European Data Protection Supervisor Publishes Opinion on Big Data and the Enforcement of Fundamental Rights; Emphasizes Concern over Data Monopolies

On September 23 2016, the European Data Protection Supervisor (“EDPS“) published an Opinion on the coherent enforcement of fundamental rights in the age of big data (the “Opinion”). Building upon the preliminary opinion it published in 2014, the EDPS sought to emphasise the importance of the protection of personal data rights in light of the rise of data “monopolies.” With the expansion of the big data economy and the Digital Single Market Strategy, the EDPS suggested that the interface between competition and privacy should be a long-term concern for all data protection authorities.

The Opinion argues that there has been an evolution in the digital age, creating a requirement for new safeguards against potential non-state entities and individuals in addition to the existing protections against interference from the state. The EDPS suggests that many of the world’s most valuable companies owe much of their success to the amount and quality of personal data under their control and the innovative ways they can utilise it to predict and shape human behaviour. Personal information has been compared to currency in a recent European Commission proposal for digital contracts, and the Opinion similarly argues that personal data is now both a “factor of completion” for companies and has a clear economic value.

The EDPS has also highlighted the existence of market concentration in data control. In its June 2014 privacy workshop, there were particular concerns raised about data monopolies which allow companies to supposedly obtain a “permanence” in their digital assets. The Opinion highlights a similar fear of the EDPS, that that there is a lack of cohesion between data protection regulators and competition and consumer regulators. Although it acknowledges that a single law could not be enforced across many legal areas, the EDPS argues that the regulatory jurisdictions are not hermetically sealed from one another. The Opinion suggests an exploitation of the synergies that exist between the fields of law to create a closer relationship between regulatory authorities. In a joint report on Competition Law and Data published in May 2016 by the French and German competition authorities, it was argued that “privacy issues cannot be excluded from consideration under competition law simply by virtue of their nature.”

The Opinion also addresses the barriers consumers face when seeking to avoid tracking or retain control of their personal data. Issues such as weak encryption of private content, “cookie walls” (websites which deny access unless the individual consents to generalised tracking) and the limited availability of privacy-enhancing alternatives provide further potential threats to privacy and data protection rights.

Having considered all of these trends and issues, the EDPS elected to separate its recommendations into three parts:

1. Protection of the individual in big data mergers – the Opinion supports the current trend in EU merger control for greater scrutiny of less established digital companies which have accumulated significant quantities of personal data that they have not yet monetised. The EDPS has stated that it will support regulatory authorities with expert advice on how to assess consumer welfare in such acquisitions.
2. The creation of a Digital Clearing House – a voluntary network of contact points in regulatory authorities at national and EU level who are responsible for the regulation of the digital sector.  The Clearing House would suggest the most appropriate legal regime for a case, which “theories of harm” might exist during a merger control, regulatory solutions for certain markets and identify synergies between enforcement bodies. The criteria to join the network would include:
   1. a shared aim of mutually enhancing their respective enforcement activities and of delivering the best outcome for individuals’ rights and welfare, whether as consumers or data subjects; and
   2. a willingness to share information and to collaborate within the boundaries of legal competences and respecting the confidentiality of investigatory activities.
3. The creation of a common area on the web – a space to be created by the EU for individuals to interact without fear of being tracked or concerns that unfair inferences may be made about them. Unlike existing “digital enclosures,” this would need to be a genuinely common area with appropriate safeguards and full respect of the fundamental rights in the EU Charter. Services that are already offered without tracking and profiling, such as those created by civil society or developer initiatives, could serve as a model and a pool of experience for the promotion of new approaches. The Opinion recommends that this should be accompanied by clarification from EU authorities on how to implement existing protection instruments such as the World Wide Web Consortium’s Do Not Track standard. The EDPS thinks that the creation of such a common space will enhance consumer choice by providing a further viable alternative to the “ubiquitous” free technologies which rely on tracking and personal data mining as a means of generating revenue.

The EDPS clearly believes that more needs to be done to protect privacy and other fundamental rights in the age of big data.  Its Opinion emphasises the need for cohesion amongst regulators across all sectors and areas of law but particularly between data protection, competition and consumer protection regulators. The Opinion also proposes solutions to what it sees as the limited choice that consumers currently face, between “free” services offering weak privacy and less popular paid-for services with enhanced privacy. It remains to be seen whether the Opinion’s recommendations will be adopted, and if they are, if they will help to solve the issues it identifies.