Crucial Developments to European Data and Privacy in Merger Control

This is an Insight article, written by a selected partner as part of GCR's co-published content. Read more on Insight

Data has become a cause célèbre of competition policy. Dubbed the ‘new oil’ by The Economist in 2017, companies with data at the heart of their business models now make up seven of the world’s 10 most valuable companies.[2] Responding to the economic change engendered by the rise of the data economy, competition regulators, practitioners and academics have assessed how novel competition concerns may arise in data-intensive markets, whether regulators have the tools to tackle such concerns and the potential implications for remedies.[3] Competition regulators have also had to grapple with the sometimes competing pressures of data regulation, notably data protection rules for personal data, when regulating markets in data-intensive sectors.[4]

This chapter outlines developments in European merger control policy concerning data and data protection. The past three years have seen the European competition regulators put key ideas concerning data-intensive markets into practice. In particular, the conditional clearances by the European Commission (the Commission) of Google/Fitbit (2020) and LSEG/Refinitiv (2021) have set new ground rules that the Commission has subsequently put into practice in cases including S&P/IHS Markit (2021), Microsoft/Nuance (2021) and Facebook/Kustomer (2022). These cases articulate new theories of harm pertaining to data markets, develop the relationship between competition law and data protection, and contain new access and behavioural remedies for concerns pertaining to data.[5] The Commission’s investigation into Amazon/iRobot (ongoing) is also poised to shed further light on the issues.

Setting the scene: what do we mean by ‘data’ and the interplay between competition and data protection?

All businesses collect and use data. But this begs the question: what do we mean by ‘data’ for merger control purposes if all mergers involve data? As the Commission’s expert report on digitalisation opined, it is ‘futile’ to analyse ‘data’ in the abstract: the importance of data varies depending on the relevant market, while the likelihood of competition concerns depends on the characteristics of the data under scrutiny and the relevant market. For merger control policy, this means that ‘data’ concerns are focused on markets where (1) the merged entity would have market power for data where it is either the ‘product’ or a significant input and (2) where data is driving the competitive assessment.

Merger control concerns pertaining to data are, moreover, not specific to any particular sector. The use of data in digital markets has no doubt been a key focus of regulatory scrutiny. But ‘data-intensive’ markets are not synonymous with digital markets. Financial data in wholesale markets has, for example, long been a product sold by a range of firms and subject to significant competition scrutiny; personal data has been a key input for providing personal financial products such as credit and insurance; and the Commission’s digitalisation report highlights data as a core input factor for production processes and logistics as well as smart products and services.[6]

Data-intensive markets are also dynamic: technological developments such as the internet of things and the rise of artificial intelligence also mean that data is becoming an increasingly important facet of more conventional businesses such as mobility and healthcare, such that data may well feature more heavily in the review of transactions in those sectors in the future.

A consequence of European competition regulators probing data-intensive markets with growing frequency is also an increasing assessment of how data regulation (1) sets the boundaries in which competition in data-intensive market takes place and (2) imposes limits on competition policy. Data regulation is not, however, a single body of legislation applicable to all data: data protection, for example, concerns personal data but does not regulate the swathes of industrial data that are of increasing importance with the development of products such as autonomous vehicles. Data regulation is also evolving, with the EU Data Governance Act, which recently entered into force, and the proposed Data Act likely to have an impact on competitive dynamics in the future.[7] The implications of data protection on competition policy concerning personal data have elicited particular interest owing to a perception that the regulatory framework of the General Data Protection Regulation (GDPR) has hampered effective competition.

European regulators’ expanding jurisdictional powers to capture transactions in data-intensive markets

Transactions in data-intensive markets are already frequently captured by the jurisdictional thresholds of the EU Merger Regulation (EUMR) as well as the Member States’ merger control regimes.[8] European regulators are, however, introducing reforms to give themselves leeway to intervene in a wider set of transactions. Their targets are ‘killer acquisitions’: transactions involving the acquisition of fast-growing, high-value firms with limited turnover that will or may challenge existing incumbents (notably in pharmaceutical and technology markets).[9] The reforms are thus not targeted at data-intensive markets nor intended to capture data-specific theories of harm; however, the focus on digital markets and, in particular, companies with high-value data means that data-intensive markets are prime candidates for review.[10]

European regulators have, however, expanded their jurisdictional powers in different ways.

The Commission’s approach has been to resurrect the use of the existing Article 22 referral process, which had until recently fallen into abeyance. Article 22 EUMR permits one or more Member States to request the Commission to review transactions that affect trade between Member States and threaten to significantly affect competition in the relevant Member State.[11]

While the Commission has discretion over whether to accept such referrals, it previously discouraged them where the relevant Member State lacked jurisdiction to review the transaction under its own national merger control rules. The Commission’s Article 22 Guidance Paper (2021) announced a policy change to ‘encourage and accept referrals’ where (1) the conditions for referral are met and (2) the turnover of ‘at least one of the undertakings concerned does not reflect its actual or future competitive potential’ (irrespective of whether the referring Member State has original jurisdiction under its own merger control rules).[12]

The approach meant that the European Union did not have to amend the jurisdictional thresholds in the EUMR while simultaneously giving the Commission a residual power to pick and choose when to intervene in perceived potential killer acquisitions in digital, pharma and other high-tech markets (provided that at least one Member State is willing to issue a referral).

While the specific target may not be data-intensive markets, the Commission’s focus on digital markets means that such markets are likely to receive greater scrutiny: the Article 22 Guidance Paper highlights access or ownership of data as a key criterion in assessing an undertaking’s competitive potential, while the Commission’s Phase II review of Facebook’s acquisition of Kustomer following an Article 22 referral from Austria focused on, inter alia, access to data in digital advertising markets.[13]

Following the General Court’s endorsement of the Commission’s Article 22 policy change in its landmark Illumina/Grail ruling in July 2022, the Commission is now on firmer ground to review a greater proportion of transactions in data-intensive markets (although Ilumina’s appeal against the judgment is still pending before the Court of Justice, so there will remain some uncertainty over the policy until the outcome of this appeal).[14] The Commission’s renewed Article 22 policy will moreover soon be strengthened by Article 14 of the Digital Markets Act, which requires gatekeepers to inform the Commission of any transactions where the merging entities or the target provide core platform services or any other services in the digital sector or enable the collection of data, irrespective of whether it is notifiable under the merger control rules of the European Union or any of its Member States.[15] Commissioner Margrethe Vestager already publicly announced the Commission’s intention to alert Member States of pending transactions identified through this new tool and to invite them to refer potentially below threshold transactions to the Commission on this basis where appropriate.[16]

Germany and Austria have, in contrast, introduced transaction value-based jurisdictional thresholds to complement their existing turnover-based thresholds in 2017. Although the use of transaction value thresholds provides clear boundaries for the expansion of Germany’s and Austria’s merger control thresholds in contrast to the Commission’s Article 22 reforms, their main objective is the same: capturing killer acquisitions by large players in the pharmaceutical, digital and other high-tech sectors.[17] The thresholds are therefore likely to capture acquisitions of nascent businesses in data-intensive markets; indeed, Germany’s Explanatory Memorandum for the reforms specifically cites Facebook/WhatsApp (2014) as the type of transaction that the new thresholds are intended to bring within scope.[18]

That said, in practice, the thresholds have had limited effect: since their introduction in Germany, only 32 transactions were notified pursuant to the new threshold out of 5,355 notified cases (with a slightly higher proportion in Austria).[19]

The practical consequence of the reforms, and similar reforms being contemplated elsewhere, has, however, the same broad implications: (1) merger control authorities have greater scope to probe transactions in data-intensive markets and (2) the acquisitions of nascent data-focused businesses, particularly by large digital platforms, may now trigger filings or attract discretionary intervention where previously they would not have been reviewable.

Emergence of a quasi-horizontal ‘data’ theory of harm in European merger control

Turning to substance, the Commission and the national competition authorities have previously investigated transactions in data-intensive markets involving conventional unilateral and coordinated effects.[20] The Commission’s decision in Google/Fitbit put forward, however, a quasi-horizontal theory of harm, whereby the acquisition of complementary data can strengthen an entity’s market power in downstream markets or give rise to foreclosure concerns.[21] The Commission subsequently explored the same concern in Facebook/Kustomer, but ultimately concluded that the data that Meta would obtain from Kustomer’s customers, if any, would be insufficiently significant to raise concerns. There was no risk of Meta foreclosing access to such data because the data was readily available on the market (contrary to the situation in Google/Fitbit), access to the data was dependent on agreements with Kustomer’s business customers, and businesses will continue to have an incentive to share their commercial data with both Meta and rival advertising platforms in order to measure and optimise their ad campaigns’ performance.[22] Also, the Commission’s ongoing in-depth investigation in Amazon/iRobot centres around the question whether the data collected by iRobot’s robot vacuum cleaners would provide Amazon with an important competitive advantage, raising barriers to entry and expansion for Amazon’s rival online marketplace (and related advertising) service providers.[23]

The theory of harm has roots over the past decade: the Commission had explored similar concerns in Facebook/WhatsApp and Microsoft/LinkedIn (2016) before dismissing them. In Google/Fitbit, the Commission found that Google’s acquisition of Fitbit’s health and wellness data would have strengthened Google’s existing market power for digital advertising, in particular its dominant position for search advertising. The novelty of the theory of harm is that it assessed horizontal unilateral effects, notwithstanding that:

  • neither Fitbit nor Google made their respective data available to third parties (i.e., there was no conventional antitrust market for the relevant data); and
  • the two data sets were complementary inputs rather than substitutable data sets (Fitbit’s services generated health and wellness data whereas Google’s range of data includes, notably, data generated by users’ search queries but is not focused on health and wellness data).

Fitbit was not active in the downstream markets for digital advertising, and the Commission did not seek to characterise it as a potential entrant. As such, the Commission’s decision establishes that combining ostensibly complementary data sets may nevertheless increase a firm’s market power in a downstream market, irrespective of whether the undertakings concerned make the underlying data available to third parties or compete in the relevant downstream market.[24]

This has raised three conceptual challenges for merger control as applied to data-intensive markets: (1) whether and, if so, how to define antitrust markets for untraded ‘data’; (2) the conditions for such quasi-horizontal concerns to arise; and (3) how to balance the efficiencies with any potential anti­competitive effects.

A new approach to market definition where data is an important input

The market definition for conventional data markets, where data is traded between counterparties as the ‘product’, is well established.[25]

This does not hold for the Commission’s data theory of harm in Google/Fitbit, which poses significant challenges for conventional market definition as it concerns the effects of combining data sets divorced from any real market. The Commission’s ongoing evaluation of its market definition notice analyses the difficulties posed by such concerns, namely that there is, in principle, no plausible antitrust market on which to assess the horizontal effects absent supply and demand for the data.[26]

To overcome this bar, commentators have proposed defining hypothetical markets. First put forward by Federal Trade Commission Commissioner Pamela Jones Harbour in her dissenting opinion for the clearance of Google/DoubleClick (2008), the proposal has attracted support from a number of corners.[27] Using this approach, regulators would define hypothetical markets for data used for the same purpose in downstream markets (e.g., data used for targeting advertising).

The Commission also briefly assessed the effects of Microsoft/LinkedIn in a ‘hypothetical market’ for the supply of data used for online advertising.[28] The practical challenge posed by such hypothetical data markets is determining their boundaries absent any direct evidence of supply and demand.

The alternative approach is to simply assess the effects of non-traded inputs, such as data on downstream markets in the competitive assessment. The Commission took this approach in Google/Fitbit: considering the effects of Fitbit’s data in its competitive assessment of the effect of the merger on digital advertising markets. The approach is consistent with the Commission’s Digitalisation Report, which advocated ‘less emphasis on analysis of market definition’ in digital markets and ‘more emphasis on theories of harm and identification of anti-competitive strategies’.[29] This has the benefit of sidestepping the conceptual question of whether antitrust markets exist only where there is supply and demand for the relevant product or innovation.[30]

However, ignoring market definition in these circumstances arguably omits the rigour of confirming that the data under scrutiny is sufficiently likely to increase market power for the relevant downstream market (as well as the relevant competing types of data). For some, at least, this results in an uneasy compromise and leaves open the prospect that the Commission’s conclusions may not be the final word in the debate.[31]

What are the conditions for the Commission to substantiate the theory of harm?

The Commission’s articulation of a quasi-horizontal data theory of harm for the first time in Google/Fitbit left open a number of questions on the conditions for such concerns to arise. Its finding of competition concerns in Google/Fitbit rested on five broad findings:

  • Google had significant market power in a number of digital advertising markets;
  • Fitbit’s health and wellness data was a valuable input and would ‘strengthen’ Google’s position in such markets;
  • Google’s competitors in such markets could not obtain straightforward access to similar data;
  • there was no plausible prospect of significant countervailing buyer power from Google’s digital advertising customers; and
  • the long-term anticompetitive effects of the diminution of such competition outweighed the short-term benefits from Google being able to offer superior digital advertising services to consumers.[32]

The unconventional context means that the theory of harm raises a number of practical questions for when such concerns are capable of arising. Given that neither Fitbit nor its data exercised a competitive constraint per se on Google for digital advertising, by how much must the complementary data strengthen the market position of the undertaking active in the downstream market? How should the balancing exercise between short-term benefits and long-term harm be conducted? In particular, to what extent does the uncertainty around any putative longer-term harm mean that it is discounted against the more certain short-term benefits?

These questions also raise more practical questions: do the conceptual difficulties posed by the theory of harm mean that the Commission is likely to invoke it only in limited circumstances? For example, is it relevant only where the relevant undertaking holds a dominant position in the downstream market and the data is unique? Or does the theory of harm have much wider application?

Efficiencies and efficiency offences when combining different data sets

A final challenge posed by the Commission’s theory of harm is assessing merger efficiencies in circumstances when combining the merging parties’ data frequently enables firms to improve their related products. As the Commission recognised in Microsoft/LinkedIn, integrating Microsoft’s and LinkedIn’s data sets offered the merged entity the prospect of delivering products ‘based on a dataset to which otherwise no one would have access’.[33]

However, under the Commission’s theory of harm in Google/Fitbit, the ability to combine data to offer improved products was both an efficiency (the merging parties could offer a higher-quality product than would have been the case absent the merger) and the source of the unilateral anticompetitive effects (the merger raised barriers to entry and thereby strengthened the merging parties’ market position).

The Commission observed in Google/Fitbit that the theory of harm accordingly entails an arguably axiomatic balancing exercise between the alleged anticompetitive and procompetitive effects of the transaction. Google itself submitted that this meant that the Commission bore the burden of both ‘quantifying the efficiency’, which gave rise to the alleged anticompetitive effects, and proving that the efficiency ‘would be outweighed by the anticompetitive effects’. While the Commission did not seek to quantify either the harm or the anticompetitive effects, the Commission did assess and conclude that the short-term efficiencies derived from the transaction because of ‘better ads targeting’ were ‘likely’ more than outweighed by the long-term effects on innovation.[34]

Input foreclosure concerns in data-intensive markets

In keeping with the increasing importance of data as an input for a range of (digital) markets, the Commission has continued to focus on whether mergers may give rise to input foreclosure concerns resulting from a loss of access to key data sets. In Google/Fitbit, the Commission found that Google would have the ability and incentive to foreclose access to Fitbit’s health and wellness data with the risk of anticompetitive foreclosure of businesses offering digital healthcare. In LSEG/Refinitiv, the Commission found that the LSEG would have the ability and incentive to foreclose access to data generated by LSEG’s venues, its FTSE Russell UK equity indices and Refinitiv’s WM/R FX benchmark data with the risk of foreclosure in downstream markets for consolidated data feeds, desktop services and index licensing.[35]

Similar concerns also played a role in S&P Global/IHS Markit, where the Commission’s market investigation revealed that S&P Global would have the ability and incentive to (partially) refuse access to IHS Markit’s ‘LoanX ID’ loan identifiers, which enable firms to track loan pricing and loan reference data products to rival providers of leveraged loan market intelligence where S&P Global was active.[36]

To evaluate its data foreclosure concerns in Google/Fitbit, the Commission applied a conventional input framework, namely whether:

  • the merged entity would have the ability to foreclose or degrade access to the relevant data, in particular because the data is an important input and the merged entity would have significant market power for its supply;
  • the merged entity would have the incentive to foreclose or degrade access to the relevant data to benefit its own services in related markets; and
  • foreclosure in such markets would have anticompetitive effects.[37]

In assessing whether Google would have the ability to foreclose access to important user health and wellness data, the Commission acknowledged that businesses in digital health would still have access to user data from other wearable original equipment manufacturers, including Apple, Garmin, Samsung, Polar and Suunto. The Commission still, however, concluded that Google had sufficient ability to foreclose by withholding or degrading access to Fitbit’s user data, in part because ‘a number of players’ accessed such data through Fitbit’s web application programming interface (API).[38] In so doing, the decision articulates a low threshold for establishing that a firm would have significant market power for data where, in particular, such data is already available to the market.

In contrast, in LSEG/Refinitiv, the Commission found that Refinitiv’s WM/R FX benchmarks had associated network effects that made the benchmarks unique;[39] thus, notwithstanding the presence of similar FX data sets, the Commission concluded that the use of such data in downstream markets – notably for index licensing – meant that the merged entity would have had significant market power.[40] The Commission similarly pointed to IHS Markit’s LoanX IDs benefiting from network effects, which meant that it was a de facto market standard for loan identifiers and one of the reasons why it constituted a ‘very important input’ for downstream loan market intelligence.[41]

In relation to incentives, the Commission in both LSEG/Refinitiv and Google/Fitbit considered the ability of the relevant parties to selectively degrade the quality of access to data as a salient factor in assessing whether the merged entities would have an incentive to foreclose. It considered this scenario in relation to Refinitiv’s rivals’ access to LSEG’s venue data,[42] as well as in relation to rival downstream digital healthcare providers’ access to Fitbit’s users’ data, through degraded access to its web API.[43] Flowing from the inherent flexibility that characterised the data under scrutiny, the ability to selectively degrade access meant that the merged entities would have had the ability to target any foreclosure strategy at their respective competitors and thus reduce any potential costs of a foreclosure strategy (and hence make it more attractive).

In S&P Global/IHS Markit, the Commission also cited possible partial foreclosure strategies in the past as evidence of S&P Global’s potential ability and incentive to foreclose access to LoanX IDs post-merger.[44]

While sometimes treated as an afterthought, the Commission’s assessment of anticompetitive effects in Google/Fitbit exhibited a focus on the nature of the firms that foreclosure would allegedly impact and what that would mean for effects on dynamic competition. The Commission specifically highlighted that interruption of access to Fitbit’s web API would negatively affect, in particular, ‘start-ups and small players that . . . would capitalise even on relatively small amounts of Fitbit users’ data to compete and contribute to innovation and diversification of the digital healthcare’.

In so doing, the Commission seemingly drew a causal link between the potential foreclosure effects of the merger on small and medium-sized enterprises and deleterious effects on innovation and product diversification. Applied more broadly, the Commission’s stance implies that the risk of input foreclosure of smaller players in fast-growing and dynamic markets may attract particular scrutiny given its perceived negative effects on innovation.

Remedy design in a data-driven age

Increasing scrutiny of data-intensive markets is also driving new approaches to the suitability and design of remedies. Commissioner Margrethe Vestager opined that the ‘equally important’ and often more difficult part of competition policy ‘is finding the right remedies’.[45] Such sentiments are particularly apposite for data and data-intensive markets where the greater prevalence of vertical and conglomerate concerns means access and other behavioural remedies are more frequently potential options.

The most novel development is the ‘data silo’ remedy in Google/Fitbit, which addressed the Commission’s horizontal concerns over the aggregation of Google’s and Fitbit’s data for digital advertising markets. Google committed to hold Fitbit’s health and fitness data separate from Google’s advertising business in a virtual storage environment for a period of 10 years (extendable by a further 10 years).[46] The concept as such is not new: the Commission has previously accepted hold separate remedies to address bundling concerns.[47] The novelty is its use to address allegedly (quasi-)horizontal concerns in relation to data.[48]

The Commission’s Remedies Notice stipulates that commitments concerning a merged entity’s future conduct are acceptable only ‘exceptionally in very specific circumstances’.[49] The novelty of the theory of harm is thus mirrored in the novelty of the remedy, which, as Commissioner Vestager has commented, is intended to function as a de facto structural remedy (albeit time-limited).[50] As such, the remedy breaks new ground and offers a potential new approach for managing concerns relating to the aggregation of (complementary) data sets.

While more conventional, the Commission’s data access and interoperability remedies in Google/Fitbit, LSEG/Refinitiv and Meta (formerly Facebook)/Kustomer nevertheless illustrate an emphasis on preserving a level playing field despite the complexities of (some) data markets. First, the commitments contain extensive future-proofing measures in keeping with their extended duration: in particular, both data access remedies can expand to capture data outside the scope of the commitment at the time of the Commission’s decision. For example, the web access API in Google/Fitbit, which grants third parties access to Fitbit’s health and wellness data, requires Google not only to provide access to data currently collected through Fitbit’s services but to update the types of data available during the lifetime of the commitment.[51] Similarly, the commitments accepted in Meta (formerly Facebook)/Kustomer not only cover existing messaging channel API functionalities but also require Meta to make future new or improved functionalities available to third-party customer relationship management providers.[52]

Second, both sets of commitments embed the principle of non-discriminatory access to key data inputs alongside the merged entity. In so doing, the non-discrimination provisions seek to protect a level playing field and the quality of access for third parties (an important factor when, for some data, factors such as latency are critical for maintaining competitiveness).

The use of access and behavioural remedies for concerns pertaining to data is also part of a wider debate on whether there is greater scope for use of access and behavioural remedies.[53] While such remedies, in principle, preserve access to key data inputs while simultaneously allowing merging parties to realise the potential efficiencies of their transactions, some regulators have indicated their opposition to a greater use of behavioural remedies to solve data-related concerns.

The Australian competition regulator rejected the remedies accepted by the Commission in Google/Fitbit as too behavioural and complex, a position supported by the head of the UK regulator. They also attracted rare criticism from the European Parliament in its annual report on competition policy.[54]

The outcome is, as yet, unclear. But data access and other behavioural remedies cannot be viewed in isolation. The EU’s Digital Markets Act provides, for example, for far-reaching data access remedies, and a number of the Commission’s ongoing cases in digital markets may result in data access remedies. The success of these remedies is likely to dictate the degree to which such remedies become commonplace in data markets in the future.

The role of privacy and data protection in the competitive assessment of mergers

The increased merger control scrutiny of data-intensive markets has also increasingly posed questions of the relationship between competition law and European data protection rules (most notably the GDPR). As European Competition Commissioner Vestager put it at the European Data Protection Supervisor’s conference in June 2022:

when it comes to digital markets the wider link between competition and privacy will always be there. After all, the more concentrated markets become, the more consumer data is held in the hands of fewer and fewer businesses – and the higher are the risks for privacy.

The topic is relevant for mergers concerning personal data that are subject to European data protection rules and has raised three issues:

  • the degree to which privacy is a relevant parameter of competition (as a facet of competition on the ‘quality’ of products and services);
  • the implications of data protection rules for assessing competitive dynamics and the implications of mergers in data-intensive markets; and
  • the implications of data protection rules for merging parties and the Commission when designing and assessing remedies.

The Commission’s Google/Fitbit decision has shed significant light on, if not quite settled, these questions for European merger control purposes.

The Commission’s conclusions in Google/Fitbit significantly limit, in the first instance, the relevance of privacy as a potential parameter of competition. A number of participants in the proceedings had raised concerns that the merger would reduce competitive pressure pertaining to privacy.[55] Such concerns channelled the Bundeskartellamt’s Facebook (2019) decision, which had held that Facebook’s collection and use of user data had exploited a dominant position by violating European data protection rules, raising whether competition law is a de facto means of enforcing data protection.[56]

The Commission reasoned, however, that commercial decisions concerning privacy would be subject to the GDPR, which ‘provides a high standard of privacy and data protection . . . and leaves little room for differentiation’.[57] While not definitive, the Commission’s broad reasoning indicates a developing policy position concerning the boundary between merger control and data protection.[58] The stance was also seen at the EU institutional level when Commissioner Vestager decided that it would not be appropriate to give the European Data Protection Board a formal role in the review of Google/Fitbit.[59]

The Commission also adopted a more robust position that European data protection rules do not protect against competition concerns arising in relation to data, by preventing effective data integration between the merging parties. In Microsoft/LinkedIn, the Commission opined that the advent of the GDPR might limit Microsoft’s ability to integrate personal data collected by its services with those of LinkedIn, nevertheless conducting an assessment of the relevant data overlap because the potential risk to competition could not be entirely ruled out.[60]

However, in Google/Fitbit, the Commission ‘predicated’ its assessment on the parties being able to ‘lawfully combine their datasets’.[61] The Commission then went further to observe that, even if this assumption did not hold, its assessment ‘would be the same’, but that the merging parties would be ‘accountable for any breach’ of European data protection rules. The gist of the Commission’s position seems to be that, notwithstanding any ambiguity over the implications of European data protection rules for integration of data sets, it will assume that such integration is possible. This has significant practical implications as it suggests that merging parties will need to be wary of relying on data protection rules, and indeed other data regulation, as a shield to potential competition concerns.

Successfully relying on data protection rules to rebut such concerns seems to work only in specific circumstances and if corroborated with strict contractual obligations. In Microsoft/Nuance, for example, the Commission was comfortable that Microsoft would not be able to foreclose Nuance’s rival healthcare software providers as the latter was under strict contractual and data protection obligations not to use the healthcare information transcribed via its software for other purposes than the actual provision of its transcription service.[62]

Finally, data protection sets limits on the remedies that parties can submit to address competition concerns in merger control proceedings. The limitations imposed by data protection are well illustrated by the web API access commitment in Google/Fitbit, which conditioned third-party access to Fitbit’s health and wellness data on privacy and security requirements.[63] That remedies must be compatible with wider regulation is unsurprising.

Data protection rules have, however, significant practical implications as they limit, inter alia, firms from sharing personal data with other third parties. In so doing, the rules set boundaries on what is feasible for data access and interoperability remedies that might otherwise be practical solutions to competition concerns pertaining to data-intensive markets.


The past three years have seen significant developments in how European merger control policy applies to data-intensive markets: the Commission’s recent decisions have set a new precedent on market definition for data markets, the theories of harm that may be relevant and the remedies that can solve such concerns.

The Commission is, however, likely to have ample opportunity to develop its approach. The intensifying shift towards digital commerce, the growth of the internet of things and the need for vast amounts of data in new products such as autonomous vehicles are all driving the increased use of data and, in turn, are likely to result in the Commission reviewing more transactions involving data-intensive markets.


1 Gerwin Van Gerven is a senior counsel, Annamaria Mangiaracina and Will Leslie are partners, and Lodewick Prompers is a counsel at Linklaters LLP. The views in this chapter are those of the authors and should not be attributed to Linklaters LLP, its lawyers or any of its clients. The authors are grateful to Florian Jonniaux for his invaluable contribution and editorial work and Sophia Foon for her assistance.

2 The Economist, ‘The world’s most valuable resource is no longer oil, but data’ (6 May 2017), available at; Statista, ‘The 100 largest companies in the world by market capitalization in 2021’ (31 May 2021), available at

3 Notable examples include Youenn Beaudouin, Simon Genevaz, Sean Mernagh, Aiste Slezeviciute, ‘Merger Enforcement in Digital and Tech Markets: an Overview of the European Commission’s Practice’ (December 2022), European Commission Competition policy brief, Issue 02/2022, available at; Jacques Crémer, Yves-Alexandre de Montjoye and Heike Schweitzer, ‘Competition policy for the digital era – Final report’ (2019) (Commission digitalisation report), available at; UK Digital Competition Expert Panel, ‘Unlocking digital competition’ (2019) (Furman report), available at; Geoffrey Parker, Georgios Petropoulos and Marshall van Alstyne, ‘Platform mergers and antitrust’ (January 2021) Bruegel working paper 01/2021, available at; Jörg Hoffmann and Germán Johannsen, ‘EU Merger Control & Big Data – On Data-Specific Theories of Harm and Remedies’ (2019), Max Planck Institute for Innovation and Competition Research Paper Series No. 19-05, available at; and Anca D Chirita, ‘Data-Driven Mergers Under EU Competition Law’ (June 2018), available at

4 See, for example, OECD Competition Committee, ‘Consumer data rights and competition – Summaries of contributions’ (July 2020), DAF/COMP/WD(2020)59; Maria C Wasastjerna, ‘The Implications of Big Data and Privacy on Competition Analysis in Merger Control and The Controversial Competition-Data Protection Interface’ (2019) 30(3) European Business Law Review pp. 337–366; and Gabriela Zanfir-Fortuna and Sînziana Ianc, ‘Data Protection and Competition Law: The Dawn of “Uberprotection”’ (December 2018), available at

5 Google/Fitbit (Case M.9660) [2020] OJ C 194/7; LSEG/Refinitiv Business (Case M.9564) [2021] OJ C 434/9; S&P Global/IHS Markit (Case M.10108) [2022] OJ C 49/3; Microsoft/Nuance (Case M.10290) [2021] OJ C 296/1; and Meta (formerly Facebook)/Kustomer (Case M. 10262).

6 See, for example, Thomson Corporation/Reuters Group (Case Comp/M.4726) [2008] OJ C 212/5; Blackstone/Thomson Reuters F&R Business (Case M.8837) [2018] OJ C 123/1 and, most recently, LSEG/Refinitiv Business (n 5).

7 The Data Governance Act entered into force in June 2022 and applied from 24 September 2022. See Regulation (EU) 2022/868 of the European Parliament and of the Council of 30 May 2022 on European data governance and amending Regulation (EU) 2018/1724 (Data Governance Act). See also the Commission’s ‘Proposal for a Regulation of the European Parliament and of the Council on harmonised rules on fair access to and use of data (Data Act)’ COM(2022) 68 final.

8 A recent example of a case that was directly caught by the EU Merger Regulation (EUMR) turnover thresholds is Google/Fitbit (2020) (n 5). Importantly, the Commission, Member State merger control authorities and notifying parties themselves have also increasingly used the different referral mechanisms under the EUMR to refer transactions in data-intensive markets to the Commission for review where they did not meet the EUMR’s turnover thresholds but met those of one or more Member States. Several of the Commission’s landmark merger control decisions in data-intensive markets have followed this route, including Microsoft/GitHub (Case M.8994) [2018] OJ C 428/1, Apple/Shazam (Case M.8788) [2018] OJ C 417/4; Amadeus/Navitaire (Case M.7802) [2016] OJ C 151/1; Facebook/WhatsApp (Case M.7217) [2014] OJ C 417/4; Google/DoubleClick (Case COMP/M.4731) [2008] OJ C 184/10; TomTom/TeleAtlas (Case COMP/M.4854) [2007] OJ C 237/6; and Nokia/Navteq (Case COMP/M.4942) [2007] OJ C 13/8.

9 Notable examples are the Commission’s updated Article 22 referral guidance (discussed in Section 2) and the UK government’s current stakeholder consultation on its proposed new bespoke jurisdictional thresholds for firms with strategic market status (SMS firms), which would include a transaction value threshold in the region of £100 million or £200 million (UK government consultation document, ‘A new pro-competition regime for digital markets’ (July 2021) Paragraphs 178–181, available at The US Federal Trade Commission (FTC) has described such acquisitions as a ‘buy-or-bury’ in its ongoing antitrust complaint accusing Facebook of having unlawfully acquired a series of innovative competitors with mobile features over the past decade, such as Instagram and WhatsApp. See FTC, ‘FTC Alleges Facebook Resorted to Illegal Buy-or-Bury Scheme to Crush Competition After String of Failed Attempts to Innovate’ (August 2021), available at

10 See, for example, in European Commission, ‘Guidance on the application of the referral mechanism set out in Article 22 of the Merger Regulation to certain categories of cases’ C(2021) 1959 final, Paragraphs 9 and 19.

11 The Article 22 mechanism, or the ‘Dutch clause’, was introduced in the EUMR in 1989 because certain Member States, such as the Netherlands, lacked a national merger control regime at that time.

12 C(2021) 1959 final (n 10), Paragraph 8 and see also the European Commission’s recent Q&A guidance note ‘Practical information on implementation of the “Guidance on the application of the referral mechanism set out in Article 22 of the Merger Regulation to certain categories of cases”’, 12 December 2022, available at

13 ibid., Paragraph 19; see, also, Meta (formerly Facebook)/Kustomer (n 5).

14 Judgment of 13 July 2022, Illumina and Grail v. Commission, T 227/21, ECLI:EU:T:2022:447.

16 Speech of Commissioner Vestager at the International Bar Association 26th Annual Competition Conference in Florence ‘Merger control: the goals and limits of competition policy in a changing world (September 2022)’, available at

17 Explanatory Notes from the German legislator to the ninth amendment to the German Competition Act (2016) pp. 70 et seq., available at

18 ibid., p. 71.

19 For more detailed information, see Annual Activity Report 2017/2018 and Annual Activity Report 2019/2020 as well as the Information Memorandum from the German government (January 2021) p. 4, available at For more detailed information, see the annual activity reports of the Bundeswettbewerbsbehörde in 2018, available at; 2019, available at; and 2020, available at

20 See, among other cases, Publicis/Omnicom (Case COMP/M.7023) [2014] OJ C 84/1 and Telefónica UK/Vodafone UK/Everything Everywhere/JV (Case COMP/M.6314) [2012] OJ C 66/4.

21 As previously also outlined in the Commission digitalisation report (n 3) p. 110.

22 Meta (formerly Facebook)/Kustomer (n 5), Paragraphs 561, 578 and 585. See also Youenn Beaudouin, Simon Genevaz, Sean Mernagh and Aiste Slezeviciute, ‘Merger Enforcement in Digital and Tech Markets: an Overview of the European Commission’s Practice’ (December 2022), European Commission Competition policy brief, Issue 02/2022, p.10, available at

23 Commission, ‘Mergers: Commission opens in-depth investigation into the proposed acquisition of iRobot by Amazon' (2023) IP/23/3702.

24 Google/Fitbit (n 5), Paragraphs 419, 421, 422 and 427–429.

25 The Commission has notably defined a range of financial data markets in significant detail in, for example, Thomson Corporation/Reuters Group (n 7); Blackstone Group/Thomson Reuters F&R Business (n 7) and LSEG/Refinitiv (n 5), Paragraphs 17 ff. and S&P Global/IHS Markit (n 5), Paragraphs 22–26. It has also done so in relation to car navigation data in TomTom/Tele Atlas (n 9) Paragraphs 17–38 and 45–51 and Nokia/Navteq (n 9) Paragraphs 64 and 89. Note that, in these cases, the data sets concerned are traded or licensed to intermediate business customers who use them as an input for their own downstream product or service. There is also a wider debate on zero price markets and whether user data forms ‘payment in kind’ for such services. In the absence of any price, the Commission has used analytical tools such as the SSNDQ test (small but significant non-transitory decrease in quality) as a hypothetical model to assess the boundaries of the relevant market for such services. A good overview on this separate debate is provided in Pierre Hausemer et al., ‘Support study accompanying the evaluation of the Commission Notice on the definition of relevant market for the purposes of Community competition law – Final report’ (2021) pp. 63–72, available at

26 P Hausemer et al. (2021) (n 25) p. 91.

27 Dissenting Statement of Commissioner Pamela Jones Harbour, Google/DoubleClick, FTC File No. 071-0170 (December 2007) p. 9.

28 Case M.8124 Microsoft/LinkedIn (Case M.8124) [2016] C(2016) 8404 final, Paragraph 179.

29 EC digitalisation report (n 3) p. 46.

30 In Facebook/WhatsApp (n 8), Paragraphs 70–72, the Commission held that it should not investigate possible separate markets for the provision of user data because neither Facebook nor WhatsApp provided these as stand-alone products or services to advertisers or other third parties.

31 Google/Fitbit (n 5), Paragraphs 399 and 427.

32 Google/Fitbit (n 5), Paragraph 428.

33 Microsoft/LinkedIn (n 28), Paragraph 249.

34 Google/Fitbit (n 5), Paragraphs 427–429.

35 LSEG/Refinitiv (n 5), Paragraphs 903–949.

36 S&P Global/IHS Markit (n 5), Paragraphs 411–418 and 512–547.

37 See, for example, the assessment in Microsoft/LinkedIn (n 28), Paragraphs 246–277.

38 Google/Fitbit (n 5), Paragraphs 511 and 516.

39 LSEG/Refinitiv (n 5), Paragraph 1724.

40 LSEG/Refinitiv (n 5), Paragraphs 1734–1781.

41 S&P Global/IHS Markit (n 5), Paragraphs 413–414, 519 and 521.

42 IP/21/103 (n 32); LSEG/Refinitiv (n 5), Paragraphs 940–947.

43 Google/Fitbit (n 5), Paragraphs 515–520.

44 S&P Global/IHS Markit (n 5), Paragraph 541.

45 Speech of Commissioner Vestager at the Florence Competition Summer Conference, ‘Defending competition in a digital age’ (June 2021), available at

46 Access to this environment will be restricted (through internal firewalls) and logged, and these restrictions must be auditable by the monitoring trustee.

47 See, for example, Wegener/PCM/JV (Case COMP/M.3817) [2005] OJ C 191/3, EDF/Louis Dreyfus (Case No. COMP/M.1557) [1999] OJ C 323/11 and American Home Products/Monsanto (Case No. IV/M.1229) [1998] OJ C 109/4.

48 Since Google did not sell wearables, and Fitbit’s position in the market was not significant, the Commission found that the merger did not lead to meaningful overlaps on the wearables market itself. But it did have concerns that combining the companies’ data might harm competition, if Google could use Fitbit’s health and fitness data for advertising. Although Google is not allowed to access Fitbit’s health and fitness data for advertising, it can do so for other purposes, as the Commission’s theory of harm related only to advertising.

49 European Commission notice on remedies acceptable under Council Regulation (EC) No. 139/2004 and under Commission Regulation (EC) No. 802/2004 [2008] OJ C 267/01, Paragraph 17.

50 See also the Speech of Commission Vestager at the Florence Competition Summer Conference, ‘Defending competition in a digital age’ (June 2021).

51 Google/Fitbit (n 5), paragraphs 974–976.

52 Meta (formerly Facebook)/Kustomer (n 5), Paragraph 677 and Commitments, Paragraph 3.

53 See, for example, recently in keynote speech of Commissioner Vestager at the International Forum of the Studienvereinigung Kartellrecht: ‘Recent Developments in EU merger control’ (May 2023), available at"> and Youenn Beaudouin, Simon Genevaz, Sean Mernagh and Aiste Slezeviciute, ‘Merger Enforcement in Digital and Tech Markets: an Overview of the European Commission’s Practice’ (December 2022), European Commission Competition policy brief, Issue 02/2022, pp. 12–13, available at

54 On the other hand, the remedies garnered support from a large majority of national competition authorities in the advisory committee meeting that preceded the adoption of the Commission’s decision (only two of the 15 Member State authorities present voted against). This suggests that national competition authorities in the European Union are not hostile to behavioural remedies in digital markets.

55 Google/Fitbit (n 5), Recital 452.

56 Bundeskartellamt, ‘Facebook, Exploitative business terms pursuant to Section 19(1) GWB for inadequate data processing’ (B6-22/16) [2019].

57 Google/Fitbit (n 5), Paragraph 452, footnote 300.

58 Facebook/WhatsApp (n 8), Paragraph 164.

59 Aoife White and Hamza Ali, ‘Google-Fitbit probe isn’t for Data Watchdogs, Vestager says’, Bloomberg (25 February 2020).

60 Microsoft/LinkedIn (n 28), Paragraphs 177–179.

61 Google/Fitbit (n 5) Paragraphs 410–412.

62 Microsoft/Nuance (n 5), Paragraphs 150–164.

63 Google/Fitbit (n 5), Paragraphs 977 and 980 and Commitment A.2 ‘Web API Access Commitment’, Paragraph 7.

Unlock unlimited access to all Global Competition Review content