The importance of ensuring the privacy and protection of personal data has resulted in the development of legislation, such as Protection of Personal Information Act 4 of 2013 (POPIA) in South Africa and the Data Protection Act 24 of 2019 (DPA) in Kenya. Given the sensitivity of personal data and the growth of data analytics and sectors dependent on data-driven decision making, there have been growing calls for data protection and data privacy to be an important parameter of competition analysis.
Developments and cases
There has been a push by various regulators to incorporate privacy and data protection issues in competition regulation, particularly in merger assessments.
In 2014, the European Data Protection Supervisor (EDPS) issued a preliminary opinion titled “Privacy and competitiveness in the age of big data: The interplay between data protection, competition law and consumer protection in the digital economy” in which the EDPS advocated for a more joined-up approach to data protection with competition regulators.
In 2015, the UK’s Competition and Markets Authority published a report on the commercial use of consumer data and the interactions between competition and privacy outcomes. The report investigated the benefits of collecting consumer data and found that, despite economic growth opportunities, there is a prevalent risk of consumer data being used to manipulate markets and discriminate against different consumers. The report also noted that this risk is heightened when a firm has significant market power.
In 2016, a joint report between the German and French competition authorities, also considered the interplay between competition law and data. While it noted that privacy concerns are not “within the scope of intervention of competition authorities”, it also stated that:
“… privacy policies could be considered from a competition standpoint whenever these policies are liable to affect competition, notably when they are implemented by a dominant undertaking for which data serves as a main input of its products or services.”
The aim of including data protection considerations in merger assessments is to ensure the protection of consumers from a reduction in the quality of data protection and privacy. A reduction in quality of data protection could occur if an acquirer firm alters its data protection policies post-merger or merges its data sets with those of the target firm.
In light of this, there has been a progressive push by regulators to assess the impact of mergers on consumers and consumer data. However, these regulators still consider that data privacy issues fall outside the realm of competition law and should be addressed by data protection regulators rather than competition regulators.
With respect to several mergers, the European Commission (EC) has held that privacy related concerns as such do not fall within the scope of EU competition law but can be considered in the competition assessment to the extent that consumers see it as a significant factor of quality, and the merging parties compete on this factor.
In 2018, the EC considered the merger between Apple Inc and Shazam and looked at the role of consumer data in the various markets that the two entities operated in. The EC also considered Apple’s ability to use its user data to strengthen Shazam’s position in respect of online advertising. However, the EC was of the view that this would not significantly impede competition given that there are a number of larger market players that could compete in this regard.
In 2020, the EC assessed the merger between Google and Fitbit and considered the impact of the combination of data held the merging entities. The EC found no evidence that privacy was a parameter of competition in the relevant market and the EC did not factor privacy in its substantive assessment of the transaction. In addition, the EC indicated that any initiative of the parties in relation to privacy and data protection would have to follow the EU’s General Data Protection Regulation 2016/679, which provides a high standard of protection.
Lessons for Kenya and South Africa
In the Google/Fitbit merger, the EC noted that it should be “careful not to see a competition issue where there is a privacy issue” and that privacy issues should be left in the domain of data protection regulators. While this may be accurate, a linear approach to the regulation of data privacy and competition could result in shallow or insufficient regulatory oversight. There has been criticism of the EC’s stance with respect to data protection and its failure to engage in an in-depth and well-rounded assessment of the data protection dimension.
Kenya and South Africa have recently enacted data protection legislation to protect the personal data collected, processed and stored by businesses operating in their jurisdictions. In this regard, it is only a matter of time before data-protection issues in mergers will be the subject of the analysis by Competition Authority of Kenya (CAK) and the South African Competition Commission (Commission).
Competition legislation in both Kenya and South Africa calls for regulators to ensure that any potential mergers would not have negative impacts on consumers, and this allows the CAK and the Commission a window to access data-protection and privacy issues in mergers.
It would not be unusual for the CAK and the Commission to adopt a similar approach to the EC and seek to separate data privacy issues from competition assessment. Both the DPA and POPIA provide for the establishment of industry regulators tasked with ensuring compliance with data privacy rules (i.e. the Office of Data Commissioner in Kenya and the Information Regulator in South Africa).
To ensure well-rounded assessments of mergers in Kenya and South Africa, competition and data protection regulators would need to co-operate to set out clear and efficient mechanisms to define and assess the interplay between merger enforcement and data protection. Both the CAK and the Commission have entered memoranda of understanding with regulators in various other sectors and it may be useful to take a similar co-operative approach with the Office of Data Commissioner and the Information Regulator. Such co-operation will allow the regulators to answer key emerging issues between merger enforcement and data protection.
It will be interesting to see the approaches adopted by the CAK and the Commission to the assessment of data-protection issues in mergers and its alignment with global practice