This is a chapter from the book Data Ethics – The New Competitive Advantage by Gry Hasselbalch and Pernille Tranberg published September 2016.
Several significant lawsuits prompting large-scale media debate and political discourse have focused on American tech giants’ treatment of European law and European legislators’ enforcement of it (or lack thereof). Key questions have been raised as to the legal jurisdiction of these tech companies’ practices. Which rules and laws should they follow, particularly in relation to the collection and processing of data, and their practices relating to tax matters or competition challenges? Business cultures and cultural approaches have been clashing also.
Data has become a many-faceted legal issue and a cultural and intergovernmental matter. These tensions are symptomatic of the type of processes that emerge from global conditions, which in turn create conflict between local systems, laws and cultures. But new global standards and agreements are emerging. Global standards are being negotiated and roles, rights and responsibilities being distributed. The new European Data Protection Regulation will most likely be approached as a paradigm and, as such, it’s already being looked to accordingly by governments, businesses and organisations around the world. In addition, the way in which data and the commercial concentration of it is viewed in the context of EU competition law (together with American anti-trust laws, the world’s most influential competition regulation system) will establish a precedent for the way competition is negotiated internationally.
Competition in the Global Data Era
Nettby. In this millennium’s first decade, a thriving social network called Nettby cropped up in Norway. It was an open place where anyone could create a page and publish images, express opinions and interests, and share other information. In your guestbook, friends and everyone else wrote messages, and you could read what others had written. There were thousands of groups discussing everything from politics to child care. Users were moderators or volunteers, while Nettby itself had nine employees. Over 800,000 people inhabited Nettby; it was a solid success. Its main shareholder, VG, exported Nettby to Sweden and laid out a plan to expand to the rest of Europe. But in 2010, Nettby closed (Nettby, no.wikipedia.org, 2016). One reason was that some municipalities in Norway blocked access to Nettby in schools in 2009 because students simply spent too much time on the social network. Everything started to go downhill and users left Nettby in favour of other social networks – particularly Facebook, to which the municipalities never blocked access.
Nettby is one of several European social media companies that did not survive the web’s first commercial chapter. In Holland there was Hyves, which had over 10 million users at its peak but closed in 2013 because its online community moved to Facebook and Twitter. In Denmark there was Arto, which, considering the country’s size and e-readiness in 2007, had a good half a million users. Arto ended up a ghost town before it finally closed in 2016 (“Et af Danmarks første Sociale Medier Lukker”, Finans, 2016). In the UK there was Friends Reunited (Friends Reunited website to close down, BBC, 2016). They thrived, struggled, then finally gave up.
Similar stories unfolded in other European nations. Though the Internet globalised the market, cultural values and laws remained local. Companies all over the world suddenly faced new global opportunities without the global rules to match, not to mention cultural values. And with so many different European languages they lacked a large, common, domestic market to grow in before going global. Some European companies consequently lost the international competition battle; they were fighting on uneven footing with companies moving forward under less strict data protection standards, innovation practices adapted to operate within legal grey areas, and more fiercely-competitive business cultures. One might argue that for many years, unresolved issues of jurisdiction and special deals, such as the Safe Harbour Agreement, created a free space in Europe, especially for the US-based Internet industry. This free space is becoming more and more restricted, however. Years – and a series of judgments and lawsuits – later, it’s much more apparent that jurisdiction is not limited to the physical position of a company and its servers, but includes the places where users are located.
Europe vs Facebook
As a result of the discussions and international pressure from the EU regarding new tech companies’ jurisdictions and responsibilities towards European citizens, Facebook announced in 2008 that it was moving its international headquarters from Palo Alto in Silicon Valley to Ireland. From that day forth, the Irish Data Protection Commission became the main authority overseeing Facebook’s handling of all data pertaining to European users. The Irish Data Protection Commission offices sit above a small, lonely grocery store in a minor Irish town. It has limited resources and is evidently not very well-equipped to enforce legislation which involves the protection of data belonging to millions of European Facebook users. Unsurprisingly, it has also been criticised for not flexing a bit more muscle when dealing with the social networking juggernaut. One of its most outspoken critics, Austrian advocate Max Schrems, filed a complaint, Europe v Facebook, against Facebook Ireland Ltd. with the Irish Data Protection Commissioner. The Commissioner rejected the complaint, and Schrems then filed an application for judicial review in the Irish High Court, which passed it on to the EU Court of Justice to assess a possible breach of Article 8 (the right to privacy) of the European Human Rights Charter. The main focus was the Safe Harbour agreement and, in light of the PRISM programme revelations, the court ruled this agreement invalid in 2015.
Along with 25,000 other Europeans and the support of many more, Max Schrems has also filed a class-action suit against Facebook regarding its privacy policy, its participation in the NSA PRISM program, data use via Facebook Graph, apps, and tracking via like-buttons, big data systems for monitoring users, and the failure to comply with user requests for access to their data. The case, also referred to as EU v. Facebook, was at first rejected by the court in Austria, which pointed out the case should be pursued in Ireland. However, it has now been brought to a higher court in Austria via the appeals process.
With the EU General Data Protection Regulation, the responsibilities of European Data Authorities have been reinforced. Each member state is to establish a Supervisory Authority (SA) to hear and investigate complaints and sanction offences, with each nation’s SA helping the other’s and the organisation of joint operations.
Belgium vs Facebook
The Belgian data protection authority (the Privacy Commission) has also filed a suit against Facebook. It believes Facebook violates European data protection law by tracking EU residents who do not have profiles on the social network through use of the DATR cookie. The Belgian Privacy Commission won its first case, and Facebook had stopped tracking non-users there, but the social media giant then appealed the case. In June 2016, the Belgian appeals court rejected the filing on the grounds that Ireland has jurisdiction – a major victory for Facebook. (Facebook wins privacy case against Belgian data protection authority, Reuters, 2016).
A number of other European data protection authorities, with the French first and foremost, support the Belgian Privacy Commission. In February 2016, the French data protection authority (CNIL) ordered Facebook to stop tracking people who do not have a profile on the site and to halt parts of their data transfers to the USA.
Germany vs Facebook
The Germans have attempted to enforce their national data protection legislation in relation to Facebook also. For example, the data protection authority in Schleswig-Holstein tried to prevent Facebook from applying its real name policy to German citizens. The authority maintained that Germans have a legal right to anonymity, but Facebook won the case by claiming that the trial should be held on its home turf in Ireland. Later, the data protection authority in Hamburg made an administrative decision and declared that Germans have the right to use names other than their own on Facebook. The Director of the Hamburg authority, Johannes Caspar, eventually lost the case against Facebook in the German Court, which agreed that the matter should be settled in Ireland. The case’s fate is now in the hands of the EU court reviewing the decision.
The Germans, however, are not letting go. In March 2016, the Bundeskartellamt, which has more resources than the local data authorities, initiated proceedings to investigate suspicions that Facebook, with its specific terms of service regarding user data, has abused its presumably dominant position in the social networking market. The German competition regulator is working closely with other European authorities and the EU Competition Commissioner, Margrethe Vestager. At a meeting in Copenhagen (“Facebook privacy issues may not be competition matters”, Reuters, September 9th 2016) in September 2016 she said:
“The German authority is concerned that Facebook may have forced its users to accept privacy terms that aren’t in line with the data protection rules.”
Privacy in the EU and the USA
European and American approaches to the right to privacy and data protection are fundamentally different. The US law professors Daniel J. Solove and Paul M. Schwartz have suggested that the difference lies in the underlying philosophy, which includes the very definition of what personal data is, and thus in the way data protection and privacy are implemented: “Besides functioning differently, EU and U.S. privacy law have different underlying goals and different structures. As an initial matter, EU law views privacy as a fundamental right, while U.S. law considers it one interest that is balanced against others. It may even be secondary to other concerns, such as freedom of speech.” (Reconciling Personal Information in the United States and European Union, Paul M. Schwartz and Daniel J. Solove, 102 Cal. L. Rev. 877, 2014).
In Europe the right to privacy is defined directly in several legal instruments – the EU Charter of Fundamental Rights and the European Convention on Human Rights. In addition, the EU Charter has a right to data protection, and the Council of Europe’s Convention 108 is only about data protection. The right to privacy, however, is only indirectly mentioned in the US Constitution’s 4th amendment, which describes people’s right “…to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures…”, essentially a protection against governmental interference. The word privacy is not mentioned anywhere in the US constitution, while the right to freedom of expression is the constitution’s 1st amendment and as such has generally been given more weight. Fundamentally in the United States, the right to privacy has first and foremost been defined as a consumer right and is more a question of risk management for most companies.
Data protection legislation in Europe is detailed (Chap. 9), applies to both public and private companies, and provides broad coverage with few exceptions. In the United States, the Federal Trade Commission (FTC) is the body charged with preventing “unfair methods of competition in or affecting commerce and unfair or deceptive acts or practices in or affecting commerce.” (U.S. Code § 45 – Unfair methods of competition unlawful; prevention by Commission). In matters of privacy, the FTC has to enforce privacy promises made in the marketplace.
In general, data protection in the United States consists of several laws aimed at specific industries. There is COPPA, which regulates the use of data on children, and HIPAA, which regulates the use of health data. There are special regulations regarding financial activities and credit companies, as well as those specific to individual states. There’s also the Federal Trade Act (FTA), which prohibits unfair company practices throughout the country. The FTC (which enforces the FTA) has brought forth more than 100 cases related to privacy and data security and smacks offenders with heavy fines for unfair or deceptive practices.
American privacy regulation is based on corporate self-regulation. A company promises to treat, collect and protect data in an ethical way and the FTC only steps in, often with heavy fines, if it does not fulfil what it pledged to do. In the United States, regulation happens in retrospect, only after an issue has occurred (e.g. a hack, a data leak or other), while in the EU, the approach so far has been mostly preventive with detailed data protection laws with very low fines for violations. That being said, the new EU data protection regulation will surely bring about a change.
All in all, the difference between the two in terms of data legislation enforcement is as big as the ocean which separates them. But there has been some effort to reconcile their contrasting approaches. EU Commission Director of Fundamental Rights and Union Citizenship, Paul Nemitz, stated as much quite clearly at the European privacy conference CPDP 2015:
“In the best of worlds we would have shared European data protection rules with US enforcement.”
Privacy Professionals
In the book Privacy on the Ground, Kenneth A. Bamberger and Deirdre K. Mulligan explain how the basic difference in approach plays out among data protection and privacy professionals in the US and Europe. They interviewed professionals in charge of data protection at large private companies in Germany, Spain, France, the UK and the USA. While the Spanish tend to see privacy as legal text and an extra burden, the French are active in a way which is similar to the Germans: by addressing regulations and by making privacy a corporate social responsibility. The English in turn perceive privacy as the Americans do, as a competitive factor that can increase digital trust. The authors make another interesting observation: despite differences in their cultural environments and respective data protection regulations, German and US privacy professionals appeared to have the strongest privacy management practices. They describe privacy as an important strategic area that goes much deeper than just compliance with the law, becoming a social value and a core social responsibility.
The Right to be Forgotten
The Internet and its search engines have created public, historical traces on individuals, providing facts about a person from both the present and the past. While this information is important for us to access all the relevant information about a person we may want to hire for a job, trade with or live next to, it can also violate that person’s right to privacy.
In Europe, an individual’s control over historical information in public archives has always been part of the way in which privacy is managed.
If someone has been convicted of a crime but later acquitted, he or she has had the ability to ‘delete’ that criminal past from publicly accessible archives and start fresh. In the US, there’s a clear emphasis on the public’s right to information and freedom of expression, which has been taken one step further with the Internet. Searchable digital archives on previously convicted felons and online portals that review teachers, boyfriends and girlfriends are not uncommon. The ‘right to be forgotten’ or ‘the right to erasure’ debate in Europe exemplifies the fundamental differences on each side of the pond in what level of control an individual has over his or her historical data in public archives.
In 2014, the EU Court of Justice ruled on this very issue with its ‘Right to be Forgotten’ judgement (RTBF). A man asked the newspaper La Vanguardia to remove a link to an old article about an auction notice on his foreclosed house, related to a debt he later paid. The Spanish Data Protection Agency refused his claim, but agreed to his complaint about Google’s links to the article and asked the search engine to remove them. Google then brought the Data Protection Agency’s decision to the national court which referred the case to the EU Court of Justice. There it was decided that Google and other search engines are in fact data controllers of the content they link to (as they are indexing and thereby processing it). Any failure to react to such complaints and, in relevant cases, delete links to the information in question would be deemed a serious infringement of a citizen’s right to privacy and data protection under the EU Charter of Fundamental Rights. Though the verdict does underline the importance of information of public interest, in essence it emphasises the individual’s right to privacy via control of historical personal data. As a result of the judgment, hundreds of thousands of Europeans requested that Google remove links from its search results, which many perceive as the main portal for creating a digital profile of a person.
Sale to Third Parties
One important difference between European and US privacy legislation is that American companies, in many areas, do not have to obtain consent to resell customer data to third parties. In the US, data on people is traded more freely by so-called data brokers, among others. In the EU, however, all websites with cookies have to obtain informed consent from users before collecting data – a rule with the good intention of informing users and ensuring their consent, but which unfortunately has perhaps ended up blinding Europeans to their right to consent, as many just tick the cookie consent box to access a website. In many ways, the whole idea of consent, heavily emphasised in the new EU data regulation, has been watered down. When you register for a website, for example a social media site, you allow it to use your data for a wide range of purposes (which includes trading your data) without thinking twice.
The New Data Monopoly
In today’s digital infrastructure, data has become a company asset. It has a status similar to that of oil, steel and railways during the Industrial Revolution, where competition law was practically invented. Although American authorities dropped an antitrust action against Google, the European Commission has been running a similar case against Google Search for years, and in 2016 Android became a new focus area, as did Google Shopping. In essence, Google is accused of favouring its own services and thus hampering competition on its platforms, forming, in other words, a monopoly.
Margrethe Vestager (Interviewed for the book December, 2015), the European Commissioner for Competition, is particularly aware of data as a determining power factor in the digital economy: “We are not used to treating personal data as profit, and now suddenly it’s a means of payment that we can’t see the exact value of when we pay. This is one of the reasons why data and big data in particular needs to be viewed as an asset, an economic factor – just like we do with turnover. We need to ensure that the users paying with data for ‘free services’ have the same rights as when they pay with money”.
She continued: “Privacy is a fundamental right and important for our right to self-determination. We must decide with whom we share our data and for what purposes. There is no price on privacy, and many say that they don’t care. Personally I think that is crazy, and I think we need a legal framework that protects our data.”
Vestager doesn’t think that companies from the US, where data protection regulation is less strict, are necessarily the ‘bad guys’: “It’s not important who owns a company or from which country it comes from. What matters is the company’s conduct. We are not at war with anyone. We are looking at conduct to ensure that it doesn’t have an effect on pricing or innovation in a way that is harmful to the consumer.[…]In the EU we have some considerations in regards to work conditions, the environment, tax payment and respect for data protection law. We have a European culture and a regulated market economy in Europe that considers these things. This is, in my opinion, crucial.”
At face value she doesn’t think that competition law will fix the problems regarding the challenges to privacy, even with the new EU Data Protection Regulation. But “if a company’s concentration and use of data destroys competition, we will need to ensure a level playing field.”
Within the past few years, European politicians have been increasingly looking at global companies’ data practices as factors with a direct impact on competition. As data becomes more and more valuable, a heavier spotlight will be put on corporate accumulation and capitalisation of data. The data monopoly’s effects on competition can be described accordingly:
- Winner-takes-all. Number one on the market takes it all, e.g. Google dominates 90% of the European online search market.
- Closed platforms. It’s difficult and expensive for consumers to change service providers, e.g. to leave Apple’s platform.
- Acquisitions. Big businesses acquire smaller competitors before they grow too big, e.g. Facebook’s acquisition of Instagram or Amazon’s of Zappos. Within the artificial intelligence field we are seeing five companies, Google, Amazon, Facebook, Apple and Microsoft, buying up most AI start-ups. (“Why AI consolidation will create the worst monopoly in US history”, TechCrunch, 2016)
Ousted by ‘Free’
Between 2001 and 2005, the Danish web analytics firm Netminers was doing quite well. There were other players on the global market, and competition was fair. However, in 2005 Google acquired the US web analytics firm Urchin. Google Analytics, GA, was soon to follow: a web analytics tool ‘freely’ available for everyone, even for those who aren’t Google’s own customers. This changed the market for Netminers and other web analytics providers charging money for their services. Some of the providers went bankrupt; others managed to reinvent their services. Netminers decided to bet on the larger customers in the high-end market that Google had not yet conquered, but that was only a question of time. Today, Google controls 80% of the market for web analytics.
Netminers’ CEO, Christian Vermehren (Interviewed for the book March 2016), believes that these are unequal conditions for competition: “If you have a dominant position in a market and dump the prices below the production costs, we need to ask if this is legal according to anti-trust law. […] The other thing is the personal data and cookie regulations. If you have Google Analytics on your site, then you can’t say anything about what the purpose of your data collection is, although it’s a requirement, because you have no idea about how Google uses this data. These sites should actually have a data processing agreement with Google, but Google does not offer this.”
Netminers. The Danish company Netminers sells web analytics tools and offers businesses personalised dashboards with segmentation tools to optimise their websites. Although in direct competition with Google Analytics, Netminers is slightly different because customers have control over the data collected and they get a data processing agreement – required by law – with the company. After years of fierce competition with ‘free’ Google Analytics, Netminers are experiencing a growing interest in its services, precisely because of the need for businesses to control their data. Several Danish public institutions have chosen Netminers’ product over GA.
Balkanisation and Protectionism
In a completely different ballpark, there’s China. In July 2015, the Chinese government imposed a series of laws that encourage companies to develop products for the national market, using local suppliers. All new digital services and components which arrive from the international market are copied, developed and replaced by a local Chinese version – with Chinese governmental support. The Chinese already have their own Amazon, Facebook and Google. They have Alibaba, WeChat, Weibo and Huawei. The fact that China operates in a protectionist manner is perhaps not surprising. For years, Europe has embraced the global tech industry’s local investments and even the transfer of companies from the Continent to California. But we see emerging protest. More and more Europeans are asking for equal enforcement of stricter data protection legislation. Germany and France have built their own national networks; Schlandnet and Sovereign Cloud. France also invests millions of euros in start-ups to develop the national digital infrastructure. Australia, China, India and Russia have adopted legislation barring their citizens’ personal data from being moved out of the country, causing cloud companies to build data centres within local boundaries. And Germany does not want its nationals’ sensitive personal data placed in the cloud services of companies headquartered in the USA.
Microsoft vs USA
The US government has sought to gain access to American-run corporate servers located outside its borders. But in July 2016, Microsoft won in New York’s 2nd Circuit Court of Appeals, in a case brought about by the US government’s demand for access to emails involved in a narcotics case. With the judgment, Microsoft has been exonerated from handing over emails or other data stored on its servers outside the United States, in this case in Ireland. The verdict is of critical importance, especially for the economic potential of American companies in Europe. The four largest cloud services in the EU are from the US and they control 40% of the entire European market (“U.S. Tech Firms Dominate Cloud Services in Western Europe”, The Wall Street Journal, 2016). Despite a balkanisation trend, their market shares are increasing; they’ve built new, large data centres in the EU, large enough to offer data storage which is very cheap, flexible and – after the Microsoft judgment – also safe from NSA access. If US companies were unable to protect European data on European soil, they would be quite badly off. What remains is for the US government to ask for access via the government in the country holding the data. In Microsoft’s case, Ireland said that it would have been open to help the US government, but that it never was asked in the first place (“US cannot force Microsoft to hand over emails stored abroad, court rules”, The Guardian, 2016). Microsoft has already protected against the risk that the US government could be granted access to data on European soil by partnering with T-Systems to deliver a cloud service under German jurisdiction (Chap. 4).