clash on the horizon between these two areas of law. This reality of tension is already materializing in claims that data privacy is a business justification for anti-competitive conduct and in calls for antitrust remedies that grant access to potentially private consumer data.

This Essay concludes with a proposed approach to analyzing tension at the new antitrust/data privacy interface. The proposal is premised on wisdom from other, more established doctrinal intersections with antitrust law. Where claims of legitimate, but conflicting, data privacy and competition interests are made, this proposal calls for both doctrines to be treated as relevant in determining the scope of permitted conduct. Neither privacy nor competition is presumed to have primacy. Instead, this approach evaluates the importance of the interests at stake in each area of law with reference to the specific conduct and context of the case. This proposal corrects for early indications that competition may be granted automatic primacy over data privacy. Instead, this proposal offers a more nuanced analysis of the new antitrust/data privacy interface that befits its importance to the digital economy.

Erika M. Douglas is an Assistant Professor of Law at Temple University, Beasley School of Law.