One of the key sources of tech firms’ power is their data advantage. Privacy and competition law are two tools that, used in concert, can effectively curb this source of some of tech firms’ most harmful behavior. Doing so requires strategic calibration of the effects of each on digital markets and on the broader public, implementing a policy approach that takes in to account the benefits firms seek to take advantage of via information asymmetries.
In this section we identify two domains in which these dynamics are currently playing out: data mergers and adtech. These provide an illustrative example for analysis of the tech industry playbook and a path forward.
Privacy and competition law are too often siloed from one another, leading to interventions that easily compromise the objectives of one issue over the other. Firms are taking advantage of this to amass information asymmetries that contribute to further concentration of their power. Rather than accept the silos of legal expertise and precedent, it’s clear that privacy and competition regulators need to work in concert to regulate an industry that draws on invasive surveillance for competitive benefit.1Jacques Crémer, Yves-Alexandre de Montjoye and Heike Schweitzer, “Competition policy for the digital era”, European Commission, 2019; Autorité de la concurrence and Bundeskartellamt, “Competition Law and Data”, Bundeskartellamt, May 10, 2016; Competition & Markets Authority and the Information Commissioner’s Office, “Competition and Data Protection in Digital Markets: A Joint Statement between the CMA and the ICO,” May 19, 2021; Subcommittee on Antitrust, Commercial, and Administrative Law of the Committee on the Judiciary of the House of Representatives, “Investigation of Competition in Digital Markets,” July 2022; Australian Competition & Consumer Commission, “Digital Platforms Inquiry: Final Report and Executive Summary,” video, July 26, 2019; and the Competition Commission, “Online Intermediation Platforms Market Inquiry: Provisional Summary Report,” July 2022.
Considered in isolation, traditional antitrust and privacy analyses could indeed lead in divergent directions. But, as Maurice Stucke and Ariel Ezrachi underscore in their work, competition can be toxic.2Maurice E. Stucke and Ariel Ezrachi, Competition Overdose: How Free Market Mythology Transformed Us from Citizen Kings to Market Servants (New York: HarperCollins, 2020) As Stucke puts it, “in the digital platform economy, behavioral advertising can skew the platforms’, apps, and websites’ incentives. The ensuing competition is about us, not for us. Here firms compete to exploit us in discovering better ways to addict us, degrade our privacy, manipulate our behavior, and capture the surplus.”3Maurice E. Stucke, “The Relationship between Privacy and Antitrust,” Notre Dame Law Review Reflection 97, no. 5 (2022): 400–417. Scholars in the EU have taken this line of thinking as far as to explore how competition law could be enforced as a substitute for data protection law given the endemic nature of such practices within digital markets.4Giuseppe Colangelo and Mariateresa Maggiolino “Data Protection in Attention Markets: Protecting Privacy Through Competition?”, Journal of European Competition Law & Practice, April 3, 2017. And though privacy measures that aim to curb data collection are in some instances a significant step toward curbing tech firms’ data advantage, they only go so far —for example, some proposals that focus on third-party tracking in isolation offer a giant loophole that enables tech firms to entrench their power.5Maurice E. Stucke, “The Relationship between Privacy and Antitrust,” Notre Dame Law Review Reflection 97, no. 5 (2022): 400–417.
Bringing privacy and competition policy into closer consideration can, at best, offer a complementary set of levers for tech accountability that work in concert with one another to check the power of big tech firms.6Peter Swire, “Protecting Consumers: Privacy Matters in Antitrust Analysis,” Center for American Progress, October 19, 2007. If left unattended, pursuing privacy and competition in isolation will enable corporate actors to “resolve” critiques through self-regulatory moves that ultimately expand and entrench, rather than limit, concentrated tech power.7See Cudos, “The Fable of Self-Regulation: Big Tech and the End of Transparency,” n.d.; and Rys Farthing and Dhakshayini Sooriyakumaran, “Why the Era of Big Tech Self-Regulation Must End,” Australian Quarterly 92 no. 4 (October–December 2021): 3–10.
We see this playing out in two domains in particular: data mergers and adtech.
Data Mergers & Acquisitions: Competition analysis must account for how firms leverage commercial surveillance tools and strategies to amass power
Competition enforcers have largely now converged in agreement that data plays a critical role in digital markets and that regulators need to attend to how data practices shape information asymmetries and market power.8See Federal Trade Commission, “Remarks of Chair Lina M. Khan as Prepared for Delivery,” IAPP Global Privacy Summit 2022, Washington, D.C., April 11, 2022; Jacques Crémer, Yves-Alexandre de Montjoye and Heike Schweitzer, “Competition policy for the digital era”, European Commission, 2019; Autorité de la concurrence and Bundeskartellamt, “Competition Law and Data”, Bundeskartellamt, May 10, 2016; The United States Department of Justice, “Assistant Attorney General Jonathan Kanter of the Antitrust Division Delivers Remarks at the Keystone Conference on Antitrust, Regulation & the Political Economy”, The United States Department of Justice, March 2, 2023; Federal Trade Commission, “FTC Hearing #6: Privacy, Big Data, and Competition”, FTC, November 6-8, 2018. It then follows that competition analysis must account for how firms leverage commercial surveillance tools and strategies to their competitive advantage and to the detriment of user privacy.9Katharine Kemp, “Concealed data practices and competition law: why privacy matters”, European Competition Journal 16, no. 2-3 (2020): 628-672; Reuben Binns and Elettra Bietti, “Dissolving Privacy One Merger at a Time: Competition, Data and Third Party Tracking“, Computer Law & Security Review, 36
One primary means through which tech firms have grown their market power is through the consolidation of data they are able to collect—and when they can’t do so on their own, they buy their way in. Google’s acquisition of DoubleClick in 2008 was a bellwether case that led to a practice now widespread in the industry: the acquisition of firms in order to gain an information advantage.10See Louise Story and Miguel Helft, “Google Buys DoubleClick for $3.1 Billion,” New York Times, April 14, 2007; and Steve Lohr, “This Deal Helped Turn Google into an Ad Powerhouse. Is That a Problem?” New York Times, September 21, 2020.
Google-DoubleClick was itself not a conventional data merger. Google acquired DoubleClick because its own publisher ad server had failed to gain traction in the adtech industry.11Tony Yiu, “Why Did Google Buy DoubleClick?” Towards Data Science, Medium, May 5, 2020. Through DoubleClick, Google gained control of both the market-leading publisher and ad server, and an advertising exchange. And at the time of the acquisition, Google emphasized that its privacy policies prohibited the company from combining its own data streams with those obtained from other websites. But the company quietly walked back this internal policy in 2016 – notably, a point at which the company had amassed greater market power and thus was less exposed to the risk users would flock to a competitor platform.12Justin Wise, “Val Demings repeatedly presses Google’s Pichai on ‘staggering’ consolidation of consumer data”, The Hill, July 29, 2020. Following the change, Google could combine all its user data into a single user identification that it could integrate into its buying tools to enable uniquely precise targeting of particular users—an extremely valuable advantage for Google Ads’ advertising clients.13See United States et al. v. Google LLC, Case 1:23-cv-00108 (United States District Court for the Eastern District or Virginia, Alexandria Division, January 24, 2023). This also made it harder for publishers to track users themselves by masking these user identifiers.14United States et al. v. Google LLC at 39. These negative effects led publishers to complain that the acquisition was anticompetitive; the FTC, however, opted not to block the merger from going forward.15Federal Trade Commission, “Statement of Federal Trade Commission Concerning Google/DoubleClick”, FTC File No. 071-0170, December 20, 2007.
|2007||Google – DoubleClick||$3.1 B||Yes|
|2013||Facebook – Onavo||$120 M||Yes|
|2014||Facebook – WhatsApp||$19 B||Yes|
|2016||Microsoft – LinkedIn||$26.2 B||Yes|
|2018||Apple – Shazam||$400 M||Yes|
|2019||Google – Fitbit||$2.1 B||Yes|
|2020||Facebook – Giphy||$315 M||No*|
|2022||Alphabet – BrightBytes||Unknown||Yes|
|2022||Amazon – OneMedical||$3.9B||Yes|
|2022||Amazon – iRobot||$1.7 B||No**|
*CMA forced to sell
**Under review by CMA, EU and FTC
More explicit instances of data mergers followed, including instances where companies used nonpublic data obtained through an acquisition in order to shape their decisionmaking. In a notable example, Facebook’s acquisition of the virtual private network (VPN) Onavo enabled the company to gain competitive insights by monitoring users’ network traffic: internal documents released by UK regulators demonstrate that Facebook was closely tracking the market reach of Facebook’s competitors by drawing on Onavo traffic data.16See Karissa Bell, “‘Highly Confidential’ Documents Reveal Facebook Used VPN App to Track Competitors,” Mashable, December 5, 2018; and UK Parliament, “Note by Damian Collins MP, Chair of the DCMS Committee,” December 5, 2018. Facebook then paid users between the ages of 13 and 35 up to $20 per month to sign up for a rebranded version of Onavo called “Facebook Research” to enable the company to gather even more granular data on their usage habits. Apple eventually blocked the app for breaking Apple’s policies,17Josh Constine, “Apple Bans Facebook’s Research App That Paid Users for Data,” TechCrunch, January 30, 2019. but the data Facebook collected from Onavo played a significant role in Facebook’s decision to acquire WhatsApp, in one of the most famous cases of a larger firm buying and neutralizing a fast-growing competitor, thereby further extending its reach and collection of data.18Ariel Ezrachi and Maurice E. Stucke, Virtual Competition: The Promise and Perils of the Algorithm-Driven Economy (Cambridge, MA: Harvard University Press, 2019), 43.
Competition Law Requires Understanding How Data Impacts Market Behavior
Given the clear anti-competitive effects of such mergers, the question that follows is why they were allowed to proceed. Traditional merger analysis offers some foothold for making such claims: the legal analysis involved in competition cases usually involves some form of harm identification to evaluate whether a merger deserves closer scrutiny or is likely to substantially lessen competition or create a monopoly. Given the nature of digital markets, data can take shape as an element of a company’s market power – and as Elettra Bietti argues, this may best be framed in terms of a firm’s ability to produce and capture data through its control over infrastructure.19Elettra Bietti, “Data, Context and Competition Policy“, Promarket, March 31, 2023. This makes understanding companies’ data collection practices relevant to competition law: understanding how firms use commercial surveillance to monitor users, competitors, and the market at large is crucial to account for how these firms build their competitive advantage.20Lina M. Khan, “Sources of Tech Platform Power,” Georgetown Law Technology Review 2, no. 2 (2018): 325–334; Howard A. Shelanski, “Information, Innovation, and Competition Policy for the Internet”, University of Pennsylvania Law Review, Vol. 161 (2013), 1663-2013, provides an earlier perspective that nevertheless concludes that competition policy must account for nonprice effects and consider the cost of underenforcement of competition laws in digital markets.
Merger enforcement is increasingly taking such an analysis into account, but the shift has been incremental. For example, while then relatively novel, testimony submitted to the FTC at the time of the proposed DoubleClick acquisition argued that the Commission should consider potential harms under two standard elements of a merger analysis: by examining how the privacy harms enabled by the acquisition could reduce consumer welfare and lead to a reduction in the quality of a good or service—both elements that would fit easily into the FTC’s framework for examining the merger.21Peter Swire, “Protecting Consumers: Privacy Matters in Antitrust Analysis,” Center for American Progress, October 19, 2007. The FTC opted not to take up these considerations, and allowed the acquisition to move forward with few restrictions, and in a similar decision the European Commission affirmed it saw a clear separation between the applicability of EU antitrust laws and data protection rules for evaluating the merger.22Giuseppe Colangelo and Mariateresa Maggiolino “Data Protection in Attention Markets: Protecting Privacy Through Competition?”, Journal of European Competition Law & Practice, April 3, 2017.
More recently, a 2019 market study by the UK’s Competition and Markets Authority (CMA) on online platforms and digital advertising concluded that the lack of controls over the collection and use of personal data by big tech firms indicates that these firms do not face strong enough competitive constraints.23Competition and Markets Authority, “Online Platforms and Digital Advertising Market Study,” July 3, 2019. And regulators are already integrating an analysis that accounts for the role of data into their competition cases. For example, in 2021, when the CMA rejected Meta’s attempt to acquire Giphy, it acknowledged that the merger would enable Meta to increase its market power by changing the terms of access, such as requiring that Giphy customers like TikTok, Twitter, and Snapchat give up more data from UK users in order to access Giphy GIFs.24Competition and Markets Authority, “CMA Orders Meta to Sell Giphy,” October 18, 2022. And in a concurring statement issued alongside the Federal Trade Commission’s decision not to block a merger between Amazon and One Medical, Commissioners Rebecca Kelly Slaughter and Alvaro Bedoya cautioned that Amazon now has access to potentially private health information, because US privacy rules on health related data (HIPPA) exempt ‘de-identified’ data writ large that can nevertheless be used by the company to its own advantage. The statement underscores that the lack of a purpose limitation in HIPPA “cuts against longstanding American information policy”.25Federal Trade Commission, “Statement of Commissioner Alvaro M. Bedoya Joined by Commissioner Rebecca Kelly Slaughter Regarding Amazon.com, Inc.’s Acquisition of 1Life Healthcare, Inc.”, FTC, February 27, 2023.
Merger Guideline Updates Could Be A Boost for Effective Enforcement
One of the hindering factors in a more muscular enforcement of merger law to curb data practices is a lack of resources for enforcement agencies, as the frequency of such mergers increases exponentially. This has led regulators in both the US and EU to seek more powerful tools to enable them to more effectively tackle the challenge of data mergers, specifically by seeking tools that would enable them to intervene at earlier stages before harms to competition have occurred.
For example, the FTC and Justice Department are currently considering modernizations to the merger guidelines that may similarly allow antitrust enforcers to intervene before harms to competition are affected (known as the ‘incipiency standard’),26Andrew I. Gavil, “Competitive Edge: The silver lining for antitrust enforcement in the Supreme Court’s embrace of “textualism”” Equitable Growth, July 28, 2021; Baker, Jonathan ; Farrell, Joseph; Gavil, Andrew; Gaynor, Martin; Kades, Michael; Katz, Michael; Kimmelman, Gene; Melamed, A.; Rose, Nancy; Salop, Steven; Scott Morton, Fiona; and Shapiro, Carl, “Joint Response to the House Judiciary Committee on the State of Antitrust Law and Implications for Protecting Competition in Digital Markets” Congressional and Other Testimony, 18, 2020. and to further enable them to more effectively handle digital markets, zero-price (“free”) products, multi sided markets, and data aggregation.27Federal Trade Commission, “Federal Trade Commission and Justice Department Seek to Strengthen Enforcement Against Illegal Mergers,” January 18, 2022. The Platform Competition and Opportunity Act, part of the package of antitrust bills currently before the US Congress, would declare acquisitions of direct and potential future competitors presumptively invalid, shifting the burden of proof to dominant platforms to demonstrate why a merger would not be anticompetitive.28 Platform Competition and Opportunity Act of 2021, H.R. 3826, 117th Congress (2021–2022). And the European Commission (EC) amended its merger referral guidelines to create a lower burden of proof for authorities to justify tests of merger deals for lack of competitiveness in digital markets, enabling them to intervene earlier on by encouraging national competition authorities to refer mergers to the EC when at least one of the companies concerned does not reflect its future competitive potential.29European Commission, “Communication from the Commission: Commission Guidance on the Application of the Referral Mechanism Set Out in Article 22 of the Merger Regulation to Certain Categories of Cases, Official Journal of the European Union 113 (2021): 1–6. A proposal by the UK government in discussions around the DMA would have gone even further to reverse the burden of proof in digital mergers for dominant firms, though it was ultimately not adopted, see Christopher T. Marsden and Ian Brown, “App stores, antitrust and their links to net neutrality: A review of the European policy and academic debate leading to the EU Digital Markets Act.” Internet Policy Review, Vol 12, no. 1 (2023).
Adtech: Bright-line rules restricting first-party data collection for advertising purposes will effectively tackle toxic competition
Critiques of business models that rely on surveillance and profiling of consumers have reached a crescendo in recent years.30See Federal Trade Commission, “Remarks of Chair Lina M. Khan as Prepared for Delivery,” IAPP Global Privacy Summit 2022, Washington, D.C., April 11, 2022; Carissa Véliz, “Privacy Is Power: Why and How You Should Take Back Control of Your Data,” International Data Privacy Law 12, no. 3 (August 2022): 255–257; Shoshana Zuboff, The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power (New York: Public Affairs, 2020); Kylie Jarrett, Feminism, Labour and Digital Media: The Digital Housewife (London: Routledge, Taylor et Francis Group, 2017); Lina Dencik and Javier Sanchez-Monedero, “Data Justice,” Internet Policy Review 11, no. 1 (January 14, 2022); Safiya Umoja Noble, Algorithms of Oppression: How Search Engines Reinforce Racism (New York: NYU Press, 2018); ); Haleluya Hadero, “As Amazon Grows, So Does Its Surveillance of Consumers,” Chicago Tribune, August 23, 2022,; Chris Gilliard, “The Rise of ‘Luxury Surveillance,’” Atlantic, October 18, 2022; BBC, “Google Sign-Up ‘Fast Track to Surveillance,’ Consumer Groups Say,’ June 30, 2022; Natasha Lomas, “Meta’s Surveillance Biz Model Targeted in UK ‘Right to Object’ GDPR Lawsuit,” TechCrunch, November 21, 2022; and Katherine Tangalakis-Lippert, “Amazon’s Empire of Surveillance: Through Recent Billion-Dollar Acquisitions of Health Care Services and Smart Home Devices, the Tech Giant Is Leveraging Its Monopoly Power to Track ‘Every Aspect’ of Our Lives,” Business Insider, August 28, 2022. While some bolder advocacy proposals suggest a complete ban on behavioral targeting business models,31 Congresswoman Anna G. Eshoo, “Eshoo, Schakowsky, Booker Introduce Bill to Ban Surveillance Advertising,” press release, January 18, 2022. or require divestment of ownership across multiple parts of the digital advertising ecosystem,32 Senator Mike Lee, “Lee Introduces Digital Advertising Act,” press release, May 19, 2022. a large majority of regulatory regimes33 State of California Department of Justice, Rob Bonta, Attorney General, “California Consumer Privacy Act (CCPA),” February 15, 2023; General Data Protection Regulation. and legislative proposals34See American Data Privacy and Protection Act, H.R. 8152, 117th Congress (2021–2022); and Banning Surveillance Advertising Act of 2022, H.R. 6416, 117th Congress (2021–2022). have instead homed in on restricting the collection of third-party data through cookie tracking.
Big Tech firms have swiftly responded to these headwinds by supporting, and even leading, this transition away from third-party tracking toward first-party collection of users’ data.35See Brian X. Chen and Daisuke Wakabayashi, “You’re Still Being Tracked on the Internet, Just in a Different Way,” New York Times, April 6, 2022; and Perry Keller, “After Third Party Tracking: Regulating the Harms of Behavioural Advertising Through Consumer Data Protection,” May 4, 2022, 4. In lieu of longstanding methods of third-party data collection, large firms are exploiting the fact that they directly control the vast majority of the environment in which data is collected: they are able to take advantage of the network effects associated with the scale at which they operate by collecting, analyzing, and using data within platforms they wholly own and control.36Michael Veale, “Adtech’s New Clothes Might Redefine Privacy More than They Reform Profiling,” Netzpolitik.org, February 25, 2022. This is a product of an environment in which these firms are so dominant that it is virtually impossible not to use their systems.37See Kashmir Hill, “I Cut the ‘Big Five’ Tech Giants from My Life. It Was Hell,” Gizmodo, February 7, 2019; and Nordine Abidi and Ixart Miquel-Flores, “Too Tech to Fail?” Faculty of Law Blogs, University of Oxford, July 13, 2022.
Companies like Google might best be characterized as ecosystems:38Whether or not the largest cloud providers are characterized as ecosystems is the focus of an ongoing study by the UK’s Ofcom. See Ofcom, “Cloud Services Market Study,” October 6, 2022. “the providers of the very infrastructure of the internet, so embedded in the architecture of the digital world that even their competitors [have] to rely on their services,” as journalist Kashmir Hill put it.39Kashmir Hill, “I Tried to Live without the Tech Giants. It Was Impossible,” New York Times, July 31, 2020. Maintaining an ecosystem enables dominant firms to derive insights from multiple points in a market, and to leverage them across their lines of business. Concerns that this harms competition have led competition enforcers to conclude that some intervention may be needed to level the playing field in arenas such as mobile apps40See National Telecommunications and Information Administration, United States Department of Commerce, “Competition in the Mobile App Ecosystem,” February 1, 2023; and Competition and Markets Authority, “Mobile Ecosystems Market Study,” June 15, 2021. and cloud computing.41See Ofcom, “Cloud Services Market Study”, Ofcom, 6 October, 2022; Authority for Consumers & Markets, “Market Study into Cloud Services,” September 5, 2022; Autorité de la concurrence, “The Authorité de la concurrence Starts Proceedings Ex Officio to Analyse Competition Conditions in the Cloud Computing Sector,” January 27, 2022; Japan Fair Trade Commission, “Report Regarding Cloud Services,” June 28, 2022; and Fair Trade Commission, “KFTC Announces Results of Cloud Service Market Study,” December 28, 2022.
Given this state of affairs, Big Tech firms no longer need third-party tracking—in fact, shifting to first-party tracking only helps reinforce their dominant position, building a moat that can stave off any potential incipient competitors. Policy stances that focus primarily on third-party tracking are already out of date in light of this situation. Without more aggressive approaches to curbing first-party data collection and its anticompetitive effects, we could find ourselves in a world where concentration of power in the tech industry is greatly increased, rather than limited, by efforts at privacy accountability.
The Privacy Sandbox Effect
Google’s Privacy Sandbox offers a useful case in point. The company has historically relied heavily on the use of third-party cookies for targeted advertising, which has been central to how it makes money.42Sarah Myers West, “Data Capitalism: Redefining the Logics of Surveillance and Privacy,” Business & Society 58, no. 1 (January 2019): 20–41. Following the passage of the General Data Protection Regulation (GDPR) and other data protection regulations indicating behavioral advertising would be under the regulatory spotlight, Google began to develop a strategy that would enable the company to reduce its reliance on third-party cookies given increasing regulatory constraints, but nevertheless maintain its control of the market.43David Eliot and David Murakami Wood, “Culling the FLoC: Market Forces, Regulatory Regimes and Google’s (Mis)steps on the Path Away from Targeted Advertising,” Information Polity 27, no. 2 (2022): 259–274. This culminated in Google’s announcement of its Privacy Sandbox initiative:44Google, The Privacy Sandbox. a self-regulatory move aimed at heading off more stringent forms of regulation that could directly target its capacity to draw inferences about and profile consumers.
The announcement soon led to complaints by publishers that the proposed moves would serve to undermine their ability to generate revenue through advertising by limiting their ability to target users, and that this would ultimately entrench Google’s market power.45Competition and Markets Authority, “CMA to Investigate Google’s ‘Privacy Sandbox’ Browser Changes,” press release, January 8, 2021. This prompted the UK Competition and Markets Authority to open an investigation into these concerns. The CMA informed Google that its proposals would likely amount to an “abuse of dominance position.” Under UK law, this describes a situation when one or a group of enterprises uses its dominant position in a market to either directly exploit consumers or exclude other competitors from the market.46Office of Fair Trading, “Abuse of a Dominant Position: Understanding Competition Law,” December 2004.
Following a traditional competition analysis, the likely outcome would be to require more widespread sharing of the data Google collects with publishers: it would treat data as an essential resource to the market, and the cure would be to ensure that it was more widely available to other market players. But such a remedy would carry widespread harms to consumer privacy—harms that would necessarily exploit consumer interests and lead to a race to the bottom by expanding, rather than limiting, commercial surveillance practices. An integrated analysis would thus institute curbs to these kinds of data collection practices in the first place, ensuring that nobody, regardless of their market position, gets to benefit from the exploitation of consumers’ data, whether collected via third-party or first-party tracking.47See for example Maurice E. Stucke, “The Relationship between Privacy and Antitrust,” Notre Dame Law Review Reflection 97, no. 5 (2022): 400–417. Stucke’s analysis is consistent with the FTC’s recently updated policy statement on its Section 5 Unfair Methods of Competition authorities. See FTC, “Policy Statement Regarding the Scope of Unfair Methods of Competition Under Section 5 of the Federal Trade Commission Act, Commission File No. P221202,” November 10, 2022.
To avert enforcement action by the CMA, Google offered a set of commitments that it hoped would bring the proposed framework into compliance with UK competition law. Arguably the strongest of these commitments was the implementation of “data silos” to ensure that Google has the same level of access to data that others do—a commitment very much in line with a traditional competition analysis. But even here, it will be challenging for enforcement agencies to ensure that Google is following through on this promise: they’ve set up an internal monitoring committee that will ostensibly audit the system for compliance, but this puts the burden on the regulator rather than on Google to avert any harms, and it remains unclear how effective this regime will be or what will happen when/if it fails. Other commitments included offering consultation with third parties about Privacy Sandbox, enabling the CMA to test the effects of its implementation of Privacy Sandbox proposals via a monitoring trustee, and “incorporating user controls” into the system. In exchange for accepting the voluntary commitments, the CMA agreed not to continue its investigation.48Competition and Markets Authority, “Case 50972 – Privacy Sandbox – Google Commitments Offer,” February 4, 2022. But in the absence of a more structural separation or bright-line rules, we’re essentially left having to either take Google’s word for it, or developing expensive and untested inspection tools to evaluate whether they do what they say they will do.
Looking to the realm of cybersecurity may be instructive: security professionals have long expressed concerns about tech monopolies because they create a single target and point of failure that can have significant downstream consequences if breached. A report produced in 2003 by the Computer and Communications Industry Association, a group of leading security experts, warned that Microsoft’s employment of software designs that lock users in to their products led to a dangerous environment in which the world’s dominant operating system was riddled with vulnerabilities, exposing its end users to viruses.49See Robert Lemos, “Report: Microsoft Dominance Poses Security Risk,” September 24, 2003; and Danny Penman, “Microsoft Monoculture Allows Virus Spread,” September 25, 2003.
As the researchers noted, “Microsoft must not be allowed to impose new restrictions on its customers—imposed in the way only a monopoly can do—and then claim that such exercise of monopoly power is somehow a solution to the security problems inherent in its products. The prevalence of security flaws in Microsoft’s products is an effect of monopoly power; it must not be allowed to become a reinforcer.”50“Cyberinsecurity: The Cost of Monopoly: How the Dominance of Microsoft’s Products Poses a Risk to Security,” AUUGN 24, no. 4 (December 2003): 49. The report is particularly notable not only given our present-day climate, but also for its depiction of how dominant tech firms are incentivized to present solutions to problems caused by monopoly power that reinforce their monopoly power. The researchers cautioned that regulators must treat security policy as intertwined with competition policy, not separate from it.
Today, many other policy domains in focus for the tech accountability community are similarly intertwined with competition. In addition to security, privacy, content moderation, and algorithmic discrimination— among others— at once shape and are shaped by competition dynamics within digital markets. Yet the effects of concentration in the tech industry are rarely integrated into policy analysis across these domains, and antitrust remains largely separated from other tech policy arenas both in terms of the regulatory regimes and the expertise needed to engage with them. In order to seek accountability more effectively within the tech industry, these silos must necessarily be broken down to gain a clear picture of the larger whole.
Regulators are already moving swiftly to ensure that issues relating to privacy and competition work in concert, or at least stay in conversation with one another.51Examples include the European Data Protection Supervisor’s 2014 workshop on Privacy, Consumers, Competition and Big Data, the FTC’s updated statement on Unfair Methods of Competition, FTC, “Policy Statement Regarding the Scope of Unfair Methods of Competition Under Section 5 of the Federal Trade Commission Act”, November 10, 2022; its announcement of revisions to the Merger Guidelines, FTC, “Federal Trade Commission and Justice Department Seek to Strengthen Enforcement Against Illegal Mergers,” press release, January 18, 2022, Competition and Markets Authority, “CMA-ICO Joint Statement on Competition and Data Protection Law,” May 19, 2021; and Australian Competition & Consumer Commission, “Digital Platform Services Inquiry 2020–25: September 2022 Interim Report,” November 11, 2022. But civil society has a long way to go to catch up: we need a more robust advocacy effort that melds these concerns, for example by fighting for restrictions on first-party data collection given their impact on both privacy and competition, or by advocating for merger scrutiny where a firm is attempting to expand its market power through buying its way into a data advantage. It’s crucial that policy advocacy acknowledges the interplay between these domains and pushes for measures in which one does not compromise the other.