Data and Privacy in EU Merger Control
Data has become a cause célèbre of competition policy. Dubbed the ‘new oil’ by The Economist in 2017, companies with data at the heart of their business models now make up seven of the world’s 10 most valuable. Responding to the economic change engendered by the rise of the data economy, competition regulators, practitioners and academics have assessed how novel competition concerns may arise in data-intensive markets, whether regulators have the tools to tackle such concerns, and the potential implications for remedies. Competition regulators have also had to grapple with the sometimes competing pressures of data regulation, notably data protection rules for personal data, when regulating markets in data-intensive sectors.
This Chapter outlines developments in European merger control policy concerning data and data protection. The past 12 months have seen the European competition regulators put key ideas concerning data-intensive markets into practice. In particular, the European Commission (the Commission)’s conditional clearances of Google/Fitbit (2020) and LSE/Refinitiv (2021) have set new ground rules. These cases articulate new theories of harm pertaining to data markets, develop the relationship between competition law and data protection and contain new access and behavioural remedies for concerns pertaining to data.
Setting the scene: what do we mean by ‘data’ and the interplay between competition and data protection?
All businesses collect and use data. But this begs the question: what do we mean by ‘data’ for merger control purposes if all mergers involve data? As the Commission’s expert report on digitalisation opined, it is ‘futile’ to analyse ‘data’ in the abstract: the importance of data varies depending on the relevant market while the likelihood of competition concerns depends on the characteristics of the data under scrutiny and the relevant market. For merger control policy, this means that ‘data’ concerns are focused on markets where (1) the merged entity would have market power for data where it is either the ‘product’ or a significant input and (2) where data is driving the competitive assessment.
Merger control concerns pertaining to data are, moreover, not specific to any particular sector. The use of data in digital markets has no doubt been a key focus of regulatory scrutiny. But ‘data-intensive’ markets are not synonymous with digital markets. Financial data in wholesale markets has, for example, long been a product sold by a range of firms and subject to significant competition scrutiny; personal data has been a key input for providing personal financial products such as credit and insurance; and the Commission’s digitalisation report highlights data as a core input factor for production processes and logistics as well as smart products and services. Data-intensive markets are also dynamic: technological developments such as the internet of things and rise of artificial intelligence also mean that data is becoming an increasingly important facet of more conventional businesses such as mobility and healthcare, such that data may well feature more heavily in the review of transactions in those sectors in the future.
A consequence of European competition regulators probing data-intensive markets with growing frequency is also an increasing assessment of how data regulation (1) sets the boundaries in which competition in data-intensive market takes place and (2) imposes limits on competition policy. Data regulation is not, however, a single body of legislation applicable to all data: data protection, for example, concerns personal data but does not regulate the swathes of industrial data that are of increasing importance with the development of products such as autonomous vehicles. Data regulation is also evolving, with proposals such as the EU’s Data Governance Act and Data Act likely to impact competitive dynamics in the future. The implications of data protection on competition policy concerning personal data have elicited particular interest due to a perception that the regulatory framework of the General Data Protection Regulation (GDPR) has hampered effective competition.
European regulators’ expanding jurisdictional powers to capture transactions in data-intensive markets
Transactions in data-intensive markets are already frequently captured by the jurisdictional thresholds of the EU Merger Regulation (EUMR) as well as the Member States’ merger control regimes. European regulators are, however, introducing reforms to give themselves the leeway to intervene in a wider set of transactions. Their targets are ‘killer acquisitions’: transactions involving the acquisition of fast-growing, high-value firms with limited turnover that will or may challenge existing incumbents (notably in pharmaceutical and technology markets). The reforms are thus not targeted at data-intensive markets nor intended to capture data-specific theories of harm. However, the focus on digital markets and, in particular, companies with high-value data means that data-intensive markets are prime candidates for review.
European regulators have, however, expanded their jurisdictional powers in different ways.
The Commission’s approach has been to resurrect the use of the existing Article 22 referral process which had until recently fallen into abeyance. Article 22 EUMR permits one or more Member States to request the Commission to review transactions that affect trade between Member States and threaten to significantly affect competition in the relevant Member State. While the Commission has discretion over whether to accept such referrals, it previously discouraged them where the relevant Member State lacked jurisdiction to review the transaction under its own national merger control rules. The Commission’s Article 22 Guidance Paper (2021) announced a policy change to ‘encourage and accept referrals’ where: (1) the conditions for referral are met and (2) the turnover of ‘at least one of the undertakings concerned does not reflect its actual or future competitive potential’ (irrespective of whether the referring Member State has original jurisdiction under its own merger control rules).
The approach meant that the EU did not have to amend the jurisdictional thresholds in the EUMR while simultaneously giving the Commission a residual power to pick and choose when to intervene in perceived potential ‘killer’ acquisitions in digital, pharma and other hi-tech markets (provided at least one Member State is willing to issue a referral). While the specific target may not be data-intensive markets, the Commission’s focus on digital markets means that such markets are likely to receive greater scrutiny: the Article 22 Guidance Paper highlights access or ownership of data as a key criterion in assessing an undertaking’s competitive potential while the Commission’s ongoing Phase 2 review of Facebook’s acquisition of Kustomer following an Article 22 referral from Austria focuses on, inter alia, access to data in digital advertising markets. The Commission’s Article 22 policy change is, however, not yet fully established with the Article 22 referral of Illumina/Grail (2021) currently under challenge before the EU’s General Court. The outcome of the challenge, and any future challenges, will shape the likelihood of the Commission reviewing a greater proportion of transactions in data-intensive markets.
Germany and Austria have, in contrast, introduced transaction-value based jurisdictional thresholds to complement their existing turnover-based thresholds in 2017. Although the use of transaction-value thresholds provide clear boundaries for the expansion of Germany’s and Austria’s merger control thresholds in contrast to the Commission’s Article 22 reforms, their main objective is the same: capturing ‘killer’ acquisitions by large players in the pharmaceutical, digital and other hi-tech sectors. The thresholds are, therefore, likely to capture acquisitions of nascent businesses in data-intensive markets. Indeed, Germany’s Explanatory Memorandum for the reforms specifically cites Facebook/WhatsApp (2014) as the type of transaction that the new thresholds are intended to bring within scope. That said, in practice, the thresholds have had limited effect: since their introduction in Germany, only 32 transactions were notified pursuant to the new threshold out of 5,355 notified cases (with a slightly higher proportion in Austria).
The practical consequence of the reforms, and similar reforms being contemplated elsewhere, has, however, the same broad implications: (1) merger control authorities have greater scope to probe transactions in data-intensive markets and (2) the acquisitions of nascent data-focused businesses, particularly by large digital platforms, may now trigger filings or attract discretionary intervention where previously they would not have been reviewable.
The emergence of a quasi-horizontal ‘data’ theory of harm in European merger control
Turning to substance, the Commission and the NCAs have previously investigated transactions in data-intensive markets involving conventional unilateral and coordinated effects. The Commission’s decision in Google/Fitbit put forward, however, a quasi-horizontal theory of harm, whereby the acquisition of complementary data can strengthen an entity’s market power in downstream markets or give rise to foreclosure concerns.
The theory of harm has roots over the last decade: the Commission had explored similar concerns in Facebook/WhatsApp and Microsoft/Linkedin (2016) before dismissing them. In Google/Fitbit, the Commission found that Google’s acquisition of Fitbit’s health and wellness data would have strengthened Google’s existing market power for digital advertising, in particular its dominant position for search advertising. The novelty of the theory of harm is that it assessed horizontal unilateral effects notwithstanding that:
- neither Fitbit nor Google made their respective data available to third parties (i.e., there was no conventional antitrust market for the relevant data); and
- the two data sets were complementary inputs rather than substitutable data sets (Fitbit’s services generated health and wellness data whereas Google’s range of data includes, notably, data generated by users’ search queries but is not focused on health and wellness data).
Fitbit was not active in the downstream markets for digital advertising and the Commission did not seek to characterise it as a potential entrant.
As such, the Commission’s decision establishes that combining ostensibly complementary data sets may nevertheless increase a firm’s market power in a downstream market irrespective of whether the undertakings concerned make the underlying data available to third parties or compete in the relevant downstream market. This has raised three conceptual challenges for merger control as applied to data-intensive markets: (1) whether and, if so, how to define antitrust markets for untraded ‘data’; (2) the conditions for such quasi-horizontal concerns to arise; and (3) how to balance the efficiencies with any potential anticompetitive effects.
A new approach to market definition where data is an important input
The market definition for conventional data markets, where data is traded between counterparties as the ‘product’, is well established.
This does not hold for the Commission’s data theory of harm in Google/Fitbit, which poses significant challenges for conventional market definition as it concerns the effects of combining data sets divorced from any real market. The Commission’s ongoing evaluation of its market definition notice analyses the difficulties posed by such concerns; namely, that there is, in principle, no plausible antitrust market on which to assess the horizontal effects asbent supply and demand for the data. To overcome this bar, commentators have proposed defining hypothetical markets. First put forward by FTC Commissioner PJ Harbour in her dissenting opinion for the clearance of Google/DoubleClick (2008), the proposal has attracted support from a number of corners. Using this approach, regulators would define hypothetical markets for data used for the same purpose in downstream markets (e.g., data used for targeting advertising). The Commission also briefly assessed the effects of Microsoft/Linkedin in a ‘hypothetical market’ for the supply of data used for online advertising. The practical challenge posed by such hypothetical data markets is determining their boundaries absent any direct evidence of supply and demand.
The alternative approach is to simply assess the effects of non-traded inputs, such as data on downstream markets in the competitive assessment. The Commission took this approach in Google/Fitbit: considering the effects of Fitbit’s data in its competitive assessment of the effect of the merger on digital advertising markets. The approach is consistent with the Commission’s Digitalisation Report, which advocated ‘less emphasis on analysis of market definition’ in digital markets and ‘more emphasis on theories of harm and identification of anti-competitive strategies.’ This has the benefit of sidestepping the conceptual question of whether antitrust markets only exist where there is supply and demand for the relevant product or innovation. However, ignoring market definition in these circumstances arguably omits the rigour of confirming that the data under scrutiny are sufficiently likely to increase market power for the relevant downstream market (as well as the relevant competing types of data). For some, at least, this results in an uneasy compromise and leaves open the prospect that the Commission’s conclusions may not be the final word in the debate.
What are the conditions for the Commission to substantiate the theory of harm?
The Commission’s articulation of a quasi-horizontal data theory of harm for the first time in Google/Fitbit has also left open a number of questions on the conditions for such concerns to arise.
The Commission’s finding of competition concerns in Google/Fitbit rested on five broad findings:
- Google had significant market power in a number of digital advertising markets;
- Fitbit’s health and wellness data was a valuable input and would ‘strengthen’ Google’s position in such markets;
- Google’s competitors in such markets could not obtain straightforward access to similar data;
- there was no plausible prospect of significant countervailing buyer power from Google’s digital advertising customers; and
- the long-term anticompetitive effects of the diminution of such competition outweighed the short-term benefits from Google being able to offer superior digital advertising services to consumers.
The unconventional context means that the theory of harm raises a number of practical questions for when such concerns are capable of arising. Given that neither Fitbit nor its data exercised a competitive constraint per se on Google for digital advertising, by how much must the complementary data strengthen the market position of the undertaking active in the downstream market? How should the balancing exercise between short-term benefits and long-term harm be conducted? In particular, to what extent does the uncertainty around any putative longer-term harm mean that it is discounted against the more certain short-term benefits? These questions also raise more practical questions: do the conceptual difficulties posed by the theory of harm mean that the Commission is only likely to invoke it in limited circumstances? For example, is it only relevant where the relevant undertaking holds a dominant position in the downstream market and the data is unique? Or does the theory of harm have much wider application?
Efficiencies and efficiency offences when combining different data sets
A final challenge posed by the Commission’s theory of harm is assessing merger efficiencies in circumstances when combining the merging parties’ data frequently enables firms to improve their related products. As the Commission recognised in Microsoft/LinkedIn, integrating Microsoft’s and LinkedIn’s data sets offered the merged entity the prospect of delivering products ‘based on a dataset to which otherwise no one would have access’. However, under the Commission’s theory of harm in Google/Fitbit, the ability to combine data to offer improved products was both an efficiency (the merging parties could offer a higher quality product than would have been the case absent the merger) and the source of the unilateral anticompetitive effects (the merger raised barriers to entry and thereby strengthened the merging parties’ market position).
The Commission observed in Google/Fitbit that the theory of harm accordingly entails an arguably axiomatic balancing exercise between the alleged anticompetitive and pro-competitive effects of the transaction. Google itself submitted that this meant that the Commission bore the burden of both ‘quantifying the efficiency’, which gave rise to the alleged anticompetitive effects and proving that the efficiency ‘would be outweighed by the anticompetitive effects’. While the Commission did not seek to quantify either the harm nor the anticompetitive effects, the Commission did assess and conclude that the short-term efficiencies derived from the transaction, due to ‘better ads targeting’, were ‘likely’ more than outweighed by the long-term effects on innovation.
Input foreclosure concerns in data-intensive markets
In keeping with the increasing importance of data as an input for a range of (digital) markets, the Commission has continued to focus on whether mergers may give rise to input foreclosure concerns resulting from a loss of access to key data sets. In Google/Fitbit, the Commission found that Google would have the ability and incentive to foreclose access to Fitbit’s health and wellness data with the risk of anticompetitive foreclosure of businesses offering digital healthcare. In LSE/Refinitiv, the Commission similarly found that the LSE would have the ability and incentive to foreclose access to data generated by LSE’s venues, its FTSE Russell UK equity indices and Refinitiv’s WM/R FX benchmark data with the risk of foreclosure in downstream markets for consolidated data feeds, desktop services and index licensing.
To evaluate its data foreclosure concerns in Google/Fitbit, the Commission has applied a conventional input framework, namely whether:
- the merged entity would have the ability to foreclose or degrade access to the relevant data, in particular because the data is an important input and the merged entity would have significant market power for its supply;
- the merged entity would have the incentive to foreclose or degrade access to the relevant data to benefit its own services in related markets; and
- foreclosure in such markets would have anticompetitive effects.
In assessing whether Google would have the ability to foreclose access to important user health and wellness data, the Commission acknowledged that businesses in digital health would still have access to user data from other wearable OEMs including Apple, Garmin, Samsung, Polar and Suunto. The Commission still, however, concluded that Google had sufficient ability to foreclose by withholding or degrading access to Fitbit’s user data, in part, because ‘a number of players’ accessed such data through Fitbit’s web API. In so doing, the decision articulates a low threshold for establishing that a firm would have significant market power for data where, in particular, such data is already available to the market. In contrast, in LSE/Refinitiv, the Commission found Refinitiv’s WM/R FX benchmarks had associated network effects that made the benchmarks unique. Thus, notwithstanding the presence of similar FX data sets, the Commission concluded that the use of such data in downstream markets – notably for index licensing – meant that the merged entity would have had significant market power.
In relation to incentives, the Commission in both LSE/Refinitiv and Google/Fitbit considered the ability of the relevant parties to selectively degrade the quality of access to data as a salient factor in assessing whether the merged entities would have an incentive to foreclose. It has considered this scenario in relation to Refinitiv’s rivals’ access to LSE’s venue data, as well as in relation to rival downstream digital healthcare providers access to Fitbit’s users’ data, through degraded access to its Web API. Flowing from the inherent flexibility that characterised the data under scrutiny, the ability to selectively degrade access meant that the merged entities would have had the ability to target any foreclosure strategy at their respective competitors and thus reduce any potential costs of a foreclosure strategy (and hence make it more attractive).
While sometimes treated as an afterthought, the Commission’s assessment of anticompetitive effects in Google/Fitbit exhibited a focus on the nature of the firms that foreclosure would allegedly impact and what that would mean for effects on dynamic competition. The Commission specifically highlighted that interruption of access to Fitbit’s web API would negatively affect, in particular, ‘start-ups and small players that . . . would capitalise even on relatively small amounts of Fitbit users’ data to compete and contribute to innovation and diversification of the digital healthcare’. In so doing, the Commission seemingly drew a causal link between the potential foreclosure effects of the merger on small and medium-sized enterprises and deleterious effects on innovation and product diversification. Applied more broadly, the Commission’s stance implies that the risk of input foreclosure of smaller players in fast growing and dynamic markets may attract particular scrutiny given its perceived negative effects on innovation.
Remedy design in a data-driven age
Increasing scrutiny of data intensive markets is also driving new approaches to the suitability and design of remedies. Commissioner Margrethe Vestager recently opined that the ‘equally important’ and often more difficult part of competition policy ‘is finding the right remedies.’ Such sentiments are particularly apposite for data and data-intensive markets where the greater prevalence of vertical and conglomerate concerns means access and other behavioural remedies are more frequently potential options.
The most novel development is the ‘data silo’ remedy in Google/Fitbit, which addressed the Commission’s horizontal concerns over the aggregation of Google’s and Fitbit’s data for digital advertising markets. Google committed to hold Fitbit’s health and fitness data separate from Google’s advertising business in a virtual storage environment for a period of 10 years (extendable by a further 10 years). The concept as such is not new: the Commission has previously accepted hold separate remedies to address bundling concerns. The novelty is its use to address allegedly (quasi-)horizontal concerns in relation to data. The Commission’s Remedies Notice stipulates that commitments concerning a merged entity’s future conduct are only acceptable ‘exceptionally in very specific circumstances.’ The novelty of the theory of harm is thus mirrored in the novelty of the remedy, which, as Commissioner Vestager has commented, is intended to function as a de facto structural remedy (albeit time-limited). As such, the remedy breaks new ground and offers a potential new approach for managing concerns relating to the aggregation of (complementary) data sets.
While more conventional, the Commission’s data access and interoperability remedies in both Google/Fitbit and LSE/Refinitiv nevertheless illustrate an emphasis on preserving a level playing field despite the complexities of (some) data markets. First, the commitments contain extensive future-proofing measures in keeping with their extended duration: in particular, both data access remedies can expand to capture data outside the scope of the commitment at the time of the Commission’s decision. For example, the web access API in Google/Fitbit, which grants third parties access to Fitbit’s health and wellness data, requires Google not only to provide access to data currently collected through Fitbit’s services but to update the types of data available during the lifetime of the commitment. Second, both sets of commitments embed the principle of non-discriminatory access to key data inputs alongside the merged entity. In so doing, the non-discrimination provisions seek to protect a level playing field and the quality of access for third parties (an important factor when, for some data, factors such as latency are critical for maintaining competitiveness).
The use of access and behavioural remedies for concerns pertaining to data is also part of a wider debate on whether there is greater scope for use of access and behavioural remedies. While such remedies, in principle, preserve access to key data inputs while simultaneously allowing merging parties to realise the potential efficiencies of their transactions, some regulators have indicated their opposition to a greater use of behavioural remedies to solve data-related concerns. The Australian competition regulator rejected the remedies accepted by the Commission in Google/Fitbit as too behavioural and complex, a position supported by the head of the UK regulator. They also attracted a rare criticism from the European Parliament in its annual report on competition policy. The outcome is, as yet, unclear. But data access and other behavioural remedies cannot be viewed in isolation. The EU’s proposed Digital Markets Act provides, for example, for far-reaching data access remedies and also a number of the Commission’s ongoing cases in digital markets may result in data access remedies. The success of these remedies is likely to dictate the degree to which such remedies become commonplace in data markets in the future.
The role of privacy and data protection in the competitive assessment of mergers
The increased merger control scrutiny of data-intensive markets has also increasingly posed questions of the relationship between competition law and European data protection rules (most notably the GDPR). The topic is relevant for mergers concerning personal data subject to Europe’s data protection rules and has raised three issues:
- the degree to which privacy is a relevant parameter of competition (as a facet of competition on the ‘quality’ of products and services);
- the implications of data protection rules for assessing competitive dynamics and the implications of mergers in data-intensive markets; and
- the implications of data protection rules for merging parties and the Commission when designing and assessing remedies.
The Commission’s Google/Fitbit decision has shed significant light on, if not quite settled, these questions for European merger control purposes.
The Commission’s conclusions in Google/Fitbit significantly limit, in the first instance, the relevance of privacy as a potential parameter of competition. A number of participants in the proceedings had raised concerns that the merger would reduce competitive pressure pertaining to privacy. Such concerns channelled the Bundeskartellamt’s Facebook (2019) decision, which had held that Facebook’s collection and use of user data had exploited a dominant position by violating European data protection rules: raising whether competition law is a de facto means of enforcing data protection. The Commission reasoned, however, that commercial decisions concerning privacy would be subject to the GDPR, which ‘provides a high standard of privacy and data protection . . . and leaves little room for differentiation’. While not definitive the Commission’s broad reasoning indicates a developing policy position concerning the boundary between merger control and data protection. A stance also seen at the EU institutional level where Commissioner Vestager decided that it would not be appropriate to give the European Data Protection Board a formal role in the review of Google/Fitbit.
The Commission also adopted a more robust position that European data protection rules do not protect against competition concerns arising in relation to data, by preventing effective data integration between the merging parties. In Microsoft/Linkedin, the Commission had opined that the advent of the GDPR might limit Microsoft’s ability to integrate personal data collected by its services with those of LinkedIn: nevertheless conducting an assessment of the relevant data overlap because the potential risk to competition could not be entirely ruled out. However, in Google/Fitbit, the Commission ‘predicated’ its assessment on the parties being able to ‘lawfully combine their datasets’. The Commission then went further to observe that, even if this assumption did not hold, its assessment ‘would be the same’ but that the merging parties would be ‘accountable for any breach’ of European data protection rules. The gist of the Commission’s position seems to be that, notwithstanding any ambiguity over the implications of European data protection rules for integration of data sets, it will assume that such integration is possible. This has significant practical implications as it suggests that merging parties will need to be wary of relying on data protection rules, and indeed other data regulation, as a shield to potential competition concerns.
Finally, data protection sets limits on the remedies that parties can submit to address competition concerns in merger control proceedings. The limitations imposed by data protection are well-illustrated by the web API access commitment in Google/Fitbit, which conditioned third-party access to Fitbit’s health and wellness data on privacy and security requirements. That remedies must be compatible with wider regulation is unsurprising. Data protection rules have, however, significant practical implications as they limit, inter alia, firms from sharing personal data with other third parties. In so doing, the rules set boundaries on what is feasible for data access and interoperability remedies that might otherwise be practical solutions to competition concerns pertaining to data-intensive markets.
The past 12 months have seen significant developments in how European merger control policy applies to data-intensive markets: the Commission’s decisions have set new precedent on market definition for data markets, the theories of harm that may be relevant and the remedies that can solve such concerns. The Commission is, however, likely to have ample opportunity to develop its approach. The intensifying shift towards digital commerce, the growth of the internet of things, and the need for vast amounts of data in new products such as autonomous vehicles are all driving the increased use of data and, in turn, likely to result in the Commission reviewing more transactions involving data-intensive markets.
1 Gerwin Van Gerven and Annamaria Mangiaracina are partners, and Will Leslie and Lodewick Prompers are managing associates at Linklaters LLP. The views in this chapter are those of the authors and should not be attributed to Linklaters LLP, its lawyers or any of its clients. The authors are grateful to Florian Jonniaux for his invaluable contribution and editorial work, and Kevin Eisenschmidt for his assistance.
2 The Economist, ‘The world’s most valuable resource is no longer oil, but data’ (6 May 2017), available at https://www.economist.com/leaders/2017/05/06/the-worlds-most-valuable-resource-is-no-longer-oil-but-data; Statista, ‘The 100 largest companies in the world by market capitalization in 2021’ (31 May 2021), available at https://www.statista.com/statistics/263264/top-companies-in-the-world-by-market-capitalization/.
3 Notable examples include Jacques Crémer, Yves-Alexandre de Montjoye and Heike Schweitzer, ‘Competition policy for the digital era – Final report’ (2019) (Commission digitalisation report), available at https://ec.europa.eu/competition/publications/reports/kd0419345enn.pdf; UK Digital Competition Expert Panel, ‘Unlocking digital competition’ (2019) (Furman report), available at https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/785547/unlocking_digital_competition_furman_review_web.pdf; Geoffrey Parker, Georgios Petropoulos and Marshall van Alstyne, ‘Platform mergers and antitrust’ (January 2021) Bruegel working paper 01/2021, available at https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3763513; Jörg Hoffmann and Germán Johannsen, ‘EU Merger Control & Big Data – On Data-Specific Theories of Harm and Remedies’ (2019), Max Planck Institute for Innovation and Competition Research Paper Series No. 19-05, available at https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3364792; and Anca D Chirita, ‘Data-Driven Mergers Under EU Competition Law’ (June 2018), available at https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3199912.
4 See, e.g., OECD Competition Committee, ‘Consumer data rights and competition – Summaries of contributions’, (July 2020), DAF/COMP/WD(2020)59; Maria C Wasastjerna, ‘The Implications of Big Data and Privacy on Competition Analysis in Merger Control and The Controversial Competition-Data Protection Interface’ (2019) 30(3) European Business Law Review pp. 337–366; and Gabriela Zanfir-Fortuna and Sînziana Ianc, ‘Data Protection and Competition Law: The Dawn of “Uberprotection”’ (December 2018), available at https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3290824.
5 Google/Fitbit (Case M.9660)  OJ C 194/7 and LSEG/Refinitiv Business (Case M. 9564)  (not yet published).
6 See e.g., Thomson Corporation/Reuters Group (Case Comp/M.4726)  OJ C 212/5; Blackstone/Thomson Reuters F&R Business (Case M.8837)  OJ C 123/1 and most recently LSEG/Refinitiv Business (n 5).
7 See as announced in the European Commission Communication, ‘A European strategy for data’ COM(2020) 66 final and the European Commissions ‘Proposal for a Regulation of the European Parliament and of the Council on European data governance (Data Governance Act)’ COM(2020) 767 final.
8 A very recent example of a case that was directly caught by the EUMR turnover thresholds is Google/Fitbit (2020) (n 5). Importantly, the Commission, Member State merger control authorities, as well as notifying parties themselves have also increasingly used the different referral mechanisms under EUMR to refer transactions in data-intensive markets to the Commission for review where they did not meet EUMR’s turnover thresholds but met those of one or more Member States. Several of the Commission’s landmark merger control decisions in data-intensive markets have followed this route, including: Microsoft/GitHub (Case M.8994)  OJ C 428/1, Apple/Shazam (Case M.8788)  OJ C 417/4; Amadeus/Navitaire (Case M.7802)  OJ C 151/1; Facebook/WhatsApp (Case M.7217)  OJ C 417/4; Google/DoubleClick (Case COMP/M.4731)  OJ C 184/10; TomTom/TeleAtlas (Case COMP/M.4854)  OJ C 237/6 and Nokia/Navteq (Case COMP/M.4942)  OJ C 13/8.
9 Notable examples are the Commission’s updated Article 22 referral guidance (discussed in Section 2) and the UK government’s current stakeholder consultation on its proposed new bespoke jurisdictional thresholds for firms with strategic market status (SMS Firms), which would include a transaction-value threshold in the region of £100m or £200m (UK Government consultation document, ‘A new pro-competition regime for digital markets’ (July 2021) Paras. 178–181, available at https://www.gov.uk/government/consultations/a-new-pro-competition-regime-for-digital-markets). The US FTC has described such acquisitions as a ‘buy-or-bury’ in its ongoing antitrust complaint accusing Facebook of having unlawfully acquired a series of innovative competitors with mobile features over the last decade, such as Instagram and WhatsApp. See FTC, ‘FTC Alleges Facebook Resorted to Illegal Buy-or-Bury Scheme to Crush Competition After String of Failed Attempts to Innovate’ (August 2021), available at https://www.ftc.gov/news-events/press-releases/2021/08/ftc-alleges-facebook-resorted-illegal-buy-or-bury-scheme-crush
10 See, e.g., in European Commission, ‘Guidance on the application of the referral mechanism set out in Article 22 of the Merger Regulation to certain categories of cases’ C(2021) 1959 final, Paras. 9 and 19.
11 The Article 22 mechanism, or the ‘Dutch clause’, was introduced in the EUMR in 1989 because certain Member States such as the Netherlands lacked a national merger control regimes at that time.
12 C(2021) 1959 final (n 11), Para. 8.
13 ibid., Para. 19.
14 See European Commission daily update, 20 April 2021, available at https://ec.europa.eu/commission/presscorner/detail/en/mex_21_1846.
15 Explanatory Notes from the German legislator to the ninth amendment to the German Competition Act (2016) pp. 70 et seq., available at https://dserver.bundestag.de/btd/18/102/1810207.pdf.
16 ibid., p. 71.
17 For more detailed information, see Annual Activity Report 2017/2018 and Annual Activity Report 2019/2020 as well as the Information memorandum from the German Government (January 2021) p. 4, available at https://dserver.bundestag.de/btd/19/261/1926136.pdf. For more detailed information see the Annual Activity Reports of the Bundeswettbewerbsbehörde in 2018, available at https://www.bwb.gv.at/fileadmin/user_upload/Downloads/taetigkeitsbereich/Taetigkeitsbericht_der_BWB_2018_final.pdf, 2019 available at https://www.bwb.gv.at/fileadmin/user_upload/PDFs/BWB_Taetigkeitsbericht_2019.pdf and 2020, available at https://www.bwb.gv.at/fileadmin/user_upload/Downloads/taetigkeitsbereich/BWB_Taetigkeitsbericht_2020_barrierefrei.pdf.
18 See, among others, in Publicis/Omnicom (Case COMP/M.7023)  OJ C 84/1 and Telefónica UK/Vodafone UK/Everything Everywhere/JV (Case COMP/M.6314)  OJ C 66/4.
19 As previously also outlined in the Commission digitalisation report (n 3) p. 110.
20 Google/Fitbit (n 5) Paras. 419, 421, 422, 427-429.
21 The Commission has notably defined a range of financial data markets in significant detail in, e.g., Thomson Corporation/Reuters Group (n 7); Blackstone Group/Thomson Reuters F&R Business (n 7) and LSE/Refinitiv (n 5). It has also done so in relation to car navigation data in TomTom/Tele Atlas (n 9) Paras. 17–38 and 45–51 and Nokia/Navteq (n 9) Paras. 64 and 89. Note that, in these cases, the data sets concerned are traded or licensed to intermediate business customers who use them as an input for their own downstream product or service. There is also a wider debate on zero price markets and whether user data forms ‘payment in kind’ for such services. In the absence of any price, the Commission has used analytical tools such as the SSNDQ test (small but significant non-transitory decrease in quality) as a hypothetical model to assess the boundaries of the relevant market for such services. A good overview on this separate debate is provided in Pierre Hausemer e.a., ‘Support study accompanying the evaluation of the Commission Notice on the definition of relevant market for the purposes of Community competition law – Final report’ (2021) pp. 63–72, available https://ec.europa.eu/competition-policy/system/files/2021-06/kd0221712enn_market_definition_notice_2021_1.pdf.
22 P Hausemer e.a. (2021) (n 21) p. 91.
23 Dissenting Statement of Commissioner Pamela Jones Harbour, Google/DoubleClick, FTC File No. 071-0170 (December 2007) p. 9.
24 Case M.8124 Microsoft/LinkedIn (Case M.8124)  C(2016) 8404 final, Para. 179.
25 EC digitalisation report (n 3) p. 46.
26 In Facebook/WhatsApp (n 9) Paras. 70–72, the Commission held that it should not investigate possible separate markets for the provision of user data because neither Facebook nor WhatsApp provided these as stand-alone products or services to advertisers or other third parties.
27 Google/Fitbit (n 5), Paras. 399 and 427.
28 Google/Fitbit (n 5), Para. 428.
29 Microsoft/LinkedIn (n 24), Para. 249.
30 Google/Fitbit (n 5), Paras. 427–429.
31 See e.g., the assessment in Microsoft/LinkedIn (n 24) Paras. 246–277.
32 Google/Fitbit (n 5), Paras. 511 and 516.
33 See Commission, ‘Mergers: Commission clears acquisition of Refinitiv by London Stock Exchange Group, subject to conditions’ (2021) IP/21/103.
34 IP/21/103 (n 32).
35 IP/21/103 (n 32).
36 Google/Fitbit (n 5) Paras. 515–520.
37 Speech of Commissioner Vestager at the Florence Competition Summer Conference, ‘Defending competition in a digital age’ (June 2021), available at https://protect-eu.mimecast.com/s/ozpeCjDltnzr6YtGoY6y?domain=ec.europa.eu.
38 Access to this environment will be restricted (through internal firewalls) and logged, and these restrictions must be auditable by the monitoring trustee.
39 See for example Wegener/PCM/JV (Case COMP/M.3817)  OJ C 191/3, EDF/Louis Dreyfus (Case No. COMP/M.1557)  OJ C 323/11 and American Home Products/Monsanto (Case No. IV/M.1229)  OJ C 109/4.
40 Since Google didn’t sell wearables, and Fitbit’s position in the market was not significant, the Commission found that the merger did not lead to meaningful overlaps on the wearables market itself. But it did have concerns that combining the companies’ data might harm competition, if Google could use Fitbit’s health and fitness data for advertising. Although Google is not allowed to access Fitbit’s health and fitness data for advertising, it can do so for other purposes, as the Commission’s theory of harm only related to advertising.
41 European Commission notice on remedies acceptable under Council Regulation (EC) No. 139/2004 and under Commission Regulation (EC) No. 802/2004,  OJ C 267/01, Para. 17.
42 See also the Speech of Commission Vestager at the Florence Competition Summer Conference, ‘Defending competition in a digital age’ (June 2021).
43 See in particular Intel/McAfee (Case COMP/M.5984)  OJ C 98/1, Paras. 297 ff. and Daimler/BMW/Car sharing JV (Case M.8744)  OJ C 142/19, Paras. 335 et seq.
44 On the other hand, the remedies garnered support from a large majority of national competition authorities in the advisory committee meeting that preceded the adoption of the Commission’s decision (only two of the 15 Member State authorities present voted against). This suggests that national competition authorities in the EU are not hostile to behavioural remedies in digital markets.
45 Google/Fitbit (n 5), recital 452.
46 Bundeskartellamt, ‘Facebook, Exploitative business terms pursuant to Section 19(1) GWB for inadequate data processing’ (B6-22/16) .
47 Google/Fitbit (n 5) Para. 452, footnote 300.
48 Facebook/WhatsApp (n 9) Para. 164.
49 Aoife White and Hamza Ali, ‘Google-Fitbit probe isn’t for Data Watchdogs, Vestager says’, Bloomberg (25 February 2020).
50 Microsoft/LinkedIn (n 24) Paras. 177–179.
51 Google/Fitbit (n 5) Paras. 410–412.
52 Google/Fitbit (n 5) Paras. 977, 980 and Commitment A.2 ‘Web API Access Commitment’, Para. 7.