Master's Thesis - UvA Scripties
-
Upload
khangminh22 -
Category
Documents
-
view
9 -
download
0
Transcript of Master's Thesis - UvA Scripties
Universiteit van Amsterdam
Summer Semester 2017
Master’s Thesis
International and European Law: European Union Law (LLM track)
Superplatforms, Fundamental Rights and the Regulatory Trilemma: To Regulate Or Not to
Regulate?
by
Nuutti Tanner
25.07.2017
1st supervisor: Prof. Dr. Christina Eckes
Faculty of Law, European Law
2nd
supervisor: Dr. Katalin Cseres
Faculty of Law, European Law
II
Table of Contents
ABSTRACT .................................................................................................................................................................. IV
LIST OF ABBREVIATIONS ............................................................................................................................................ VI
1. INTRODUCTION ...................................................................................................................................................... 1
2. SURVEILLANCE CAPITALISM AND THE PHENOMENA CREATED BY IT ....................................................................... 2
2.1 RISE OF SURVEILLANCE CAPITALISM ............................................................................................................................... 3
2.2 BIG DATA AND BIG ANALYTICS .......................................................................................................................................... 3
2.3 THE ROLE OF NETWORK EFFECTS ....................................................................................................................................... 5
2.3.1 Network effects of scale ................................................................................................................................... 6
2.3.2 Network effects of scope .................................................................................................................................. 6
2.4 SOURCES OF DATA AND THE RISE OF “SUPERPLATFORMS” ...................................................................................................... 7
2.5 CONCENTRATION OF DATA .............................................................................................................................................. 9
3. PROBLEMS CREATED BY SURVEILLANCE CAPITALISM AND AVENUES TO SOLVE THESE PROBLEMS......................... 9
3.1 REGULATORY TRILEMMA ............................................................................................................................................... 12
3.2 ENFORCEMENT THROUGH DATA PROTECTION LAW ............................................................................................................. 13
3.2.1 Stricter conditions for consent ........................................................................................................................ 14
3.2.2 Privacy policies ............................................................................................................................................... 14
3.2.3 The right to be forgotten ................................................................................................................................ 15
3.2.4 Data portability .............................................................................................................................................. 15
3.2.5 Right to object to marketing and profiling ..................................................................................................... 16
3.2.6 Data protection by design and by default ...................................................................................................... 16
3.2.7 The shortcomings of the GDPR ....................................................................................................................... 17
3.3 ENFORCEMENT THROUGH COMPETITION LAW ................................................................................................................... 20
3.3.1 Competences of the competition authorities to deal with data protection issues ......................................... 21
3.3.2 Classic competition abuses, data-driven industry, and the absence of illegality ........................................... 22
3.3.2.1 101 violations .............................................................................................................................................................22
3.3.2.2 102 violations .............................................................................................................................................................23
3.3.2.3 “Frenemy” dynamic ...................................................................................................................................................25
3.4 REFLECTIONS ON THE CURRENT ENFORCEMENT TOOLS AVAILABLE ......................................................................................... 27
4. FUTURE CHALLENGES, THREATS, AND OPTIONS ....................................................................................................28
4.1 EFFICIENCIES CREATED FOR INDIVIDUAL USERS ................................................................................................................... 28
4.2 EFFICIENCIES CREATED FOR GOVERNMENTS ...................................................................................................................... 29
4.3 INTERNET OF THINGS ................................................................................................................................................... 30
4.4 DIGITAL BUTLER .......................................................................................................................................................... 31
4.5 INABILITY TO INTERVENE ............................................................................................................................................... 32
III
4.6 REFLECTIONS AND FUTURE IMPLICATIONS ......................................................................................................................... 33
5. CONCLUSION .........................................................................................................................................................35
LIST OF LITERATURE .................................................................................................................................................. VII
CASES ...................................................................................................................................................................... XIII
LEGISLATION ............................................................................................................................................................ XIV
IV
Abstract
Data has changed the world we live in. Data-driven superplatforms such as Google, Facebook, and
Apple rule today’s economy and are therefore in an unprecedented position to alter the way people
view the world, as they have effectively become the gateway and the gatekeepers to the internet.
This raises serious concerns over people’s freedom of expression and information – a fundamental
right under the primary law of the EU – and thus a critical study of EU’s capabilities to curtail the
concentration of data to the hands of the few is essential.
Since the contemporary EU legislative framework has yet to effectively regulate these
superplatforms and their actions, an evaluative research methodology was chosen to conduct this
study. The study criticizes the shortcomings of the current legislative framework and discusses the
practical obstacles barring effective enforcement, whilst also offering recommendations concerning
the potential future course of action to be taken in this pressing matter. Since data-driven business
overarches all fields of life, these matters are discussed at the intersection of law, technology,
politics, behavioral psychology, and economics.
The research question of this thesis is two-dimensional: First, whether there are basis to regulate
the practices of the superplatforms and which legislative framework would be the best to do so; and
second, whether there is political will and technical capability to do so to begin with.
To answer the first half of the research question, it has to be concluded that despite the clear
demand for regulation, the current enforcement tools at the disposal of the EU data protection and
competition authorities are inadequate to effectively regulate the platforms. These tools are either
ineffective, failing to alter the behavior of the regulated entities, or over-regulating, killing the
incentive to innovate.
To achieve effective regulation, it is recommended that data protection and competition law
authorities cooperate in order to stop the concentration of data into the hands of the few extremely
powerful superplatforms. First this would happen through competition authorities’ recognition of
data as a source of market power and the exercise of effective, data-orientated merger control, and
second, through the realization that the efficiencies created by the actions of the superplatforms are
easily refuted by the negative effects they impose on the society, as they hamper people’s freedom of
expression and information.
Second half of the research question can be answered by stating that due to the efficiencies created
by the superplatforms for the people and governments alike, there is no political will to effectively
V
regulate these superplatforms. Moreover, the technical capability to do so is non-existent, as the
self-learning algorithms are currently several steps ahead of the people who designed them, let
alone the authorities.
Currently the only thing the authorities can do is to wait for the technology to develop, and to count
on the superplatforms doing the right thing. It is a dismal position to be in, as the IoT and the
digital butler are going to raise the intrusiveness of big data collection into new spheres.
VI
List of abbreviations
Charter Charter of Fundamental Rights of the European Union
CJEU Court of Justice of the European Union
ECHR European Convention of Human Rights
ECtHR European Court of Human Rights
ECJ European Court of Justice
EU European Union
GDPR General Data Protection Regulation
IoT Internet of Things
SEME Search Engine Manipulation Effect
TFEU Treaty on the Functioning of the European Union
1
1. Introduction
Today people of the world face a threat they have never faced before. This threat is not something
external, but instead rises from our own creation. This threat is data, and it has changed our reality
forever.
Data-driven superplatforms such as Google, Facebook and Apple rule today’s economy. They have
won over their respective markets due to the data-advantage and the subsequent network effects
they have created, and are running away from the rest of the competition. Aided with the ever-
growing amount of big data at their disposal through the constant acquisitions of smaller businesses
in the field of the Internet of Things, these undertakings are concentrating world’s data into the
hands of the few.
Data leads to knowledge, and knowledge is power. Therefore the superplatforms are in an
unprecedented position to alter the way people view the world, as they have effectively become the
gateway and the gatekeepers to the internet. This raises serious concerns over people’s freedom of
expression and information – a fundamental right under the primary law of the EU – and thus a
critical study of EU’s capabilities to curtail the concentration of data to the hands of the few is
essential.
Since the contemporary EU legislative framework has yet to effectively regulate these
superplatforms and their actions, an evaluative research methodology was chosen to conduct this
study. The study criticizes the shortcomings of the current legislative framework and discusses the
practical obstacles barring effective enforcement, whilst also offering recommendations concerning
the potential future course of action to be taken in this pressing matter. Since data-driven business
overarches all fields of life, these matters are discussed at the intersection of law, technology,
politics, behavioral psychology, and economics.
The research question of this thesis is: Can the superplatforms’ business practices based around big
data and big analytics be curtailed in order to protect people’s freedom of expression and
information? This question is two-dimensional; first, are there basis to restrain these practices in
order to protect people’s freedom of expression and information, and what would be the right and
the most effective avenue to do so?1 And second, is it already too late for effective intervention due
1 Here the “right” avenue refers to the rules which in theory ought to solve the problem at hand as they were designed
precisely for that purpose, these namely being the EU data protection rules.
2
to the efficiencies created by these platforms, and the lack of political will and technical capabilities
to do so?
The thesis is outlined in the following manner: Chapter 2 provides the key insight to the world of
surveillance capitalism, big data, big analytics and network effects, and the inspiration for this study
– the concentration of data into the hands of the few. Chapter 3 describes and criticizes the
contemporary legislative framework of the EU from the points of view of data protection and
competition law respectively, and answers the first half of the research question. Chapter 4 will
conclude the thesis by analyzing the causes for the absence of effective regulation, by looking ahead
for the future challenges and threats faced by the enforcement authorities, and by answering the
second half of the research question.
The hypothesis of the thesis is that the best route to effective regulation involves tight cooperation
between EU’s data protection and competition law authorities in the form of renewed approach to
data as a source of market power. This involves halting the concentration of data into the hands of
the few via effective data-orientated merger control, and acknowledgement of the fact that the
efficiencies created by the superplatforms are easily outweighed by the harm they cause to the
society by hampering people’s freedom of expression and information. That said, at the moment
governments’ and people’s dependence on these superplatforms combined with the lack of technical
capability to foster algorithm accountability, makes effective enforcement impossible, leaving us to
the mercy of the superplatforms.
2. Surveillance capitalism and the phenomena created by it
This chapter is going to analyze the developments and phenomena that have changed – and will
continue to change – the world we live in. Understanding the immense magnitude of these changes
is paramount in order to affect a meaningful change at the legislative level. Surveillance capitalists,
armed with big data, big analytics and network effects – and the trends created by these entities –
are the talk of this chapter.
3
2.1 Rise of surveillance capitalism
Gone are the days when the world of business was ruled by raw material monopolies or traders at
the stock exchange.2 Today, this world is ruled by data and the undertakings in the position to
collect and utilize it on a large scale.3 As will be explained later on in this chapter, this world is
dominated by a handful of immensely powerful online platforms, which have risen to this position
with the help of network effects.4 Indeed, in every field of data-driven business, one dominant
undertaking seems to have taken hold of the market. These undertakings include Google in the
search engine market, Facebook in the social networking market, Amazon in the online shopping
market, and Google and Apple in the mobile operating system market.5
These undertakings and their business models are based around two-sided markets, where
individuals provide data for the platform through search queries, social media activities and
numerous other ways6, and the advertisers interested in this data then pay for the platform for this
data, as well as for the advertisement space on the platform.7 This targeted advertising is the key
concept in order to understand the immense power wielded by these platforms. Any other form of
advertising has become obsolete, since being able to direct one’s advertisements to the exact
demographics – or even individuals – who are interested in the product saves large amounts of
money.8 This on the other hand incentivizes these dominant platforms to advance their data
collection techniques even further. The next subchapter discusses the role big data and big analytics
play in this context.
2.2 Big data and big analytics
Data is defined as “factual information (as measurements or statistics) used as a basis for
reasoning, discussion, or calculation”.9 From this definition it is easy to infer that data can be
immensely useful for advertisers when targeting their customers. Data has been used rather
2 Zuboff S., Google as a Fortune Teller: The Secrets of Surveillance Capitalism, Frankfurter Allgemeine Feuilleton,
05.03.2016, http://www.faz.net/aktuell/feuilleton/debatten/the-digital-debate/shoshana-zuboff-secrets-of-surveillance-
capitalism-14103616.html ,accessed-26.04.17. 3 Ibid.
4 See chapter 2.3,pp.5-6.
5 Ezrachi A.,Stucke M.E., Virtual Competition: The Promise and Perils of the Algorithm-Driven Economy, Harvard
University Press, 14.11.2016,pp.148-149. 6 See chapter 2.4,pp.7-8.
7 The Autorité de la Concurrence and the Bundeskartellamt, Competition Law and Data, 10.05.2016,pp.10-11,
http://www.bundeskartellamt.de/SharedDocs/Publikation/DE/Berichte/Big%20Data%20Papier.pdf;jsessionid=3049D2
DA2F7B6B0F521558DABC9FEFC3.1_cid387?__blob=publicationFile&v=2 ,accessed-26.04.17. 8 Ibid.,pp.10-11.
9 Merriam Webster online dictionary, “Data”, https://www.merriam-webster.com/dictionary/data ,accessed-26.04.17.
4
effectively for this purpose way before the era of the internet and surveillance capitalism10
, but the
emergence of big data and big analytics have been a game-changer for the industry.11
Big data is defined by the leading authors in the field as the emergence of the “four V’s”12
; these
four V’s stand for volume, velocity, variety, and value of data13
, and are discussed in turn below.
Volume of data refers to the sheer amount of data that can be collected today from individuals as
they operate online.14
This volume has skyrocketed in recent years15
, as the access to the internet is
available to more and more people, and the usage is increasingly moving to mobile devices.16
Velocity refers to the speed at which the data can be processed and utilized by the platforms
collecting it.17
It is noted that the leading undertakings in the data-driven industries are now capable
to “nowcast” events happening at the present moment.18
This grants them an immense advantage
over their competitors, as they can help people to avoid traffic jams, or maybe let an advertiser
know that a consumer is currently searching for a restaurant in their neighborhood.19
These
examples clearly demonstrate that as mobile has become the most popular way to browse the
internet20
, time is of the essence.
Even more important than the first two V’s, is the variety of data collected by the platforms.21
Increasingly large portion of our daily activities is connected to the internet22
, which gives the
platforms – and therefore advertisers – little pieces of information of our daily habits, enabling them
to piece together a puzzle of ourselves, and creating a consumer profile that even us ourselves are
not aware of.23
10
The Autorité de la Concurrence and the Bundeskartellamt.,pp.8-9. 11
Ibid.,p.9. 12
Stucke M.E.,Grunes A.P., Big Data and Competition Policy, Oxford University Press, 02.08.2016. 13
Ibid.,p.43. 14
Ibid.,pp.43-44. 15
OECD, Big Data: Bringing Competition Policy to The Digital Era: Background Note by the Secretariat,
29.11.2016,pp.5-6, https://one.oecd.org/document/DAF/COMP(2016)14/en/pdf ,accessed-26.04.17. 16
Ibid. 17
Stucke M.E.,Grunes A.P.,pp.44-46. 18
OECD, Data-driven Innovation for Growth and Well-being: Interim Synthesis Report, October 2014,p.11,
http://www.oecd.org/sti/inno/data-driven-innovation-interim-synthesis.pdf ,accessed-26.04.17. 19
Stucke M.E.,Grunes A.P.,p.45; Muoio P., Auction.com Launches Real Estate’s First “Nowcast”, 30.10.2015,
https://www.auction.com/blog/auction-com-launches-real-estates-first-nowcast/ ,accessed-26.04.17. 20
StatCounter, Mobile and Tablet Internet Usage Exceeds Desktop For First Time Worldwide, 01.11.2016,
http://gs.statcounter.com/press/mobile-and-tablet-internet-usage-exceeds-desktop-for-first-time-worldwide ,accessed-
26.04.17. 21
Stucke M.E.,Grunes A.P.,pp.46-47. 22
See chapter 2.4,pp.7-8. 23
Howarth B., How Tesco's Loyalty Card Transformed Customer Data Tracking, CMO, 21.05.2015,
http://www.cmo.com.au/article/575497/how-tesco-loyalty-card-transformed-customer-data-tracking/ ,accessed-
26.04.17.
5
The fourth V is the value of the data, which is simultaneously the cause and the consequence of the
rapid growth of the first three V’s.24
To be able to extract value from all the data collected from
various sources, the data must be aggregated and analyzed. This process is also known as big
analytics.25
At the center of big analytics are the self-learning algorithms processing the data.26
The
more data these algorithms receive and process, the more they learn, further enhancing their ability
to nowcast and improve themselves.27
This is where network effects come to play.
2.3 The role of network effects
Essentially, network effect refers to the phenomenon where the product’s value rises as more people
start using it.28
In the data-driven industries the network effects, too, are data-driven and therefore
more numerous than in the classic “brick and mortar” industries.
Two traditional types of network effects that can be generated in any industry are the direct network
effect and the indirect network effect.29
A Classic example of the former is the telephone, which
grants more value to every old user as new users join the network.30
Indirect network effect on the
other hand is formed when a two-sided market concentrates towards one platform; a classic
example of this is a gaming console having a lot of popular games, which attracts more players,
hence incentivizing game development on that particular console, and so on.31
In this case, it is
common for the market to “tip” to the favor of the prevailing competitor, effectively closing out
possible competition.32
24
OECD(2016),p.6. 25
European Commission, Case No COMP/M.7023 – PUBLICIS / OMNICOM Commission decision pursuant to
Article 6(1)(b) of Council Regulation No 139/2004, 09.01.2014,para.617,
http://ec.europa.eu/competition/mergers/cases/decisions/m7023_20140109_20310_3566669_EN.pdf ,accessed-
26.04.17. 26
European Data Protection Supervisor, Towards a New Digital Ethics: Data, Dignity and Technology: Opinion
4/2015, 11.09.2015,p.9. https://edps.europa.eu/sites/edp/files/publication/15-09-11_data_ethics_en.pdf ,accessed-
26.04.17. 27
United States Securities and Exchange Commission, Form S-1 Registration Statement Under The Securities Act Of
1933 The Rubicon Project, Inc., 04.02.2014,pp.4,6-7,
https://www.sec.gov/Archives/edgar/data/1595974/000119312514034389/d652651ds1.htm ,accessed-26.04.17. 28
OECD(2016),pp.9-11. 29
Stucke M.E.,Grunes A.P.,p.242. 30
Ibid.,p.242. 31
Court of First Instance, Case T-201/04, Microsoft Corp v Commission of the European Communities, 17 September
2007, ECR II-3601,para.1061; Commission of the European Communities, Commission Decision of 24.03.2004
relating to a proceeding under Article 82 of the EC Treaty (Case COMP/C-3/37.792 Microsoft), 21.04.2004,para.449. 32
Ocello E.,Sjödin C.,Subočs A., ‘What’s Up with Merger Control in the Digital Sector? Lessons from the
Facebook/WhatsApp EU Merger Case’, Competition Merger Brief, February 2015, 1/2015,pp.3-4,
http://ec.europa.eu/competition/publications/cmb/2015/cmb2015_001_en.pdf ,accessed-26.04.17.
6
These traditional network effects exhibit themselves in the data-driven industries as well; Facebook
is a quintessence of the direct network effect, while it and many others – like Google and Apple –
draw in both users and developers with their app stores, creating an indirect network effect.33
While
powerful, these two network effects pale when compared to data-driven network effects of scale
and scope.
2.3.1 Network effects of scale
Network effect of scale is created when the vast volume of data allows the self-learning algorithms
to evolve, all the while creating concretely better product.34
For instance, Google’s search engine
develops with every search query it receives, further attracting even more users towards Google
instead of its competitors due to the more accurate search results.35
Naturally the growing amount of
users also attracts more advertisers to the other side of the platform, which allows Google to further
invest in improving its algorithms. This creates a positive feedback loop on both sides of the
market.36
Here the tipping of the market is even more likely than with the traditional network
effects illustrated above, so for undertakings wishing to compete in these data-driven industries,
achieving a critical mass of users becomes a necessity.37
At certain point the returns to scale start to diminish as the search engine already has such an
immense volume of data to work with.38
In other words, few extra users will not contribute much
when compared to the billions of search queries already being placed every day.39
At this point
network effect of scope becomes important.
2.3.2 Network effects of scope
As mentioned above, out of the four V’s of big data, variety is the most important.40
Data harvested
from numerous sources helps the algorithm to “finish the puzzle”, further contributing to the
33
Ezrachi A.,Stucke M.E.,pp.149-150. 34
OECD(2014),p.29. 35
Ibid. 36
OECD(2016),p.10. 37
Ibid.,p.29. 38
United States Federal trade Commission, Report re Google Inc., 08.08.2012,p.124, https://graphics.wsj.com/google-
ftc-report/img/ftc-ocr-watermark.pdf ,accessed-26.04.17. 39
Stucke M.E.,Grunes A.P.,pp.254-261. 40
Ibid.,pp.46-47.
7
creation of the positive feedback loop on both sides of the market.41
The next subchapter will take a
closer look at these sources of data.
2.4 Sources of data and the rise of “superplatforms”
Collecting data from the users is relatively straightforward for the data-driven platforms, as their
services are based on the input of the said data by the users themselves.42
Using Google as an
example, it is easy to see how the variety of data sources makes all the difference in the data-driven
business.
Google gets a bulk of its data from search queries through its search engine, which dominates the
search engine markets, especially in the EU.43
Since more than a half of all the internet traffic
already happens through mobile devises44
, it is also important to have that field covered. Google has
done this exceptionally well by becoming dominant in the mobile operating system market with its
Android operating system. Besides iPhones, Android is used by practically all phones being sold
today.45
This gives Google a gigantic edge in data collection, as it can geo-track all its users in real
time46
; this is paramount for nowcasting as discussed above.47
But it does not end here. In fact, we have just begun. Google collects data from every app of every
Android phone, Google maps, its Chrome internet browser, Gmail, and YouTube.4849
Additionally,
Google has made several acquisitions in the field of Internet of Things (IoT)50
, striving to broaden
the variety of its collected data.51
Other search engines can only dream of having such unique
41
Report re Google Inc.,p.124. 42
The Autorité de la Concurrence and the Bundeskartellamt.,pp.6-7. 43
Google holds over 90% market share in the EEA. European Commission, Antitrust: Commission sends Statement of
Objections to Google on Android operating system and applications, 20.04.2016, http://europa.eu/rapid/press-
release_IP-16-1492_en.htm ,accessed-26.04.17. 44
Statcounter. 45
IDC, Smartphone OS Market Share, 2016 Q3, http://www.idc.com/promo/smartphone-market-share/os ,accessed-
26.04.17. 46
Stucke M.E.,Grunes A.P.,pp.272-274. 47
Ibid.,p.45. 48
Newman N., Taking on Google’s Monopoly Means Regulating Its Control of User Data, The Huffington Post,
24.09.2013, http://www.huffingtonpost.com/nathan-newman/taking-on-googles-monopol_b_3980799.html ,accessed-
26.04.17. 49
All these are owned by Google. 50
Internet of Things is a network of everyday objects connected to the internet, enabling the devises to improve our
lives and function more effectively. For instance, a refrigerator could send its owner a text, informing her that the
household is running out of milk. European Data Protection Supervisor, Privacy and Competitiveness in the Age of Big
Data: The Interplay Between Data Protection, Competition Law, and Consumer Protection in the Digital Economy,
Preliminary Opinion, 26.03.2014,p.35, https://edps.europa.eu/sites/edp/files/publication/14-03-
26_competitition_law_big_data_en.pdf ,accessed-26.04.17. 51
Lohr S., Google’s Nest to Acquire Dropcam for $555 Million, New York Times, 20.06.2014,
http://bits.blogs.nytimes.com/2014/06/20/googles-nest-to-acquire-dropcam-for-555-million/ ,accessed-26.04.17.
8
datasets at their disposal. Naturally, that dream is not going to materialize, since Google already has
the data-advantage over its competitors and the gap between them is only growing.
Google’s IoT acquisitions are especially alarming, since IoT is projected to grow into a network of
25 billion connected devises by 2020.52
When our everyday objects are sending data about our daily
lives to the superplatforms, they will be able to finish the puzzle.53
The line between our online and
“real” lives is fading rapidly.54
While Google dominates the search engine business, a couple of other remarkable players have
emerged in other sectors of data-driven industry. The most important among these are Apple and
Facebook, which dominate their respective fields of data-driven industry. As with Google, Apple
and Facebook have likewise acquired the data-advantage over their competitors by collecting data
through several means in addition to their “main” field of domination.55
Besides its mobile devises,
safari internet browser and the iOS operating system, Apple controls – and therefore collects data –
through all the apps made for iOS.56
Facebook on the other hand collects data through its social
media platform, Instagram, Facebook Messenger, and WhatsApp.57
These three platforms have
effectively become “superplatforms”, simultaneously benefitting from and supporting the
independent app developers.58
They act as the gateway to the internet for the consumers and as a
gatekeeper for the independent app developers wishing to sell their apps in the major app stores.59
As the superplatforms hold the power to squash any independent competitors as soon as they start
to threaten the superplatform’s own downstream product60
, the best these independent competitors
can wish for is to be acquired by the superplatform for being “too good” to be squashed.61
Unfortunately this concentration of data comes with a heavy price.
52
Gartner, Gartner Says 4.9 Billion Connected "Things" Will Be in Use in 2015, 11.11.2014,
http://www.gartner.com/newsroom/id/2905717 ,accessed-26.04.17. 53
Evans D., The Internet of Everything: How More Relevant and Valuable Connections Will Change the World, 2012,
https://www.cisco.com/web/about/ac79/docs/innov/IoE.pdf ,accessed-26.04.17. 54
Ezrachi A.,Stucke M.E.,p.19. 55
Stucke M.E.,Grunes A.P.,pp.291-292. 56
Ezrachi A.,Stucke M.E.,pp.159-160. 57
Facebook owns all these social media platforms. 58
Ezrachi A.,Stucke M.E.,p.145. 59
Lianos I.,Motchenkova E., Market Dominance and Search Quality in the Search Engine Market’, 9(2) Journal of
Competition Law & Econonomics, 17.04.2013, (2013) 9 (2),pp.419, 422; Ezrachi A.,Stucke M.E.,pp.156. 60
United States Securities and Exchange Commission, Form 10-K Facebook, Inc., 31.12.2014,pp.11,
https://www.sec.gov/Archives/edgar/data/1326801/000132680115000006/fb-12312014x10k.htm ,accessed-26.04.17. 61
This happened with the mapping service Waze, which now contributes to Google’s pursuit to launch a driverless car
service. Stucke M.E.,Grunes A.P.,pp.146-149.
9
2.5 Concentration of data
Our personal data is concentrating into the hands of very few highly powerful players. IoT is
growing larger by the day, multiplying the volume of data, and growing the variety of data
manifold. The superplatforms are waiting, ready the collect, aggregate, analyze, and utilize all of it.
This proposes significant concerns for people in the EU and around the world, as their privacy,
personal data protection, and therefore freedom of expression and information – all recognized as
fundamental rights in the EU62
– are at jeopardy. Chapter 3 will take a closer look at these concerns
and the tools at the disposal for the authorities to deal with these problems.
3. Problems created by surveillance capitalism and avenues to solve these problems
Democratic societies can only function properly when certain degree of privacy and autonomy are
in place.63
Behavior and opinions outside the mainstream line of thought are a key component to the
political and social development of these democracies.64
When these rights are hindered, chilling of
democratic participation is likely to take place due to the prejudices these non-mainstream thinkers
are likely to face.65
This is why strong protection of privacy66
, personal data67
, and freedom of
expression and information68
is guaranteed under the primary law of the EU. For the purposes of
this thesis, the freedom of expression and information is especially relevant. It is defined by the
Charter of Fundamental Right of the European Union in the following manner:
1. “Everyone has the right to freedom of expression. This right shall include freedom to hold
opinions and to receive and impart information and ideas without interference by public
authority and regardless of frontiers.
2. The freedom and pluralism of the media shall be respected.”69
Article 52(3) of the Charter further links all the rights granted by the Charter to the corresponding
ones of the European Convention of Human Rights (ECHR), ensuring that at least the same level of
62
Charter of Fundamental Rights of the European Union, Official Journal of the European Communities, 18.12.2000, C
364,paras.7,8,11. 63
Hijmans H., The European Union as a constitutional guardian of internet privacy and data protection: The Story of
Article 16 TFEU, Springer, 2016,p.32. 64
Ibid.,pp.32-33. 65
Schneier B., Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World, W. W. Norton &
Company, 02.03.2015,pp.95-97. 66
Charter,art.7. 67
Ibid.,art.8. 68
Ibid.,art.11. 69
Ibid.
10
protection is to be guaranteed under the Charter.70
Even though the corresponding article in the
ECHR – article 10 on freedom of expression– is not more elaborate than article 11 of the Charter71
,
the case law of the European Court of Human Rights (ECtHR) details some key aspects in regards
to the freedom of expression and information. For the purposes of this thesis, the level of protection
enjoyed by the various types of freedom of information is highlighted.
There is a hierarchy when it comes to different categories of freedom of information. Right to
receive political information is at the top of this hierarchy72
, whilst the right to disseminate
commercial information lies at the bottom.73
European Commission of Human Rights has also
weighed in on the issue, declaring that the objective of the freedom of information is to keep the
public well informed, rather than to protect the commercial information interests of undertakings.74
Superplatforms are currently the largest media there is, and are constantly growing.75
They
therefore hold a huge power over what people see online.76
Since the internet and effective access to
it facilitate democratic progress worldwide77
, the gateway-position these superplatforms hold
creates serious concerns over the people’s ability to access all the content they want to, as well as
over the freedom and pluralism of the media.78
Online platforms base their restrictive activities to trial-and-error testing79
, using consumers’ own
data input as the resource for their self-learning algorithms to alter the search results, social media
70
Ibid.,art.52(3). 71
Convention for the Protection of Human Rights and Fundamental Freedoms, 01.06.2010,art.10. 72
European Court of Human Rights (ECtHR), Lingens v. Austria, Application Number 9815/82, judgment of
08.07.1986, Ser. A, No. 103; ECtHR, Oberschlick v. Austria, Application Number 11662/85, 23.05.1991, Ser. A, No.
204,paras.57-61. 73
ECtHR, Markt Intern Verlag GmbH and Klaus Beermann v. Germany, Application Number 10572/83, 20.11.1989,
Ser. A, No. 165,para.33. 74
EU Network of Independent Experts on Fundamental Rights, Commentary of the Charter of Fundamental Rights of
the European Union, 2006,p.117, http://ec.europa.eu/justice/fundamental-rights/files/networkcommentaryfinal_en.pdf
,accessed-27.06.17. 75
Mitchell A.,Gottfried J.,Matsa K.E., Facebook Top Source for Political News Among Millennials, Pew Research
Center, 01.06.2015, http://www.journalism.org/2015/06/01/facebook-top-source-for-political-news-among-millennials/
,accessed-27.04.17. 76
See chapters 2.1-2.2,pp.3-4. 77
Communication from the Commission to the European Parliament, the Council, the European Economic and Social
Committee and The Committee of the Regions: Internet Policy and Governance Europe's role in shaping the future of
Internet Governance, 12.02.2014,p.2, http://eur-lex.europa.eu/legal-
content/EN/TXT/PDF/?uri=CELEX:52014DC0072&from=EN ,accessed-27.04.17. 78
European Court of Justice (ECJ), C-288/89, Stichting Collectieve Antennevoorziening Gouda and others v
Commissariaat voor de Media, 25 July 1991, EU:C:1991:323,para.23. 79
Koukouvis K.,Cubero R.A.,Pelliccione P., A/B Testing in E-commerce Sales Processes, In: Crnkovic I.,Troubitsyna
E., Software Engineering for Resilient Systems. SERENE 2016, Springer,pp.133-148, 26.08.2016, Lecture Notes in
Computer Science,vol.9823, https://link-springer-com.proxy.uba.uva.nl:2443/chapter/10.1007%2F978-3-319-45892-
2_10 ,accessed-27.04.17.
11
feed, and other platform products.80
This has been proven to affect users’ emotions81
and actions82
,
and therefore possesses the capacity of severely affecting the society in whole, especially when it
comes to politics. All this has been well demonstrated since early 2016 in the form of university-
wide campus protests about the lack of so-called “safe-spaces”83
, and even mandatory issuances of
“trigger warnings” about the course contents at universities.84
This can be easily traced back to the
fact that the millennials – now enrolled in universities – have throughout their lives been influenced
by the selective content provided by search engines and especially social media, where one’s feed
largely depends on what one’s friends seem to like as well. They have rarely faced opposing
opinions in regards to social issues or politics, but as they exit their information bubble when
entering university, they get shocked by the opposing views.85
Naturally the ultimate goal of the online platforms is not to alter the political thinking of the people,
but this just happens to be in their best interest. The more users use the platform, the more data the
platform receives and is able to sell forward to its real customers, the advertisers.86
It is therefore
paramount to keep the users at the platform as long as possible, and this is most effectively done by
showing them what the platform believes they want to see.87
Great examples of this manipulation
are Facebook’s news curation algorithm88
and Google’s – as well as other search engines’ – search
80
See chapter 2.3.1,p.6. 81
Kramer A.D.I.,Guillory J.E.,Hancock J.T.,Experimental evidence of massive-scale emotional contagion through
social networks, PNAS, 17.06.2014,vol.11 no. 24,pp.8788-8790, http://www.pnas.org/content/111/24/8788.full
,accessed-27.04.17. 82
Epstein R.,Robertson R.E., The search engine manipulation effect (SEME) and its possible impact on the outcomes of
elections, PNAS, 18.08.2015,vol.112, no. 33,pp.E4512-E4521, http://www.pnas.org/content/112/33/E4512.full
,accessed-27.04.17. 83
Mostly in the United States, though. Agerholm H., Student protesters campaigning for safe spaces 'block white
students' at Berkeley university, Independent, 27.10.2016, http://www.independent.co.uk/news/world/americas/student-
protesters-campaigning-safe-spaces-block-white-students-from-attending-classes-racism-a7383676.html ,accessed-
27.04.17. 84
Flynn M., The Trouble with Trigger Warnings, The Huffington Post, 22.12.2016,
http://www.huffingtonpost.com/greater-good-science-center/the-trouble-with-trigger_b_13801784.html ,accessed-
27.04.17. 85
El-Bermawy M.M., Your Filter Bubble Is Destroying Democracy, Wired, 18.11.2016,
https://www.wired.com/2016/11/filter-bubble-destroying-democracy/ ,accessed-27.04.17. 86
See chapter 2.3.1,p.6. 87
VPRO, What Makes You Klick (documentary), 16:50-30:35 and 35:50-46:00,
https://www.vpro.nl/programmas/tegenlicht/kijk/afleveringen/2016-2017/what-makes-you-click.html ,accessed-
27.04.17. 88
Thielman S., Facebook fires trending team, and algorithm without humans goes crazy, The Guardian, 29.08.2016,
https://www.theguardian.com/technology/2016/aug/29/facebook-fires-trending-topics-team-algorithm ,accessed-
27.04.17.
12
engine manipulation effect (SEME).89
Google even corrects its users’ searches and suggests certain
search results based on the supposed interests of the particular user.90
As illustrated above, these platforms clearly hinder people’s freedom of expression and information,
and therefore their activities should be regulated in some manner. Since the collection and
utilization of users’ personal data is the root cause of this phenomenon, it is logical to approach the
problem from that point of view. The two main avenues through which a successful restriction of
the powers of these platforms could be achieved are the ones of data protection law and competition
law. This chapter analyses the legislative tools at the disposal of these two authorities in turn, and
strives to answer the first half of the research question of this thesis, namely; are there basis to
restrain the activities of the data-driven online platforms in order to protect people’s freedom of
expression and information, and what would be the right and the most effective avenue to do so?91
3.1 Regulatory trilemma
Before delving into the details of data protection and competition law, it is important to keep in
mind the challenges regulators face when tackling issues such as data-driven platforms. Back in
1988 Gunther Teubner coined the phrase regulatory trilemma, which refers to the difficulty of
creating regulation that A) is not ineffective by failing to change the behavior by the regulated
entity, B) does not kill the whole industry and the innovative process by over-regulating it, and C)
remains hierarchically superior to the regulated entity.92
This trilemma has been transposed to the modern era of data-driven industries by Roger
Brownsword93
, who claims that a regulation in the data-driven industries has three tasks: A) It
cannot impede innovation, but should instead facilitate it94
, B) It has to guarantee that these new
89
Epstein R.,Robertson R.E. 90
This might seem innocent and even useful for the users, but it is about to take a turn to the worse through the
development of the IoT. See chapter 4,pp.28-34. 91
As will be demonstrated in the following chapter, the right avenue and the most effective avenue are not necessarily
the same thing. This is the case particularly since the data protection rules – despite being built for this exact purpose –
fail to curtail the intrusive data collection by the superplatforms. 92
Teubner G., Dilemmas of Law in the Welfare State, Walter de Gruyten & Co., 1988, series A,pp.310-312. 93
Brownsword R., Rules of Law, the Rule of Law, and Technological Management (speech), ACELG annual
conference, 04.11.2016. 94
See chapter 4,pp.28-34. This part is highly analogous with the original trilemma, separated by the fact that the
government regulating the data-driven platforms is at least as dependent on the functioning and development of these
platforms as are the consumers. This gives them a great incentive not to over-regulate.
13
innovations will not harm us95
, and C) It has to guarantee that these new innovations do not impede
our human rights.
The last principle listed by Brownsword is the most crucial one when it comes to the right for data
protection and the freedom of expression and information. As the following subchapters illustrate,
regulating the data-driven industries is not easy while respecting these principles.
3.2 Enforcement through data protection law
As mentioned above, having one’s data protected is a fundamental right recognized by the primary
law of the EU.96
This same status is also enjoyed by the right to privacy, as well as freedom of
expression and information.97
To protect all these rights – either directly or indirectly98
– the EU has adopted the General Data
Protection Regulation (GDPR) which enters into force in May 2018.99
As the regulation will renew
the data protection rules in the EU and unify the various national practices on this field of law100
, it
will be the main subject of this subchapter.
So what were the reasons to update the data protection rules from the old Data Protection Directive
95/46/EC101
, and why was a regulation chosen instead of a new directive?
GDPR was first proposed by the European Commission in 2012 in order to:
1. Eliminate the inconsistencies in national laws;
2. Provide better privacy protection for individuals;
3. Update the law to address today’s privacy challenges created by the internet, social media,
mobile apps, cloud computing, “big data,” and behavioral marketing.
4. Reduce costly administrative burdens for undertakings dealing with multiple data protection
authorities.102
95
Again, analogous with Teubner’s line of thought on effectiveness. 96
Charter,art.8. 97
Charter,arts.7,11. 98
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of
natural persons with regard to the processing of personal data and on the free movement of such data, and repealing
Directive 95/46/EC (General Data Protection Regulation) (GDPR), Brussels, preamble para.153. 99
Ibid. 100
The Treaty on the Functioning of the European Union (TFEU), 26.10.2012,art.288. Regulations do not require any
implementation measures by the EU member states, as the regulation is directly effective from the day it enters into
force. 101
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of
individuals with regard to the processing of personal data and on the free movement of such data, Luxembourg.
14
The fourth reason listed above also answers the question why a regulation was chosen over a
directive. Since these online platforms operate globally, they currently have to satisfy the
requirements of all 28 EU member states separately, whereas the regulation will be directly
effective in all member states.103
The discussion below is limited to the most important changes brought by the GDPR for the
purposes of this thesis, these namely being stricter conditions for consent, privacy policies, the right
to be forgotten, data portability, the right to object to marketing and profiling, and privacy by design
and by default.
3.2.1 Stricter conditions for consent
Just like the current Directive, the GDPR also requires the consent of the data subject104
for the
processing of his data.105
However, the regulation sets much stricter conditions for the acquirement
of this consent. Article 7 of the GDPR defines consent as “freely given specific, informed and
explicit indication of his or her wishes by which the data subject, either by a statement or by a clear
affirmative action, signifies agreement to personal data relating to them being processed.”106
The
onus lies on the data collector, effectively meaning that the consent cannot be implied, but instead
has to be acquired via clicking through the terms and conditions, or some other concrete means
leaving a paper trail.107
Importantly, the data subject also has the right to withdraw his consent
concerning any future processing of his data.108
3.2.2 Privacy policies
Article 12 of the GDPR discusses the privacy policies imposed on the users.109
Privacy policies are
historically known as legalistic jargon that is really difficult for the average consumer to
102
Proposal for a Regulation of the European Parliament and of The Council on the protection of individuals with
regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation),
Brussels, 25.01.2012,pp.17-19,32. 103
TFEU,art.288. 104
GDPR, art.4(1). ”a natural person who can be identified by means reasonably likely to be used by the controller or
by any other natural or legal person” including by reference to “an identification number, location data, online
identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social
identity of that person”. Noticeable additions to the old definition are the location data and online identifiers. These
bring the definition to level required by today’s mobile-orientated online behavior. 105
Ibid.,art.7. 106
Ibid. 107
Ibid. 108
Ibid. 109
ibid.,art.12.
15
understand, effectively leading consumers to just click “I agree” without bothering to read the
whole text.110
Article 11 demands the use of “transparent and easily accessible policies” in “clear
and plain language”.111
3.2.3 The right to be forgotten
Although this right is covered by the article 17 of the GDPR it was really coined by the case C-
131/12 Google Spain, decided by the ECJ in 2014.112
The case concerned a Spanish citizen’s
request for Google to have certain outdated and embarrassing information about him removed from
the search engine’s search results.113
This request put Google between the rock and the hard place,
as they were effectively forced to make a choice between right to privacy and data protection on the
one hand, and freedom of information on the other.114
The ECJ ended up ruling in the favor of the
applicant, Mr. González, and Google was forced to erase the search results in question.115
The Court
ruled that individuals have the right to require their data to be removed when the data is
“inadequate, irrelevant or no longer relevant, or excessive in relation to those purposes and in the
light of the time that has elapsed”.116
Since the Court gave its judgment, Google has received
hundreds of thousands of requests from individuals who want their data to be removed from the
search results.117
3.2.4 Data portability
Article 20 of the GDPR outlines the right of users to have their data removed from one online
platform into the other.118
The obvious purpose of this new rule is to make changing service
providers easier for consumers, as currently the data gathered to and by the one platform keeps the
users effectively locked in to that platform.119
This will also curtail the market power hoarded by
the superplatforms as the data they have collected is not so exclusive anymore. Right to data
portability makes the access to the crucially important personal data of social media users possible
110
EDPS(2014),p.35. 111
GDPR, art.12. 112
ECJ, C-131/12, Google Spain SL, Google Inc. v Agencia Española de Protección de Datos (AEPD), Mario Costeja
González, 13 May 2014, ECLI:EU:C:2014:317. 113
Ibid.,para.2. 114
Ibid.,paras.81,97. 115
Ibid.,operative part. 116
Ibid.,para.93. 117
Google Transparency Report, European privacy requests for search removals,
https://www.google.com/transparencyreport/removals/europeprivacy/?hl=en ,accessed-27.04.17. 118
GDPR, art.20. 119
On user lock-in, see chapter 3.2.7,pp.18-19.
16
for other competitors on the market, at least in theory. However, as Stucke and Grunes point out,
the data being moved is “third party data” at that point, and therefore inferior in value to the
platform to which it is about to be moved.120
This is due to the fact that in today’s nowcasting-glad,
mobile-driven online environment data becomes outdated really fast.121
Yet a bigger problem is
created by something that cannot be controlled by the legislators in any case, namely the human
element present in the situation.122
3.2.5 Right to object to marketing and profiling
Articles 21 and 22 of the GDPR give the consumers the right to object to profiling done by the
algorithms based on their personal data and direct marketing based on that data.123
The profiling in
this context means profiling based on fully automated means; this is an important improvement
since the automatic profiling engaged in by the algorithms can easily lead people to be categorized
into groups they do not truly belong to, but only seem to belong to, based on their activities on the
platform.124
It remains to be seen how the platforms are going to react to these new provisions,
since targeted advertising is what they get paid for by their clients.125
3.2.6 Data protection by design and by default
This is perhaps the most important new rule introduced by the GDPR. Article 25 of the GDPR reads
as follows:
1. “Taking into account the state of the art, the cost of implementation and the nature, scope,
context and purposes of processing as well as the risks of varying likelihood and severity for
rights and freedoms of natural persons posed by the processing, the controller shall, both at
the time of the determination of the means for processing and at the time of the processing
itself, implement appropriate technical and organisational measures, such as
pseudonymisation, which are designed to implement data-protection principles, such as
data minimisation, in an effective manner and to integrate the necessary safeguards into the
120
Stucke M.E.,Grunes A.P.,pp.81-89. 121
See chapter 2.2,p.4. 122
See chapter 3.2.7,pp.18-19. 123
GDPR, arts.21-22. 124
United States Federal Trade Commission, Big Data: A Tool for Inclusion or Exclusion?, January 2016,pp.iii-iv,
https://www.ftc.gov/system/files/documents/reports/big-data-tool-inclusion-or-exclusion-understanding-
issues/160106big-data-rpt.pdf ,accessed-27.04.17. 125
See chapter 2.1,p.3.
17
processing in order to meet the requirements of this Regulation and protect the rights of
data subjects.
2. The controller shall implement appropriate technical and organisational measures for
ensuring that, by default, only personal data which are necessary for each specific purpose
of the processing are processed. That obligation applies to the amount of personal data
collected, the extent of their processing, the period of their storage and their accessibility. In
particular, such measures shall ensure that by default personal data are not made
accessible without the individual's intervention to an indefinite number of natural
persons.”126
In effect this article requires the algorithms to be designed in a way that they cannot collect and
analyze data too intrusively. From the outset, this seems like the most effective way to deal with the
issue since the algorithms are responsible for the data collection, which in turn is one of the reasons
why the GDPR was initiated in the first place. Even Gunther Teubner, the originator of the
regulatory trilemma, suggested something like this way before the era of data-driven industries took
off. In the third point of his trilemma where he describes regulation that becomes unenforceable due
to the immense power of the regulated entity, he suggests an “internal regulation” to be employed
instead of ineffective normal regulation.127
He describes this as “strategic intervention into certain
characteristics of the organization’s decision-making process; the so-called structural, as opposed
to the duty-approach”.128
Thus, instead of counting on the platforms to do the right thing and abide
by the law, he calls for concrete restrictions to be put in place from the get-go. This approach is
widely used in several fields of the society already, such as confining the top speed of certain motor
vehicles like mopeds to the legal limit they are allowed to drive.
So the GDPR looks promising from the outset, but what are its shortcomings and why will it likely
fail to ultimately protect the personal data of individuals, and therefore their freedom of expression
and information? The next subchapter will answer these questions in detail.
3.2.7 The shortcomings of the GDPR
While the GDPR introduces many provisions directly enhancing the level of data protection such as
the requirement of clearer privacy policies, stricter conditions for consent, and the right to opt out
from marketing and profiling, these provisions are likely only going to be effective on paper. This is
126
GDPR,art.25(1-2). 127
Dilemmas of Law in the Welfare State,p.317. 128
Ibid.
18
due to the fact that the vast majority of the users of these online platforms do not actually read the
terms and conditions shown to them as they register to the platform for the first time. Moreover,
they have never done this, so they are just accustomed to accept any terms given to them.129
Furthermore, it is not like the consumers have much of an option in this regard, as the contracts they
are required to sign are adhesive in their nature.130
Finally, even if a user gets upset with a service
such as Google’s Gmail and decides to switch to another email service, all his contacts still using
Gmail are indirectly allowing Google to collect the content of the emails he sends to those
people.131
Even if we decide to disregard the previous example and analyze the opportunities created by the
principle of data portability,132
allowing the users to go elsewhere if they are unhappy with the
terms and conditions offered by the platform, it falls short when the human element of this problem
comes into play.133
The users of online platforms, especially social media platforms, are strongly locked in to the
platform.134
Great example of this is Facebook, which has established a dominant position in the
social media market due to its data-advantage, guaranteeing higher quality of service to the users in
the form of targeted content, while simultaneously providing higher quality product for its clients in
the form of more unique datasets.135
Users cannot reasonably be expected to move their data into
some smaller social network, as the quality of their user experience has never been about the
platform’s design or other elements, but about the presence of other users forming the network with
the said user, and his ability to communicate with them effortlessly.136
The social switching costs
created by changing social media platforms are way too high for any individual to bear, unless the
vast majority of his contacts in Facebook also decided to change their social media platforms to the
same alternative platform at the same time.137
129
There is no base line to see what is ”normal” consumer behavior in this context. Birch K., Market vs. contract? The
implications of contractual theories of corporate governance to the analysis of neoliberalism, Ephemera, February
2016,vol.16(1),pp.107-133, http://www.ephemerajournal.org/sites/default/files/pdfs/issue/16-1ephemera-feb16.pdf
,accessed-27.04.17. 130
Ibid. 131
Stucke M.E.,Grunes A.P.,p.99. 132
GDPR, art.20 133
Rubinfeld D.L., Access barriers to Big Data, Arizona Law Review, 08.04.2017,vol.59, issue 339,pp.362-363,
http://arizonalawreview.org/pdf/59-2/59arizlrev339.pdf ,accessed-28.04.17. 134
Stucke M.E.,Grunes A.P.,pp.405-406. 135
See chapter 2.3,p.5. 136
Stucke M.E.,Grunes A.P.,p.247. 137
Ibid.
19
This phenomenon effectively allows the platforms to offer products inferior in quality by not
providing adequate privacy- and data protection for their users. Since providing this protection is
costly for the platforms in the form of research & development, as well as in the form of smaller
advertisement revenue due to less effective targeted advertising, not providing the privacy
protection can be seen as equal to raising one’s prices.138
Since Facebook is dominant in its relevant
market, this has already raised some competition law concerns with the German competition
authorities. Initiating an investigation, the German Cartel office has taken a leap forward and
combined data protection and competition law139
– something the CJEU is yet to have done.
Andreas Mundt, the president of the Bundeskartellamt, stated the following in regards to the
connection of data protection and abuse of dominance in this case:
“Dominant companies are subject to special obligations. These include the use of adequate
terms of service as far as these are relevant to the market. For advertising-financed internet
services such as Facebook, user data are hugely important. For this reason it is essential to
also examine under the aspect of abuse of market power whether the consumers are
sufficiently informed about the type and extent of data collected.”140
Even though this case is only under investigation at the moment and falls strictly under the German
competition law jurisdiction, it certainly is a leap towards the right direction.
The most promising enforcement tool introduced by the GDPR seems to be the concept of data
protection by design and by default, also known as algorithm accountability. This tool, too,
however, has its deficiencies.
First of all, the technical possibility to curtail the capabilities of the self-learning algorithms is a big
question mark at the moment. Even as certain operational limitations can be set to the algorithm by
the programmers at the time of design, the self-learning capabilities of these algorithms make sure
that no human being knows how they operate after a while.141
Second, the article 20(2) of the GDPR states: “The controller shall implement appropriate technical
and organisational measures for ensuring that, by default, only personal data which are necessary
138
Since the products are free, the quality of service is the price of these services. In the end the outcome is the same;
higher profit margins for the dominant undertaking at the expense of the consumers. 139
Bundeskartellamt, Bundeskartellamt initiates proceeding against Facebook on suspicion of having abused its market
power by infringing data protection rules, 02.03.2016,
http://www.bundeskartellamt.de/SharedDocs/Meldung/EN/Pressemitteilungen/2016/02_03_2016_Facebook.html
,accessed-27.04.17. 140
Ibid. 141
Ezrachi A.,Stucke M.E.,pp.230-231.
20
for each specific purpose of the processing are processed. That obligation applies to the amount of
personal data collected, the extent of their processing, the period of their storage and their
accessibility.”142
In this case the platforms will argue that since the variety of data is the most
important element in providing most accurate services to the users in the form of nowcasting or
whichever other way, they need to collect all the data available to them, all the time.143
Lastly, legally limiting the capabilities of the algorithms is like asking a giraffe to shorten its neck
or Ford to build all its model-T’s without the conveyer belt.144
Big data and big analytics are the
lifeblood of these platforms, and the single cause behind their current success. Not being allowed to
use one’s greatest asset would greatly hamper innovation on this front, which is something a
regulation should not be doing.145
But perhaps the biggest shortcoming of the GDPR is the point of view from which it approaches the
whole issue. Besides the principle of algorithm accountability – the effectiveness of which has been
questioned above – the GDPR mostly engages in damage control. All its provisions start from the
assumption that the data has already been collected, and that after this collection the abilities of the
platforms to process and utilize this data should be limited. This does not solve the initial problem
outlined in the beginning of the chapter, namely the concentration of all the data into the hands of
the few powerful superplatforms. Furthermore, today most data are analyzed instantaneously due to
the changed nature of online behavior through mobile revolution, nowcasting, and the rise of the
IoT. Luckily, the conduct of the online platforms in possession of big data allows us to consider
what tools the competition law authorities of the EU have at their disposal to deal with this problem,
and therefore indirectly get involved with the protection of personal data and freedom of expression
and information.
3.3 Enforcement through competition law
In addition to the data protection law, competition law of the EU could also be used to control the
power wielded by online platforms. Both data protection law and competition law strive towards the
same outcome when it comes to the superplatforms – namely, trying to prevent the concentration of
data into the hands of the few and hence the possible abuse of the power brought by it.
142
GDPR, art.20(2). 143
See chapter 2.4,pp.7-8. 144
Zuboff S.,(2016). 145
See chapter 3.1,p.12. As acknowledged by Teubner and Brownsword alike.
21
Competition law has taken a more preemptive approach in this field, when compared to the damage
control tactics exercised by the data protection authorities. Competition law does this mostly by
merger control, with which it prevents possibly abusive mergers from happening.146
Data-driven
mergers have appeared to the radar of competition authorities in the past few years, although the
prevention of such mergers has thus far only been successful in the United States.147
In the EU on
the contrary, fierce criticism has been directed towards the European Commission for not
recognizing data as a source of potential market power.148
The critique started pouring in especially
after the merger of Facebook and WhatsApp in 2014 when two of the world’s biggest instant
messaging services merged, Facebook paying a whopping $19 billion for the acquisition despite the
annual revenue of WhatsApp at the time being a mere $10 million.149
It is clear that the reason for
the high price tag was the data Facebook was able to get its hands on through the acquisition.150
At
the time WhatsApp was known for its good privacy protection, whilst Facebook Messenger
collected all the data from its users; In 2015 Facebook announced – not surprisingly – that it will
start collecting data from the users of WhatsApp as well.151
The following subchapters are going to discuss the competences of the competition authorities to
act in the name of data protection, the ways in which data-driven platforms breach EU competition
rules, and the ways in which competition authorities can prevent these violations.
3.3.1 Competences of the competition authorities to deal with data protection issues
At the moment the case law of the CJEU states that there is no basis to include data protection
considerations to the field of EU competition law. Advocate General Geelhoed stated in the case
Asnef-Equifax: “Any problems concerning the sensitivity of personal data can be resolved by other
instruments, such as data protection legislation”.152
This seems a bit counter-intuitive since data in
itself has indeed become an asset to gain market power, as expressed by European Data Protection
146
Council Regulation (EC) No 139/2004 of 20 January 2004 on the control of concentrations between undertakings
(the EC Merger Regulation), Brussels, preamble paras.3-5. 147
The United States Department of Justice, Justice Department and Bazaarvoice Inc. Agree on Remedy to Address
Bazaarvoice’s Illegal Acquisition of PowerReviews, 24.04.2014, https://www.justice.gov/opa/pr/justice-department-
and-bazaarvoice-inc-agree-remedy-address-bazaarvoice-s-illegal-acquisition ,accessed-27.04.17. 148
Stucke M.E.,Grunes A.P.,pp.132-137. 149
Ibid.,p.136. 150
As admitted by Mark Zuckerberg himself. Fiegerman S., Facebook to Buy WhatsApp for $16 Billion, Mashable,
19.02.2014, http://mashable.com/2014/02/19/facebook-whatsapp/#P_swPcbOyiqk ,accessed-27.04.17. 151
Stucke M.E.,Grunes A.P.,p.137. 152
ECJ, C-238/05, Asnef-Equifax, Servicios de Información sobre Solvencia y Crédito, SL, Administración del Estado v
Asociación de Usuarios de Servicios Bancarios (Ausbanc), 23 November 2006, ECLI:EU:C:2006:734,para.56.
22
Supervisor (EDPS) already in 2014.153
The opinion expressed in Asnef-Equifax was nevertheless
reinforced by the Facebook/WhatsApp merger, where the Commission only discussed data in
connection with the advertisement-side of the market.154
So the CJEU has not yet taken the leap to merge the fields of data protection law and competition,
but will most certainly do so in the near future, as cases relating to these matters have been brought
up both by the Commission and the national competition authorities.155
3.3.2 Classic competition abuses, data-driven industry, and the absence of illegality
The basic division of competition law abuses under the TFEU is between articles 101 and 102,
these governing collusive practices and the abuse of dominant position, respectively.156
3.3.2.1 101 violations
The self-learning algorithms employed by the data-driven industries such as online shopping sites
have created a new type of problem under the article 101. As the determination of the existence of
collusive behavior requires the finding of an agreement – a “meeting of the minds” – or intent to act
anticompetitively157
, the authorities are stuck. This is due to the fact that the algorithms can engage
in tacit collusion without an agreement or intent to do so.158
They simply are fulfilling the function
they were designed to fulfill.159
And since these algorithms are self-learning, the programmers
cannot be held responsible for their actions, either. Ezrachi and Stucke demonstrate this with the
example of several gas stations competing for customers by lowering their prices and undercutting
each other one after another.160
In the world without algorithms this would lower the prices and
benefit the consumers, but as the algorithms get involved, they soon realize that the other algorithm
is going to undercut the price anyway and therefore every gas station is better off if no one cuts the
153
EDPS(2014),pp.8-10. 154
European Commission, Case No COMP/M.7217 - FACEBOOK/ WHATSAPP, 03.10.2014,para.166,
http://ec.europa.eu/competition/mergers/cases/decisions/m7217_20141003_20310_3962132_EN.pdf ,accessed-
27.04.17. 155
see chapter 3.2.7,pp.18-19 and chapter 3.3.2.2,pp.23-25. 156
TFEU, arts.101-102. 157
Ibid.,art.101. 158
Ezrachi A.,Stucke M.E.,pp.56-60. 159
I.a. profit maximization. Ibid.,pp.74,77-79. 160
Ibid.,pp.57-60.
23
price to begin with.161
But since tacit collusion in itself is not illegal,162
there is nothing the
competition authorities can do about this.
3.3.2.2 102 violations
As the abuse of dominant position under article 102 is concerned, the best example involves Google
and the statements of objections brought against it by the European Commission in 2016.163
In the
April 2016 statement of objections, Google was alleged of having violated EU competition law by
leveraging its dominance on the search engine market and the android operating system market by
i.a.:
1. Requiring manufacturers to pre-install Google Search and Google's Chrome browser and
requiring them to set Google Search as default search service on their devices, as a condition
to license certain Google proprietary apps;
2. preventing manufacturers from selling smart mobile devices running on competing
operating systems based on the Android open source code;
3. giving financial incentives to manufacturers and mobile network operators on condition that
they exclusively pre-install Google Search on their devices.164
The Commission also issued another statement of objections in July 2016, where Google was under
attack for:
1. Requiring third parties not to source search ads from Google's competitors.
2. Requiring third parties to take a minimum number of search ads from Google and reserve
the most prominent space on their search results pages to Google search ads. In addition,
competing search ads cannot be placed above or next to Google search ads.
3. Requiring third parties to obtain Google's approval before making any change to the display
of competing search ads.165
According to the Commission, these competition law breached by Google have helped it to
maintain its dominance in the mobile operating system market as well as in the comparison
161
Ibid. 162
ECJ, C-40/73, Joined cases Coöperatieve Vereniging "Suiker Unie" UA and others v Commission of the European
Communities, 16 December 1975, ECLI:EU:C:1975:174,paras.173-174. 163
Commission statement of objections April; European Commission, Antitrust: Commission takes further steps in
investigations alleging Google's comparison shopping and advertising-related practices breach EU rules, 14.07.2016,
http://europa.eu/rapid/press-release_IP-16-2532_en.htm ,accessed-27.04.17. 164
Commission statement of objections April. 165
Commission statement of objections July.
24
shopping websites market166
, having “weakened or even marginalised competition from its closest
rivals”.167
Google has unofficially responded to these allegations by referring to the power of innovation,
warning about the dangers of the chilling effect any legal proceeding on the aforementioned
grounds could have on it.168
Moreover, Google referred to efficiencies its products create to all sides
of the market.169
As efficiencies can be used to justify otherwise abusive conduct under article 102
TFEU, finding of liability grows even more difficult.170
According to the case law of the CJEU, the European Commission has to take efficiency defenses
into account when investigating case of possible abuse under 102 TFEU.171
The Commission sets
up cumulative criteria to be fulfilled in order for the efficiency gains to be accepted as a justification
for otherwise abusive conduct:
1. “The efficiencies have been, or are likely to be, realised as a result of the conduct. They
may, for example, include technical improvements in the quality of goods, or a reduction in
the cost of production or distribution.
2. The conduct is indispensable to the realisation of those efficiencies: there must be no less
anti-competitive alternatives to the conduct that are capable of producing the same
efficiencies.
3. The likely efficiencies brought about by the conduct outweigh any likely negative effects on
competition and consumer welfare in the affected markets.
4. The conduct does not eliminate effective competition, by removing all or most existing
sources of actual or potential competition. Rivalry between undertakings is an essential
driver of economic efficiency, including dynamic efficiencies in the form of innovation. In its
absence the dominant undertaking will lack adequate incentives to continue to create and
pass on efficiency gains. Where there is no residual competition and no foreseeable threat of
entry, the protection of rivalry and the competitive process outweighs possible efficiency
166
Commission statement of objections April; Ibid. 167
Commission statement of objections July. 168
Walker K., Android: Choice at every turn, 10.11.2016, https://blog.google/topics/google-europe/android-choice-
competition-response-europe/ ,accessed-27.04.17. 169
Ibid. 170
It has to be kept in mind that the competition law does not even recognize data-related issues at the moment. 171
ECJ, C-27/76 United Brands v Commission, 14 February 1978, ECLI:EU:C:1978:22, para.184; ECJ, C-311/84
Centre Belge d'études de marché — Télémarketing (CBEM) v Compagnie luxembourgeoise de télédiffusion (CLT) and
Information publicité Benelux (IPB), 3 October 1985, ECLI:EU:C:1985:394, para.27; Court of First Instance, C-T-
30/89, Hilti v Commission, 12 December 1991, ECLI:EU:T:1991:70, paras102-119; Court of First Instance, T-83/91,
Tetra Pak International v Commission (Tetra Pak II), 6 October 1994, ECLI:EU:T:1994:246, paras136,207; ECJ, C-
95/04 P, British Airways v Commission, 15 March 2007, ECLI:EU:C:2007:166, paras.69,86.
25
gains. In the Commission's view, exclusionary conduct which maintains, creates or
strengthens a market position approaching that of a monopoly can normally not be justified
on the grounds that it also creates efficiency gains.”172
Considering these conditions, it is clear that the efficiencies are being realized and that the en masse
data collection is indeed indispensable for the creation of the product of this quality.173
If this was
not done, there would be no particular difference between the services provided by Google and
DuckDuckGo.174
The data collection is not anticompetitive either, as any competitor of these
superplatforms is in theory free to collect the data to the same extent. But as we know, network
effects have enabled the few superplatforms to win over their respective markets granting them the
data-advantage, de facto closing out the other competitors.175
These superplatforms have the best
algorithms and the data-advantage, and therefore the gap between them and the next competitor is
growing at accelerating rate. So should these dominant undertakings be punished for their success
by forcing them to share their data with their competitors? This does not seem to be the case.176
Lastly, there is no fear over the stagnation of innovation due to the growing dominance, as the ever-
improving product created by network effects and positive feedback loop prevents this from
happening.177
But there is something in these cumulative criteria that deserves closer scrutiny by the competition
authorities. According to the third criterion, the efficiencies should always outweigh the possible
consumer harm created by the abusive conduct.178
So the question is; do the users really gain more
from the high-end search results than they lose through the gradual chipping away of their privacy,
data protection rights, and freedom of expression and information? This is especially the question
when we consider IoT and the even more intrusive data collection introduced by it.179
3.3.2.3 “Frenemy” dynamic
In addition to the traditional violations under articles 101 and 102 TFEU, Ezrachi and Stucke also
identify a new dynamic in which data plays a key role in enhancing the dominance of
172
European Commission, Communication from the Commission — Guidance on the Commission's enforcement
priorities in applying Article 82 of the EC Treaty to abusive exclusionary conduct by dominant undertakings, Official
Journal of the European Communities, C 45, 24.2.2009,paras.28-31. 173
See chapter 3.2.7,p.20. 174
See chapter 4.1,p.28. DuckDuckGo is a search engine that does not collect any data from its users. 175
See chapter 2.3,p.5. 176
The Autorité de la Concurrence and the Bundeskartellamt,p.18. 177
See chapter 2.3,p.5. 178
Article 82 EC enforcement priorities,para.30. 179
See chapter 4.3,pp.30-31.
26
superplatforms.180
In this so-called “frenemy” relationship, the superplatforms take advantage of the
independent apps developed for their platform as long as the apps are useful and do not cause any
trouble for the superplatform.181
But as soon as the independent apps start to threaten the
superplatform’s own competing app or in any other way annoy the superplatform, these apps will be
closed out from the app store or acquired by the superplatform.182
Although the financial outcome
in these two cases can be very different for the independent apps concerned, the end-game from the
superplatform’s point of view is the same – No one can threaten its place at the top of the food
chain.
The frenemy dynamic also raises a question over the status of these superplatforms as essential
facilities.183
This indeed might be de facto the case, but unfortunately the CJEU has set up
draconian cumulative requirements to be fulfilled in order for something to be considered an
essential facility:
1. The facility has to be indispensable for carrying on the business in question;
2. It has to prevent the emergence of a new product for which there is a potential consumer
demand;
3. It has to exclude all competition in the secondary market and be unjustifiable by any
objective means184
; and
4. No alternative products or services exist, and there are technical, legal or economic
obstacles making it impossible or unreasonably difficult for an undertaking striving to
compete on the downstream market to develop, possibly in cooperation with other
companies, these products or services.185
These conditions are not fulfilled in the case of superplatforms since the independent apps are still
in theory able to compete on the market, albeit with immense difficulty.
After examining the various forms in which data-driven industries cause problems for the
competition authorities, it seems that the authorities currently lack the tools to tackle these issues.
Chapter 3.4 will reflect on the lack of enforcement tools available for the data protection and
competition authorities alike, and answers the first half of the research question of this thesis.
180
Ezrachi A.,Stucke M.E.,pp.147-149. 181
Ibid.,pp.151-155. 182
See chapter 2.4,p.8. 183
Hijmans H.,p.268. 184
ECJ, C-418/01, IMS Health GmbH & Co. OHG, 29 April 2004, ECLI:EU:C:2004:257,para.37. 185
ECJ, C-7/97, Oscar Bronner GmbH & Co. KG, 26 November 1998, ECLI:EU:C:1998:569,paras.44-45.
27
3.4 Reflections on the current enforcement tools available
At the moment there are not many tools available for the data protection or competition authorities
in order to effectively restrict the powers of the data-driven online platforms. There is light at the
end of the tunnel nonetheless, illustrated by the case brought against Facebook by the German
Cartel Office186
and the statements of objections issued against Google by the Commission.187
Even
though the effectiveness of the GDPR remains a mystery until it comes into force in 2018, it will
certainly enhance the level of data protection in the EU to some extent.
But as the regulatory trilemma referred to in chapter 3.1 demonstrates, regulating is challenging,
especially in the field of data driven-industries.188
The tools available under the GDPR are likely to
be ineffective due to user lock-in and the existence of strong data-driven network effects189
, or be
too rigid, killing the incentive to innovate.190
To answer the first half of the research question of this thesis, it therefore has to be concluded that
although regulation is badly needed, successfully regulating the data-driven platforms is a really
difficult task that has just begun, and in order to succeed, the data protection authorities and the
competition authorities will have to begin cooperating effectively.
Paramount for the successful enforcement is to keep the data from concentrating into the hands of
the few superplatforms. This would be most effectively achieved by the competition authorities
borrowing a few pages from data protection authority’s playbook, and starting to take data into
account in their investigations. This would first and foremost have to happen through effective data-
orientated merger control, and secondly through the realization that the efficiencies created by the
superplatforms and their abusive conduct are clearly being outweighed by the consumer harm
caused by the superplatforms and their ability to hinder our freedom of expression and
information.191
Until this happens, the future on this front seems grim.
Chapter 4 will discuss future options, developments, and threats in regards to people’s freedom of
expression and information, and the further challenges faced by the EU’s enforcement authorities.
The chapter also strives to answer the second half of the research question; namely, can effective
186
See chapter 3.2.7,pp.18-19. 187
See chapter 3.3.2.2,pp.23-24. 188
See chapter 3.1,p.12. 189
See chapter 3.2.7,pp.18-19. 190
Ibid. 191
See chapter 4,pp.28-34.
28
regulation still be achieved, or has the time to intervene already passed, as people and governments
alike have grown dependent on the existence of these online platforms?
4. Future challenges, threats, and options
As pointed out at the conclusion of the second chapter, the best option to regulate the
superplatforms is through the EU competition law. Besides the fact that the law has not recognized
data protection issues under its jurisdiction, what other obstacles stand in the way of more effective
enforcement?
This chapter is going to discuss the efficiencies created by the actions of the platforms and threats
posed by the rapidly advancing IoT to the people’s freedom of expression and information, and
answers the second half of the research questions, namely; is it already too late for effective
intervention due to the efficiencies created by the platforms, and the lack of political will and
technical capabilities to do so?
4.1 Efficiencies created for individual users
Are these platforms simply “too good to be regulated”? Today that is a serious question, as the
platforms make people’s lives much easier in many ways. Google knows what you want to search
for before you finish typing your search query192
and Facebook conveniently provides you with the
feed it knows will be to your satisfaction.193
As these undertakings have won over the market with
their data-advantage and provide the highest quality of product to the both sides of the market194
,
why would any regulation even be necessary?
It turns out that a small niche of the population still values their privacy more than they value
accurate search results, which has spurred the creation of services like the search engine
DuckDuckGo, whose main utility is that it does not collect any data from its users.195
Naturally the
user experience suffers from this ethical behavior, and will keep large audiences firmly committed
to Google.196
Moreover, even if one switches his search engine to DuckDuckGo, one still would
have to evade YouTube, Gmail, Google Maps, Google Chrome, Android, and all IoT products
192
Epstein R.,Robertson R.E. 193
VPRO. 194
See chapter 2.3,pp.5-6. 195
DuckDuckGo.com’s front page states: “We don’t store your personal info. We don’t track you. Ever”. 196
Stucke M.E.,Grunes A.P.,pp.256-259.
29
Google owns in order to effectively protect his personal data.197
This is becoming increasingly
difficult with the rapid growth of the IoT, as will be discussed in chapters 4.3-4.4.198
An even bigger efficiency – or threat, depending on the point of view from which one looks at the
situation – is formed by the network effects creating and further fueling these platforms.199
Products
with network effects are the rare instance in our society where consumers are better off with less
choice.200
Users benefit as they do not have to use several networks to communicate with their
friends or use several search engines to find information, while the advertisers also benefit as they
receive broader datasets enabling them to engage in more accurate targeted advertising. It is this
wide variety of data that also creates efficiencies for the governments that are supposed to regulate
these platforms, as will be illustrated below.
4.2 Efficiencies created for governments
As became clear through the Snowden revelations in 2013, governments all over the world are
gathering vast amounts of data about individuals with the help of online platforms.201
Indeed,
United States government was heavily involved with the initial creation of Google by funding the
PhD research of Sergey Brin, the co-creator of Google.202
Governments use online platforms as
their intelligence gathering device for the simple reason that these platforms are more capable of
gathering data than the governments would ever be, as the users themselves contribute the data to
these platforms.203
At this point it is good to remember the third principle of the regulatory trilemma, namely that the
law should never submit to the entity it is supposed to regulate.204
In the light of all the
aforementioned details and for the fact that online platforms and governments are heavily involved
with each other through lobbying and other favorable arrangements205
, it has become more and
197
Center for Democracy & Technology, Comments for November 2015 Workshop on Cross-Device Tracking,
16.10.2015, https://cdt.org/files/2015/10/10.16.15-CDT-Cross-Device-Comments.pdf ,accessed-28.04.17. 198
See chapters 4.3-4.4,pp.30-32. 199
See chapter 2.3,pp.5-6. 200
Gebicka A.,Heinemann A., Social Media & Competition Law, World Competition, 2014/2, volume 37,p.159. 201
Greenwald G.,MacAskill E., NSA Prism program taps in to user data of Apple, Google and others, The Guardian,
07.06.2013, https://www.theguardian.com/world/2013/jun/06/us-tech-giants-nsa-data,accessed-27.04.17. 202
Ahmed N., How the CIA Made Google, InsurgeIntelligence, 22.01.2015, https://medium.com/insurge-
intelligence/how-the-cia-made-google-e836451a959e ,accessed-27.04.17. 203
Ahmed N., Why Google Made the NSA, InsurgeIntelligence, 22.01.2015, https://medium.com/insurge-
intelligence/why-google-made-the-nsa-2a80584c9c1,accessed-27.04.17. 204
Dilemmas of Law in the Welfare State,p.312. 205
Ezrachi A.,Stucke M.E.,pp.244-246; Dayen D., The Android Administration, The Intercept, 22.04.2016,
https://theintercept.com/2016/04/22/googles-remarkably-close-relationship-with-the-obama-white-house-in-two-charts/
,accessed-27.04.17.
30
more unclear which entity is more dependent on the other? This begs the question whether there is
political will to effectively regulate these platforms to begin with?206
207
Moreover, the efficiencies
discussed above are going to grow even greater with the emergence of the IoT, as will be elaborated
in the following chapter.
4.3 Internet of Things
As mentioned in chapter 2.4, IoT is growing rapidly and is estimated to reach 25 billion devises by
the year 2020.208
The peculiar thing about IoT when compared to the “normal” data-driven
industries is that whereas with these normal platform products the collected data makes them better,
with IoT the collected data makes the whole product. The whole concept of IoT is the connection of
everyday devises to the internet in order to collect data; if the data collection is taken out of the
equation, we are left with ordinary toothbrushes and refrigerators.209
Here the whole dynamic of data collection changes. The users do not choose to voluntarily give
away their data anymore, but instead the data is simply taken from them, since the IoT products
they are using are dependent on the data in order to exist.210
Here the talk about better privacy terms, stricter conditions for consent, and collecting only what is
necessary in order to provide the service in question – as introduced by the GDPR211
– can be
forgotten altogether, since all the data is necessary for the functioning of the IoT products.212
Furthermore, the users still lack the opportunity to negotiate their contracts with these service
providers as the contracts are adhesive in their nature.213
Either the user clicks “I agree” or he
206
Emphasis added. Schrems alleges that the Privacy Shield is not going to provide adequate protection for people’s
data, but instead is just something done out of necessity to keep the consumers happy. Gilbert D., Safe Harbor 2.0: Max
Schrems Calls ‘Privacy Shield’ National Security Loopholes ‘Lipstick On A Pig’, International Business Times,
29.02.2016, http://www.ibtimes.com/safe-harbor-20-max-schrems-calls-privacy-shield-national-security-loopholes-
lipstick-2327277 ,accessed-27.04.17. 207
See chapter 4.5,pp.32-33. 208
Gartner. 209
EDPS(2014),p.35. 210
Zuboff S., Big other: surveillance capitalism and the prospects of an information civilization, Journal of Information
Technology, March 2015,vol.30(1),p.79,
https://poseidon01.ssrn.com/delivery.php?ID=94400303101712311107400709009309809900005606803900300012707
209807207012309100609511810200709600110501300609407711612602409208801301900502602012706500109102
3120007080078071101019104113001025022117007024066024088120089029121125108005114091102074089&EX
T=pdf ,accessed-27.04.17. 211
See chapter 3.2,pp.13-16. 212
EDPS(2014),p.35. 213
Birch K.
31
simply goes on without using the product, effective resigning himself from the modern society.214
And if one thinks that IoT products are not a necessity to have in the first place, one could try to live
without a smartphone for a week. Technological innovations have the tendency to creep their way
into our daily lives until one day people do not remember how life was like without them.
It is needless to say that if regulating the normal data-driven industries is difficult due to the
efficiencies they create, effective regulation of IoT seems to be outright impossible due to the fact
that without their data collection these products simply would not exist. This would be like the
above-mentioned model-T-example on steroids.215
The potential of IoT and its data collecting abilities has been recognized by the superplatforms as
well since after all, data is the core of their business. For the past several years these superplatforms
have been on a rampant shopping spree for promising IoT undertakings.216
Naturally, the
superplatforms are doing this to broaden the variety of data at their disposal, further concentrating
data into the hands of the few.217
Meanwhile these superplatforms have also engaged into a race to
develop the first fully functioning personal assistant218
, the so called digital butler.219
4.4 Digital butler
Siri, Alexa, M; these things already exist220
and are collecting data about our every move. The race
to launch the first fully functional A.I. butler is crucial for the superplatforms since it has the
potential to shift the data-advantage to the favor of the winner of this race. At the moment Google is
at the driver’s seat in this contest, as it has the ability to collect the broadest datasets. Moreover, due
to its dominance in the mobile operating system market with Apple, Google has the ability to close
out Facebook from that part of the business if necessary.221
With the digital butler, targeted advertisements would go directly to the butler without the owner
ever being aware of them.222
The butler would then make the decisions for you concerning your
daily activities such as shopping, entertainment consumption, and so on.223
The butler would also
214
Ezrachi A.,Stucke M.E.,p.217. 215
Zuboff S.,(2016). 216
Stucke M.E.,Grunes A.P.,pp.143-153. 217
OECD(2016),p.10. 218
Ezrachi A.,Stucke M.E.,pp.192-193. 219
Ibid.,p.194. 220
Ibid.,pp.192-193. 221
Although this is highly unlike to happen due to Facebook’s popularity. Form 10-K Facebook, Inc. 222
Ezrachi A.,Stucke M.E.,pp.192-193. 223
Ibid.,p.194.
32
know which news you prefer, and would help you with your social interactions by drafting your
emails and text messages.224
And this is the heart of the problem; people’s freedom of expression
and information is being taken over by the superplatforms with the help of the butler, as the steady
alteration of our information flow by the butler changes the way in which we think.225
This
phenomenon is not new, as it is happening already with the traditional data-driven platforms.226
Still, the real cause of this problem is that the vast majority of people only care about the
efficiencies created by the butler, disregarding the threats to their freedom of expression and
information.227
Not only does the butler depend on the data provided to it in order to function
properly, but likewise the people are dependent on the butler having the data, since they are unable
to deal with their day-to-day errands without its help.228
This is caused by the internal network
effect created by the butler; the more the individual uses the butler, the more efficient it becomes.229
At the point where digital butlers are becoming the gatekeepers of our information, it is appropriate
to ask the question; is it already too late to intervene? Surely no one wants a DuckDuckGo
butler?230
4.5 Inability to intervene
As the biggest threat to our freedom of expression and information comes from the superplatforms,
we have to consider how the concentration of power to these few undertakings could be curtailed.
There are two major obstacles to this curtailment, however. These obstacles are the lack of technical
capabilities to stop the algorithms and the lack of political will to intervene in the first place.
Right now the authorities drag several steps behind the algorithms, and are unable to figure out how
they function.231
More importantly, the programmers who created the algorithms are not capable of
reverse-engineering them due to their rapid phase of self-improvement.232
This problem is best demonstrated by the fact that in 2016 and early 2017, machines were able to
beat the best human players in Go233
and Texas hold’em poker234
, both being highly complicated
224
Ibid.,pp.194-199. 225
Ibid.,pp.197-199. 226
Kramer A.D.I.,Guillory J.E.,Hancock J.T; Epstein R.,Robertson R.E. 227
Newman N., The Costs of Lost Privacy: Consumer Harm and Rising Economic Inequality in the Age of Google,
William Mitchell Law Review, 2014,vol.40, issue 2,pp.855-863,
http://open.mitchellhamline.edu/cgi/viewcontent.cgi?article=1568&context=wmlr ,accessed-28.04.17. 228
Ezrachi A.,Stucke M.E.,pp.194-195. 229
Ibid. 230
Ibid.,pp.200-201. 231
Ibid.,pp.230-231. 232
Ibid.
33
games with seemingly endless amount of possible outcomes.235
In the latter example, the machine
even bluffed, making its victory even more impressive.236
Keeping these examples in mind, we can reflect on a recent speech held by the EU competition
commissioner Margrethe Vestager, where she strongly encouraged the powerful platforms to act
according to the EU competition rules.237
It is a telling example of the weakness of the current
enforcement tools when the best the Commission can do is to ask the violators not to violate the
law.238
Pairing all this up with the lack of political will to intervene as discussed in chapter 4.2239
, the
second half of the research question of this thesis can be answered by stating that effective
regulation of the online platforms is not possible at the moment as the law has fallen second to the
to the entities it strives to regulate.240
The following subchapter will reflect on this thought, and
discuss the future implications of the actions or inaction by the authorities.
4.6 Reflections and future implications
As chapter 3 explained, the enforcement tools at the disposal of the data protection and competition
authorities are inadequate to deal with the data-driven platforms, either being ineffective and unable
to change the conduct of these platforms, or over-regulating to the detriment of innovation.241
Chapter 4 contributes to this bleak realization by concluding that at the moment there is neither
technical capability nor political will to effectively regulate and enforce the data-driven industry
and in particular the dominant online platforms. This finding adds to the line of thought began at the
end of chapter 3, where it was concluded that the principles one and two of the regulatory trilemma
233
McKenzie D., Update: Why this week’s man-versus-machine Go match doesn’t matter (and what does), Science,
15.03.2016, http://www.sciencemag.org.proxy.uba.uva.nl:2048/news/2016/03/update-why-week-s-man-versus-
machine-go-match-doesn-t-matter-and-what-does ,accessed-28.04.17. 234
Moravcik M.,et.al., DeepStack: Expert-Level Artificial Intelligence in Heads-Up No-Limit Poker, Science,
02.03.2017,vol.355, issue 6328,
http://science.sciencemag.org.proxy.uba.uva.nl:2048/content/early/2017/03/01/science.aam6960.full ,accessed-
28.04.17. 235
Ibid.;McKenzie D. 236
Moravcik M.,et.al.,pp.9-11. 237
Vestager M., Algorithms and Competition, 16.03.2017, https://ec.europa.eu/commission/commissioners/2014-
2019/vestager/announcements/bundeskartellamt-18th-conference-competition-berlin-16-march-2017_en ,accessed-
27.04.17. 238
Ibid.,(This thought was originally expressed by the author in “Digital cartels: The Future of Global Cartels and
Cartel Enforcement” paper of 06.04.2017.) 239
See chapter 4.2,pp.29-30. 240
Gilbert D. 241
See chapter 3.4,p.27.
34
remain unfulfilled.242
As the law has clearly crumbled under the entities it is supposed to oversee,
the third principle of the regulatory trilemma likewise fails to be fulfilled.
Still, the superplatforms’ conduct hampering individuals’ freedom of expression and information
should somehow be halted, whilst also allowing the individuals and governments alike to enjoy the
efficiencies created by these entities. So how could the consumers and the government have their
cake and eat it too? The options discussed by the rest of this chapter are both scarce and far-fetched,
accurately depicting the overwhelming task faced by the authorities.
As discussed in chapter 3.3.1, the EU merger rules do not recognize data as a source of market
power243
, allowing data-driven mergers to concentrate more and more data to the hands of the few
superplatforms. While altering the merger rules accordingly seems like the most logical solution to
this problem, it would cause a lot of practical concerns.
With the growth of the IoT, data will likely be an inherent part of most mergers in the future. This is
especially the case with the superplatforms, as they are constantly looking to broaden the scope of
the data they collect.244
Thus, making data part of the merger evaluation would flood the
Commission with cases it would have otherwise never had to consider, making these new merger
control rules ineffective as all the cases could not be handled diligently. Here the regulatory
trilemma raises its head once again. Given this, it is unlikely that the merger rules are going to be
changed any time soon. This brings us to an alternative solution: the possible subsidization of the
undertakings which would otherwise be merging with the superplatforms.
This subsidization by the EU would solve half of the problem, as it would slow down the further
concentration of data towards the superplatforms. However, at the same time it would slow down
the superplatforms’ product development, as their access to more data would be hindered. Naturally
this would not sit well with the consumers and governments, who first and foremost care about the
efficiencies brought by the superplatforms. Moreover, the effectiveness of this strategy is highly
questionable, as the superplatforms could easily outbid whatever the EU could offer for the to-be-
merged undertaking.
So it seems that at the moment the ball is on the superplatforms’ side of the court; it is in their
power to make sure that the algorithms act accordingly and do not hinder people’s fundamental
242
Ibid. 243
ECJ, C-238/05, Asnef-Equifax,para.56. 244
Lohr S.
35
rights, and with this great power comes a great responsibility. If the algorithms are not properly
supervised, there is a risk that the digital butler will turn into a “digital priest”.245
This being said, the technical difficulties to curtail the actions of the algorithms also apply to the
platforms themselves.246
Thus, our best option at the moment is to wait for the technology to
develop so that some level of algorithm accountability can be attained.247
Until then, we can only hope that the Google’s ex-slogan “Don’t be evil”248
still holds true and is a
conscious choice rather than a horror scenario yet to materialize, capable of causing grave damage
by hampering people’s freedom of expression and information in the current state of insufficient
enforcement – or in the future, where the power it wields is going to be even greater.
5. Conclusion
Surveillance capitalism and the phenomena brought by it have created unprecedented challenges to
the protection of freedom of expression and information under the EU legal order. Superplatforms,
aided with big data and ever-growing network effects, have conquered the markets and are now
threatening people’s freedom of expression and information by acting as a gateway and gatekeepers
to the internet and consequently strongly influencing the way people see the world.
The two-dimensional research question of this thesis asked: First, whether there are basis to regulate
the practices of the superplatforms and which legislative framework would be the best to do so; and
second, whether there is political will and technical capability to do so to begin with.
To answer the first half of the research question of this thesis, it has to be concluded that although
there is a pressing demand for regulation, the current enforcement tools at the disposal of the EU
data protection and competition authorities are inadequate to effectively regulate the platforms.
These tools are either ineffective, failing to alter the behavior of the regulated entities, or over-
regulating, killing the incentive to innovate.
To achieve effective regulation, it is recommended that data protection and competition law
authorities tightly cooperate in order to achieve the key goal common to their policies, namely
stopping the concentration of data into the hands of the few extremely powerful superplatforms.
245
As stated by Brownsword at the ACELG’s annual 2016 conference. 04.11.2016. 246
Ezrachi A.,Stucke M.E.,pp.230-231. 247
Ibid. 248
Roberts D., Alphabet drops Google’s famous ‘Don’t Be Evil’ motto, Fortune, 05.10.2015,
http://fortune.com/2015/10/05/alphabet-google-evil/ ,accessed-27.04.17.
36
First this would happen through competition authorities’ recognition of data as a source of market
power and effective, data-orientated merger control, and second, through the realization that the
efficiencies created by the actions of the superplatforms are easily refuted by the negative effects
they impose on the society as they hamper people’s freedom of expression and information.
Second half of the research question can be answered by stating that due to the efficiencies created
by the superplatforms for the people and governments alike, there is no political will to effectively
regulate these superplatforms. Moreover, the technical capability to do so is non-existent, as the
self-learning algorithms are currently several steps ahead of the people who designed them, let
alone the authorities. The hypothesis of this thesis is therefore confirmed.
Currently the only thing the authorities can do is to wait for the technology to develop, and to count
on the superplatforms doing the right thing. It is a dismal position to be in, as the IoT and the digital
butler are going to raise the intrusiveness of big data collection into new spheres.
VII
List of Literature
Agerholm H., Student protesters campaigning for safe spaces 'block white students' at
Berkeley university, Independent, 27.10.2016,
http://www.independent.co.uk/news/world/americas/student-protesters-campaigning-safe-
spaces-block-white-students-from-attending-classes-racism-a7383676.html , accessed:
27.04.17.
Ahmed N., How the CIA Made Google, InsurgeIntelligence, 22.01.2015,
https://medium.com/insurge-intelligence/how-the-cia-made-google-e836451a959e ,
accessed: 27.04.17.
Ahmed N., Why Google Made the NSA, InsurgeIntelligence, 22.01.2015,
https://medium.com/insurge-intelligence/why-google-made-the-nsa-2a80584c9c1, accessed:
27.04.17.
Birch K., Market vs. contract? The implications of contractual theories of corporate
governance to the analysis of neoliberalism, Ephemera, February 2016, vol. 16(1),
http://www.ephemerajournal.org/sites/default/files/pdfs/issue/16-1ephemera-feb16.pdf ,
accessed: 27.04.17.
Brownsword R., Rules of Law, the Rule of Law, and Technological Management (speech),
ACELG annual conference, 04.11.2016.
Bundeskartellamt, Bundeskartellamt initiates proceeding against Facebook on suspicion of
having abused its market power by infringing data protection rules, 02.03.2016,
http://www.bundeskartellamt.de/SharedDocs/Meldung/EN/Pressemitteilungen/2016/02_03_
2016_Facebook.html , accessed: 27.04.17.
Center for Democracy & Technology, Comments for November 2015 Workshop on Cross-
Device Tracking, 16.10.2015, https://cdt.org/files/2015/10/10.16.15-CDT-Cross-Device-
Comments.pdf , accessed: 28.04.17.
Dayen D., The Android Administration, The Intercept, 22.04.2016,
https://theintercept.com/2016/04/22/googles-remarkably-close-relationship-with-the-obama-
white-house-in-two-charts/ , accessed: 27.04.17.
El-Bermawy M.M., Your Filter Bubble Is Destroying Democracy, Wired, 18.11.2016,
https://www.wired.com/2016/11/filter-bubble-destroying-democracy/ , accessed: 27.04.17.
Epstein R. and Robertson R.E., The search engine manipulation effect (SEME) and its
possible impact on the outcomes of elections, PNAS, 18.08.2015, vol. 112 no. 33,
http://www.pnas.org/content/112/33/E4512.full , accessed: 27.04.17.
VIII
European Data Protection Supervisor, Privacy and Competitiveness in the Age of Big Data:
The Interplay Between Data Protection, Competition Law, and Consumer Protection in the
Digital Economy, Preliminary Opinion, 26.03.2014,
https://edps.europa.eu/sites/edp/files/publication/14-03-
26_competitition_law_big_data_en.pdf , accessed: 26.04.17.
European Data Protection Supervisor, Towards a New Digital Ethics: Data, Dignity and
Technology: Opinion 4/2015, 11.09.2015,
https://edps.europa.eu/sites/edp/files/publication/15-09-11_data_ethics_en.pdf , accessed:
26.04.17.
European Commission, Antitrust: Commission sends Statement of Objections to Google on
Android operating system and applications, 20.04.2016, http://europa.eu/rapid/press-
release_IP-16-1492_en.htm , accessed: 26.04.17.
European Commission, Antitrust: Commission takes further steps in investigations alleging
Google's comparison shopping and advertising-related practices breach EU rules,
14.07.2016, http://europa.eu/rapid/press-release_IP-16-2532_en.htm , accessed: 27.04.17.
EU Network of Independent Experts on Fundamental Rights, Commentary of the Charter of
Fundamental Rights of the European Union, 2006, http://ec.europa.eu/justice/fundamental-
rights/files/networkcommentaryfinal_en.pdf , accessed: 27.06.17.
Evans D., The Internet of Everything: How More Relevant and Valuable Connections Will
Change the World, 2012, https://www.cisco.com/web/about/ac79/docs/innov/IoE.pdf ,
accessed: 26.04.17.
Ezrachi A. and Stucke M.E., Virtual Competition: The Promise and Perils of the Algorithm-
Driven Economy, Harvard University Press, 14.11.2016.
Fiegerman S., Facebook to Buy WhatsApp for $16 Billion, Mashable, 19.02.2014,
http://mashable.com/2014/02/19/facebook-whatsapp/#P_swPcbOyiqk , accessed: 27.04.17.
Flynn M., The Trouble with Trigger Warnings, The Huffington Post, 22.12.2016,
http://www.huffingtonpost.com/greater-good-science-center/the-trouble-with-
trigger_b_13801784.html , accessed: 27.04.17.
Gartner, Gartner Says 4.9 Billion Connected "Things" Will Be in Use in 2015, 11.11.2014,
http://www.gartner.com/newsroom/id/2905717 , accessed: 26.04.17.
Gebicka A. and Heinemann A., Social Media & Competition Law, World Competition,
2014/2, volume 37.
IX
Gilbert D., Safe Harbor 2.0: Max Schrems Calls ‘Privacy Shield’ National Security
Loopholes ‘Lipstick On A Pig’, International Business Times, 29.02.2016,
http://www.ibtimes.com/safe-harbor-20-max-schrems-calls-privacy-shield-national-security-
loopholes-lipstick-2327277 , accessed: 27.04.17.
Google Transparency Report, European privacy requests for search removals,
https://www.google.com/transparencyreport/removals/europeprivacy/?hl=en , accessed:
27.04.17.
Greenwald G. and MacAskill E., NSA Prism program taps in to user data of Apple, Google
and others, The Guardian, 07.06.2013, https://www.theguardian.com/world/2013/jun/06/us-
tech-giants-nsa-data, accessed: 27.04.17.
Hijmans H., The European Union as a constitutional guardian of internet privacy and data
protection: The Story of Article 16 TFEU, Springer, 2016.
Howarth B., How Tesco's Loyalty Card Transformed Customer Data Tracking, CMO,
21.05.2015, http://www.cmo.com.au/article/575497/how-tesco-loyalty-card-transformed-
customer-data-tracking/ , accessed: 26.04.17.
IDC, Smartphone OS Market Share, 2016 Q3, http://www.idc.com/promo/smartphone-
market-share/os , accessed: 26.04.17.
Koukouvis K., Cubero R.A. and Pelliccione P., A/B Testing in E-commerce Sales
Processes, In: Crnkovic I., Troubitsyna E., Software Engineering for Resilient Systems.
SERENE 2016, Springer, 26.08.2016, Lecture Notes in Computer Science, vol. 9823,
https://link-springer-com.proxy.uba.uva.nl:2443/chapter/10.1007%2F978-3-319-45892-
2_10 , accessed: 27.04.17.
Kramer A.D.I., Guillory J.E. and Hancock J.T., Experimental evidence of massive-scale
emotional contagion through social networks, PNAS, 17.06.2014, vol. 11 no. 24,
http://www.pnas.org/content/111/24/8788.full , accessed: 27.04.17.
Lianos I. and Motchenkova E., Market Dominance and Search Quality in the Search Engine
Market’, 9(2) Journal of Competition Law & Econonomics, 17.04.2013, (2013) 9 (2).
Lohr S., Google’s Nest to Acquire Dropcam for $555 Million, New York Times,
20.06.2014, http://bits.blogs.nytimes.com/2014/06/20/googles-nest-to-acquire-dropcam-for-
555-million/ , accessed: 26.04.17.
McKenzie D., Update: Why this week’s man-versus-machine Go match doesn’t matter (and
what does), Science, 15.03.2016,
X
http://www.sciencemag.org.proxy.uba.uva.nl:2048/news/2016/03/update-why-week-s-man-
versus-machine-go-match-doesn-t-matter-and-what-does , accessed: 28.04.17.
Merriam Webster online dictionary, “Data”, https://www.merriam-
webster.com/dictionary/data , accessed: 26.04.17.
Mitchell A., Gottfried J. and Matsa K.E., Facebook Top Source for Political News Among
Millennials, Pew Research Center, 01.06.2015,
http://www.journalism.org/2015/06/01/facebook-top-source-for-political-news-among-
millennials/ , accessed: 27.04.17.
Moravcik M., et. al., DeepStack: Expert-Level Artificial Intelligence in Heads-Up No-Limit
Poker, Science, 02.03.2017, vol. 355, issue 6328,
http://science.sciencemag.org.proxy.uba.uva.nl:2048/content/early/2017/03/01/science.aam6
960.full , accessed: 28.04.17.
Muoio P., Auction.com Launches Real Estate’s First “Nowcast”, 30.10.2015,
https://www.auction.com/blog/auction-com-launches-real-estates-first-nowcast/ , accessed:
26.04.17.
Newman N., The Costs of Lost Privacy: Consumer Harm and Rising Economic Inequality in
the Age of Google, William Mitchell Law Review, 2014, vol. 40, issue 2,
http://open.mitchellhamline.edu/cgi/viewcontent.cgi?article=1568&context=wmlr ,
accessed: 28.04.17.
Newman N., Taking on Google’s Monopoly Means Regulating Its Control of User Data,
The Huffington Post, 24.09.2013, http://www.huffingtonpost.com/nathan-newman/taking-
on-googles-monopol_b_3980799.html , accessed: 26.04.17.
Ocello E., Sjödin C. and Subočs A., ‘What’s Up with Merger Control in the Digital Sector?
Lessons from the Facebook/WhatsApp EU Merger Case’, Competition Merger Brief,
February 2015, 1/2015,
http://ec.europa.eu/competition/publications/cmb/2015/cmb2015_001_en.pdf , accessed:
26.04.17.
OECD, Big Data: Bringing Competition Policy to The Digital Era: Background Note by the
Secretariat, 29.11.2016, https://one.oecd.org/document/DAF/COMP(2016)14/en/pdf ,
accessed: 26.04.17.
OECD, Data-driven Innovation for Growth and Well-being: Interim Synthesis Report,
October 2014, http://www.oecd.org/sti/inno/data-driven-innovation-interim-synthesis.pdf ,
accessed: 26.04.17.
XI
Roberts D., Alphabet drops Google’s famous ‘Don’t Be Evil’ motto, Fortune, 05.10.2015,
http://fortune.com/2015/10/05/alphabet-google-evil/ , accessed: 27.04.17.
Rubinfeld D.L., Access barriers to Big Data, Arizona Law Review, 08.04.2017, vol. 59,
issue 339, http://arizonalawreview.org/pdf/59-2/59arizlrev339.pdf , accessed: 28.04.17.
Schneier B., Data and Goliath: The Hidden Battles to Collect Your Data and Control Your
World, W. W. Norton & Company, 02.03.2015.
Stucke M.E. and Grunes A.P., Big Data and Competition Policy, Oxford University Press,
02.08.2016.
StatCounter, Mobile and Tablet Internet Usage Exceeds Desktop For First Time Worldwide,
01.11.2016, http://gs.statcounter.com/press/mobile-and-tablet-internet-usage-exceeds-
desktop-for-first-time-worldwide , accessed: 26.04.17.
Teubner G., Dilemmas of Law in the Welfare State, Walter de Gruyten & Co., 1988, series
A.
The Autorité de la Concurrence and the Bundeskartellamt, Competition Law and Data,
10.05.2016.
http://www.bundeskartellamt.de/SharedDocs/Publikation/DE/Berichte/Big%20Data%20Pap
ier.pdf;jsessionid=3049D2DA2F7B6B0F521558DABC9FEFC3.1_cid387?__blob=publicati
onFile&v=2 , accessed: 26.04.17.
Thielman S., Facebook fires trending team, and algorithm without humans goes crazy, The
Guardian, 29.08.2016, https://www.theguardian.com/technology/2016/aug/29/facebook-
fires-trending-topics-team-algorithm , accessed: 27.04.17.
The United States Department of Justice, Justice Department and Bazaarvoice Inc. Agree on
Remedy to Address Bazaarvoice’s Illegal Acquisition of PowerReviews, 24.04.2014,
https://www.justice.gov/opa/pr/justice-department-and-bazaarvoice-inc-agree-remedy-
address-bazaarvoice-s-illegal-acquisition , accessed: 27.04.17.
United States Federal Trade Commission, Big Data: A Tool for Inclusion or Exclusion?,
January 2016, https://www.ftc.gov/system/files/documents/reports/big-data-tool-inclusion-
or-exclusion-understanding-issues/160106big-data-rpt.pdf , accessed: 27.04.17.
United States Federal trade Commission, Report re Google Inc., 08.08.2012,
https://graphics.wsj.com/google-ftc-report/img/ftc-ocr-watermark.pdf , accessed: 26.04.17.
United States Securities and Exchange Commission, Form 10-K Facebook, Inc., 31.12.2014,
https://www.sec.gov/Archives/edgar/data/1326801/000132680115000006/fb-
12312014x10k.htm , accessed: 26.04.17.
XII
United States Securities and Exchange Commission, Form S-1 Registration Statement
Under The Securities Act Of 1933 The Rubicon Project, Inc., 04.02.2014,
https://www.sec.gov/Archives/edgar/data/1595974/000119312514034389/d652651ds1.htm ,
accessed: 26.04.17.
Vestager M., Algorithms and Competition, 16.03.2017,
https://ec.europa.eu/commission/commissioners/2014-
2019/vestager/announcements/bundeskartellamt-18th-conference-competition-berlin-16-
march-2017_en , accessed: 27.04.17.
VPRO, What Makes You Klick (documentary),
https://www.vpro.nl/programmas/tegenlicht/kijk/afleveringen/2016-2017/what-makes-you-
click.html , accessed: 27.04.17.
Walker K., Android: Choice at every turn, 10.11.2016, https://blog.google/topics/google-
europe/android-choice-competition-response-europe/ , accessed: 27.04.17.
Zuboff S., Big other: surveillance capitalism and the prospects of an information
civilization, Journal of Information Technology, March 2015 vol. 30(1),
https://poseidon01.ssrn.com/delivery.php?ID=9440030310171231110740070900930980990
00056068039003000127072098072070123091006095118102007096001105013006094077
11612602409208801301900502602012706500109102312000708007807110101910411300
1025022117007024066024088120089029121125108005114091102074089&EXT=pdf ,
accessed: 27.04.17.
Zuboff S., Google as a Fortune Teller: The Secrets of Surveillance Capitalism, Frankfurter
Allgemeine Feuilleton, 05.03.2016, http://www.faz.net/aktuell/feuilleton/debatten/the-
digital-debate/shoshana-zuboff-secrets-of-surveillance-capitalism-14103616.html , accessed:
26.04.17.
XIII
Cases
Court of First Instance, C-T-30/89, Hilti v Commission, 12 December 1991,
ECLI:EU:T:1991:70.
Court of First Instance, T-83/91, Tetra Pak International v Commission (Tetra Pak II), 6
October 1994, ECLI:EU:T:1994:246.
Court of First Instance, Case T-201/04, Microsoft Corp v Commission of the European
Communities, 17 September 2007, ECR II-3601.
ECJ, C-40/73, Joined cases Coöperatieve Vereniging "Suiker Unie" UA and others v
Commission of the European Communities, 16 December 1975, ECLI:EU:C:1975:174.
ECJ, C-27/76 United Brands v Commission, 14 February 1978, ECLI:EU:C:1978:22.
ECJ, C-311/84 Centre Belge d'études de marché — Télémarketing (CBEM) v Compagnie
luxembourgeoise de télédiffusion (CLT) and Information publicité Benelux (IPB), 3 October
1985, ECLI:EU:C:1985:394.
ECJ, C-288/89, Stichting Collectieve Antennevoorziening Gouda and others v
Commissariaat voor de Media, 25 July 1991, EU:C:1991:323.
ECJ, C-7/97, Oscar Bronner GmbH & Co. KG, 26 November 1998, ECLI:EU:C:1998:569.
ECJ, C-418/01, IMS Health GmbH & Co. OHG, 29 April 2004, ECLI:EU:C:2004:257.
ECJ, C-238/05, Asnef-Equifax, Servicios de Información sobre Solvencia y Crédito, SL,
Administración del Estado v Asociación de Usuarios de Servicios Bancarios (Ausbanc), 23
November 2006, ECLI:EU:C:2006:734.
ECJ, C-95/04 P, British Airways v Commission, 15 March 2007, ECLI:EU:C:2007:166.
ECJ, C-131/12, Google Spain SL, Google Inc. v Agencia Española de Protección de Datos
(AEPD), Mario Costeja González, 13 May 2014, ECLI:EU:C:2014:317.
ECtHR, Lingens v. Austria, Application Number 9815/82, judgment of 08.07.1986, Ser. A,
No. 103.
ECtHR, Markt Intern Verlag GmbH and Klaus Beermann v. Germany, Application Number
10572/83, 20.11.1989, Ser. A, No. 165.
ECtHR, Oberschlick v. Austria, Application Number 11662/85, 23.05.1991, Ser. A, No.
204.
XIV
Legislation
Charter of Fundamental Rights of the European Union, Official Journal of the European
Communities, 18.12.2000, C 364.
Commission of the European Communities, Commission Decision of 24.03.2004 relating to
a proceeding under Article 82 of the EC Treaty (Case COMP/C-3/37.792 Microsoft),
21.04.2004.
Communication from the Commission to the European Parliament, the Council, the
European Economic and Social Committee and The Committee of the Regions: Internet
Policy and Governance Europe's role in shaping the future of Internet Governance,
12.02.2014, http://eur-lex.europa.eu/legal-
content/EN/TXT/PDF/?uri=CELEX:52014DC0072&from=EN , accessed: 27.04.17.
Convention for the Protection of Human Rights and Fundamental Freedoms, 01.06.2010.
Council Regulation (EC) No 139/2004 of 20 January 2004 on the control of concentrations
between undertakings (the EC Merger Regulation), Brussels.
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on
the protection of individuals with regard to the processing of personal data and on the free
movement of such data, Luxembourg.
European Commission, Case No COMP/M.7023 – PUBLICIS / OMNICOM Commission
decision pursuant to Article 6(1)(b) of Council Regulation No 139/2004, 09.01.2014,
http://ec.europa.eu/competition/mergers/cases/decisions/m7023_20140109_20310_3566669
_EN.pdf , accessed: 26.04.17.
European Commission, Case No COMP/M.7217 - FACEBOOK/ WHATSAPP, 03.10.2014,
http://ec.europa.eu/competition/mergers/cases/decisions/m7217_20141003_20310_3962132
_EN.pdf , accessed: 27.04.17.
European Commission, Communication from the Commission — Guidance on the
Commission's enforcement priorities in applying Article 82 of the EC Treaty to abusive
exclusionary conduct by dominant undertakings, Official Journal of the European
Communities, C 45, 24.02.2009.
Proposal for a Regulation of the European Parliament and of The Council on the protection
of individuals with regard to the processing of personal data and on the free movement of
such data (General Data Protection Regulation), Brussels, 25.01.2012.
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
on the protection of natural persons with regard to the processing of personal data and on the