top of page
  • Lakshmi Nambiar

Data Protection Aspects in Merger Reviews

[Lakshmi is a student at National Law School of India University, Bangalore.]

To a large extent the rule in India, the EU, and the US has been to separate competition law from privacy and relegate privacy issues to the data protection authority. However, recent cases such as the Competition Commission of India (CCI) order in the WhatsApp Privacy Policy case and the European Union decision in the Microsoft/LinkedIn merger have highlighted the impossibility of separating the two in certain cases, especially when privacy and competition laws are intertwined.

The question that then arises is when we can validly bring privacy concerns within the jurisdiction of competition law, and how they are to be addressed. In this piece, I argue that when determining whether a combination has an appreciable adverse effect on competition, we must consider the effect of the combination on privacy-friendly substitutes in the relevant market(s).

Potential Harms in a Data-Driven Merger

Mergers, specifically in digital platforms, can potentially result in two main privacy-related harms to competition in these markets. The first is that such mergers could result in a lowering of the quality of the product being offered. Second, such mergers can reduce competition for greater privacy protection.

Lowering of the quality of privacy

In several digital markets, consumers are offered “free” products, though this is often at a heavy cost to personal privacy. As a consequence, in these markets, the effect of a merger on the price of a product (which is taken as a parameter of competition) is either completely absent or negligible. The effect of combinations in such markets can often be seen through non-price parameters, such as the effect on quality or privacy. The merged entity, by virtue of gaining some benefit through the merger in the relevant market(s), could disregard privacy factors leading to a drop in the quality of the product. For example, in the Google/DoubleClick merger a possible consequence of the use of “deep” and “broad” tracking that was brought in due to the merger would result in a drop in the quality of search results for consumers who highly value their privacy. In such a scenario, recognition of other non-price parameters of competition in merger reviews becomes extremely important, because it is through these non-price means that consumers compensate these platforms.

Reduced competition on privacy protection

Mergers have the potential to reduce competition on aspects of privacy by enhancing the network effects and lock-in effects that exist in digital platforms. Network effect refers to how as more people use a particular product the value of the product increases (in digital platforms, this is due to greater data inputs from users). Mergers can help in ensuring a larger market usage and share of a particular product which can therefore increase the quality of the product even further. Lock-in effect refers to how switching to another product is harder or meaningless unless a majority of the users of the original product also switch.

When mergers enhance network and lock-in effects, the merged entity’s user base increases significantly which drives out existing, privacy-protective competitors. Further, this also creates high barriers for potential privacy-protective competitors from entering the market. A good example of this is the Microsoft/LinkedIn merger, wherein the merger assisted LinkedIn in its growth (by pre-installing LinkedIn on Windows platforms, for example), and network effects helped tip the market for professional social media in LinkedIn’s favour. This could prevent the growth of alternatives to LinkedIn which offer greater privacy protection. Therefore, mergers have the potential to reduce competition on aspects of privacy.

Taking this a step further, mergers also have the effect of reducing incentives to compete on the parameter of privacy. To penetrate these markets, newer firms often require large amounts of data – something that large or dominant companies already have a significant advantage over. Further, firms which are dominant in the market are aware that having weaker privacy policies that enable them to collect larger amounts of data can improve their efficiencies and quality. Consumers, on the other hand, while concerned about privacy to some extent, are unable to easily see the costs of privacy harms (unlike they would be able to with, say, price). Here, there is a misalignment of incentives – while consumers want greater privacy, social media platforms have an incentive to undermine privacy to improve their product, which they can get away with because the costs to privacy infringement are hard to see. Mergers amongst large firms which do not put privacy first result in an entrenchment of bare-minimum privacy compliance as the standard in these markets. This results in there being no incentive to innovate and find a better balance between privacy and quality/efficiency, and in a suppression of privacy-enhancing tools and privacy-friendly products. This harms consumers by resulting in less than optimal choices when it comes to privacy in these sectors.

The Facebook/WhatsApp merger provides an example of a combination of both of these harms. The merger was cleared by the Federal Trade Commission (FTC) on the condition that WhatsApp would honour its privacy policy (which did not use user information for ad targeting) and not change it without user consent. However, WhatsApp later announced that it would share some of its member information with Facebook (which does use user information for ad targeting). The merger review, in this case, failed to account for potential future degradation of privacy, resulting from the merger of these two entities. The network and lock-in effects (which were enhanced by the merger) in this case prevented a shift to more privacy-friendly platforms, and in the long run, the effect of the merger is a reduction in privacy in the product, as well as a lack of viable alternatives, thus affecting competition.

How Competition Law Can Help

The reason that these harms must be addressed in merger review in competition law is that these harms affect competition in the market as a whole (going beyond individual breaches of privacy), and competition law has the potential to help remedy this. As of now, privacy breaches do not result in a majority of consumers quitting the platform and switching to competitors, as can be seen in the WhatsApp Privacy Policy case. There is no incentive for these companies to radically change their policies or offer greater choice when it comes to privacy. What is needed is meaningful competition in these markets which would ensure a switch to a privacy-friendly rival in cases of data breaches, and greater dissemination of information as a consequence of greater competition, as a way for platforms to differentiate themselves.

Specifically, in the case of mergers in these markets, competition law needs to consider the effect the merger can have on privacy-friendly substitutes in the relevant market(s). Section 20(4) of the Competition Act 2002 requires us to look at the “extent of effective competition likely to sustain in a market” and the “extent to which substitutes are available or are likely to be available in the market”. When it comes to mergers in markets for social media and telecommunication services, as highlighted above, “effective competition” must look at competition with privacy as an important parameter; and “substitutes” must include privacy-friendly substitutes. This is because, in the relevant market, privacy is an important parameter of competition that consumers value and require optimal choices in.

Ultimately, whether or not a combination must be blocked will be the result of balancing between pro-competitive and anti-competitive effects. However, in considering what those effects might be, we cannot ignore the role that privacy has to play in competition.

Related Posts

See All


bottom of page