Master's Thesis - UvA Scripties

Universiteit van Amsterdam

Summer Semester 2017

Master’s Thesis

International and European Law: European Union Law (LLM track)

Superplatforms, Fundamental Rights and the Regulatory Trilemma: To Regulate Or Not to

Regulate?

by

Nuutti Tanner

25.07.2017

1st supervisor: Prof. Dr. Christina Eckes

Faculty of Law, European Law

2nd

supervisor: Dr. Katalin Cseres

Faculty of Law, European Law

II

Table of Contents

ABSTRACT .................................................................................................................................................................. IV

LIST OF ABBREVIATIONS ............................................................................................................................................ VI

1. INTRODUCTION ...................................................................................................................................................... 1

2. SURVEILLANCE CAPITALISM AND THE PHENOMENA CREATED BY IT ....................................................................... 2

2.1 RISE OF SURVEILLANCE CAPITALISM ............................................................................................................................... 3

2.2 BIG DATA AND BIG ANALYTICS .......................................................................................................................................... 3

2.3 THE ROLE OF NETWORK EFFECTS ....................................................................................................................................... 5

2.3.1 Network effects of scale ................................................................................................................................... 6

2.3.2 Network effects of scope .................................................................................................................................. 6

2.4 SOURCES OF DATA AND THE RISE OF “SUPERPLATFORMS” ...................................................................................................... 7

2.5 CONCENTRATION OF DATA .............................................................................................................................................. 9

3. PROBLEMS CREATED BY SURVEILLANCE CAPITALISM AND AVENUES TO SOLVE THESE PROBLEMS......................... 9

3.1 REGULATORY TRILEMMA ............................................................................................................................................... 12

3.2 ENFORCEMENT THROUGH DATA PROTECTION LAW ............................................................................................................. 13

3.2.1 Stricter conditions for consent ........................................................................................................................ 14

3.2.2 Privacy policies ............................................................................................................................................... 14

3.2.3 The right to be forgotten ................................................................................................................................ 15

3.2.4 Data portability .............................................................................................................................................. 15

3.2.5 Right to object to marketing and profiling ..................................................................................................... 16

3.2.6 Data protection by design and by default ...................................................................................................... 16

3.2.7 The shortcomings of the GDPR ....................................................................................................................... 17

3.3 ENFORCEMENT THROUGH COMPETITION LAW ................................................................................................................... 20

3.3.1 Competences of the competition authorities to deal with data protection issues ......................................... 21

3.3.2 Classic competition abuses, data-driven industry, and the absence of illegality ........................................... 22

3.3.2.1 101 violations .............................................................................................................................................................22

3.3.2.2 102 violations .............................................................................................................................................................23

3.3.2.3 “Frenemy” dynamic ...................................................................................................................................................25

3.4 REFLECTIONS ON THE CURRENT ENFORCEMENT TOOLS AVAILABLE ......................................................................................... 27

4. FUTURE CHALLENGES, THREATS, AND OPTIONS ....................................................................................................28

4.1 EFFICIENCIES CREATED FOR INDIVIDUAL USERS ................................................................................................................... 28

4.2 EFFICIENCIES CREATED FOR GOVERNMENTS ...................................................................................................................... 29

4.3 INTERNET OF THINGS ................................................................................................................................................... 30

4.4 DIGITAL BUTLER .......................................................................................................................................................... 31

4.5 INABILITY TO INTERVENE ............................................................................................................................................... 32

III

4.6 REFLECTIONS AND FUTURE IMPLICATIONS ......................................................................................................................... 33

5. CONCLUSION .........................................................................................................................................................35

LIST OF LITERATURE .................................................................................................................................................. VII

CASES ...................................................................................................................................................................... XIII

LEGISLATION ............................................................................................................................................................ XIV

IV

Abstract

Data has changed the world we live in. Data-driven superplatforms such as Google, Facebook, and

Apple rule today’s economy and are therefore in an unprecedented position to alter the way people

view the world, as they have effectively become the gateway and the gatekeepers to the internet.

This raises serious concerns over people’s freedom of expression and information – a fundamental

right under the primary law of the EU – and thus a critical study of EU’s capabilities to curtail the

concentration of data to the hands of the few is essential.

Since the contemporary EU legislative framework has yet to effectively regulate these

superplatforms and their actions, an evaluative research methodology was chosen to conduct this

study. The study criticizes the shortcomings of the current legislative framework and discusses the

practical obstacles barring effective enforcement, whilst also offering recommendations concerning

the potential future course of action to be taken in this pressing matter. Since data-driven business

overarches all fields of life, these matters are discussed at the intersection of law, technology,

politics, behavioral psychology, and economics.

The research question of this thesis is two-dimensional: First, whether there are basis to regulate

the practices of the superplatforms and which legislative framework would be the best to do so; and

second, whether there is political will and technical capability to do so to begin with.

To answer the first half of the research question, it has to be concluded that despite the clear

demand for regulation, the current enforcement tools at the disposal of the EU data protection and

competition authorities are inadequate to effectively regulate the platforms. These tools are either

ineffective, failing to alter the behavior of the regulated entities, or over-regulating, killing the

incentive to innovate.

To achieve effective regulation, it is recommended that data protection and competition law

authorities cooperate in order to stop the concentration of data into the hands of the few extremely

powerful superplatforms. First this would happen through competition authorities’ recognition of

data as a source of market power and the exercise of effective, data-orientated merger control, and

second, through the realization that the efficiencies created by the actions of the superplatforms are

easily refuted by the negative effects they impose on the society, as they hamper people’s freedom of

expression and information.

Second half of the research question can be answered by stating that due to the efficiencies created

by the superplatforms for the people and governments alike, there is no political will to effectively

V

regulate these superplatforms. Moreover, the technical capability to do so is non-existent, as the

self-learning algorithms are currently several steps ahead of the people who designed them, let

alone the authorities.

Currently the only thing the authorities can do is to wait for the technology to develop, and to count

on the superplatforms doing the right thing. It is a dismal position to be in, as the IoT and the

digital butler are going to raise the intrusiveness of big data collection into new spheres.

VI

List of abbreviations

Charter Charter of Fundamental Rights of the European Union

CJEU Court of Justice of the European Union

ECHR European Convention of Human Rights

ECtHR European Court of Human Rights

ECJ European Court of Justice

EU European Union

GDPR General Data Protection Regulation

IoT Internet of Things

SEME Search Engine Manipulation Effect

TFEU Treaty on the Functioning of the European Union

1

1. Introduction

Today people of the world face a threat they have never faced before. This threat is not something

external, but instead rises from our own creation. This threat is data, and it has changed our reality

forever.

Data-driven superplatforms such as Google, Facebook and Apple rule today’s economy. They have

won over their respective markets due to the data-advantage and the subsequent network effects

they have created, and are running away from the rest of the competition. Aided with the ever-

growing amount of big data at their disposal through the constant acquisitions of smaller businesses

in the field of the Internet of Things, these undertakings are concentrating world’s data into the

hands of the few.

Data leads to knowledge, and knowledge is power. Therefore the superplatforms are in an

unprecedented position to alter the way people view the world, as they have effectively become the

gateway and the gatekeepers to the internet. This raises serious concerns over people’s freedom of

expression and information – a fundamental right under the primary law of the EU – and thus a

critical study of EU’s capabilities to curtail the concentration of data to the hands of the few is

essential.

Since the contemporary EU legislative framework has yet to effectively regulate these

superplatforms and their actions, an evaluative research methodology was chosen to conduct this

study. The study criticizes the shortcomings of the current legislative framework and discusses the

practical obstacles barring effective enforcement, whilst also offering recommendations concerning

the potential future course of action to be taken in this pressing matter. Since data-driven business

overarches all fields of life, these matters are discussed at the intersection of law, technology,

politics, behavioral psychology, and economics.

The research question of this thesis is: Can the superplatforms’ business practices based around big

data and big analytics be curtailed in order to protect people’s freedom of expression and

information? This question is two-dimensional; first, are there basis to restrain these practices in

order to protect people’s freedom of expression and information, and what would be the right and

the most effective avenue to do so?1 And second, is it already too late for effective intervention due

1 Here the “right” avenue refers to the rules which in theory ought to solve the problem at hand as they were designed

precisely for that purpose, these namely being the EU data protection rules.

2

to the efficiencies created by these platforms, and the lack of political will and technical capabilities

to do so?

The thesis is outlined in the following manner: Chapter 2 provides the key insight to the world of

surveillance capitalism, big data, big analytics and network effects, and the inspiration for this study

– the concentration of data into the hands of the few. Chapter 3 describes and criticizes the

contemporary legislative framework of the EU from the points of view of data protection and

competition law respectively, and answers the first half of the research question. Chapter 4 will

conclude the thesis by analyzing the causes for the absence of effective regulation, by looking ahead

for the future challenges and threats faced by the enforcement authorities, and by answering the

second half of the research question.

The hypothesis of the thesis is that the best route to effective regulation involves tight cooperation

between EU’s data protection and competition law authorities in the form of renewed approach to

data as a source of market power. This involves halting the concentration of data into the hands of

the few via effective data-orientated merger control, and acknowledgement of the fact that the

efficiencies created by the superplatforms are easily outweighed by the harm they cause to the

society by hampering people’s freedom of expression and information. That said, at the moment

governments’ and people’s dependence on these superplatforms combined with the lack of technical

capability to foster algorithm accountability, makes effective enforcement impossible, leaving us to

the mercy of the superplatforms.

2. Surveillance capitalism and the phenomena created by it

This chapter is going to analyze the developments and phenomena that have changed – and will

continue to change – the world we live in. Understanding the immense magnitude of these changes

is paramount in order to affect a meaningful change at the legislative level. Surveillance capitalists,

armed with big data, big analytics and network effects – and the trends created by these entities –

are the talk of this chapter.

3

2.1 Rise of surveillance capitalism

Gone are the days when the world of business was ruled by raw material monopolies or traders at

the stock exchange.2 Today, this world is ruled by data and the undertakings in the position to

collect and utilize it on a large scale.3 As will be explained later on in this chapter, this world is

dominated by a handful of immensely powerful online platforms, which have risen to this position

with the help of network effects.4 Indeed, in every field of data-driven business, one dominant

undertaking seems to have taken hold of the market. These undertakings include Google in the

search engine market, Facebook in the social networking market, Amazon in the online shopping

market, and Google and Apple in the mobile operating system market.5

These undertakings and their business models are based around two-sided markets, where

individuals provide data for the platform through search queries, social media activities and

numerous other ways6, and the advertisers interested in this data then pay for the platform for this

data, as well as for the advertisement space on the platform.7 This targeted advertising is the key

concept in order to understand the immense power wielded by these platforms. Any other form of

advertising has become obsolete, since being able to direct one’s advertisements to the exact

demographics – or even individuals – who are interested in the product saves large amounts of

money.8 This on the other hand incentivizes these dominant platforms to advance their data

collection techniques even further. The next subchapter discusses the role big data and big analytics

play in this context.

2.2 Big data and big analytics

Data is defined as “factual information (as measurements or statistics) used as a basis for

reasoning, discussion, or calculation”.9 From this definition it is easy to infer that data can be

immensely useful for advertisers when targeting their customers. Data has been used rather

2 Zuboff S., Google as a Fortune Teller: The Secrets of Surveillance Capitalism, Frankfurter Allgemeine Feuilleton,

05.03.2016, http://www.faz.net/aktuell/feuilleton/debatten/the-digital-debate/shoshana-zuboff-secrets-of-surveillance-

capitalism-14103616.html ,accessed-26.04.17. 3 Ibid.

4 See chapter 2.3,pp.5-6.

5 Ezrachi A.,Stucke M.E., Virtual Competition: The Promise and Perils of the Algorithm-Driven Economy, Harvard

University Press, 14.11.2016,pp.148-149. 6 See chapter 2.4,pp.7-8.

7 The Autorité de la Concurrence and the Bundeskartellamt, Competition Law and Data, 10.05.2016,pp.10-11,

http://www.bundeskartellamt.de/SharedDocs/Publikation/DE/Berichte/Big%20Data%20Papier.pdf;jsessionid=3049D2

DA2F7B6B0F521558DABC9FEFC3.1_cid387?__blob=publicationFile&v=2 ,accessed-26.04.17. 8 Ibid.,pp.10-11.

9 Merriam Webster online dictionary, “Data”, https://www.merriam-webster.com/dictionary/data ,accessed-26.04.17.

4

effectively for this purpose way before the era of the internet and surveillance capitalism10

, but the

emergence of big data and big analytics have been a game-changer for the industry.11

Big data is defined by the leading authors in the field as the emergence of the “four V’s”12

; these

four V’s stand for volume, velocity, variety, and value of data13

, and are discussed in turn below.

Volume of data refers to the sheer amount of data that can be collected today from individuals as

they operate online.14

This volume has skyrocketed in recent years15

, as the access to the internet is

available to more and more people, and the usage is increasingly moving to mobile devices.16

Velocity refers to the speed at which the data can be processed and utilized by the platforms

collecting it.17

It is noted that the leading undertakings in the data-driven industries are now capable

to “nowcast” events happening at the present moment.18

This grants them an immense advantage

over their competitors, as they can help people to avoid traffic jams, or maybe let an advertiser

know that a consumer is currently searching for a restaurant in their neighborhood.19

These

examples clearly demonstrate that as mobile has become the most popular way to browse the

internet20

, time is of the essence.

Even more important than the first two V’s, is the variety of data collected by the platforms.21

Increasingly large portion of our daily activities is connected to the internet22

, which gives the

platforms – and therefore advertisers – little pieces of information of our daily habits, enabling them

to piece together a puzzle of ourselves, and creating a consumer profile that even us ourselves are

not aware of.23

10

The Autorité de la Concurrence and the Bundeskartellamt.,pp.8-9. 11

Ibid.,p.9. 12

Stucke M.E.,Grunes A.P., Big Data and Competition Policy, Oxford University Press, 02.08.2016. 13

Ibid.,p.43. 14

Ibid.,pp.43-44. 15

OECD, Big Data: Bringing Competition Policy to The Digital Era: Background Note by the Secretariat,

29.11.2016,pp.5-6, https://one.oecd.org/document/DAF/COMP(2016)14/en/pdf ,accessed-26.04.17. 16

Ibid. 17

Stucke M.E.,Grunes A.P.,pp.44-46. 18

OECD, Data-driven Innovation for Growth and Well-being: Interim Synthesis Report, October 2014,p.11,

http://www.oecd.org/sti/inno/data-driven-innovation-interim-synthesis.pdf ,accessed-26.04.17. 19

Stucke M.E.,Grunes A.P.,p.45; Muoio P., Auction.com Launches Real Estate’s First “Nowcast”, 30.10.2015,

https://www.auction.com/blog/auction-com-launches-real-estates-first-nowcast/ ,accessed-26.04.17. 20

StatCounter, Mobile and Tablet Internet Usage Exceeds Desktop For First Time Worldwide, 01.11.2016,

http://gs.statcounter.com/press/mobile-and-tablet-internet-usage-exceeds-desktop-for-first-time-worldwide ,accessed-

26.04.17. 21


See chapter 2.4,pp.7-8. 23

Howarth B., How Tesco's Loyalty Card Transformed Customer Data Tracking, CMO, 21.05.2015,

http://www.cmo.com.au/article/575497/how-tesco-loyalty-card-transformed-customer-data-tracking/ ,accessed-

26.04.17.

5

The fourth V is the value of the data, which is simultaneously the cause and the consequence of the

rapid growth of the first three V’s.24

To be able to extract value from all the data collected from

various sources, the data must be aggregated and analyzed. This process is also known as big

analytics.25

At the center of big analytics are the self-learning algorithms processing the data.26

The

more data these algorithms receive and process, the more they learn, further enhancing their ability

to nowcast and improve themselves.27

This is where network effects come to play.

2.3 The role of network effects

Essentially, network effect refers to the phenomenon where the product’s value rises as more people

start using it.28

In the data-driven industries the network effects, too, are data-driven and therefore

more numerous than in the classic “brick and mortar” industries.

Two traditional types of network effects that can be generated in any industry are the direct network

effect and the indirect network effect.29

A Classic example of the former is the telephone, which

grants more value to every old user as new users join the network.30

Indirect network effect on the

other hand is formed when a two-sided market concentrates towards one platform; a classic

example of this is a gaming console having a lot of popular games, which attracts more players,

hence incentivizing game development on that particular console, and so on.31

In this case, it is

common for the market to “tip” to the favor of the prevailing competitor, effectively closing out

possible competition.32

24

OECD(2016),p.6. 25

European Commission, Case No COMP/M.7023 – PUBLICIS / OMNICOM Commission decision pursuant to

Article 6(1)(b) of Council Regulation No 139/2004, 09.01.2014,para.617,

http://ec.europa.eu/competition/mergers/cases/decisions/m7023_20140109_20310_3566669_EN.pdf ,accessed-

26.04.17. 26

European Data Protection Supervisor, Towards a New Digital Ethics: Data, Dignity and Technology: Opinion

4/2015, 11.09.2015,p.9. https://edps.europa.eu/sites/edp/files/publication/15-09-11_data_ethics_en.pdf ,accessed-

26.04.17. 27

United States Securities and Exchange Commission, Form S-1 Registration Statement Under The Securities Act Of

1933 The Rubicon Project, Inc., 04.02.2014,pp.4,6-7,

https://www.sec.gov/Archives/edgar/data/1595974/000119312514034389/d652651ds1.htm ,accessed-26.04.17. 28

OECD(2016),pp.9-11. 29

Stucke M.E.,Grunes A.P.,p.242. 30

Ibid.,p.242. 31

Court of First Instance, Case T-201/04, Microsoft Corp v Commission of the European Communities, 17 September

2007, ECR II-3601,para.1061; Commission of the European Communities, Commission Decision of 24.03.2004

relating to a proceeding under Article 82 of the EC Treaty (Case COMP/C-3/37.792 Microsoft), 21.04.2004,para.449. 32

Ocello E.,Sjödin C.,Subočs A., ‘What’s Up with Merger Control in the Digital Sector? Lessons from the

Facebook/WhatsApp EU Merger Case’, Competition Merger Brief, February 2015, 1/2015,pp.3-4,

http://ec.europa.eu/competition/publications/cmb/2015/cmb2015_001_en.pdf ,accessed-26.04.17.

6

These traditional network effects exhibit themselves in the data-driven industries as well; Facebook

is a quintessence of the direct network effect, while it and many others – like Google and Apple –

draw in both users and developers with their app stores, creating an indirect network effect.33

While

powerful, these two network effects pale when compared to data-driven network effects of scale

and scope.

2.3.1 Network effects of scale

Network effect of scale is created when the vast volume of data allows the self-learning algorithms

to evolve, all the while creating concretely better product.34

For instance, Google’s search engine

develops with every search query it receives, further attracting even more users towards Google

instead of its competitors due to the more accurate search results.35

Naturally the growing amount of

users also attracts more advertisers to the other side of the platform, which allows Google to further

invest in improving its algorithms. This creates a positive feedback loop on both sides of the

market.36

Here the tipping of the market is even more likely than with the traditional network

effects illustrated above, so for undertakings wishing to compete in these data-driven industries,

achieving a critical mass of users becomes a necessity.37

At certain point the returns to scale start to diminish as the search engine already has such an

immense volume of data to work with.38

In other words, few extra users will not contribute much

when compared to the billions of search queries already being placed every day.39

At this point

network effect of scope becomes important.

2.3.2 Network effects of scope

As mentioned above, out of the four V’s of big data, variety is the most important.40

Data harvested

from numerous sources helps the algorithm to “finish the puzzle”, further contributing to the

33

Ezrachi A.,Stucke M.E.,pp.149-150. 34

OECD(2014),p.29. 35

Ibid. 36

OECD(2016),p.10. 37

Ibid.,p.29. 38

United States Federal trade Commission, Report re Google Inc., 08.08.2012,p.124, https://graphics.wsj.com/google-

ftc-report/img/ftc-ocr-watermark.pdf ,accessed-26.04.17. 39


Ibid.,pp.46-47.

7

creation of the positive feedback loop on both sides of the market.41

The next subchapter will take a

closer look at these sources of data.

2.4 Sources of data and the rise of “superplatforms”

Collecting data from the users is relatively straightforward for the data-driven platforms, as their

services are based on the input of the said data by the users themselves.42

Using Google as an

example, it is easy to see how the variety of data sources makes all the difference in the data-driven

business.

Google gets a bulk of its data from search queries through its search engine, which dominates the

search engine markets, especially in the EU.43

Since more than a half of all the internet traffic

already happens through mobile devises44

, it is also important to have that field covered. Google has

done this exceptionally well by becoming dominant in the mobile operating system market with its

Android operating system. Besides iPhones, Android is used by practically all phones being sold

today.45

This gives Google a gigantic edge in data collection, as it can geo-track all its users in real

time46

; this is paramount for nowcasting as discussed above.47

But it does not end here. In fact, we have just begun. Google collects data from every app of every

Android phone, Google maps, its Chrome internet browser, Gmail, and YouTube.4849

Additionally,

Google has made several acquisitions in the field of Internet of Things (IoT)50

, striving to broaden

the variety of its collected data.51

Other search engines can only dream of having such unique

41

Report re Google Inc.,p.124. 42

The Autorité de la Concurrence and the Bundeskartellamt.,pp.6-7. 43

Google holds over 90% market share in the EEA. European Commission, Antitrust: Commission sends Statement of

Objections to Google on Android operating system and applications, 20.04.2016, http://europa.eu/rapid/press-

release_IP-16-1492_en.htm ,accessed-26.04.17. 44

Statcounter. 45

IDC, Smartphone OS Market Share, 2016 Q3, http://www.idc.com/promo/smartphone-market-share/os ,accessed-

26.04.17. 46


Ibid.,p.45. 48

Newman N., Taking on Google’s Monopoly Means Regulating Its Control of User Data, The Huffington Post,

24.09.2013, http://www.huffingtonpost.com/nathan-newman/taking-on-googles-monopol_b_3980799.html ,accessed-

26.04.17. 49

All these are owned by Google. 50

Internet of Things is a network of everyday objects connected to the internet, enabling the devises to improve our

lives and function more effectively. For instance, a refrigerator could send its owner a text, informing her that the

household is running out of milk. European Data Protection Supervisor, Privacy and Competitiveness in the Age of Big

Data: The Interplay Between Data Protection, Competition Law, and Consumer Protection in the Digital Economy,

Preliminary Opinion, 26.03.2014,p.35, https://edps.europa.eu/sites/edp/files/publication/14-03-

26_competitition_law_big_data_en.pdf ,accessed-26.04.17. 51

Lohr S., Google’s Nest to Acquire Dropcam for $555 Million, New York Times, 20.06.2014,

http://bits.blogs.nytimes.com/2014/06/20/googles-nest-to-acquire-dropcam-for-555-million/ ,accessed-26.04.17.

8

datasets at their disposal. Naturally, that dream is not going to materialize, since Google already has

the data-advantage over its competitors and the gap between them is only growing.

Google’s IoT acquisitions are especially alarming, since IoT is projected to grow into a network of

25 billion connected devises by 2020.52

When our everyday objects are sending data about our daily

lives to the superplatforms, they will be able to finish the puzzle.53

The line between our online and

“real” lives is fading rapidly.54

While Google dominates the search engine business, a couple of other remarkable players have

emerged in other sectors of data-driven industry. The most important among these are Apple and

Facebook, which dominate their respective fields of data-driven industry. As with Google, Apple

and Facebook have likewise acquired the data-advantage over their competitors by collecting data

through several means in addition to their “main” field of domination.55

Besides its mobile devises,

safari internet browser and the iOS operating system, Apple controls – and therefore collects data –

through all the apps made for iOS.56

Facebook on the other hand collects data through its social

media platform, Instagram, Facebook Messenger, and WhatsApp.57

These three platforms have

effectively become “superplatforms”, simultaneously benefitting from and supporting the

independent app developers.58

They act as the gateway to the internet for the consumers and as a

gatekeeper for the independent app developers wishing to sell their apps in the major app stores.59

As the superplatforms hold the power to squash any independent competitors as soon as they start

to threaten the superplatform’s own downstream product60

, the best these independent competitors

can wish for is to be acquired by the superplatform for being “too good” to be squashed.61

Unfortunately this concentration of data comes with a heavy price.

52

Gartner, Gartner Says 4.9 Billion Connected "Things" Will Be in Use in 2015, 11.11.2014,

http://www.gartner.com/newsroom/id/2905717 ,accessed-26.04.17. 53

Evans D., The Internet of Everything: How More Relevant and Valuable Connections Will Change the World, 2012,

https://www.cisco.com/web/about/ac79/docs/innov/IoE.pdf ,accessed-26.04.17. 54

Ezrachi A.,Stucke M.E.,p.19. 55



Facebook owns all these social media platforms. 58


Lianos I.,Motchenkova E., Market Dominance and Search Quality in the Search Engine Market’, 9(2) Journal of

Competition Law & Econonomics, 17.04.2013, (2013) 9 (2),pp.419, 422; Ezrachi A.,Stucke M.E.,pp.156. 60

United States Securities and Exchange Commission, Form 10-K Facebook, Inc., 31.12.2014,pp.11,

https://www.sec.gov/Archives/edgar/data/1326801/000132680115000006/fb-12312014x10k.htm ,accessed-26.04.17. 61

This happened with the mapping service Waze, which now contributes to Google’s pursuit to launch a driverless car

service. Stucke M.E.,Grunes A.P.,pp.146-149.

9

2.5 Concentration of data

Our personal data is concentrating into the hands of very few highly powerful players. IoT is

growing larger by the day, multiplying the volume of data, and growing the variety of data

manifold. The superplatforms are waiting, ready the collect, aggregate, analyze, and utilize all of it.

This proposes significant concerns for people in the EU and around the world, as their privacy,

personal data protection, and therefore freedom of expression and information – all recognized as

fundamental rights in the EU62

– are at jeopardy. Chapter 3 will take a closer look at these concerns

and the tools at the disposal for the authorities to deal with these problems.

3. Problems created by surveillance capitalism and avenues to solve these problems

Democratic societies can only function properly when certain degree of privacy and autonomy are

in place.63

Behavior and opinions outside the mainstream line of thought are a key component to the

political and social development of these democracies.64

When these rights are hindered, chilling of

democratic participation is likely to take place due to the prejudices these non-mainstream thinkers

are likely to face.65

This is why strong protection of privacy66

, personal data67

, and freedom of

expression and information68

is guaranteed under the primary law of the EU. For the purposes of

this thesis, the freedom of expression and information is especially relevant. It is defined by the

Charter of Fundamental Right of the European Union in the following manner:

1. “Everyone has the right to freedom of expression. This right shall include freedom to hold

opinions and to receive and impart information and ideas without interference by public

authority and regardless of frontiers.

2. The freedom and pluralism of the media shall be respected.”69

Article 52(3) of the Charter further links all the rights granted by the Charter to the corresponding

ones of the European Convention of Human Rights (ECHR), ensuring that at least the same level of

62

Charter of Fundamental Rights of the European Union, Official Journal of the European Communities, 18.12.2000, C

364,paras.7,8,11. 63

Hijmans H., The European Union as a constitutional guardian of internet privacy and data protection: The Story of

Article 16 TFEU, Springer, 2016,p.32. 64

Ibid.,pp.32-33. 65

Schneier B., Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World, W. W. Norton &

Company, 02.03.2015,pp.95-97. 66

Charter,art.7. 67

Ibid.,art.8. 68

Ibid.,art.11. 69

Ibid.

10

protection is to be guaranteed under the Charter.70

Even though the corresponding article in the

ECHR – article 10 on freedom of expression– is not more elaborate than article 11 of the Charter71

,

the case law of the European Court of Human Rights (ECtHR) details some key aspects in regards

to the freedom of expression and information. For the purposes of this thesis, the level of protection

enjoyed by the various types of freedom of information is highlighted.

There is a hierarchy when it comes to different categories of freedom of information. Right to

receive political information is at the top of this hierarchy72

, whilst the right to disseminate

commercial information lies at the bottom.73

European Commission of Human Rights has also

weighed in on the issue, declaring that the objective of the freedom of information is to keep the

public well informed, rather than to protect the commercial information interests of undertakings.74

Superplatforms are currently the largest media there is, and are constantly growing.75

They

therefore hold a huge power over what people see online.76

Since the internet and effective access to

it facilitate democratic progress worldwide77

, the gateway-position these superplatforms hold

creates serious concerns over the people’s ability to access all the content they want to, as well as

over the freedom and pluralism of the media.78

Online platforms base their restrictive activities to trial-and-error testing79

, using consumers’ own

data input as the resource for their self-learning algorithms to alter the search results, social media

70

Ibid.,art.52(3). 71

Convention for the Protection of Human Rights and Fundamental Freedoms, 01.06.2010,art.10. 72

European Court of Human Rights (ECtHR), Lingens v. Austria, Application Number 9815/82, judgment of

08.07.1986, Ser. A, No. 103; ECtHR, Oberschlick v. Austria, Application Number 11662/85, 23.05.1991, Ser. A, No.

204,paras.57-61. 73

ECtHR, Markt Intern Verlag GmbH and Klaus Beermann v. Germany, Application Number 10572/83, 20.11.1989,

Ser. A, No. 165,para.33. 74

EU Network of Independent Experts on Fundamental Rights, Commentary of the Charter of Fundamental Rights of

the European Union, 2006,p.117, http://ec.europa.eu/justice/fundamental-rights/files/networkcommentaryfinal_en.pdf

,accessed-27.06.17. 75

Mitchell A.,Gottfried J.,Matsa K.E., Facebook Top Source for Political News Among Millennials, Pew Research

Center, 01.06.2015, http://www.journalism.org/2015/06/01/facebook-top-source-for-political-news-among-millennials/

,accessed-27.04.17. 76

See chapters 2.1-2.2,pp.3-4. 77

Communication from the Commission to the European Parliament, the Council, the European Economic and Social

Committee and The Committee of the Regions: Internet Policy and Governance Europe's role in shaping the future of

Internet Governance, 12.02.2014,p.2, http://eur-lex.europa.eu/legal-

content/EN/TXT/PDF/?uri=CELEX:52014DC0072&from=EN ,accessed-27.04.17. 78

European Court of Justice (ECJ), C-288/89, Stichting Collectieve Antennevoorziening Gouda and others v

Commissariaat voor de Media, 25 July 1991, EU:C:1991:323,para.23. 79

Koukouvis K.,Cubero R.A.,Pelliccione P., A/B Testing in E-commerce Sales Processes, In: Crnkovic I.,Troubitsyna

E., Software Engineering for Resilient Systems. SERENE 2016, Springer,pp.133-148, 26.08.2016, Lecture Notes in

Computer Science,vol.9823, https://link-springer-com.proxy.uba.uva.nl:2443/chapter/10.1007%2F978-3-319-45892-

2_10 ,accessed-27.04.17.

11

feed, and other platform products.80

This has been proven to affect users’ emotions81

and actions82

,

and therefore possesses the capacity of severely affecting the society in whole, especially when it

comes to politics. All this has been well demonstrated since early 2016 in the form of university-

wide campus protests about the lack of so-called “safe-spaces”83

, and even mandatory issuances of

“trigger warnings” about the course contents at universities.84

This can be easily traced back to the

fact that the millennials – now enrolled in universities – have throughout their lives been influenced

by the selective content provided by search engines and especially social media, where one’s feed

largely depends on what one’s friends seem to like as well. They have rarely faced opposing

opinions in regards to social issues or politics, but as they exit their information bubble when

entering university, they get shocked by the opposing views.85

Naturally the ultimate goal of the online platforms is not to alter the political thinking of the people,

but this just happens to be in their best interest. The more users use the platform, the more data the

platform receives and is able to sell forward to its real customers, the advertisers.86

It is therefore

paramount to keep the users at the platform as long as possible, and this is most effectively done by

showing them what the platform believes they want to see.87

Great examples of this manipulation

are Facebook’s news curation algorithm88

and Google’s – as well as other search engines’ – search

80

See chapter 2.3.1,p.6. 81

Kramer A.D.I.,Guillory J.E.,Hancock J.T.,Experimental evidence of massive-scale emotional contagion through

social networks, PNAS, 17.06.2014,vol.11 no. 24,pp.8788-8790, http://www.pnas.org/content/111/24/8788.full

,accessed-27.04.17. 82

Epstein R.,Robertson R.E., The search engine manipulation effect (SEME) and its possible impact on the outcomes of

elections, PNAS, 18.08.2015,vol.112, no. 33,pp.E4512-E4521, http://www.pnas.org/content/112/33/E4512.full

,accessed-27.04.17. 83

Mostly in the United States, though. Agerholm H., Student protesters campaigning for safe spaces 'block white

students' at Berkeley university, Independent, 27.10.2016, http://www.independent.co.uk/news/world/americas/student-

protesters-campaigning-safe-spaces-block-white-students-from-attending-classes-racism-a7383676.html ,accessed-

27.04.17. 84

Flynn M., The Trouble with Trigger Warnings, The Huffington Post, 22.12.2016,

http://www.huffingtonpost.com/greater-good-science-center/the-trouble-with-trigger_b_13801784.html ,accessed-

27.04.17. 85

El-Bermawy M.M., Your Filter Bubble Is Destroying Democracy, Wired, 18.11.2016,

https://www.wired.com/2016/11/filter-bubble-destroying-democracy/ ,accessed-27.04.17. 86


VPRO, What Makes You Klick (documentary), 16:50-30:35 and 35:50-46:00,

https://www.vpro.nl/programmas/tegenlicht/kijk/afleveringen/2016-2017/what-makes-you-click.html ,accessed-

27.04.17. 88

Thielman S., Facebook fires trending team, and algorithm without humans goes crazy, The Guardian, 29.08.2016,

https://www.theguardian.com/technology/2016/aug/29/facebook-fires-trending-topics-team-algorithm ,accessed-

27.04.17.

12

engine manipulation effect (SEME).89

Google even corrects its users’ searches and suggests certain

search results based on the supposed interests of the particular user.90

As illustrated above, these platforms clearly hinder people’s freedom of expression and information,

and therefore their activities should be regulated in some manner. Since the collection and

utilization of users’ personal data is the root cause of this phenomenon, it is logical to approach the

problem from that point of view. The two main avenues through which a successful restriction of

the powers of these platforms could be achieved are the ones of data protection law and competition

law. This chapter analyses the legislative tools at the disposal of these two authorities in turn, and

strives to answer the first half of the research question of this thesis, namely; are there basis to

restrain the activities of the data-driven online platforms in order to protect people’s freedom of

expression and information, and what would be the right and the most effective avenue to do so?91

3.1 Regulatory trilemma

Before delving into the details of data protection and competition law, it is important to keep in

mind the challenges regulators face when tackling issues such as data-driven platforms. Back in

1988 Gunther Teubner coined the phrase regulatory trilemma, which refers to the difficulty of

creating regulation that A) is not ineffective by failing to change the behavior by the regulated

entity, B) does not kill the whole industry and the innovative process by over-regulating it, and C)

remains hierarchically superior to the regulated entity.92

This trilemma has been transposed to the modern era of data-driven industries by Roger

Brownsword93

, who claims that a regulation in the data-driven industries has three tasks: A) It

cannot impede innovation, but should instead facilitate it94

, B) It has to guarantee that these new

89

Epstein R.,Robertson R.E. 90

This might seem innocent and even useful for the users, but it is about to take a turn to the worse through the

development of the IoT. See chapter 4,pp.28-34. 91

As will be demonstrated in the following chapter, the right avenue and the most effective avenue are not necessarily

the same thing. This is the case particularly since the data protection rules – despite being built for this exact purpose –

fail to curtail the intrusive data collection by the superplatforms. 92

Teubner G., Dilemmas of Law in the Welfare State, Walter de Gruyten & Co., 1988, series A,pp.310-312. 93

Brownsword R., Rules of Law, the Rule of Law, and Technological Management (speech), ACELG annual

conference, 04.11.2016. 94

See chapter 4,pp.28-34. This part is highly analogous with the original trilemma, separated by the fact that the

government regulating the data-driven platforms is at least as dependent on the functioning and development of these

platforms as are the consumers. This gives them a great incentive not to over-regulate.

13

innovations will not harm us95

, and C) It has to guarantee that these new innovations do not impede

our human rights.

The last principle listed by Brownsword is the most crucial one when it comes to the right for data

protection and the freedom of expression and information. As the following subchapters illustrate,

regulating the data-driven industries is not easy while respecting these principles.

3.2 Enforcement through data protection law

As mentioned above, having one’s data protected is a fundamental right recognized by the primary

law of the EU.96

This same status is also enjoyed by the right to privacy, as well as freedom of

expression and information.97

To protect all these rights – either directly or indirectly98

– the EU has adopted the General Data

Protection Regulation (GDPR) which enters into force in May 2018.99

As the regulation will renew

the data protection rules in the EU and unify the various national practices on this field of law100

, it

will be the main subject of this subchapter.

So what were the reasons to update the data protection rules from the old Data Protection Directive

95/46/EC101

, and why was a regulation chosen instead of a new directive?

GDPR was first proposed by the European Commission in 2012 in order to:

1. Eliminate the inconsistencies in national laws;

2. Provide better privacy protection for individuals;

3. Update the law to address today’s privacy challenges created by the internet, social media,

mobile apps, cloud computing, “big data,” and behavioral marketing.

4. Reduce costly administrative burdens for undertakings dealing with multiple data protection

authorities.102

95

Again, analogous with Teubner’s line of thought on effectiveness. 96

Charter,art.8. 97

Charter,arts.7,11. 98

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of

natural persons with regard to the processing of personal data and on the free movement of such data, and repealing

Directive 95/46/EC (General Data Protection Regulation) (GDPR), Brussels, preamble para.153. 99

Ibid. 100

The Treaty on the Functioning of the European Union (TFEU), 26.10.2012,art.288. Regulations do not require any

implementation measures by the EU member states, as the regulation is directly effective from the day it enters into

force. 101

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of

individuals with regard to the processing of personal data and on the free movement of such data, Luxembourg.

14

The fourth reason listed above also answers the question why a regulation was chosen over a

directive. Since these online platforms operate globally, they currently have to satisfy the

requirements of all 28 EU member states separately, whereas the regulation will be directly

effective in all member states.103

The discussion below is limited to the most important changes brought by the GDPR for the

purposes of this thesis, these namely being stricter conditions for consent, privacy policies, the right

to be forgotten, data portability, the right to object to marketing and profiling, and privacy by design

and by default.

3.2.1 Stricter conditions for consent

Just like the current Directive, the GDPR also requires the consent of the data subject104

for the

processing of his data.105

However, the regulation sets much stricter conditions for the acquirement

of this consent. Article 7 of the GDPR defines consent as “freely given specific, informed and

explicit indication of his or her wishes by which the data subject, either by a statement or by a clear

affirmative action, signifies agreement to personal data relating to them being processed.”106

The

onus lies on the data collector, effectively meaning that the consent cannot be implied, but instead

has to be acquired via clicking through the terms and conditions, or some other concrete means

leaving a paper trail.107

Importantly, the data subject also has the right to withdraw his consent

concerning any future processing of his data.108

3.2.2 Privacy policies

Article 12 of the GDPR discusses the privacy policies imposed on the users.109

Privacy policies are

historically known as legalistic jargon that is really difficult for the average consumer to

102

Proposal for a Regulation of the European Parliament and of The Council on the protection of individuals with

regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation),

Brussels, 25.01.2012,pp.17-19,32. 103

TFEU,art.288. 104

GDPR, art.4(1). ”a natural person who can be identified by means reasonably likely to be used by the controller or

by any other natural or legal person” including by reference to “an identification number, location data, online

identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social

identity of that person”. Noticeable additions to the old definition are the location data and online identifiers. These

bring the definition to level required by today’s mobile-orientated online behavior. 105

Ibid.,art.7. 106

Ibid. 107

Ibid. 108

Ibid. 109

ibid.,art.12.

15

understand, effectively leading consumers to just click “I agree” without bothering to read the

whole text.110

Article 11 demands the use of “transparent and easily accessible policies” in “clear

and plain language”.111

3.2.3 The right to be forgotten

Although this right is covered by the article 17 of the GDPR it was really coined by the case C-

131/12 Google Spain, decided by the ECJ in 2014.112

The case concerned a Spanish citizen’s

request for Google to have certain outdated and embarrassing information about him removed from

the search engine’s search results.113

This request put Google between the rock and the hard place,

as they were effectively forced to make a choice between right to privacy and data protection on the

one hand, and freedom of information on the other.114

The ECJ ended up ruling in the favor of the

applicant, Mr. González, and Google was forced to erase the search results in question.115

The Court

ruled that individuals have the right to require their data to be removed when the data is

“inadequate, irrelevant or no longer relevant, or excessive in relation to those purposes and in the

light of the time that has elapsed”.116

Since the Court gave its judgment, Google has received

hundreds of thousands of requests from individuals who want their data to be removed from the

search results.117

3.2.4 Data portability

Article 20 of the GDPR outlines the right of users to have their data removed from one online

platform into the other.118

The obvious purpose of this new rule is to make changing service

providers easier for consumers, as currently the data gathered to and by the one platform keeps the

users effectively locked in to that platform.119

This will also curtail the market power hoarded by

the superplatforms as the data they have collected is not so exclusive anymore. Right to data

portability makes the access to the crucially important personal data of social media users possible

110

EDPS(2014),p.35. 111

GDPR, art.12. 112

ECJ, C-131/12, Google Spain SL, Google Inc. v Agencia Española de Protección de Datos (AEPD), Mario Costeja

González, 13 May 2014, ECLI:EU:C:2014:317. 113

Ibid.,para.2. 114

Ibid.,paras.81,97. 115

Ibid.,operative part. 116

Ibid.,para.93. 117

Google Transparency Report, European privacy requests for search removals,

https://www.google.com/transparencyreport/removals/europeprivacy/?hl=en ,accessed-27.04.17. 118

GDPR, art.20. 119

On user lock-in, see chapter 3.2.7,pp.18-19.

16

for other competitors on the market, at least in theory. However, as Stucke and Grunes point out,

the data being moved is “third party data” at that point, and therefore inferior in value to the

platform to which it is about to be moved.120

This is due to the fact that in today’s nowcasting-glad,

mobile-driven online environment data becomes outdated really fast.121

Yet a bigger problem is

created by something that cannot be controlled by the legislators in any case, namely the human

element present in the situation.122

3.2.5 Right to object to marketing and profiling

Articles 21 and 22 of the GDPR give the consumers the right to object to profiling done by the

algorithms based on their personal data and direct marketing based on that data.123

The profiling in

this context means profiling based on fully automated means; this is an important improvement

since the automatic profiling engaged in by the algorithms can easily lead people to be categorized

into groups they do not truly belong to, but only seem to belong to, based on their activities on the

platform.124

It remains to be seen how the platforms are going to react to these new provisions,

since targeted advertising is what they get paid for by their clients.125

3.2.6 Data protection by design and by default

This is perhaps the most important new rule introduced by the GDPR. Article 25 of the GDPR reads

as follows:

1. “Taking into account the state of the art, the cost of implementation and the nature, scope,

context and purposes of processing as well as the risks of varying likelihood and severity for

rights and freedoms of natural persons posed by the processing, the controller shall, both at

the time of the determination of the means for processing and at the time of the processing

itself, implement appropriate technical and organisational measures, such as

pseudonymisation, which are designed to implement data-protection principles, such as

data minimisation, in an effective manner and to integrate the necessary safeguards into the

120


See chapter 2.2,p.4. 122

See chapter 3.2.7,pp.18-19. 123

GDPR, arts.21-22. 124

United States Federal Trade Commission, Big Data: A Tool for Inclusion or Exclusion?, January 2016,pp.iii-iv,

https://www.ftc.gov/system/files/documents/reports/big-data-tool-inclusion-or-exclusion-understanding-

issues/160106big-data-rpt.pdf ,accessed-27.04.17. 125

See chapter 2.1,p.3.

17

processing in order to meet the requirements of this Regulation and protect the rights of

data subjects.

2. The controller shall implement appropriate technical and organisational measures for

ensuring that, by default, only personal data which are necessary for each specific purpose

of the processing are processed. That obligation applies to the amount of personal data

collected, the extent of their processing, the period of their storage and their accessibility. In

particular, such measures shall ensure that by default personal data are not made

accessible without the individual's intervention to an indefinite number of natural

persons.”126

In effect this article requires the algorithms to be designed in a way that they cannot collect and

analyze data too intrusively. From the outset, this seems like the most effective way to deal with the

issue since the algorithms are responsible for the data collection, which in turn is one of the reasons

why the GDPR was initiated in the first place. Even Gunther Teubner, the originator of the

regulatory trilemma, suggested something like this way before the era of data-driven industries took

off. In the third point of his trilemma where he describes regulation that becomes unenforceable due

to the immense power of the regulated entity, he suggests an “internal regulation” to be employed

instead of ineffective normal regulation.127

He describes this as “strategic intervention into certain

characteristics of the organization’s decision-making process; the so-called structural, as opposed

to the duty-approach”.128

Thus, instead of counting on the platforms to do the right thing and abide

by the law, he calls for concrete restrictions to be put in place from the get-go. This approach is

widely used in several fields of the society already, such as confining the top speed of certain motor

vehicles like mopeds to the legal limit they are allowed to drive.

So the GDPR looks promising from the outset, but what are its shortcomings and why will it likely

fail to ultimately protect the personal data of individuals, and therefore their freedom of expression

and information? The next subchapter will answer these questions in detail.

3.2.7 The shortcomings of the GDPR

While the GDPR introduces many provisions directly enhancing the level of data protection such as

the requirement of clearer privacy policies, stricter conditions for consent, and the right to opt out

from marketing and profiling, these provisions are likely only going to be effective on paper. This is

126

GDPR,art.25(1-2). 127

Dilemmas of Law in the Welfare State,p.317. 128

Ibid.

18

due to the fact that the vast majority of the users of these online platforms do not actually read the

terms and conditions shown to them as they register to the platform for the first time. Moreover,

they have never done this, so they are just accustomed to accept any terms given to them.129

Furthermore, it is not like the consumers have much of an option in this regard, as the contracts they

are required to sign are adhesive in their nature.130

Finally, even if a user gets upset with a service

such as Google’s Gmail and decides to switch to another email service, all his contacts still using

Gmail are indirectly allowing Google to collect the content of the emails he sends to those

people.131

Even if we decide to disregard the previous example and analyze the opportunities created by the

principle of data portability,132

allowing the users to go elsewhere if they are unhappy with the

terms and conditions offered by the platform, it falls short when the human element of this problem

comes into play.133

The users of online platforms, especially social media platforms, are strongly locked in to the

platform.134

Great example of this is Facebook, which has established a dominant position in the

social media market due to its data-advantage, guaranteeing higher quality of service to the users in

the form of targeted content, while simultaneously providing higher quality product for its clients in

the form of more unique datasets.135

Users cannot reasonably be expected to move their data into

some smaller social network, as the quality of their user experience has never been about the

platform’s design or other elements, but about the presence of other users forming the network with

the said user, and his ability to communicate with them effortlessly.136

The social switching costs

created by changing social media platforms are way too high for any individual to bear, unless the

vast majority of his contacts in Facebook also decided to change their social media platforms to the

same alternative platform at the same time.137

129

There is no base line to see what is ”normal” consumer behavior in this context. Birch K., Market vs. contract? The

implications of contractual theories of corporate governance to the analysis of neoliberalism, Ephemera, February

2016,vol.16(1),pp.107-133, http://www.ephemerajournal.org/sites/default/files/pdfs/issue/16-1ephemera-feb16.pdf

,accessed-27.04.17. 130

Ibid. 131


GDPR, art.20 133

Rubinfeld D.L., Access barriers to Big Data, Arizona Law Review, 08.04.2017,vol.59, issue 339,pp.362-363,

http://arizonalawreview.org/pdf/59-2/59arizlrev339.pdf ,accessed-28.04.17. 134




Ibid.

19

This phenomenon effectively allows the platforms to offer products inferior in quality by not

providing adequate privacy- and data protection for their users. Since providing this protection is

costly for the platforms in the form of research & development, as well as in the form of smaller

advertisement revenue due to less effective targeted advertising, not providing the privacy

protection can be seen as equal to raising one’s prices.138

Since Facebook is dominant in its relevant

market, this has already raised some competition law concerns with the German competition

authorities. Initiating an investigation, the German Cartel office has taken a leap forward and

combined data protection and competition law139

– something the CJEU is yet to have done.

Andreas Mundt, the president of the Bundeskartellamt, stated the following in regards to the

connection of data protection and abuse of dominance in this case:

“Dominant companies are subject to special obligations. These include the use of adequate

terms of service as far as these are relevant to the market. For advertising-financed internet

services such as Facebook, user data are hugely important. For this reason it is essential to

also examine under the aspect of abuse of market power whether the consumers are

sufficiently informed about the type and extent of data collected.”140

Even though this case is only under investigation at the moment and falls strictly under the German

competition law jurisdiction, it certainly is a leap towards the right direction.

The most promising enforcement tool introduced by the GDPR seems to be the concept of data

protection by design and by default, also known as algorithm accountability. This tool, too,

however, has its deficiencies.

First of all, the technical possibility to curtail the capabilities of the self-learning algorithms is a big

question mark at the moment. Even as certain operational limitations can be set to the algorithm by

the programmers at the time of design, the self-learning capabilities of these algorithms make sure

that no human being knows how they operate after a while.141

Second, the article 20(2) of the GDPR states: “The controller shall implement appropriate technical

and organisational measures for ensuring that, by default, only personal data which are necessary

138

Since the products are free, the quality of service is the price of these services. In the end the outcome is the same;

higher profit margins for the dominant undertaking at the expense of the consumers. 139

Bundeskartellamt, Bundeskartellamt initiates proceeding against Facebook on suspicion of having abused its market

power by infringing data protection rules, 02.03.2016,

http://www.bundeskartellamt.de/SharedDocs/Meldung/EN/Pressemitteilungen/2016/02_03_2016_Facebook.html

,accessed-27.04.17. 140

Ibid. 141

Ezrachi A.,Stucke M.E.,pp.230-231.

20

for each specific purpose of the processing are processed. That obligation applies to the amount of

personal data collected, the extent of their processing, the period of their storage and their

accessibility.”142

In this case the platforms will argue that since the variety of data is the most

important element in providing most accurate services to the users in the form of nowcasting or

whichever other way, they need to collect all the data available to them, all the time.143

Lastly, legally limiting the capabilities of the algorithms is like asking a giraffe to shorten its neck

or Ford to build all its model-T’s without the conveyer belt.144

Big data and big analytics are the

lifeblood of these platforms, and the single cause behind their current success. Not being allowed to

use one’s greatest asset would greatly hamper innovation on this front, which is something a

regulation should not be doing.145

But perhaps the biggest shortcoming of the GDPR is the point of view from which it approaches the

whole issue. Besides the principle of algorithm accountability – the effectiveness of which has been

questioned above – the GDPR mostly engages in damage control. All its provisions start from the

assumption that the data has already been collected, and that after this collection the abilities of the

platforms to process and utilize this data should be limited. This does not solve the initial problem

outlined in the beginning of the chapter, namely the concentration of all the data into the hands of

the few powerful superplatforms. Furthermore, today most data are analyzed instantaneously due to

the changed nature of online behavior through mobile revolution, nowcasting, and the rise of the

IoT. Luckily, the conduct of the online platforms in possession of big data allows us to consider

what tools the competition law authorities of the EU have at their disposal to deal with this problem,

and therefore indirectly get involved with the protection of personal data and freedom of expression

and information.

3.3 Enforcement through competition law

In addition to the data protection law, competition law of the EU could also be used to control the

power wielded by online platforms. Both data protection law and competition law strive towards the

same outcome when it comes to the superplatforms – namely, trying to prevent the concentration of

data into the hands of the few and hence the possible abuse of the power brought by it.

142

GDPR, art.20(2). 143


Zuboff S.,(2016). 145

See chapter 3.1,p.12. As acknowledged by Teubner and Brownsword alike.

21

Competition law has taken a more preemptive approach in this field, when compared to the damage

control tactics exercised by the data protection authorities. Competition law does this mostly by

merger control, with which it prevents possibly abusive mergers from happening.146

Data-driven

mergers have appeared to the radar of competition authorities in the past few years, although the

prevention of such mergers has thus far only been successful in the United States.147

In the EU on

the contrary, fierce criticism has been directed towards the European Commission for not

recognizing data as a source of potential market power.148

The critique started pouring in especially

after the merger of Facebook and WhatsApp in 2014 when two of the world’s biggest instant

messaging services merged, Facebook paying a whopping $19 billion for the acquisition despite the

annual revenue of WhatsApp at the time being a mere $10 million.149

It is clear that the reason for

the high price tag was the data Facebook was able to get its hands on through the acquisition.150

At

the time WhatsApp was known for its good privacy protection, whilst Facebook Messenger

collected all the data from its users; In 2015 Facebook announced – not surprisingly – that it will

start collecting data from the users of WhatsApp as well.151

The following subchapters are going to discuss the competences of the competition authorities to

act in the name of data protection, the ways in which data-driven platforms breach EU competition

rules, and the ways in which competition authorities can prevent these violations.

3.3.1 Competences of the competition authorities to deal with data protection issues

At the moment the case law of the CJEU states that there is no basis to include data protection

considerations to the field of EU competition law. Advocate General Geelhoed stated in the case

Asnef-Equifax: “Any problems concerning the sensitivity of personal data can be resolved by other

instruments, such as data protection legislation”.152

This seems a bit counter-intuitive since data in

itself has indeed become an asset to gain market power, as expressed by European Data Protection

146

Council Regulation (EC) No 139/2004 of 20 January 2004 on the control of concentrations between undertakings

(the EC Merger Regulation), Brussels, preamble paras.3-5. 147

The United States Department of Justice, Justice Department and Bazaarvoice Inc. Agree on Remedy to Address

Bazaarvoice’s Illegal Acquisition of PowerReviews, 24.04.2014, https://www.justice.gov/opa/pr/justice-department-

and-bazaarvoice-inc-agree-remedy-address-bazaarvoice-s-illegal-acquisition ,accessed-27.04.17. 148


Ibid.,p.136. 150

As admitted by Mark Zuckerberg himself. Fiegerman S., Facebook to Buy WhatsApp for $16 Billion, Mashable,

19.02.2014, http://mashable.com/2014/02/19/facebook-whatsapp/#P_swPcbOyiqk ,accessed-27.04.17. 151


ECJ, C-238/05, Asnef-Equifax, Servicios de Información sobre Solvencia y Crédito, SL, Administración del Estado v

Asociación de Usuarios de Servicios Bancarios (Ausbanc), 23 November 2006, ECLI:EU:C:2006:734,para.56.

22

Supervisor (EDPS) already in 2014.153

The opinion expressed in Asnef-Equifax was nevertheless

reinforced by the Facebook/WhatsApp merger, where the Commission only discussed data in

connection with the advertisement-side of the market.154

So the CJEU has not yet taken the leap to merge the fields of data protection law and competition,

but will most certainly do so in the near future, as cases relating to these matters have been brought

up both by the Commission and the national competition authorities.155

3.3.2 Classic competition abuses, data-driven industry, and the absence of illegality

The basic division of competition law abuses under the TFEU is between articles 101 and 102,

these governing collusive practices and the abuse of dominant position, respectively.156

3.3.2.1 101 violations

The self-learning algorithms employed by the data-driven industries such as online shopping sites

have created a new type of problem under the article 101. As the determination of the existence of

collusive behavior requires the finding of an agreement – a “meeting of the minds” – or intent to act

anticompetitively157

, the authorities are stuck. This is due to the fact that the algorithms can engage

in tacit collusion without an agreement or intent to do so.158

They simply are fulfilling the function

they were designed to fulfill.159

And since these algorithms are self-learning, the programmers

cannot be held responsible for their actions, either. Ezrachi and Stucke demonstrate this with the

example of several gas stations competing for customers by lowering their prices and undercutting

each other one after another.160

In the world without algorithms this would lower the prices and

benefit the consumers, but as the algorithms get involved, they soon realize that the other algorithm

is going to undercut the price anyway and therefore every gas station is better off if no one cuts the

153

EDPS(2014),pp.8-10. 154

European Commission, Case No COMP/M.7217 - FACEBOOK/ WHATSAPP, 03.10.2014,para.166,

http://ec.europa.eu/competition/mergers/cases/decisions/m7217_20141003_20310_3962132_EN.pdf ,accessed-

27.04.17. 155

see chapter 3.2.7,pp.18-19 and chapter 3.3.2.2,pp.23-25. 156

TFEU, arts.101-102. 157

Ibid.,art.101. 158


I.a. profit maximization. Ibid.,pp.74,77-79. 160

Ibid.,pp.57-60.

23

price to begin with.161

But since tacit collusion in itself is not illegal,162

there is nothing the

competition authorities can do about this.

3.3.2.2 102 violations

As the abuse of dominant position under article 102 is concerned, the best example involves Google

and the statements of objections brought against it by the European Commission in 2016.163

In the

April 2016 statement of objections, Google was alleged of having violated EU competition law by

leveraging its dominance on the search engine market and the android operating system market by

i.a.:

1. Requiring manufacturers to pre-install Google Search and Google's Chrome browser and

requiring them to set Google Search as default search service on their devices, as a condition

to license certain Google proprietary apps;

2. preventing manufacturers from selling smart mobile devices running on competing

operating systems based on the Android open source code;

3. giving financial incentives to manufacturers and mobile network operators on condition that

they exclusively pre-install Google Search on their devices.164

The Commission also issued another statement of objections in July 2016, where Google was under

attack for:

1. Requiring third parties not to source search ads from Google's competitors.

2. Requiring third parties to take a minimum number of search ads from Google and reserve

the most prominent space on their search results pages to Google search ads. In addition,

competing search ads cannot be placed above or next to Google search ads.

3. Requiring third parties to obtain Google's approval before making any change to the display

of competing search ads.165

According to the Commission, these competition law breached by Google have helped it to

maintain its dominance in the mobile operating system market as well as in the comparison

161

Ibid. 162

ECJ, C-40/73, Joined cases Coöperatieve Vereniging "Suiker Unie" UA and others v Commission of the European

Communities, 16 December 1975, ECLI:EU:C:1975:174,paras.173-174. 163

Commission statement of objections April; European Commission, Antitrust: Commission takes further steps in

investigations alleging Google's comparison shopping and advertising-related practices breach EU rules, 14.07.2016,

http://europa.eu/rapid/press-release_IP-16-2532_en.htm ,accessed-27.04.17. 164

Commission statement of objections April. 165

Commission statement of objections July.

24

shopping websites market166

, having “weakened or even marginalised competition from its closest

rivals”.167

Google has unofficially responded to these allegations by referring to the power of innovation,

warning about the dangers of the chilling effect any legal proceeding on the aforementioned

grounds could have on it.168

Moreover, Google referred to efficiencies its products create to all sides

of the market.169

As efficiencies can be used to justify otherwise abusive conduct under article 102

TFEU, finding of liability grows even more difficult.170

According to the case law of the CJEU, the European Commission has to take efficiency defenses

into account when investigating case of possible abuse under 102 TFEU.171

The Commission sets

up cumulative criteria to be fulfilled in order for the efficiency gains to be accepted as a justification

for otherwise abusive conduct:

1. “The efficiencies have been, or are likely to be, realised as a result of the conduct. They

may, for example, include technical improvements in the quality of goods, or a reduction in

the cost of production or distribution.

2. The conduct is indispensable to the realisation of those efficiencies: there must be no less

anti-competitive alternatives to the conduct that are capable of producing the same

efficiencies.

3. The likely efficiencies brought about by the conduct outweigh any likely negative effects on

competition and consumer welfare in the affected markets.

4. The conduct does not eliminate effective competition, by removing all or most existing

sources of actual or potential competition. Rivalry between undertakings is an essential

driver of economic efficiency, including dynamic efficiencies in the form of innovation. In its

absence the dominant undertaking will lack adequate incentives to continue to create and

pass on efficiency gains. Where there is no residual competition and no foreseeable threat of

entry, the protection of rivalry and the competitive process outweighs possible efficiency

166

Commission statement of objections April; Ibid. 167

Commission statement of objections July. 168

Walker K., Android: Choice at every turn, 10.11.2016, https://blog.google/topics/google-europe/android-choice-

competition-response-europe/ ,accessed-27.04.17. 169

Ibid. 170

It has to be kept in mind that the competition law does not even recognize data-related issues at the moment. 171

ECJ, C-27/76 United Brands v Commission, 14 February 1978, ECLI:EU:C:1978:22, para.184; ECJ, C-311/84

Centre Belge d'études de marché — Télémarketing (CBEM) v Compagnie luxembourgeoise de télédiffusion (CLT) and

Information publicité Benelux (IPB), 3 October 1985, ECLI:EU:C:1985:394, para.27; Court of First Instance, C-T-

30/89, Hilti v Commission, 12 December 1991, ECLI:EU:T:1991:70, paras102-119; Court of First Instance, T-83/91,

Tetra Pak International v Commission (Tetra Pak II), 6 October 1994, ECLI:EU:T:1994:246, paras136,207; ECJ, C-

95/04 P, British Airways v Commission, 15 March 2007, ECLI:EU:C:2007:166, paras.69,86.

25

gains. In the Commission's view, exclusionary conduct which maintains, creates or

strengthens a market position approaching that of a monopoly can normally not be justified

on the grounds that it also creates efficiency gains.”172

Considering these conditions, it is clear that the efficiencies are being realized and that the en masse

data collection is indeed indispensable for the creation of the product of this quality.173

If this was

not done, there would be no particular difference between the services provided by Google and

DuckDuckGo.174

The data collection is not anticompetitive either, as any competitor of these

superplatforms is in theory free to collect the data to the same extent. But as we know, network

effects have enabled the few superplatforms to win over their respective markets granting them the

data-advantage, de facto closing out the other competitors.175

These superplatforms have the best

algorithms and the data-advantage, and therefore the gap between them and the next competitor is

growing at accelerating rate. So should these dominant undertakings be punished for their success

by forcing them to share their data with their competitors? This does not seem to be the case.176

Lastly, there is no fear over the stagnation of innovation due to the growing dominance, as the ever-

improving product created by network effects and positive feedback loop prevents this from

happening.177

But there is something in these cumulative criteria that deserves closer scrutiny by the competition

authorities. According to the third criterion, the efficiencies should always outweigh the possible

consumer harm created by the abusive conduct.178

So the question is; do the users really gain more

from the high-end search results than they lose through the gradual chipping away of their privacy,

data protection rights, and freedom of expression and information? This is especially the question

when we consider IoT and the even more intrusive data collection introduced by it.179

3.3.2.3 “Frenemy” dynamic

In addition to the traditional violations under articles 101 and 102 TFEU, Ezrachi and Stucke also

identify a new dynamic in which data plays a key role in enhancing the dominance of

172

European Commission, Communication from the Commission — Guidance on the Commission's enforcement

priorities in applying Article 82 of the EC Treaty to abusive exclusionary conduct by dominant undertakings, Official

Journal of the European Communities, C 45, 24.2.2009,paras.28-31. 173


See chapter 4.1,p.28. DuckDuckGo is a search engine that does not collect any data from its users. 175


The Autorité de la Concurrence and the Bundeskartellamt,p.18. 177


Article 82 EC enforcement priorities,para.30. 179

See chapter 4.3,pp.30-31.

26

superplatforms.180

In this so-called “frenemy” relationship, the superplatforms take advantage of the

independent apps developed for their platform as long as the apps are useful and do not cause any

trouble for the superplatform.181

But as soon as the independent apps start to threaten the

superplatform’s own competing app or in any other way annoy the superplatform, these apps will be

closed out from the app store or acquired by the superplatform.182

Although the financial outcome

in these two cases can be very different for the independent apps concerned, the end-game from the

superplatform’s point of view is the same – No one can threaten its place at the top of the food

chain.

The frenemy dynamic also raises a question over the status of these superplatforms as essential

facilities.183

This indeed might be de facto the case, but unfortunately the CJEU has set up

draconian cumulative requirements to be fulfilled in order for something to be considered an

essential facility:

1. The facility has to be indispensable for carrying on the business in question;

2. It has to prevent the emergence of a new product for which there is a potential consumer

demand;

3. It has to exclude all competition in the secondary market and be unjustifiable by any

objective means184

; and

4. No alternative products or services exist, and there are technical, legal or economic

obstacles making it impossible or unreasonably difficult for an undertaking striving to

compete on the downstream market to develop, possibly in cooperation with other

companies, these products or services.185

These conditions are not fulfilled in the case of superplatforms since the independent apps are still

in theory able to compete on the market, albeit with immense difficulty.

After examining the various forms in which data-driven industries cause problems for the

competition authorities, it seems that the authorities currently lack the tools to tackle these issues.

Chapter 3.4 will reflect on the lack of enforcement tools available for the data protection and

competition authorities alike, and answers the first half of the research question of this thesis.

180


Ibid.,pp.151-155. 182


Hijmans H.,p.268. 184

ECJ, C-418/01, IMS Health GmbH & Co. OHG, 29 April 2004, ECLI:EU:C:2004:257,para.37. 185

ECJ, C-7/97, Oscar Bronner GmbH & Co. KG, 26 November 1998, ECLI:EU:C:1998:569,paras.44-45.

27

3.4 Reflections on the current enforcement tools available

At the moment there are not many tools available for the data protection or competition authorities

in order to effectively restrict the powers of the data-driven online platforms. There is light at the

end of the tunnel nonetheless, illustrated by the case brought against Facebook by the German

Cartel Office186

and the statements of objections issued against Google by the Commission.187

Even

though the effectiveness of the GDPR remains a mystery until it comes into force in 2018, it will

certainly enhance the level of data protection in the EU to some extent.

But as the regulatory trilemma referred to in chapter 3.1 demonstrates, regulating is challenging,

especially in the field of data driven-industries.188

The tools available under the GDPR are likely to

be ineffective due to user lock-in and the existence of strong data-driven network effects189

, or be

too rigid, killing the incentive to innovate.190

To answer the first half of the research question of this thesis, it therefore has to be concluded that

although regulation is badly needed, successfully regulating the data-driven platforms is a really

difficult task that has just begun, and in order to succeed, the data protection authorities and the

competition authorities will have to begin cooperating effectively.

Paramount for the successful enforcement is to keep the data from concentrating into the hands of

the few superplatforms. This would be most effectively achieved by the competition authorities

borrowing a few pages from data protection authority’s playbook, and starting to take data into

account in their investigations. This would first and foremost have to happen through effective data-

orientated merger control, and secondly through the realization that the efficiencies created by the

superplatforms and their abusive conduct are clearly being outweighed by the consumer harm

caused by the superplatforms and their ability to hinder our freedom of expression and

information.191

Until this happens, the future on this front seems grim.

Chapter 4 will discuss future options, developments, and threats in regards to people’s freedom of

expression and information, and the further challenges faced by the EU’s enforcement authorities.

The chapter also strives to answer the second half of the research question; namely, can effective

186

See chapter 3.2.7,pp.18-19. 187

See chapter 3.3.2.2,pp.23-24. 188


See chapter 3.2.7,pp.18-19. 190

Ibid. 191

See chapter 4,pp.28-34.

28

regulation still be achieved, or has the time to intervene already passed, as people and governments

alike have grown dependent on the existence of these online platforms?

4. Future challenges, threats, and options

As pointed out at the conclusion of the second chapter, the best option to regulate the

superplatforms is through the EU competition law. Besides the fact that the law has not recognized

data protection issues under its jurisdiction, what other obstacles stand in the way of more effective

enforcement?

This chapter is going to discuss the efficiencies created by the actions of the platforms and threats

posed by the rapidly advancing IoT to the people’s freedom of expression and information, and

answers the second half of the research questions, namely; is it already too late for effective

intervention due to the efficiencies created by the platforms, and the lack of political will and

technical capabilities to do so?

4.1 Efficiencies created for individual users

Are these platforms simply “too good to be regulated”? Today that is a serious question, as the

platforms make people’s lives much easier in many ways. Google knows what you want to search

for before you finish typing your search query192

and Facebook conveniently provides you with the

feed it knows will be to your satisfaction.193

As these undertakings have won over the market with

their data-advantage and provide the highest quality of product to the both sides of the market194

,

why would any regulation even be necessary?

It turns out that a small niche of the population still values their privacy more than they value

accurate search results, which has spurred the creation of services like the search engine

DuckDuckGo, whose main utility is that it does not collect any data from its users.195

Naturally the

user experience suffers from this ethical behavior, and will keep large audiences firmly committed

to Google.196

Moreover, even if one switches his search engine to DuckDuckGo, one still would

have to evade YouTube, Gmail, Google Maps, Google Chrome, Android, and all IoT products

192

Epstein R.,Robertson R.E. 193

VPRO. 194


DuckDuckGo.com’s front page states: “We don’t store your personal info. We don’t track you. Ever”. 196

Stucke M.E.,Grunes A.P.,pp.256-259.

29

Google owns in order to effectively protect his personal data.197

This is becoming increasingly

difficult with the rapid growth of the IoT, as will be discussed in chapters 4.3-4.4.198

An even bigger efficiency – or threat, depending on the point of view from which one looks at the

situation – is formed by the network effects creating and further fueling these platforms.199

Products

with network effects are the rare instance in our society where consumers are better off with less

choice.200

Users benefit as they do not have to use several networks to communicate with their

friends or use several search engines to find information, while the advertisers also benefit as they

receive broader datasets enabling them to engage in more accurate targeted advertising. It is this

wide variety of data that also creates efficiencies for the governments that are supposed to regulate

these platforms, as will be illustrated below.

4.2 Efficiencies created for governments

As became clear through the Snowden revelations in 2013, governments all over the world are

gathering vast amounts of data about individuals with the help of online platforms.201

Indeed,

United States government was heavily involved with the initial creation of Google by funding the

PhD research of Sergey Brin, the co-creator of Google.202

Governments use online platforms as

their intelligence gathering device for the simple reason that these platforms are more capable of

gathering data than the governments would ever be, as the users themselves contribute the data to

these platforms.203

At this point it is good to remember the third principle of the regulatory trilemma, namely that the

law should never submit to the entity it is supposed to regulate.204

In the light of all the

aforementioned details and for the fact that online platforms and governments are heavily involved

with each other through lobbying and other favorable arrangements205

, it has become more and

197

Center for Democracy & Technology, Comments for November 2015 Workshop on Cross-Device Tracking,

16.10.2015, https://cdt.org/files/2015/10/10.16.15-CDT-Cross-Device-Comments.pdf ,accessed-28.04.17. 198

See chapters 4.3-4.4,pp.30-32. 199


Gebicka A.,Heinemann A., Social Media & Competition Law, World Competition, 2014/2, volume 37,p.159. 201

Greenwald G.,MacAskill E., NSA Prism program taps in to user data of Apple, Google and others, The Guardian,

07.06.2013, https://www.theguardian.com/world/2013/jun/06/us-tech-giants-nsa-data,accessed-27.04.17. 202

Ahmed N., How the CIA Made Google, InsurgeIntelligence, 22.01.2015, https://medium.com/insurge-

intelligence/how-the-cia-made-google-e836451a959e ,accessed-27.04.17. 203

Ahmed N., Why Google Made the NSA, InsurgeIntelligence, 22.01.2015, https://medium.com/insurge-

intelligence/why-google-made-the-nsa-2a80584c9c1,accessed-27.04.17. 204

Dilemmas of Law in the Welfare State,p.312. 205

Ezrachi A.,Stucke M.E.,pp.244-246; Dayen D., The Android Administration, The Intercept, 22.04.2016,

https://theintercept.com/2016/04/22/googles-remarkably-close-relationship-with-the-obama-white-house-in-two-charts/

,accessed-27.04.17.

30

more unclear which entity is more dependent on the other? This begs the question whether there is

political will to effectively regulate these platforms to begin with?206

207

Moreover, the efficiencies

discussed above are going to grow even greater with the emergence of the IoT, as will be elaborated

in the following chapter.

4.3 Internet of Things

As mentioned in chapter 2.4, IoT is growing rapidly and is estimated to reach 25 billion devises by

the year 2020.208

The peculiar thing about IoT when compared to the “normal” data-driven

industries is that whereas with these normal platform products the collected data makes them better,

with IoT the collected data makes the whole product. The whole concept of IoT is the connection of

everyday devises to the internet in order to collect data; if the data collection is taken out of the

equation, we are left with ordinary toothbrushes and refrigerators.209

Here the whole dynamic of data collection changes. The users do not choose to voluntarily give

away their data anymore, but instead the data is simply taken from them, since the IoT products

they are using are dependent on the data in order to exist.210

Here the talk about better privacy terms, stricter conditions for consent, and collecting only what is

necessary in order to provide the service in question – as introduced by the GDPR211

– can be

forgotten altogether, since all the data is necessary for the functioning of the IoT products.212

Furthermore, the users still lack the opportunity to negotiate their contracts with these service

providers as the contracts are adhesive in their nature.213

Either the user clicks “I agree” or he

206

Emphasis added. Schrems alleges that the Privacy Shield is not going to provide adequate protection for people’s

data, but instead is just something done out of necessity to keep the consumers happy. Gilbert D., Safe Harbor 2.0: Max

Schrems Calls ‘Privacy Shield’ National Security Loopholes ‘Lipstick On A Pig’, International Business Times,

29.02.2016, http://www.ibtimes.com/safe-harbor-20-max-schrems-calls-privacy-shield-national-security-loopholes-

lipstick-2327277 ,accessed-27.04.17. 207


Gartner. 209

EDPS(2014),p.35. 210

Zuboff S., Big other: surveillance capitalism and the prospects of an information civilization, Journal of Information

Technology, March 2015,vol.30(1),p.79,

https://poseidon01.ssrn.com/delivery.php?ID=94400303101712311107400709009309809900005606803900300012707

209807207012309100609511810200709600110501300609407711612602409208801301900502602012706500109102

3120007080078071101019104113001025022117007024066024088120089029121125108005114091102074089&EX

T=pdf ,accessed-27.04.17. 211


EDPS(2014),p.35. 213

Birch K.

31

simply goes on without using the product, effective resigning himself from the modern society.214

And if one thinks that IoT products are not a necessity to have in the first place, one could try to live

without a smartphone for a week. Technological innovations have the tendency to creep their way

into our daily lives until one day people do not remember how life was like without them.

It is needless to say that if regulating the normal data-driven industries is difficult due to the

efficiencies they create, effective regulation of IoT seems to be outright impossible due to the fact

that without their data collection these products simply would not exist. This would be like the

above-mentioned model-T-example on steroids.215

The potential of IoT and its data collecting abilities has been recognized by the superplatforms as

well since after all, data is the core of their business. For the past several years these superplatforms

have been on a rampant shopping spree for promising IoT undertakings.216

Naturally, the

superplatforms are doing this to broaden the variety of data at their disposal, further concentrating

data into the hands of the few.217

Meanwhile these superplatforms have also engaged into a race to

develop the first fully functioning personal assistant218

, the so called digital butler.219

4.4 Digital butler

Siri, Alexa, M; these things already exist220

and are collecting data about our every move. The race

to launch the first fully functional A.I. butler is crucial for the superplatforms since it has the

potential to shift the data-advantage to the favor of the winner of this race. At the moment Google is

at the driver’s seat in this contest, as it has the ability to collect the broadest datasets. Moreover, due

to its dominance in the mobile operating system market with Apple, Google has the ability to close

out Facebook from that part of the business if necessary.221

With the digital butler, targeted advertisements would go directly to the butler without the owner

ever being aware of them.222

The butler would then make the decisions for you concerning your

daily activities such as shopping, entertainment consumption, and so on.223

The butler would also

214


Zuboff S.,(2016). 216


OECD(2016),p.10. 218


Ibid.,p.194. 220

Ibid.,pp.192-193. 221

Although this is highly unlike to happen due to Facebook’s popularity. Form 10-K Facebook, Inc. 222


Ibid.,p.194.

32

know which news you prefer, and would help you with your social interactions by drafting your

emails and text messages.224

And this is the heart of the problem; people’s freedom of expression

and information is being taken over by the superplatforms with the help of the butler, as the steady

alteration of our information flow by the butler changes the way in which we think.225

This

phenomenon is not new, as it is happening already with the traditional data-driven platforms.226

Still, the real cause of this problem is that the vast majority of people only care about the

efficiencies created by the butler, disregarding the threats to their freedom of expression and

information.227

Not only does the butler depend on the data provided to it in order to function

properly, but likewise the people are dependent on the butler having the data, since they are unable

to deal with their day-to-day errands without its help.228

This is caused by the internal network

effect created by the butler; the more the individual uses the butler, the more efficient it becomes.229

At the point where digital butlers are becoming the gatekeepers of our information, it is appropriate

to ask the question; is it already too late to intervene? Surely no one wants a DuckDuckGo

butler?230

4.5 Inability to intervene

As the biggest threat to our freedom of expression and information comes from the superplatforms,

we have to consider how the concentration of power to these few undertakings could be curtailed.

There are two major obstacles to this curtailment, however. These obstacles are the lack of technical

capabilities to stop the algorithms and the lack of political will to intervene in the first place.

Right now the authorities drag several steps behind the algorithms, and are unable to figure out how

they function.231

More importantly, the programmers who created the algorithms are not capable of

reverse-engineering them due to their rapid phase of self-improvement.232

This problem is best demonstrated by the fact that in 2016 and early 2017, machines were able to

beat the best human players in Go233

and Texas hold’em poker234

, both being highly complicated

224

Ibid.,pp.194-199. 225

Ibid.,pp.197-199. 226

Kramer A.D.I.,Guillory J.E.,Hancock J.T; Epstein R.,Robertson R.E. 227

Newman N., The Costs of Lost Privacy: Consumer Harm and Rising Economic Inequality in the Age of Google,

William Mitchell Law Review, 2014,vol.40, issue 2,pp.855-863,

http://open.mitchellhamline.edu/cgi/viewcontent.cgi?article=1568&context=wmlr ,accessed-28.04.17. 228


Ibid. 230

Ibid.,pp.200-201. 231

Ibid.,pp.230-231. 232

Ibid.

33

games with seemingly endless amount of possible outcomes.235

In the latter example, the machine

even bluffed, making its victory even more impressive.236

Keeping these examples in mind, we can reflect on a recent speech held by the EU competition

commissioner Margrethe Vestager, where she strongly encouraged the powerful platforms to act

according to the EU competition rules.237

It is a telling example of the weakness of the current

enforcement tools when the best the Commission can do is to ask the violators not to violate the

law.238

Pairing all this up with the lack of political will to intervene as discussed in chapter 4.2239

, the

second half of the research question of this thesis can be answered by stating that effective

regulation of the online platforms is not possible at the moment as the law has fallen second to the

to the entities it strives to regulate.240

The following subchapter will reflect on this thought, and

discuss the future implications of the actions or inaction by the authorities.

4.6 Reflections and future implications

As chapter 3 explained, the enforcement tools at the disposal of the data protection and competition

authorities are inadequate to deal with the data-driven platforms, either being ineffective and unable

to change the conduct of these platforms, or over-regulating to the detriment of innovation.241

Chapter 4 contributes to this bleak realization by concluding that at the moment there is neither

technical capability nor political will to effectively regulate and enforce the data-driven industry

and in particular the dominant online platforms. This finding adds to the line of thought began at the

end of chapter 3, where it was concluded that the principles one and two of the regulatory trilemma

233

McKenzie D., Update: Why this week’s man-versus-machine Go match doesn’t matter (and what does), Science,

15.03.2016, http://www.sciencemag.org.proxy.uba.uva.nl:2048/news/2016/03/update-why-week-s-man-versus-

machine-go-match-doesn-t-matter-and-what-does ,accessed-28.04.17. 234

Moravcik M.,et.al., DeepStack: Expert-Level Artificial Intelligence in Heads-Up No-Limit Poker, Science,

02.03.2017,vol.355, issue 6328,

http://science.sciencemag.org.proxy.uba.uva.nl:2048/content/early/2017/03/01/science.aam6960.full ,accessed-

28.04.17. 235

Ibid.;McKenzie D. 236

Moravcik M.,et.al.,pp.9-11. 237

Vestager M., Algorithms and Competition, 16.03.2017, https://ec.europa.eu/commission/commissioners/2014-

2019/vestager/announcements/bundeskartellamt-18th-conference-competition-berlin-16-march-2017_en ,accessed-

27.04.17. 238

Ibid.,(This thought was originally expressed by the author in “Digital cartels: The Future of Global Cartels and

Cartel Enforcement” paper of 06.04.2017.) 239


Gilbert D. 241

See chapter 3.4,p.27.

34

remain unfulfilled.242

As the law has clearly crumbled under the entities it is supposed to oversee,

the third principle of the regulatory trilemma likewise fails to be fulfilled.

Still, the superplatforms’ conduct hampering individuals’ freedom of expression and information

should somehow be halted, whilst also allowing the individuals and governments alike to enjoy the

efficiencies created by these entities. So how could the consumers and the government have their

cake and eat it too? The options discussed by the rest of this chapter are both scarce and far-fetched,

accurately depicting the overwhelming task faced by the authorities.

As discussed in chapter 3.3.1, the EU merger rules do not recognize data as a source of market

power243

, allowing data-driven mergers to concentrate more and more data to the hands of the few

superplatforms. While altering the merger rules accordingly seems like the most logical solution to

this problem, it would cause a lot of practical concerns.

With the growth of the IoT, data will likely be an inherent part of most mergers in the future. This is

especially the case with the superplatforms, as they are constantly looking to broaden the scope of

the data they collect.244

Thus, making data part of the merger evaluation would flood the

Commission with cases it would have otherwise never had to consider, making these new merger

control rules ineffective as all the cases could not be handled diligently. Here the regulatory

trilemma raises its head once again. Given this, it is unlikely that the merger rules are going to be

changed any time soon. This brings us to an alternative solution: the possible subsidization of the

undertakings which would otherwise be merging with the superplatforms.

This subsidization by the EU would solve half of the problem, as it would slow down the further

concentration of data towards the superplatforms. However, at the same time it would slow down

the superplatforms’ product development, as their access to more data would be hindered. Naturally

this would not sit well with the consumers and governments, who first and foremost care about the

efficiencies brought by the superplatforms. Moreover, the effectiveness of this strategy is highly

questionable, as the superplatforms could easily outbid whatever the EU could offer for the to-be-

merged undertaking.

So it seems that at the moment the ball is on the superplatforms’ side of the court; it is in their

power to make sure that the algorithms act accordingly and do not hinder people’s fundamental

242

Ibid. 243

ECJ, C-238/05, Asnef-Equifax,para.56. 244

Lohr S.

35

rights, and with this great power comes a great responsibility. If the algorithms are not properly

supervised, there is a risk that the digital butler will turn into a “digital priest”.245

This being said, the technical difficulties to curtail the actions of the algorithms also apply to the

platforms themselves.246

Thus, our best option at the moment is to wait for the technology to

develop so that some level of algorithm accountability can be attained.247

Until then, we can only hope that the Google’s ex-slogan “Don’t be evil”248

still holds true and is a

conscious choice rather than a horror scenario yet to materialize, capable of causing grave damage

by hampering people’s freedom of expression and information in the current state of insufficient

enforcement – or in the future, where the power it wields is going to be even greater.

5. Conclusion

Surveillance capitalism and the phenomena brought by it have created unprecedented challenges to

the protection of freedom of expression and information under the EU legal order. Superplatforms,

aided with big data and ever-growing network effects, have conquered the markets and are now

threatening people’s freedom of expression and information by acting as a gateway and gatekeepers

to the internet and consequently strongly influencing the way people see the world.

The two-dimensional research question of this thesis asked: First, whether there are basis to regulate

the practices of the superplatforms and which legislative framework would be the best to do so; and

second, whether there is political will and technical capability to do so to begin with.

To answer the first half of the research question of this thesis, it has to be concluded that although

there is a pressing demand for regulation, the current enforcement tools at the disposal of the EU

data protection and competition authorities are inadequate to effectively regulate the platforms.

These tools are either ineffective, failing to alter the behavior of the regulated entities, or over-

regulating, killing the incentive to innovate.

To achieve effective regulation, it is recommended that data protection and competition law

authorities tightly cooperate in order to achieve the key goal common to their policies, namely

stopping the concentration of data into the hands of the few extremely powerful superplatforms.

245

As stated by Brownsword at the ACELG’s annual 2016 conference. 04.11.2016. 246


Ibid. 248

Roberts D., Alphabet drops Google’s famous ‘Don’t Be Evil’ motto, Fortune, 05.10.2015,

http://fortune.com/2015/10/05/alphabet-google-evil/ ,accessed-27.04.17.

36

First this would happen through competition authorities’ recognition of data as a source of market

power and effective, data-orientated merger control, and second, through the realization that the

efficiencies created by the actions of the superplatforms are easily refuted by the negative effects

they impose on the society as they hamper people’s freedom of expression and information.

Second half of the research question can be answered by stating that due to the efficiencies created

by the superplatforms for the people and governments alike, there is no political will to effectively

regulate these superplatforms. Moreover, the technical capability to do so is non-existent, as the

self-learning algorithms are currently several steps ahead of the people who designed them, let

alone the authorities. The hypothesis of this thesis is therefore confirmed.

Currently the only thing the authorities can do is to wait for the technology to develop, and to count

on the superplatforms doing the right thing. It is a dismal position to be in, as the IoT and the digital

butler are going to raise the intrusiveness of big data collection into new spheres.

VII

List of Literature

Agerholm H., Student protesters campaigning for safe spaces 'block white students' at

Berkeley university, Independent, 27.10.2016,

http://www.independent.co.uk/news/world/americas/student-protesters-campaigning-safe-

spaces-block-white-students-from-attending-classes-racism-a7383676.html , accessed:

27.04.17.

Ahmed N., How the CIA Made Google, InsurgeIntelligence, 22.01.2015,

https://medium.com/insurge-intelligence/how-the-cia-made-google-e836451a959e ,

accessed: 27.04.17.

Ahmed N., Why Google Made the NSA, InsurgeIntelligence, 22.01.2015,

https://medium.com/insurge-intelligence/why-google-made-the-nsa-2a80584c9c1, accessed:

27.04.17.

Birch K., Market vs. contract? The implications of contractual theories of corporate

governance to the analysis of neoliberalism, Ephemera, February 2016, vol. 16(1),

http://www.ephemerajournal.org/sites/default/files/pdfs/issue/16-1ephemera-feb16.pdf ,

accessed: 27.04.17.

Brownsword R., Rules of Law, the Rule of Law, and Technological Management (speech),

ACELG annual conference, 04.11.2016.

Bundeskartellamt, Bundeskartellamt initiates proceeding against Facebook on suspicion of

having abused its market power by infringing data protection rules, 02.03.2016,

http://www.bundeskartellamt.de/SharedDocs/Meldung/EN/Pressemitteilungen/2016/02_03_

2016_Facebook.html , accessed: 27.04.17.

Center for Democracy & Technology, Comments for November 2015 Workshop on Cross-

Device Tracking, 16.10.2015, https://cdt.org/files/2015/10/10.16.15-CDT-Cross-Device-

Comments.pdf , accessed: 28.04.17.

Dayen D., The Android Administration, The Intercept, 22.04.2016,

https://theintercept.com/2016/04/22/googles-remarkably-close-relationship-with-the-obama-

white-house-in-two-charts/ , accessed: 27.04.17.

El-Bermawy M.M., Your Filter Bubble Is Destroying Democracy, Wired, 18.11.2016,

https://www.wired.com/2016/11/filter-bubble-destroying-democracy/ , accessed: 27.04.17.

Epstein R. and Robertson R.E., The search engine manipulation effect (SEME) and its

possible impact on the outcomes of elections, PNAS, 18.08.2015, vol. 112 no. 33,

http://www.pnas.org/content/112/33/E4512.full , accessed: 27.04.17.

VIII

European Data Protection Supervisor, Privacy and Competitiveness in the Age of Big Data:

The Interplay Between Data Protection, Competition Law, and Consumer Protection in the

Digital Economy, Preliminary Opinion, 26.03.2014,

https://edps.europa.eu/sites/edp/files/publication/14-03-

26_competitition_law_big_data_en.pdf , accessed: 26.04.17.

European Data Protection Supervisor, Towards a New Digital Ethics: Data, Dignity and

Technology: Opinion 4/2015, 11.09.2015,

https://edps.europa.eu/sites/edp/files/publication/15-09-11_data_ethics_en.pdf , accessed:

26.04.17.

European Commission, Antitrust: Commission sends Statement of Objections to Google on

Android operating system and applications, 20.04.2016, http://europa.eu/rapid/press-

release_IP-16-1492_en.htm , accessed: 26.04.17.

European Commission, Antitrust: Commission takes further steps in investigations alleging

Google's comparison shopping and advertising-related practices breach EU rules,

14.07.2016, http://europa.eu/rapid/press-release_IP-16-2532_en.htm , accessed: 27.04.17.

EU Network of Independent Experts on Fundamental Rights, Commentary of the Charter of

Fundamental Rights of the European Union, 2006, http://ec.europa.eu/justice/fundamental-

rights/files/networkcommentaryfinal_en.pdf , accessed: 27.06.17.

Evans D., The Internet of Everything: How More Relevant and Valuable Connections Will

Change the World, 2012, https://www.cisco.com/web/about/ac79/docs/innov/IoE.pdf ,

accessed: 26.04.17.

Ezrachi A. and Stucke M.E., Virtual Competition: The Promise and Perils of the Algorithm-

Driven Economy, Harvard University Press, 14.11.2016.

Fiegerman S., Facebook to Buy WhatsApp for $16 Billion, Mashable, 19.02.2014,

http://mashable.com/2014/02/19/facebook-whatsapp/#P_swPcbOyiqk , accessed: 27.04.17.

Flynn M., The Trouble with Trigger Warnings, The Huffington Post, 22.12.2016,

http://www.huffingtonpost.com/greater-good-science-center/the-trouble-with-

trigger_b_13801784.html , accessed: 27.04.17.

Gartner, Gartner Says 4.9 Billion Connected "Things" Will Be in Use in 2015, 11.11.2014,

http://www.gartner.com/newsroom/id/2905717 , accessed: 26.04.17.

Gebicka A. and Heinemann A., Social Media & Competition Law, World Competition,

2014/2, volume 37.

IX

Gilbert D., Safe Harbor 2.0: Max Schrems Calls ‘Privacy Shield’ National Security

Loopholes ‘Lipstick On A Pig’, International Business Times, 29.02.2016,

http://www.ibtimes.com/safe-harbor-20-max-schrems-calls-privacy-shield-national-security-

loopholes-lipstick-2327277 , accessed: 27.04.17.

Google Transparency Report, European privacy requests for search removals,

https://www.google.com/transparencyreport/removals/europeprivacy/?hl=en , accessed:

27.04.17.

Greenwald G. and MacAskill E., NSA Prism program taps in to user data of Apple, Google

and others, The Guardian, 07.06.2013, https://www.theguardian.com/world/2013/jun/06/us-

tech-giants-nsa-data, accessed: 27.04.17.

Hijmans H., The European Union as a constitutional guardian of internet privacy and data

protection: The Story of Article 16 TFEU, Springer, 2016.

Howarth B., How Tesco's Loyalty Card Transformed Customer Data Tracking, CMO,

21.05.2015, http://www.cmo.com.au/article/575497/how-tesco-loyalty-card-transformed-

customer-data-tracking/ , accessed: 26.04.17.

IDC, Smartphone OS Market Share, 2016 Q3, http://www.idc.com/promo/smartphone-

market-share/os , accessed: 26.04.17.

Koukouvis K., Cubero R.A. and Pelliccione P., A/B Testing in E-commerce Sales

Processes, In: Crnkovic I., Troubitsyna E., Software Engineering for Resilient Systems.

SERENE 2016, Springer, 26.08.2016, Lecture Notes in Computer Science, vol. 9823,

https://link-springer-com.proxy.uba.uva.nl:2443/chapter/10.1007%2F978-3-319-45892-

2_10 , accessed: 27.04.17.

Kramer A.D.I., Guillory J.E. and Hancock J.T., Experimental evidence of massive-scale

emotional contagion through social networks, PNAS, 17.06.2014, vol. 11 no. 24,

http://www.pnas.org/content/111/24/8788.full , accessed: 27.04.17.

Lianos I. and Motchenkova E., Market Dominance and Search Quality in the Search Engine

Market’, 9(2) Journal of Competition Law & Econonomics, 17.04.2013, (2013) 9 (2).

Lohr S., Google’s Nest to Acquire Dropcam for $555 Million, New York Times,

20.06.2014, http://bits.blogs.nytimes.com/2014/06/20/googles-nest-to-acquire-dropcam-for-

555-million/ , accessed: 26.04.17.

McKenzie D., Update: Why this week’s man-versus-machine Go match doesn’t matter (and

what does), Science, 15.03.2016,

X

http://www.sciencemag.org.proxy.uba.uva.nl:2048/news/2016/03/update-why-week-s-man-

versus-machine-go-match-doesn-t-matter-and-what-does , accessed: 28.04.17.

Merriam Webster online dictionary, “Data”, https://www.merriam-

webster.com/dictionary/data , accessed: 26.04.17.

Mitchell A., Gottfried J. and Matsa K.E., Facebook Top Source for Political News Among

Millennials, Pew Research Center, 01.06.2015,

http://www.journalism.org/2015/06/01/facebook-top-source-for-political-news-among-

millennials/ , accessed: 27.04.17.

Moravcik M., et. al., DeepStack: Expert-Level Artificial Intelligence in Heads-Up No-Limit

Poker, Science, 02.03.2017, vol. 355, issue 6328,

http://science.sciencemag.org.proxy.uba.uva.nl:2048/content/early/2017/03/01/science.aam6

960.full , accessed: 28.04.17.

Muoio P., Auction.com Launches Real Estate’s First “Nowcast”, 30.10.2015,

https://www.auction.com/blog/auction-com-launches-real-estates-first-nowcast/ , accessed:

26.04.17.

Newman N., The Costs of Lost Privacy: Consumer Harm and Rising Economic Inequality in

the Age of Google, William Mitchell Law Review, 2014, vol. 40, issue 2,

http://open.mitchellhamline.edu/cgi/viewcontent.cgi?article=1568&context=wmlr ,

accessed: 28.04.17.

Newman N., Taking on Google’s Monopoly Means Regulating Its Control of User Data,

The Huffington Post, 24.09.2013, http://www.huffingtonpost.com/nathan-newman/taking-

on-googles-monopol_b_3980799.html , accessed: 26.04.17.

Ocello E., Sjödin C. and Subočs A., ‘What’s Up with Merger Control in the Digital Sector?

Lessons from the Facebook/WhatsApp EU Merger Case’, Competition Merger Brief,

February 2015, 1/2015,

http://ec.europa.eu/competition/publications/cmb/2015/cmb2015_001_en.pdf , accessed:

26.04.17.

OECD, Big Data: Bringing Competition Policy to The Digital Era: Background Note by the

Secretariat, 29.11.2016, https://one.oecd.org/document/DAF/COMP(2016)14/en/pdf ,

accessed: 26.04.17.

OECD, Data-driven Innovation for Growth and Well-being: Interim Synthesis Report,

October 2014, http://www.oecd.org/sti/inno/data-driven-innovation-interim-synthesis.pdf ,

accessed: 26.04.17.

XI

Roberts D., Alphabet drops Google’s famous ‘Don’t Be Evil’ motto, Fortune, 05.10.2015,

http://fortune.com/2015/10/05/alphabet-google-evil/ , accessed: 27.04.17.

Rubinfeld D.L., Access barriers to Big Data, Arizona Law Review, 08.04.2017, vol. 59,

issue 339, http://arizonalawreview.org/pdf/59-2/59arizlrev339.pdf , accessed: 28.04.17.

Schneier B., Data and Goliath: The Hidden Battles to Collect Your Data and Control Your

World, W. W. Norton & Company, 02.03.2015.

Stucke M.E. and Grunes A.P., Big Data and Competition Policy, Oxford University Press,

02.08.2016.

StatCounter, Mobile and Tablet Internet Usage Exceeds Desktop For First Time Worldwide,

01.11.2016, http://gs.statcounter.com/press/mobile-and-tablet-internet-usage-exceeds-

desktop-for-first-time-worldwide , accessed: 26.04.17.

Teubner G., Dilemmas of Law in the Welfare State, Walter de Gruyten & Co., 1988, series

A.

The Autorité de la Concurrence and the Bundeskartellamt, Competition Law and Data,

10.05.2016.

http://www.bundeskartellamt.de/SharedDocs/Publikation/DE/Berichte/Big%20Data%20Pap

ier.pdf;jsessionid=3049D2DA2F7B6B0F521558DABC9FEFC3.1_cid387?__blob=publicati

onFile&v=2 , accessed: 26.04.17.

Thielman S., Facebook fires trending team, and algorithm without humans goes crazy, The

Guardian, 29.08.2016, https://www.theguardian.com/technology/2016/aug/29/facebook-

fires-trending-topics-team-algorithm , accessed: 27.04.17.

The United States Department of Justice, Justice Department and Bazaarvoice Inc. Agree on

Remedy to Address Bazaarvoice’s Illegal Acquisition of PowerReviews, 24.04.2014,

https://www.justice.gov/opa/pr/justice-department-and-bazaarvoice-inc-agree-remedy-

address-bazaarvoice-s-illegal-acquisition , accessed: 27.04.17.

United States Federal Trade Commission, Big Data: A Tool for Inclusion or Exclusion?,

January 2016, https://www.ftc.gov/system/files/documents/reports/big-data-tool-inclusion-

or-exclusion-understanding-issues/160106big-data-rpt.pdf , accessed: 27.04.17.

United States Federal trade Commission, Report re Google Inc., 08.08.2012,

https://graphics.wsj.com/google-ftc-report/img/ftc-ocr-watermark.pdf , accessed: 26.04.17.

United States Securities and Exchange Commission, Form 10-K Facebook, Inc., 31.12.2014,

https://www.sec.gov/Archives/edgar/data/1326801/000132680115000006/fb-

12312014x10k.htm , accessed: 26.04.17.

XII

United States Securities and Exchange Commission, Form S-1 Registration Statement

Under The Securities Act Of 1933 The Rubicon Project, Inc., 04.02.2014,

https://www.sec.gov/Archives/edgar/data/1595974/000119312514034389/d652651ds1.htm ,

accessed: 26.04.17.

Vestager M., Algorithms and Competition, 16.03.2017,

https://ec.europa.eu/commission/commissioners/2014-

2019/vestager/announcements/bundeskartellamt-18th-conference-competition-berlin-16-

march-2017_en , accessed: 27.04.17.

VPRO, What Makes You Klick (documentary),

https://www.vpro.nl/programmas/tegenlicht/kijk/afleveringen/2016-2017/what-makes-you-

click.html , accessed: 27.04.17.

Walker K., Android: Choice at every turn, 10.11.2016, https://blog.google/topics/google-

europe/android-choice-competition-response-europe/ , accessed: 27.04.17.

Zuboff S., Big other: surveillance capitalism and the prospects of an information

civilization, Journal of Information Technology, March 2015 vol. 30(1),

https://poseidon01.ssrn.com/delivery.php?ID=9440030310171231110740070900930980990

00056068039003000127072098072070123091006095118102007096001105013006094077

11612602409208801301900502602012706500109102312000708007807110101910411300

1025022117007024066024088120089029121125108005114091102074089&EXT=pdf ,

accessed: 27.04.17.

Zuboff S., Google as a Fortune Teller: The Secrets of Surveillance Capitalism, Frankfurter

Allgemeine Feuilleton, 05.03.2016, http://www.faz.net/aktuell/feuilleton/debatten/the-

digital-debate/shoshana-zuboff-secrets-of-surveillance-capitalism-14103616.html , accessed:

26.04.17.

XIII

Cases

Court of First Instance, C-T-30/89, Hilti v Commission, 12 December 1991,

ECLI:EU:T:1991:70.

Court of First Instance, T-83/91, Tetra Pak International v Commission (Tetra Pak II), 6

October 1994, ECLI:EU:T:1994:246.

Court of First Instance, Case T-201/04, Microsoft Corp v Commission of the European

Communities, 17 September 2007, ECR II-3601.

ECJ, C-40/73, Joined cases Coöperatieve Vereniging "Suiker Unie" UA and others v

Commission of the European Communities, 16 December 1975, ECLI:EU:C:1975:174.

ECJ, C-27/76 United Brands v Commission, 14 February 1978, ECLI:EU:C:1978:22.

ECJ, C-311/84 Centre Belge d'études de marché — Télémarketing (CBEM) v Compagnie

luxembourgeoise de télédiffusion (CLT) and Information publicité Benelux (IPB), 3 October

1985, ECLI:EU:C:1985:394.

ECJ, C-288/89, Stichting Collectieve Antennevoorziening Gouda and others v

Commissariaat voor de Media, 25 July 1991, EU:C:1991:323.

ECJ, C-7/97, Oscar Bronner GmbH & Co. KG, 26 November 1998, ECLI:EU:C:1998:569.

ECJ, C-418/01, IMS Health GmbH & Co. OHG, 29 April 2004, ECLI:EU:C:2004:257.

ECJ, C-238/05, Asnef-Equifax, Servicios de Información sobre Solvencia y Crédito, SL,

Administración del Estado v Asociación de Usuarios de Servicios Bancarios (Ausbanc), 23

November 2006, ECLI:EU:C:2006:734.

ECJ, C-95/04 P, British Airways v Commission, 15 March 2007, ECLI:EU:C:2007:166.

ECJ, C-131/12, Google Spain SL, Google Inc. v Agencia Española de Protección de Datos

(AEPD), Mario Costeja González, 13 May 2014, ECLI:EU:C:2014:317.

ECtHR, Lingens v. Austria, Application Number 9815/82, judgment of 08.07.1986, Ser. A,

No. 103.

ECtHR, Markt Intern Verlag GmbH and Klaus Beermann v. Germany, Application Number

10572/83, 20.11.1989, Ser. A, No. 165.

ECtHR, Oberschlick v. Austria, Application Number 11662/85, 23.05.1991, Ser. A, No.

204.

XIV

Legislation

Charter of Fundamental Rights of the European Union, Official Journal of the European

Communities, 18.12.2000, C 364.

Commission of the European Communities, Commission Decision of 24.03.2004 relating to

a proceeding under Article 82 of the EC Treaty (Case COMP/C-3/37.792 Microsoft),

21.04.2004.

Communication from the Commission to the European Parliament, the Council, the

European Economic and Social Committee and The Committee of the Regions: Internet

Policy and Governance Europe's role in shaping the future of Internet Governance,

12.02.2014, http://eur-lex.europa.eu/legal-

content/EN/TXT/PDF/?uri=CELEX:52014DC0072&from=EN , accessed: 27.04.17.

Convention for the Protection of Human Rights and Fundamental Freedoms, 01.06.2010.

Council Regulation (EC) No 139/2004 of 20 January 2004 on the control of concentrations

between undertakings (the EC Merger Regulation), Brussels.

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on

the protection of individuals with regard to the processing of personal data and on the free

movement of such data, Luxembourg.

European Commission, Case No COMP/M.7023 – PUBLICIS / OMNICOM Commission

decision pursuant to Article 6(1)(b) of Council Regulation No 139/2004, 09.01.2014,

http://ec.europa.eu/competition/mergers/cases/decisions/m7023_20140109_20310_3566669

_EN.pdf , accessed: 26.04.17.

European Commission, Case No COMP/M.7217 - FACEBOOK/ WHATSAPP, 03.10.2014,

http://ec.europa.eu/competition/mergers/cases/decisions/m7217_20141003_20310_3962132

_EN.pdf , accessed: 27.04.17.

European Commission, Communication from the Commission — Guidance on the

Commission's enforcement priorities in applying Article 82 of the EC Treaty to abusive

exclusionary conduct by dominant undertakings, Official Journal of the European

Communities, C 45, 24.02.2009.

Proposal for a Regulation of the European Parliament and of The Council on the protection

of individuals with regard to the processing of personal data and on the free movement of

such data (General Data Protection Regulation), Brussels, 25.01.2012.

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016

on the protection of natural persons with regard to the processing of personal data and on the

XV

free movement of such data, and repealing Directive 95/46/EC (General Data Protection

Regulation) (GDPR), Brussels.

The Treaty on the Functioning of the European Union (TFEU), 26.10.2012.

Master's Thesis - UvA Scripties

Documents

Transcript of Master's Thesis - UvA Scripties