Article by Lily Leila Purqurian *
2022
pp. 19-57
ABSTRACT
Privacy implications have slowly trudged their way through legal analyses. Specifically with regard to antitrust enforcement, privacy made a slow but bona fide entry into the realm’s consideration after many scholars mapped an intersection between the two bodies of law. Privacy harms could be seen as a “reduction in the quality of a good or service,” and thereby reparable within antitrust.[1] Now, however, the world has discovered that some privacy harms have actually increased the quality of goods and services.[2] Facebook, Google, Apple, Microsoft, and Amazon profit primarily from culling data to then experiment on users through algorithms designed to predict consumer behavior. This then gives them an upper-hand in the market. Low to zero cost services exist not because the user is the customer, but the product.
To that logical end, market prices under a strict consumer welfare standard would invoke the anticompetitive implications for third-party advertisers –– the actual customers in this triangular relationship.
When it comes to data, antitrust enforcement is thus limited by the consumer welfare standard, or at least, the price theory that currently dominates interpretations of consumer welfare. Even if there is no space to reform antitrust law’s standards for consumer welfare, which the neo-Brandeisian framework and current Congressional investigations would vehemently disagree with, the amount of data transferred via mergers and acquisitions is an enduring competition and privacy problem. Just as technology develops, the legal response must also develop. The FTC and DOJ thus must, at minimum, consider data as a potential indicator of market power in merger review. Otherwise, antitrust law will continue to neglect significant online privacy concerns, currently left to statutory rights and remedies, that are highly relevant to competition because they concern an invaluable asset driving the modern market: data.
This Comment addresses the dangers of the continued neglect for data as an indicator of market power. Namely, by placing the rights to and control of data acquired through mergers in the hands of a few. By looking at the European Commission’s review of two particular mergers, the Facebook/WhatsApp merger and the Microsoft/LinkedIn merger, this Comment solidifies the relationship between privacy and antitrust. The immediate solution, then, is for the FTC and DOJ to consider data part of their merger analysis.
INTRODUCTION
Apple’s latest update of Safari includes a ‘Privacy Report.’ There, intelligent tracking prevention is designed to “ . . . use on-device machine learning to identify and blocks them from accessing identifying information.”[3] When one visits the New York Times, for example, nineteen trackers are prevented from profiling the user.[4] Of them were Chartbeat, Amazon, Kantar Operations, Oracle, Google, DoubleVerify, comScore, Neustar, Media.net Advertising, and Criterio.[5] Some of these tracking “owners,” like Google and Oracle, had different trackers, presumably obtaining different information.
Apple’s update is the latest in an onslaught of privacy policy renovations that are best recognized as the 4,000-word emails immediately deleted from your inbox.[6] Safari’s privacy report is sandwiched between the Favorites and Most Visited at the top of a user’s homepage and Siri Suggestions and Reading List underneath. Of those four, only one –– the Reading List –– involves manual selection by the user. The rest are algorithmic predictions that process and store information about a user to then manipulate and profit off that user’s behavior.[7]
Ideally, the dangers of data collection would be minimal, because consumers would have options built upon competing thresholds for how much better privacy could get. Just as a car purchaser may choose one car over another for its better crash protection, so too might a web browser user choose Safari over Chrome because of the better privacy protections that involve control, consent, and cooperation with your data.[8] There would be strong competition between different privacy models, all in compliance with even stronger privacy regulatory frameworks, because a user would consider privacy infringement as dangerous and menacing to one’s agency and quality of life as, say, crash protection.
Although the data is scant, market forces do not seem to be reliable in the production or enhancement of privacy safeguards.[9] For one, the operating system that is responsible for one’s interaction with and knowledge of certain privacy protections generally comes in three colors: Windows, Google Chrome, and MacOS.[10] Those three have significant market power.[11] The fear, then, is that monopoly power would follow.[12] Apple and Microsoft’s market power, for example, gives them significant power that includes, but is not limited to, determining the extent to which one interacts with certain apps.[13] Ceding privacy, not bolstering it,[14] is what drives a company’s decision to put an app, search engine, or web browser at the center of user feeds.[15]
There is much to be said about how data privacy is treated on both sides of the Atlantic: one treats it as an asset while the other treats it as a right.[16] And there is inequality where there are different philosophical foundations.[17] For the most part, however, the European Union’s merger review process mirrors that of the United States.[18] Yet, the EU has neglected the same privacy concerns under its neoliberal antitrust framework that American antitrust regulators do under the Chicago School of Thought.[19] This suggests that the frameworks for both antitrust and privacy regulation are at issue, and that, without defibrillating the frameworks to adjust and respond to current market conditions, both antitrust and privacy regulation will be stuck in a loop.[20]
One could imagine why current legal frameworks under neoclassical economic models may be as obsolete as the original iPhone. The apps that we use the most – and the apps that, in turn, use us the most[21] – are rarely offered at a dollar amount.[22] Neither the app services nor the goods provided therein are valued at their dollar cost, and instead, provide free to low-cost services.[23] This makes the prospect of predatory pricing and data-opolies not just near, but also, highly rational.[24]
Big tech has been fined and monitored for some of its anticompetitive conduct. The European Commission fined Google €2.42 billion for favoring its merchant partners in its search results.[25] The Commission also fined Facebook €110 million for “providing incorrect or misleading information” during the Commission’s review of the proposed acquisition of WhatsApp by Facebook.[26] Although not a fine, when Apple paid “substantially less tax than other businesses,” in the form of €13 billion, there was such distorted competition that the Commission stayed on watch in Apple’s proposed acquisition of Shazam.[27] Amazon, in addition to receiving tax benefits to the tune of €250 million in Luxembourg,[28] also was on the Commission’s watch for its most favored nation clause.[29] The same is true for Big Telecom.[30]
Yet, none of these fines seem to have deterred what they intended to and the efforts are, rather, cyclical. The five biggest companies by market value –– Apple, Amazon, Alphabet, Microsoft, and Facebook –– have shown that they are behemoths who are not only unafraid of regulation, but also wield enough power to dodge it altogether.[31] Privacy, an inherently non-partisan issue,[32] now dons a cloak of controversy because the companies that have escaped stricter antitrust regulations assume control over massive amounts of data, and, in most cases, depend on that data for their revenue.[33]
This Comment will argue that privacy and antitrust regulation in the form of merger reviews go hand in hand. While there is significant scholarship arguing the extent to which this is feasible or even imaginable, there is little contending that, without a reimagining of our approaches to both privacy and antitrust law, the violence done to a citizen’s agency and choice is circular.[34] Users are not just consumers, they are citizens. Frameworks that once reflected this duality seem to have forgotten so. Holes in antitrust and privacy law create legal issues which have consequences in consumer privacy, choice, and agency. The FTC and DOJ thus must, at minimum, consider data as a potential indicator of market power in merger review.[35] This consideration will enable antitrust enforcement to respond to our modern economy that is not always driven by prices, but more increasingly so, by data.
Part I describes how privacy is not just a social concern but a legal issue because companies today increase their revenue by compromising user privacy. Part II then briefly describes how data collection works. The findings are jarring. Part III then delves into the most robust transatlantic privacy laws: the European Union’s General Data Protection Regulation (GDPR) and its progeny, the California Consumer Privacy Act (CCPA). There are notable similarities between the two but, indeed, critical differences that need to be confronted in order to protect the privacy of Americans as a whole. Part IV uses these laws to address where antitrust plays its role. By detailing the methods by which companies have acquired the power to infringe upon Americans’ privacy in the first place, the Section strengthens the link between antitrust and privacy law. While privacy regulation is important on its own because small players ignoring consumer privacy also pose threats, privacy regulation would benefit greatly from paying heed to the market power created by that user data.[36] Privacy regulation is thus auxiliary to antitrust regulation, and vice versa, because antitrust laws could limit companies’ ability to access and process user data.
Parts IV to VI then investigate two cases in which mergers and acquisitions have been unable to dodge privacy concerns: the Facebook/WhatsApp merger and the Microsoft/LinkedIn merger. These cases, reviewed by agencies both in the United States and the European Union, involve analysis that supports the idea that antitrust and privacy concerns, in today’s market, are inseparable.
Part VII then discusses what these decisions entail for privacy. Privacy regulation, at this point, has been deemed insufficient to address consumer agency in Big Tech. Antitrust must thus be defibrillated to do justice to consumer agency and privacy in the modern market. The DOJ and FTC can do this, and in part VIII, a solution is proffered wherein these agencies can (1) consider data an indicator of market power and/or (2) broaden the consumer welfare standard such that the primary metric is not pricing. Sometimes, the legal issues of privacy and antitrust are seen as too big to address. So why not start small.
I. WHAT IS PRIVACY?
During Mark Zuckerberg’s testimony before the House of Representatives, Representative Anna Eshoo asked Zuckerberg if he would be willing to change the company’s business model “in the interest of protecting individual privacy.”[37] Zuckerberg responded, “I’m not sure what that means.”[38]
Zuckerberg, the CEO of Facebook, was called to the House of Representatives so Congress could “examine the alarming reports regarding breaches of trust between [Facebook], one of the biggest and most powerful [companies] in the world, and its users” and, concomitantly, “widen its lens regarding larger questions about the fundamental relationship tech companies have with their users.”[39]
Congress is not the only one asking these questions.[40] Since the Cambridge Analytica scandal that brought Zuckerberg to Washington, D.C.,[41] people are “changing the way they use social media.”[42] The idea that citizens should be paid for their data is gaining traction,[43] even by former presidential candidates.[44] Contemporary scholarship about and litigation over the constitutionality of data privacy thus operates against the backdrop of this breach.[45]
For what many identify as the breach that not only cost Americans an election, but also, their trust and relationship with the devices they “always go back to,”[46] the United Kingdom fined Facebook £500,000, the maximum fine allowed at the time of the breach,[47] and the Federal Trade Commission (FTC) around $5 million.[48] Documentaries have taken on the task of making mainstream knowledge exactly what went wrong[49] and the conversations surrounding data protection and privacy have inspired celebrities, who rely on platforms like Instagram for their reach and relevance, to freeze their accounts for 24 hours in protest of the misinformation and hate speech that runs rampant on these platforms.[50] While the responses to such data breaches, even the biggest of our time, are multiple, there is one common denominator: we always come back to these platforms.[51]
II. HOW DATA COLLECTION WORKS
Users may know big tech knows a lot about them.[52] At this point, it has become something of a sadistic joke amongst users that their iPhones listen to them, Google knows more about them than their spouses, the FBI is watching, or that Alexa is more of a spy than a robot companion.[53] These jokes are followed by a submission to the notion that these companies or agencies know just about everything about a user.[54] But maybe it is not taken as entirely true because users want to believe that is not entirely legal or morally just. This may be a contributing reason as to why users are not keen on changing their online behavior.[55] Nonetheless, this Comment must unfortunately break the news that there is no joke––Big Tech does know almost everything about a user.[56] And it is important to know exactly what that means to grasp the gravity of the privacy and antitrust concerns at hand.
Facebook, for example, gathers information about a user’s work, income level, race, religion, political views, and the ads a user clicks on.[57] This is all, of course, in addition to the elementary data points: a user’s phone number, email address, location, and the type of devices used.[58] Google, on the other hand, collects any user’s name, phone number, payment information, email address, emails the user writes and receives, any stored videos and photos, stored documents, stored spreadsheets, and YouTube comments.[59] IP addresses, system activity, date, time and referrer URL of requests, interaction between apps, browser type, device type, application version number, carrier name, and operating system are also collected.[60] And finally, as to a user’s activity on Google, almost everything is fair game.[61] A user’s search terms, videos watched, views and interactions with content and ads, video and audio information if audio features are used, time, frequency and duration of activity, purchase activity, the people a user communicates with or shares content with, activity on third-party sites and apps, browsing history, calling-party number, receiving party number, forwarding numbers, times and dates and calls of text, call duration, routing information, and types of calls are all collected.[62] The only user activity not collected are merely user messages, networks/connections, content, reviews, and privacy settings.[63] Otherwise, GPS, sensor data from a user’s device, information about things near the device (like wifi access points and cell towers) and local newspapers, third-party marketing partners, and advertisers are all also in the mix of collected data. Amazon is not much better.[64]
Amazon’s platform is inherently less immersive than Google and, as an e-commerce website, does not existentially depend on data.[65] Despite not needing data to have a return on investment, however, Amazon still collects social security and driver’s license numbers, location information, and sensor data from a user’s device.[66] Amazon also collects information on search terms, videos watched on Prime, purchase activity, reviews written, browsing history, address, browser type, and operating systems.[67]
Apple, albeit, has the most respect for data collection when the other competitors are Amazon, Twitter, Facebook, and Google.[68] This is a rather abysmal notation, however, when one remembers exactly what apps they may, for example, use on their Apple iPhone.[69] The apps typically used on iPhones are allowed to practically eviscerate all the privacy protections baked into the iPhone by tracking and collecting user data both when the app is and is not in use.[70] Further, Apple is not as existentially concerned with data as the others, so its collection is still noteworthy.
So what does big tech do with all of this data? There is a growing misconception that this data is sold, but that would assume data is fungible.[71] Big tech does not elect to sell exactly what produces its revenue. Rather, that data is harvested to develop algorithms.[72] Third-party advertisers are shopping for the most competitive algorithm to target their advertising when deciding which social media platform to pay.[73] Amazon, for example, even decided to pay its users a $10 credit to grow its predictive model.[74] The more data a company has, the more competitive their models are to third-party advertisers who feed their net worth.[75]
When it comes to antitrust considerations, what kind of data is paramount, because it reveals the potential relationships, technology processing, business visions, or network effects at hand. The anticompetitive behavior in question, for example, may not be related to data, but rather, to a company’s engineering prowess in developing algorithms. Big Tech, further, does not necessarily want data, but attention, and data is but one component in maximizing attention. But data is still part of that analysis.
Admittedly, in the context of a merger, data collection may not be as massive as it may seem. There is no magic formula for determining consumer behavior, but it may be fair to say that amongst its many traits, it can be duplicative. So a company may amass data through a merger that it already had. Data, in that case, is also “non-rivalrous” because companies can collect the same data on their own accord.[76] In fact, the same strains of our data are collected by multiple companies at any given time, and a merger does not necessarily amass “new” data by the numbers. What it does, instead, is place the rights to and control of that data in the hands of a few. In these contexts, data is not a market good or natural resource, but a materialized social relation, constituted by both technical and legal systems.[77] One would be remiss not to consider how this data may be manipulated, abused, or distorted.[78] One would be even more remiss not to consider how this has already occurred.[79] This manipulation conflicts with the economic freedom and opportunity that antitrust law intends to protect.[80] And because privacy law has not yet developed to address the profound problems presented by these technical systems,[81] antitrust-enforcement agencies must.
III. PRIVACY IN THE LAW
Privacy is no new concept to Americans or human rights law.[82] The “exact nature and extent of [privacy] protection,” however, was challenged by technological advancements.[83] Advancements in information and communication technologies were seen as threats, and instead of advancing privacy law while technologies, too, were advancing, privacy laws took on a defensive reaction to growth.[84] This was unordinary because American law otherwise plays a much more enabling or even leveling role to achieve a “desired innovative or disruptive activity.”[85] But this problem is hardly unique to the United States. Even entities like the European Union, with arguably stronger conceptions of where data protection and privacy stands on principle,[86] went through layers of reforms to achieve what the California Consumer Privacy Act (CCPA) seeks to embody: the General Data Protection Regulation (GDPR).[87]
The GDPR gives EU citizens unprecedented control over how their personal information is collected, store, and used by organizations.[88] For that, it remains the strongest privacy protection act worldwide since its enactment in May 2018.[89] The GDPR protects consumer’s names, addresses, pictures, DNA, IP addresses, and payment information.[90] Business owners must ask for permission before collecting each user’s data using clear and simple language, notify users within 72-hours of a data breach, and, at each user’s request, must explain what information is being collected, how it is being used, with whom it is being shared, and erase any information that may have been collected in the past.[91] The sheer reach of this legislation has invited criticism over how it could hurt business models or even encourage businesses to secretly collect and profit off of user information, but these criticisms have not gone far.[92] Rather, the GDPR has been, for the most part, successful in both protecting existing business models and protecting user privacy.[93] And this protection follows EU citizens wherever they are, protecting even European customers who purchase from US e-commerce merchants.[94]
The CCPA aimed to follow suit, but the California Privacy Rights Act (CPRA), effective January 1, 2023, brings waves of uncertainty.[95] There is great debate over the nature of the CPRA and whether it expands the CCPA or reverses it.[96] Regardless, both steps towards better privacy regulation still do not resolve the question of data collection. Data collection may be constrained under these acts, but that would, arguably, increase the value of who has access to data and how much. The GDPR and CCPA are both simultaneously detailed and vague regulations, leading to a greater need for attorneys and significant compliance costs. Thereby exacerbating the antitrust problem if only a handful of companies have a stronghold over user data because they can afford it.
The CCPA was nonetheless the United States’ most sweeping privacy act, granting citizens some degree of control over how their personal information is collected, stored, and used by organizations.[97] It did not apply to all businesses; rather, the law only applied to businesses that either generated $25 million annually, earned at least half of their revenue from selling personal information, or collected personal data from 50,000+ customers, devices, or households.[98] This generally implicated companies like Facebook, Amazon, and Google.[99] And it does not matter where the company is incorporated. Any businesses that have any physical presence, employees, or customers in California would have been at risk of penalty if they flouted the law.[100] Since the CCPA was enacted, some states, like New York, Nevada, and Maryland, have devised their own privacy regulations.[101]
Personal information under the CCPA means “any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked,” with a particular consumer or household.[102] Businesses are thus required to disclose any personal information collected, sold, or disclosed for a business purpose about a consumer, delete any personal information in response to consumer requests, to not discriminate against any consumer who elects to exercise their rights under the CCPA, and to describe in its online privacy policy consumers’ rights under the CCPA.[103] The privacy policy must also include the methods for submitting consumer requests and a list of categories of personal information that the business has collected, sold, and disclosed about consumers in the past twelve months.[104] Now, the CCPA has been amended and expanded by the newly enacted California Privacy Rights Act, which is generously described as a delphic.[105]
Even before the CPRA was passed, however, there was a critical difference between the CCPA and the GDPR: their foundational models. The GDPR is grounded in a consent model, where ‘consent’ is “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”[106] Based on these four requirements for consent, browsewrap agreements and pre-checked boxes are no longer permitted, and users cannot be punished for refusing to consent with a given site’s cookies or policies.[107]
This is in stark contrast with the CCPA, which, despite its ambitions to emulate the GDPR’s reforms, is curbed by the opt-out model.[108] The CCPA does not, like the GDPR, require users to give affirmative, clear consent before any personal data is collected or processed.[109] Rather, it merely makes it possible for consumers to direct a business not to sell their personal information to a third party. Even that, with certain caveats.[110] A business under the CCPA must provide a “Do Not Sell My Personal Information” link on its homepage that links to another webpage enabling a consumer to opt-out of the sale of his/her personal information.[111] Otherwise, a business must only affirmatively not sell personal information of consumers if the business has “actual knowledge” that the consumer is less than 16 years of age and has not authorized the sale as either a 13-16 year old or through a parent or guardian.[112] This is an incredibly narrow circumstance since in nearly every online interaction, as technology currently stands, it is almost impossible for a business to gauge the actual age of the consumer or require parent or guardian authorization.
It is also important to note what the CCPA does not do, which is restrict a business’s ability to (1) collect, use, retain, sell, or disclose consumer information that is de-identified or in the aggregate consumer information and (2) collect or sell a consumer’s personal information if every aspect of that commercial conduct takes place wholly outside of California.[113]
In effect, the CCPA’s opt-out model provides legal recognition of a data harm by extending principles of torts and contracts,[114] which provides a notable cause of action, but reveals the limitation of privacy law.[115] There are privacy concerns everywhere –– not just with Big Tech –– and the core regulatory privacy approach has not changed from an inherently defensive stance.[116] Information and communication technologies have been rendered threats that we, as consumers, either in the European Union or the United States, must either consent to or hope that there is a cause of action to support our dissent.[117] Not only was there “always going to be a Cambridge Analytica” under these defensive stances, but there will likely be another one.[118]
III. PRIVACY RECODING DEPENDS ON ANTITRUST RECODING
While privacy law can benefit from a holistic “recoding,”[119] its ramifications are too steeped in antitrust concerns to be reformed alone.[120] When one thinks of data protection and privacy, the platform-based companies that are collecting that data for algorithms, experimentation, and advertisement revenues come to mind. Apple, Facebook, Amazon, Microsoft, and Google are growing through mergers and acquisitions, which increase their market power by increasing their access to and control over user data. For that, the issue is inherently baked into merger reviews.
The Sherman Antitrust Act, the bedrock of antitrust law, was enacted to prohibit activities that discourage competition in the marketplace.[121] Senator John Sherman introduced the Act because “the law of selfishness, uncontrolled by competition, compels it to disregard the interests of the consumer.”[122] He went onto delineate the evils that surface without this enforcement,
“If we will not endure a king as a political power we should not endure a king over the
production, transportation, and sale of any of the necessaries of life. If we would not submit to an emperor we should not submit to an autocrat of trade, with power to prevent competition and to fix the price of any commodity.”[123]
Antitrust enforcement, to Senator Sherman and the accompanying legislative intent for the Act, is thus necessary to conserve not just competition, but freedom in the marketplace.
Since its enactment, however, antitrust law has wrestled with delineating exactly what behaviors can be deemed anti-competitive and threaten freedom in the marketplace. In this regard, courts and regulatory agencies alike rely heavily on the presence or absence of market power to uproot an antitrust violation. But market power, understood as a company’s “ability to raise price profitably above the competitive level,”[124] arguably stands without a clear definition because it is unclear what that competitive level of pricing is.[125] Courts thus assess elasticity facing a firm by defining the relevant market and calculating the defendant’s market share within that market.[126] Some scholars propose that, instead, market power should be determined by evaluating whether the defendant’s conduct has enabled the defendant “to raise price above the prevailing level or maintain price above the but for level (the level to which price would fall absent the challenged conduct).”[127] Regardless of the alternatives available, many scholars share a concern in the lack of a reliable definition for market power.[128]
Naturally, a stronger definition of market power will result in better antitrust enforcement altogether. Without a reliable definition, the grounds are fertile for heightened monopoly power and concentration. Antitrust law is also often limited by the market power analysis more often than it is enhanced by it. The issue here, for privacy, is that the traditional market power analysis is based on the control of prices, but data provides another means of excluding competitors without being tethered to prices. And in the context of this Comment, ignoring the element of data in a market power analysis leaves merger review all the muddier.
IV. RECODING MERGER REVIEWS
The data acquired through mergers and acquisitions may not always be revelatory or unique, but does put mass amounts of commercially valuable data in the control of a few.[129] For that, merger review is of concern.
Much of the doctrine for merger review comes from the Clayton Act, which expanded upon the Sherman Act.[130] Mergers and acquisitions are particularly vulnerable to substantially lessening competition so, under Section 7 of the Clayton Act, the Federal Trade Commission (FTC) and Department of Justice (DOJ) must review and potentially enjoin mergers or attack anticompetitive businesses if they harm competition.[131] There are two types of mergers: horizontal and vertical. Horizontal mergers are mergers between firms operating in the same industry.[132] For example, a merger between Coca-Cola and Pepsi. Vertical mergers, on the other hand, are mergers between companies that provide different supply chain functions for a common good or service.
A principal question in merger analysis, then, is whether the proposed merger is likely to create, enhance, or facilitate market power.[133]
The antitrust revolution in the 1970s provides important background as to how this question is answered.[134] Price theory became the dominant lens with which to view anticompetition inquiries in the 1970s because “[w]hat exists is ultimately the best guide to what should exist.”[135] That shift was premised on the theory that, without prices, there can be “no markets, and consequently, no market power.”[136] Production, allocation, consumption, and pricing of goods and services thus took centerstage in antitrust enforcement and analyses under price theory.
Two consequences followed from the adoption of price theory. First, there was a “significant narrowing of the concept of entry barriers,” which are costs borne by a firm seeking entry into the industry.[137] Second, “consumer prices became the dominant metric for assessing competition.”[138] This metric is now understood as the consumer welfare standard, which originated with Robert Bork but has been interpreted by courts as a measurement of consumer prices.[139] Many scholars today critique the consumer welfare standard and how it has potentially crippled antitrust law’s capacity to confront big tech conglomerates. Antitrust attorney Lina Khan, especially, advocates for a reoriented approach, concentrated on competition, because consumer welfare is too narrow to capture the modern market characterized by a swath of companies offering free to low-cost services.[140]
In effect, price theory and the consumer welfare standard are fundamentally flawed when confronting Big Tech because they are not compatible with the outgrowths of technology and data. Predatory pricing, for example, becomes a highly rational endeavor for current market players under the price theory.[141] Existing business models also offer free to low-cost services in exchange for more valuable indicators of market power. Thus, price theory and the consumer welfare standard are especially ill-suited where is no way to quantify the loss to ‘consumer welfare’ after a loss of privacy and/or other non-monetary harm caused by market consolidation. Further, consumers care about more than just pricing. They care about quality, variety, innovation, and even privacy. Merger review is thus limited by a standard that companies like Facebook, Amazon, and Google could not successfully be scrutinized under.
The three main steps, now, in the United States’ merger review are: (1) to define the product market, which involves analyzing the set of products that a monopolist could profitably raise the prices of; (2) to define the geographic market, which parallels the area that the monopolist is allegedly raising prices in; and (3) predict the merger’s expected market share by determining the market share of the participants and any market concentration through the Herfindahl-Hirschman Index (HHI).[142] European competition law, similarly, employs the same tests but differs in some of its language.[143] The analysis is thus highly dependent on the definition of the market, and many antitrust disputes are won and lost once the relevant market is defined.[144] This could cause problems if one is counting on antitrust law to police privacy issues.[145]
For example, imagine a merger between Facebook and Salesforce.com. Facebook’s user base consists, almost entirely, of consumers. Salesforce’s user base consists, almost entirely, of businesses. They play in entirely different markets and would therefore draw far less scrutiny. Yet, they both have detailed, and complementary and/or non-duplicative, data about people. The combination of that data would move a lot of information and power under one roof.
Thus, while the substantive inquiry is no easy task, that does not rid it of exposition or modification. The procedure for merger review would significantly benefit from a revamping that includes the acquisition and stronghold over data in its determination.
The FTC and DOJ are specifically of concern because they spearhead merger review. Companies are generally required to report any deal valued at more than $94 million for review and after doing so, the FTC and DOJ decide whether the merger warrants a preliminary review.[146] Under such a limited definition of “substantially lessening competition,” however, merger reviews do not create or enhance competition, but preserve it.[147] When Google proposed to acquire DoubleClick, a company that developed and provided Internet ad serving services,[148] for example, the FTC closed its investigation because it is strictly concerned with “identify[ing] and remedy[ing] transactions that harm competition.”[149] A market can, therein, only be as good as it already is.[150] This presents difficulties when, for example, in the wake of COVID-19, the “only option” adopted by students, teachers, healthcare providers, therapists, and professionals across the board is Zoom, despite its neglect for data protection and privacy.[151] Or, for example, when platform-based companies have restructured the market with a new business model whereby users are offered free and/or low-cost services because the company’s near-entire revenue is based off advertisements.[152] These behaviors have led to users bearing the cost of privacy breaches, at best.[153] At its worst, it leads companies to experiment on their users, without their consent, through algorithms designed to manipulate and predict consumer behavior that will, in turn, give companies an upper-hand in the market.[154] While the social concerns are salient, the task of antitrust law, as professed by Senator Sherman on the Senate floor, is clear: to prevent such abuses and preserve competition in the marketplace. Antitrust is a safeguard and check for democracy. Changing the methods of merger review such that the definitions of market power and consumer welfare are broadened to include modern indicators of economic growth and concentration would suture some of these wounds, and a look into two European Union Commission decisions on proposed mergers explains why.
V. MERGING PRIVACY PROTECTIONS WITH A LACK THEREOF: THE FACEBOOK/WHATSAPP MERGER
Unlike WhatsApp, who built its business “around the goal of knowing as little about
[users] as possible,” Facebook Messenger “enables Facebook to collect data regarding its users that it uses for the purposes of its advertising activities.”[155] When the two decided to merge, then, there were tremendous privacy implications for WhatsApp users whose data was now being controlled by an entity that they either intended for a different use or wanted an escape from.[156]
The European Commission, in 2014, conducted its review and considered privacy of the proposed merger between Facebook and WhatsApp.[157] Facebook’s Facebook Messenger already competed with WhatsApp, so the European Commission tailored its review to the possible loss of competition in the social media market,[158] the communications app market,[159] and in the online advertising market.[160] A premier question of the review was whether the merger would create a concentration of data and thus, create a “data monopoly.”[161] The Commission answered no. In its approval of the merger, the Commission yielded that “regardless of whether the merged entity will start using WhatsApp user data to improve targeted advertising on Facebook’s social network, there will continue to be a large amount of Internet user data that are valuable for advertising purposes and that are not within Facebook’s exclusive control.”[162]
Interestingly, however, the Commission spent a considerable amount of time looking at how consumer privacy choices may be implicated. The Commission specifically looked to different privacy policies available to consumers. For example, the Commission noted that many German users switched to Threema and Telegram –– two existing communication apps –– “in the 24 hours following the announcement of Facebook’s acquisition of WhatsApp” for their greater privacy protections.[163] WhatsApp thus “disrupt[ed] the market conditions” by merging with a market incumbent and potentially creating “loss of actual or potential competition.”[164] This was indication of healthy competition to the Commission, not threatened by the merger.
The Commission concluded that, generally, “the main drivers of the competitive interaction between consumer communications apps appears to be (i) the functionalities offered and (ii) the underlying network.”[165] Both were of concern in this review and because “between [70-80]% and [80-90]% of WhatsApp users were Facebook users,” WhatsApp users were not at odds with Facebook Messenger’s users.[166] Immediately after, however, a high number of WhatsApp users immediately switched to Telegram.[167] Given Telegram’s oscillating nature in the market, this, if anything, signals that people want the better design of WhatsApp and the better privacy of Telegram.[168] But rather than analyze this acquisition keenly, the Commission dodged the real data privacy implications inherent in this merger so to uphold a “pure” antitrust investigation. Even though a pure antitrust investigation does implicate data and privacy protection because, as here, valuable user data is now under the control of a company that those users specifically intended to escape by using another app, like WhatsApp.
Further, while privacy was not at the forefront of the Commission’s review, it was of enough importance to propel and substantiate its argument.[169] Instead of trusting the instinct to adapt its analysis of competition to the modern economy, however, the Commission cut its analysis too short, and sacrificed thousands of users’ data and future privacy protections in the process.[170]
Despite Facebook and WhatsApp’s merger resulting in an increase in market share to nearly 40%, the Commission found that the substantial overlap of their user base meant Facebook and WhatsApp “were more like providers of complementary services than close competitors.”[171] This analysis falls short in recognizing that an overlap or duplication of data from a particular user base does not preclude antitrust violation. That overlap may not be dangerous under a strict consumer welfare standard, but it is dangerous when one considers market power, a company’s ability to raise prices above the competitive level, and that data may be an indicator of it. The Commission went on to conclude that, after the merger, there would be alternative providers for users to easily choose from, no significant barriers to entry, and network effects would not seriously hinder competitor expansion or entry, even if Facebook integrated its Messenger service with WhatsApp.[172] But this power to choose was inevitably limited by this decision, which gave Facebook more power to tailor its advertisements to users through data collection, and by extension, gives Facebook more revenue and market share.
The privilege of hindsight also disfavors the Commission’s decision that the merger would not significantly impede competition in the communications market. When merging, the United States FTC sent a letter to WhatsApp:
WhatsApp has made a number of promises about the limited nature of the data it collects, maintains, and shares with third parties – promises that exceed the protections currently
promised to Facebook users. We want to make clear that, regardless of the acquisition,
WhatsApp must continue to honor these promises to consumers. Further, if the
acquisition is completed and WhatsApp fails to honor these promises, both companies
could be in violation of Section 5 of the Federal Trade Commission (FTC) Act and, potentially, the FTC’s order against Facebook.[173]
Yet, in 2016, WhatsApp began sharing user’s phone numbers, last seen data, operating systems, mobile country codes, mobile carrier codes, screen resolutions, and device identifiers with Facebook.[174] In 2018, Facebook unapologetically informed WhatsApp that its functions would now be the same as those of Facebook, Instagram, and Messenger: to help advertisements reach their intended audiences. Shortly thereafter, WhatsApp founders resigned from Facebook.[175] Although this may be reduced to a breach of contract, the Commission can prevent such consequences. They can do a more detailed privacy analysis and issue greater penalties for not keeping promises made to antitrust regulators.
This is all notwithstanding Facebook’s decision to intentionally withhold its ability to automatically match users who both had the Facebook and WhatsApp apps installed, given it was already doing so for those with both Facebook and Instagram.[176] Facebook’s misleading information cost it 110 million in fines,[177] but this did not change the Commission’s decision.[178] The proposed transaction was lawful regardless of Facebook’s misconduct because the integration of Facebook and WhatsApp data did not, at the end of the day, significantly impede competition in the communications market.[179]
Internationally, this decision undermined the credibility of antitrust enforcement. The Commission applied the consumer welfare standard for substantially lessening competition and thus, deprived its review of how data privacy and competition would be compromised.
VI. THE MICROSOFT/LINKEDIN MERGER
The European Commission was put to the test again in 2016, when Microsoft’s proposed merger with LinkedIn invited another review of a potential data monopoly.[180] The Commission, again, landed on the negative, that “the combination of their respective datasets does not appear to result in raising the barriers to entry/expansion for other plays in this space, as there will continue to be a large amount of internet user data that are valuable for advertising purposes … not within Microsoft’s exclusive control.”[181] But privacy, again, ended up in its review despite privacy related concerns purportedly falling outside “the scope of EU competition law.”[182]
The Commission was mainly concerned that Microsoft could use certain integration and pre-installment practices in connection with the LinkedIn app to foreclose competition in the market for professional social networks.[183]
[T]o the extent that these foreclosure effects would lead to the marginalization of an existing competitor which offers a greater degree of privacy protection to users than LinkedIn (or make the entry of any such competitor more difficult), the Transaction would also restrict consumer choice in relation to this important parameter of competition when choosing a [professional social network].[184]
As the Commission notes, this foreclosing of competition would not only reduce a consumer’s ability to choose their preferred social network, but also, prevent them from exercising a choice that would protect or, at least, to some extent, alleviate their privacy concerns.[185] As a remedy, Microsoft was to restrict its conduct in connection with integrating and pre-installing the LinkedIn app, but otherwise, the merger was approved.[186] Microsoft also agreed not to increase the difficulty for other professional social networks to work within the Microsoft system.[187]
It is difficult to understand how the Commission deemed privacy as a parameter for Microsoft’s potential integration and/or pre-installation of the Linked-In app. Certainly, the Commission could have signed off on those restrictions without identifying privacy as a parameter.[188]
[I]n Facebook/WhatsApp, in 2014, the Commission found that, while an increasing number of users valued privacy and security, at that time the majority of consumer communications apps (e.g. Facebook Messenger, Skype, WeChat, Line, etc.) did not (mainly) compete on privacy features. When reviewing Microsoft/LinkedIn in 2016, the Commission found that privacy was an important parameter of competition among professional social networks, in particular in certain EU Member States, such as Germany.[189]
The decision not to indicates that antitrust review and regulation for tech and data companies has, at the least, a residual privacy component. At its heights, privacy steeps itself into antitrust concerns, with the potential to either exacerbate the lack of consumer choice or reconceptualize consumer choice and freedom.
The Commission here, for example, did not shy away from discussing Xing, a professional social network that “seem[ed] to offer a greater degree of privacy protection than LinkedIn” in Germany and Austria.[190] While LinkedIn users automatically accept its privacy policy upon pressing the ‘join now’ button and consent is otherwise assumed,[191] Xing has a separate box to tick in order to accept its privacy policy,[192] seeks active user consent for new policies,[193] and allows users to use the service regardless of their consent to those policies.[194] The contrast between LinkedIn and Xing’s privacy policies, tangentially, are excellent examples of what a consent model under the GDPR looks like as opposed to opt-in or opt-out models.[195]
At large, the Commission was not concerned about privacy, understood as the right to keep information from others, but instead okayed the merger because others have this information too. The collection of large amounts of data leads to serious privacy concerns and serious market power concerns, but these were deemed two very different concerns in the Commission’s review of both the Facebook/WhatsApp merger and the Microsoft/LinkedIn merger. The market power issues with collecting swaths of data were mitigated by the existence of even more data somewhere else. Yet, the privacy issues with collecting swaths of data are exacerbated, not mitigated, by the existence of even more data somewhere else. In both cases, and even more-so in the Microsoft/LinkedIn merger, the Commission seemed somewhat concerned with the economic effects of data collection, but not at all concerned with the privacy effects of data collection.
That renders the Commision’s discussion as only the first step in addressing privacy concerns. The Commission needs to not only prioritize and analyze the availability of consumer choice for privacy policies, but also, the potential to have that choice overridden by accumulating enough data. The accumulation of commercially valuable user data is what increases –– and at, the least, should indicate –– market power. So, it is not surprising that the Commission’s decision does not bode well with user privacy concerns because the idea of a competitive marketplace has devolved into four technology companies trading off, for the most part, the same data.
VII. WHAT DO THESE DECISIONS ENTAIL FOR PRIVACY? WHY ISN’T PRIVACY REGULATION, ON ITS OWN, ENOUGH?
Privacy regulation is both with and without foundation in the United States. On one hand, it is the right “to be let alone” that the late Justice Brandeis protected in his article, The Right to Privacy.[196] On the other, most privacy causes of action rely on other doctrines of law to receive defense, protection, and/or remedy, and this remedy, if granted, is often inadequate.[197]
This is inherently limiting. At its most basic level, the character of the common law both requires and relies on heavy doctrinal support to produce and guarantee strong, favorable outcomes to wronged citizens.[198] On an even more basic level, the character of the common law is to move slowly, which does not have much hope in matching the massive scale technology operates on.
State regulation would ideally provide a counterpart to the disadvantages of having little doctrinal support for modern notions of privacy in the common law. Yet, statutory remedies have only proven feeble against big tech companies.[199] The CCPA is mainly equipped to address the actual selling and transferring of data that connects to a user, but Big Tech only shares user data to third-parties with an attached pseudonym before placing the user in a targeting bucket. Google, for example, knows what users think because they tell it.[200] Every search is a communication in a two-way mirror that users are maybe only marginally aware of. And Google does with this information what every other big company does: it uses it to wield unprecedented power both in the market and in a citizen’s daily life.[201] In addition to monopolizing ad revenue, it rewrites the freedom of press, governs the internet to the point where news agencies must collaborate with Google to have any traction, and bullies anybody who does not comply with their conditions, by providing subscriber and reader data, out of sight and out of search.[202] Google’s share of the market is so large that it could even be argued AT&T acquired Time Warner as a defense to Google’s increasing market power.[203]
VIII. DOJ AND FTC MERGER REVIEW CAN IMPLEMENT THIS CHANGE
If regulatory agencies were to recognize data as an indicator of market power, antitrust enforcement would be better off against the modern economy. Antitrust law is a rather recent phenomena that can and does deserve some level of restructuring in response to changes in the market, market structure, or consumer behavior.[204] No one assessment can survive the test of time when it comes to consumer behavior. Regulatory agencies are better off recognizing this. Congress is beginning to, since its recent Investigation of Competition in Digital Markets is one of the first in tens of years to address the magnitude of the concentration crisis.[205]
In the meantime, what the DOJ and FTC can do is twofold. First, they can adopt new standards for measuring competition that reflect the modern marketplace. The amount of free to low-cost services provided by the biggest companies in the world should signal that no standard can be solely and exclusively based on pricing. By doing so, the DOJ and FTC invite more holistic and potentially multifactor investigations that would consider data and privacy concerns, and provide an answer to the zero-price market.[206]
Second, both agencies can understand data as an indicator of market power. Zero-price services are not free.[207] If they were, then there would be no harm to assess under a consumer welfare standard. These services are instead paid for by collecting, using, manipulating, and restructuring data.[208] This makes data a materialized social relation –– potentially more valuable than a market good or natural resource. Tech companies have been able to multiply their revenue and share of the market because of an asset that antitrust agencies simply have not been equipped to understand or enforce, and that must be stopped. Considering data an indicator of market power would then reinvent consumer choice by repositioning tech companies that have taken advantage of this antitrust loophole.
It is no understatement to say the FTC alone has the potential to reshape the United States economy. Its broad jurisdiction over privacy, consumer protection, and antitrust laws gives it strong legal authority to define what unfair methods of competition are and how corporations should go about their daily business.[209] Instead of being tougher on corporations, however, the FTC has privileged settlements and consent decrees over policy.[210]
Data protection and privacy are important, but are often seen as policy concerns that are too big to tackle. Many of their core issues, however, need not be resolved directly. A competitive marketplace is meant to insure against monopolists, encourage innovation, underpin middle-class growth, and protect consumers. Part of protecting consumers is protecting privacy, especially amidst merger reviews that result in both a less competitive marketplace by putting more data in the hands of a few and even more compromised consumer privacy. With proper antitrust enforcement, the problem will not go away, but it may, at the least, lose to the market.
CONCLUSION
At this point of the Comment, it is clear why antitrust and privacy are not only related, but also, inseparable. Privacy regulation depends, to some extent, on the working relationship between agencies, the judiciary, and antitrust enforcement. Further, privacy regulation is inadequate without properly internalizing and embodying antitrust values and principles.
Antitrust law, then, must reflect the modern marketplace. The DOJ and FTC must allow for broader interpretations of ‘substantially lessening competition’ so to account for the influx of zero-pricing and concomitant data grabs. This is done by broadening or abandoning the price theory central to a consumer welfare analysis. When the analysis for competition is (1) broadened to accommodate for the new levers of the marketplace, which do not necessarily include prices, and (2) data is considered an indicator of market power, antitrust enforcement can begin a robust response to the new characters and behaviors of the modern economy.
Without data protection and privacy enshrined as a human right, privacy laws existentially rely on statutory causes of action and remedies. And while legislation can provide notable privacy protections, they cannot go far without attacking the problem at the root: the companies that are compromising individual privacy, and thus, economic freedom, competition, and innovation. That is where antitrust enforcement must step in to protect competition, consumer privacy, and consumer choice.
[1] Peter Swire, Protecting Consumers: Privacy Matters in Antitrust Analysis, Ctr. For Am. Progress (Oct. 19, 2007) https://www.americanprogress.org/issues/economy/news/2007/10/19/3564/protecting-consumers-privacy-matters-in-antitrust-analysis/. See also Frank A. Pasquale, Privacy, Antitrust, and Power, 20 George Mason Law Review 1009, 1010 (2013) (“The neoliberal account of “competition promoting privacy” only achieves surface plausibility by privileging the short-term “preferences” of consumers to avoid data sharing. The narrowness of “notice-and-consent” as a privacy model nicely matches the short-term economic models now dominating American antitrust law. The establishment in the field is largely unconcerned with too-big-to-fail banks, near monopoly in search advertising, media consolidation, and other forms of industrial concentration. By focusing myopically on efficiency gains that can be temporary or exaggerated, they gloss over the long-term pathologies of corporate concentration. So, too, does a notice-and-consent privacy regime privilege on-the-fly consumer judgments to “opt-in” to one-sided contracts over a reflective consideration of how data flows might be optimized for consumers’ interests in the long run. As privacy declines and companies consolidate, mainstream antitrust and privacy theory often legitimates the process. Some scholarship can even amount to the “structural production of ignorance,” characterizing scenarios as “consent” and “competition” when they are experienced by consumers and users as coercive and monopolistic.”)
[2] This assertion is, of course, dependent on how ‘harm’ and ‘quality’ are subjectively defined. See Solove & Citron, infra note 115 and accompanying text to understand how that harm is discussed in the context of this Comment. See also Sections I and II.
[3] Screenshot of Safari homepage, Perma (data uploaded).
[4] Oracle is one of the largest sellers of personal data worldwide. These are the Largest Data Brokers in America, The Privacy Blog, https://privacybee.com/blog/these-are-the-largest-data-brokers-in-america/.
The European Union has recently brought suit against Oracle and Salesforce for their data collection practices. See Natasha Lomas, Oracle and Salesforce Hit with GDPR Class Action Lawsuits Over Cookie Tracking Consent, TechCrunch (Aug. 14, 2020) https://techcrunch.com/2020/08/14/oracle-and-salesforce-hit-with-gdpr-class-action-lawsuits-over-cookie-tracking-consent/. A detailed investigation of Oracle would prove tremendously useful to any antitrust or privacy attorney, but until the lawsuit is public, information about the company’s practices is shrouded. The data Oracle collects, however, is so useful that Facebook lists it as one of its partner categories who it licenses with for more precision in ad targeting. See Improving Accountability and Updates for Facebook Targeting, Facebook https://www.facebook.com/business/m/one-sheeters/improving-accountability-and-updates-for-facebook-targeting and Kalev Leetaru, The Data Brokers So Powerful Even Facebook Bought Their Data, Forbes (Apr. 5, 2018), https://www.forbes.com/sites/kalevleetaru/2018/04/05/the-data-brokers-so-powerful-even-facebook-bought-their-data-but-they-got-me-wildly-wrong/?sh=27f478583107.
[5] It has become popular to hide trackers with apps like StatCounter or D. They are oftentimes apps themselves or Google Chrome extensions.
[6] See Charles Warzel & Ash Ngu, Google’s 4,000-Word Privacy Policy is a Secret History of the Internet., N.Y Times (July 10, 2019), https://www.nytimes.com/interactive/2019/07/10/opinion/google-privacy-policy.html.
[7] See Ravie Lakshmanan, How Facebook and Google are Using Algorithms to Predict your Next Thought, The Next Web (May 2, 2019), https://thenextweb.com/tech/2019/05/02/how-facebook-and-google-are-using-algorithms-to-predict-your-next-thought/; see also Olivia Goldhill, An Algorithm Can Predict Human Behavior Better than Humans, Quartz (Oct. 18, 2015), https://qz.com/527008/an-algorithm-can-predict-human-behavior-better-than-humans/.
Google, for example, indicates in its Privacy & Terms that it “uses the information shared by sites and apps to deliver [its] services, maintain and improve them, develop new services, measure the effectiveness of advertising, protect against fraud and abuse, and personalize content and ads you see on Google and on our partners’ sites and apps.” See Privacy & Terms, Google, https://policies.google.com/technologies/partner-sites?hl=en-US (last visited Jan. 22, 2021). Such an intentionally broad definition of Google’s purpose when collecting and using this information inevitably involves massive privacy implications. See infra Sections II, III, and IV.
Relatedly, the FTC recently brought suit against Facebook for “illegally maintaining its social networking monopoly through a years-long course of anticompetitive conduct.” See Press Release, Fed. Trade Comm’n, FTC Sues Facebook for Illegal Monopolization (Dec. 9, 2020) (on file with author), https://www.ftc.gov/news-events/press-releases/2020/12/ftc-sues-facebook-illegal-monopolization. The suit will probably contain significant relevations regarding how Facebook’s behaviors impact privacy.
[8] Paying users for their data is gaining traction politically and socially. See Eduardo Porter, Your Data is Crucial to a Robotic Age. Shouldn’t You be Paid For It?, N.Y. Times (Mar. 6, 2018), https://www.nytimes.com/2018/03/06/business/economy/user-data-pay.html; see also Laura Hautala, California Wants Silicon Valley to Pay you a Data Dividend, CNet (Feb. 25, 2019), https://www.cnet.com/news/california-wants-silicon-valley-to-pay-you-a-data-dividend/.
Even former presidential candidate, Andrew Yang, pushed for users to be paid for their data and made it part of his campaign message. See Makena Kelly, Andrew Yang is Pushing Big Tech to Pay Users for their Data, The Verge (June 22, 2020), https://www.theverge.com/2020/6/22/21298919/andrew-yang-big-tech-data-dividend-project-facebook-google-ubi.
For a further discussion of data as property, see generally Salome Viljoen, Data as Property?, Phenomenal World (Oct. 16, 2020), https://phenomenalworld.org/analysis/data-as-property.
[9] They also may worsen competition. See Randal C. Picker, Competition and Privacy in Web 2.0 and the Cloud, 103 Nw. U. L. Rev. Colloquy 1, 11–12 (2008) (“An uneven playing field that allows one firm to use the information that it sees while blocking others from doing the same thing creates market power through limiting competition. We rarely want to do that. And privacy rules that limit how information can be used and shared across firms will artificially push towards greater consolidation, something that usually works against maintaining robust competition.”).
Consumers, also, are not able to exercise their consideration for privacy because of the lack of choice. “Consumers are concerned about their privacy and don’t like companies knowing their intimate secrets. But they feel powerless and are often resigned to the privacy invasions because they don’t have any real choice. People need to own credit cards, carry cellphones, and have email addresses and social media accounts. That’s what it takes to be a fully functioning human being in the early 21st century. This is why we need the government to step in.” Should we be afraid? See Liz Mineo, On Internet Privacy, Be Very Afraid, Harv. L. Today (Aug. 25, 2017),
https://today.law.harvard.edu/internet-privacy-afraid/.
[10] The DOJ recently brought suit against Google for violating antitrust laws in the search and search advertising markets. See Press Release, Dep’t of Just., Justice Department Sues Monopolist Google for Violating Antitrust Laws (Oct. 20, 2020) (on file with author), https://www.justice.gov/opa/pr/justice-department-sues-monopolist-google-violating-antitrust-laws.
Epic Games also recently filed an antitrust suit against Apple alleging Apple has become the precise monopoly it once criticized IBM for being, and that George Orwell might have been right about 1984. Sarah E. Needleman, Hearing in ‘Fortnite’Maker’s Apple Lawsuit Tests Antitrust Claims, The Wall St. J. (Sept. 28, 2020, 4:55 PM). Albeit, this suit relates to the App Store and not Apple’s operating system as a whole. Rather, each operating system dominates a particular arena in its own way, which may be behavior the market would like to encourage, anyway.
For a further discussion on the Epic Games lawsuit, see infra note 16.
[11]“[T]he ability of a firm––or a group of firms, acting jointly––to raise prices above the competitive level without losing so many sales so rapidly that the price increase is unprofitable and must be rescinded.” William M. Landes & Richard A. Posner, Market Power in Antitrust Cases, 94 Harv. L. Rev. 937, 937 (1981).
[12] Monopoly power is defined as “a high degree of market power.” Id.
[13] This is tremendous power. When public radio was first introduced and became widespread in the 1920s, Congressman Luther A. Johnson of Texas spoke poignantly about the problem of concentration of control with such a medium. His words are worth quoting in full.
There is no agency so fraught with possibilities for service of good or evil to the American people as the radio. As a means of entertainment, education, information, and communication, it has limitless possibilities. The power of the press will not be comparable to that of broadcasting stations when the industry is fully developed. If the development continues as rapidly in the future as in the past, it will only be a few years before these broadcasting stations, if operated by chain stores will simultaneously reach an audience of over a half of our entire citizenship, and bring messages to the fireside of nearly ever home in America. They can mold and crystallize sentiment as no agency in the past has been able to do. If the strong arm of the law does not prevent monopoly owenership and make discrimination by such stations illegal, American thought and American politics will largely be at the mercy of those who operate these stations. For publicity is the most powerful weapon that can be wielded in a Republic, and when such a weapon is placed in the hands of one, or a single selfish group is permitted to either tacitly or otherwise acquire ownership and dominate these broadcasting stations throughout the country, then woe be to those who dare to differ with them. It will be impossible to compete with them in reaching the ears of the American people.
44 Decisions and Reports of the Federal Communications Commission of the United States, Part 2, 2464–65.
[14] “Surveillance is the business model of the internet.” Meneo, supra note 10.
[15] The Epic Games lawsuit against Apple arguably serves as one example. See Needleman, supra 11. Epic Games alleges that Apple’s control over iPhones led Apple to assume control over the App Store. But the App Store, Epic Games contends, is an essential facility, so it must be shared with competitors or customers reasonably. Charging 30% for any revenue generated by any iPhone app during its first year, however, is not dealing with competitors or consumers reasonably. Epic Games inevitably proposes that Apple’s App Store policies are anti-competitive and therefore, against the people’s right to control commerce. “Spotify, Match Group, and Facebook” have all agreed with this characterization of Apple’s App Store policies in public criticisms. See Epic Games Says Apple Threatened to Cut it Out of the App Store Entirely, CNBC (Aug. 17, 2020), https://www.cnbc.com/2020/08/17/epic-games-says-apple-threatened-to-revoke-developer-account.html.
Apple’s control of the App Store has also led it to purportedly act for consumer privacy. See Chance Miller, Apple Doubles Down on iOS 14 Tracking Privacy as Facebook Panics, 9to5 Mac (Aug. 11, 2020), https://9to5mac.com/2020/08/11/apple-ios-14-privacy-tracking-facebook/. Apple stopped allowing easy tracking of app installs in the latest iOS, thereby making it harder for ad companies to reach valuable user information regarding the success and usability of their apps. Now, iPhone users will see a pop-up warning them that a particular app will be tracking their data for advertising purposes, and will enable them to “block the app from doing so.” See Megan Graham, Apple’s Seismic Change to the Mobile Ad Industry is Drawing Near, and it’s Rocking the Ecosystem, CNBC (Dec. 15, 2020), https://www.cnbc.com/2020/12/15/apples-seismic-change-to-the-mobile-ad-industry-draws-near.html.
The decision has already infuriated Facebook, who warns that “50% of its revenue” could be compromised and, in fact, protects Apple’s own targeted ad business, which is the hidden exception to data tracking notifications. See id. On the other hand, a provider’s decision on what to amplify on its services has tremendous sociopolitical implications.
Parler, for example, was founded in 2018 as an alternative to Twitter, who begun implementing user policies that resulted in moderated and/or banned content. The platform quickly turned into the launchpad for conservatives, conspiracy theorists, and right-wing extremists. See Elizabeth Culliford and Katie Paul, Unhappy with Twitter, Thousands of Saudis Join Pro-Trump Social Network Parler, Reuters (June 13, 2019), https://www.reuters.com/article/us-twitter-saudi-politics-idUSKCN1TE32S; Parler ‘Free Speech’ App Tops Charts in Wake of Trump Defeat, BBC News (Nov. 9, 2020), https://www.bbc.com/news/technology-54873800; Parler: Where the Mainstream Mingles with the Extreme, ADL (Nov. 12, 2020), https://www.adl.org/blog/parler-where-the-mainstream-mingles-with-the-extreme; Isaac Saul, This Twitter Alternative Was Supposed to be Nicer, But Bigots Love it Already, Forward (July 18, 2019), https://forward.com/news/427705/parler-news-white-supremacist-islamophobia-laura-loomer/.
Parler re-entered the news cycle after it was discovered to be the primary service used to plan the storming of the U.S. Capitol on January 6, 2021. See Sheera Frenkel, The Storming of Capitol Hill Was Organized on Social Media, N.Y. Times (Jan. 6, 2021), https://www.nytimes.com/2021/01/06/us/politics/protesters-storm-capitol-hill-building.html. As a result, Google pulled Parler from the Google Play Store and Amazon suspended Parler from Amazon Web Services because its lack of moderation policies posed a public safety threat. See Jay Peters, Google Pulls Parler from Play Store for Fostering Calls to Violence, The Verge (Jan. 8, 2021), https://www.theverge.com/2021/1/8/22221648/google-suspends-bans-parler-play-store; John Paczkowski & Ryan Mac, Amazon Will Suspend Hosting For Pro-Trump Social Network Parler, Buzzfeed News, (Jan. 9, 2021), https://www.buzzfeednews.com/article/johnpaczkowski/amazon-parler-aws.
Apple did not immediately suspend Parler. Instead, Apple gave Parler 24 hours to submit a moderation improvement plan. Still, Parler is unloading a repository of antitrust suits against the tech giants. See Leah Nylen, Parler Hits Amazon with Antitrust Suit over Shutdown, Politico (Jan. 11, 2021), https://www.politico.com/news/2021/01/11/parler-amazon-antitrust-suit-457579.
This is all to say that the old adage rings true: with great [market] power comes great responsibility.
[16] For a general discussion of the differences between EU and US treatment of digital privacy, see Filippio Lancieri, Digital Protectionism? Antitrust, Data Protection and the EU/US Transatlantic Rift, 7 J. Antitrust Enf’t (2018).
[17] See id. Because the EU enshrined data protection and privacy as a human right, the subsequent General Data Protection Regulation (GDPR) followed a consent-model much stronger in its consumer protections than the United States’s strongest competing privacy regulation: the California Consumer Privacy Act (CCPA). See infra Sections III and IV.
[18] Although there are foundational differences, see, e.g. 6 Makan Delrahim, Assistant Attorney Gen., Dep’t of Just., Good Times, Bad Times, Trust Will Take Us Far: Competition Enforcement and the Relationship Between Washington and Brussels (Feb. 21, 2018), https://www.justice.gov/opa/speech/assistantattorney-general-makan-delrahim-delivers-remarks-college-europe-brussels (“[e]uropean competition law still imposes a ‘special duty’ on dominant market players, while we in the U.S. do not believe any such duty exists”), the reviews are subject to similar legal standards.
[19] See infra Sections V and VI on the Microsoft/LinkedIn merger and Facebook/WhatsApp merger.
Since the Chicago school revolutionized the direction to and of antitrust law, the consumer welfare standard has governed most judicial interpretation of anti-competitive behavior. See generally Robert H. Bork, The Antitrust Paradox: A Policy at War with Itself (1978). The implications of this philosophy were not lost on criticism. See Lina Khan infra note 25. Khan argues the Chicago School revolution shaped the predatory pricing doctrine such that predatory pricing was deemed “almost always irrational, and so is unlikely actually to occur,” even though, right now, Amazon has become a titan through precisely that. See id. at n. 82.
The revolution also informed the consumer welfare standard, which Khan argues “fails to capture the architecture of market power in the twenty-first century marketplace.” Id. at 716. Because, for example, the “potential harms to competition posed by Amazon’s dominance are not cognizable if we assess competition primarily through price and output. Focusing on these metrics instead blinds us to the potential hazards.” Id. at 716-17.
But before that criticism could even occur, the evolution of technology rendered an already impotent philosophy even more vulnerable. Suddenly, low consumer prices were not a reliable metric of how the market is doing or whether there is space fertile for competition. Id. This gave rise to what is now dubbed the neo-Brandeisian movement, aiming to honor and defibrillate the philosophy of Justice Louis Brandeis. While the movement does not have a clear manifesto – and has been criticized for such – its aims are not difficult to gauge. See, e.g., Daniel A. Crane, How Much Brandeis do the Neo-Brandeisians Want?, The Antitrust Bull. (Nov. 8, 2019), https://econ.utah.edu/antitrust-conference/session_material/Anitrust%20Bulletin%20Article%202019.pdf.
Justice Brandeis was one of the most critical figures at a time when oligarchs like J.P. Morgan were lobbying and gambling their way through Washington. He predicted the crash of 1929 and heavily criticized any form of corporate ‘bigness.’ See generally Louis D. Brandeis, Curse of Bigness (1914). Coincidentally, apart from his work in antitrust and criticism of big government, he is most lauded for his defense of privacy. See Louis D. Brandeis & Samuel D. Warren, The Right to Privacy (1890). Neo-Brandeisians follow suit. The market structure, to neo-Brandeisians, is “deeply political” by setting policy, regulating markets, taxing, and asserting dominance. See Zephyr Teachout & Lina Khan, Market Structure and Political Law: A Taxonomy of Power, 9 Duke J. of Const. L. & Pub. Pol’y 37-74 (2014).
These are, of course, ideological assertions that some would argue are inconsistent with the empirical work done by public choice scholars. To neo-Brandeisians, however, the answer to strongholds of market power and monopolies is to “design a system of public regulation that prevents the executives who manage [a monopoly] from exploiting their power.” Lina Khan, The New Brandeis Movement: America’s Antimonopoly Debate, 9 J. Eur. Competition L. & Prac. 131 (2018). And with that, to “ensure that executives face the right incentives to provide the best service possible to everyone who relies on the monopoly to sell or to buy a particular product or service.” Id. This anti-monopoly stance then divorces itself from any potential social goal, hoping to instead focus on structures and a “broader set of measures” to assess market power. Id. For a criticism of this philosophy, see Daniel A. Crane, How Much Brandeis Do the Neo-Brandeisians Want?, 64 Antitrust Bull. 531 (2019).
[20] See generally Urs Gasser, Recoding Privacy Law: Reflections on the Future Relationship Among Law, Technology, and Privacy, 130 Harv. L. Rev. F. 61 (2016).
For a further discussion on the Chicago School of Thought, see Joe S. Bain, Workable Competition in Oligopoly: Theoretical Considerations and Some Empirical Evidence, 40 AM. ECON. REV. 35, 36-38 (1950); Marc Allen Eisner, Antitrust and the Triumph of Economics: Institutions, Expertise, and Policy Change 107 (1991); Richard A. Posner, The Chicago School of Antitrust Analysis, 127 U. PA. L. Rev. 925, 932 (1979); and Raghuram Rajan & Luigi Zingales, Saving Capitalism from the Capitalists (2003).
[21] Omri Wallach, How Big Tech Makes their Billions, Visual Capitalist (July 6, 2020), https://www.visualcapitalist.com/how-big-tech-makes-their-billions-2020/; They Made How Much?, N.Y. Times (July 31, 2020), https://www.nytimes.com/2020/07/31/business/dealbook/tech-earnings-economy.html
[22] Barry C. Lynn, The Big Tech Extortion Racket, Harper’s Mag., Sept. 2009, https://harpers.org/archive/2020/09/the-big-tech-extortion-racket/.
[23] Google, Instagram, and Facebook are all free to use, posing serious inquiries (at best) regarding what the real expense is. See infra Section IV. Amazon’s record low costs, too, have left booksellers, authors, and publishers desperate for antitrust regulation. See Joint Letter to Chairman David Cicilline from the Association of American Publishers, The Authors Guild, and American Booksellers Association (Aug. 17, 2020), available at https://lunch.publishersmarketplace.com/wp-content/uploads/2020/08/Joint-Letter-to-Chairman-Cicilline-081520-Advance-Copy.pdf. They allege that Amazon’s market power, which enables it to maintain those record low costs, stems not only from Amazon’s share of the market for book distribution, but also from the astonishing level of data that it collects across its entire platform. Amazon tracks and uses data that provides it with an incredible amount of information about individuals and how to target them, such as: what their interests are; what products or books they have bought or pre-ordered; from whom; at what price point; what they have perused or considered purchasing; what video-games they are playing; and what television shows or movies they are watching. The result is that Amazon no longer competes on a level playing field when it comes to book distribution, but, rather, owns and manipulates the playing field, leveraging practices from across its platform that appear to be well outside of fair and transparent competition.
Id. Amazon’s control does not end there. Nor do its coercive tactics. In late 2020, Amazon announced its intention to launch Amazon Pharmacy, a new service offering home delivery for prescription medication. Joe Pompliano (@JoePompliano), Twitter (Nov. 17, 2020, 4:47 AM), https://twitter.com/joepompliano/status/1328681174278033408. Immediately after the announcement, CVS’s stock dropped nearly 10%, despite CVS preparing to be a lead distributor in the COVID-19 vaccine. See Jesse Pound, Walgreens Drops 9% to Lead Drug Store Stocks Lower After Amazon Launches Pharmacy Business, CNBC (Nov. 17, 2020), https://www.cnbc.com/2020/11/17/walgreens-drops-11percent-to-lead-drug-store-stocks-lower-after-amazon-launches-pharmacy-business.html. With Amazon Pharmacy, Amazon inevitably plans to tie lower drug prices to its Amazon Prime Membership, unlocking new definitions of market power.
[24] See generally Lina M. Khan, Amazon’s Antitrust Paradox, 126 Yale L.J. 710 (2017) (arguing Amazon became a titan through predatory pricing –– the practice of keeping prices low to pursue growth). Current antitrust frameworks, Lina Khan argues, cannot respond to the anticompetitive harms of companies like Amazon because of the consumer welfare standard. Id.
[25] Case AT.39740, Google Search (Shopping), 2017 E.C. 1/2003, http://ec.europa.eu/competition/antitrust/cases/dec_docs/39740/39740_14996_3.pdf. Arguably, Google’s dominance in search engines is closely related to its acquisition of DoubleClick, a company that developed and provided Internet ad serving services. See Louise Story & Miguel Helft, Google Buys DoubleClick for $ 3.1 Billion, N.Y. Times (Apr. 14, 2007), https://www.nytimes.com/2007/04/14/technology/14DoubleClick.html and Tony Yiu, Why Did Google Buy DoubleClick?, Towards Data Science, (May 5, 2020), https://towardsdatascience.com/why-did-google-buy-doubleclick-22e706e1fb07.
[26] European Commission Press Release IP/17/1369, Mergers: Commission Fines Facebook €110 million for Providing Misleading Information about WhatsApp Takeover (May 18, 2017), http://europa.eu/rapid/press-release_IP-17-1369_en.htm.
[27] European Commission Press Release IP/16/2923, State Aid: Ireland Gave Illegal Tax Benefits to Apple Worth up to €13 Billion (Aug. 30, 2016), http://europa.eu/rapid/pressrelease_IP-16-2923_en.htm.
[28] European Commission Press Release IP/17/3701, State Aid: Commission Finds Luxemburg Gave Illegal Tax Benefits to Amazon Worth Around €250 Million (Oct. 4, 2017), http://europa.eu/rapid/press-release_IP-17-3701_en.htm.
[29] The Commission tussled with Amazon’s most favored nation clause and argued it required publishers to offer Amazon similar (or better) terms and conditions as those offered to its competitors and/or to inform Amazon about more favourable or alternative terms given to Amazon’s competitors. The clauses covered not only price but many aspects that a competitor can use to differentiate itself from Amazon, such as an alternative business (distribution) model, an innovative e-book or a promotion. The Commission considered that such clauses could make it more difficult for other e-book platforms to compete with Amazon by reducing publishers’ and competitors’ ability and incentives to develop new and innovative e-books and alternative distribution services. The clauses may have led to less choice, less innovation and higher prices for consumers due to less overall competition in the European Economic Area (EEA) in e-book distribution.
European Commission Press Release IP/17/1223, Antitrust: Commission accepts commitments from Amazon on e-books (May 4, 2017), http://europa.eu/rapid/pressrelease_IP-17-1223_en.htm.
[30] Telecommunications companies do not rely on data to bolster their corporate profit or presence. Rather, data collection for telecommunications companies helps identify problems to improve infrastructure, service, and customer service satisfaction –– much like Big Tech. Just like Big Tech, however, that data collection does not come without privacy concerns when it aids criminal investigations and the state’s targeting of minorities. See, e.g., Julia Angwin, Charlie Savage, Jeff Larson, Henrik Moltke, Laura Poitras, & James Risen, AT&T Helped U.S. Spy on Internet on a Vast Scale, N.Y. Times (Apr. 15, 2015) https://www.nytimes.com/2015/08/16/us/politics/att-helped-nsa-spy-on-an-array-of-internet-traffic.html.
[31] Michael Lewitt, How Long Can Amazon’s Ingenious Antitrust Avoidance Last?, Forbes (May 1, 2018), https://www.forbes.com/sites/michaellewitt/2018/05/01/how-long-can-amazons-ingenious-antitrust-avoidance-last/#6757c2570ac0; Russell Brandom, The Monopoly-Busting Case Against Google, Amazon, Uber, and Facebook, The Verge (Sept. 5, 2018), https://www.theverge.com/2018/9/5/17805162/monopoly-antitrust-regulation-google-amazon-uber-facebook; Michael J. Coren, Facebook is Hiring Someone to Tell Politicians it’s Not a Monopoly, Quartz (Apr. 9, 2019), https://qz.com/1587472/facebook-is-hiring-a-policy-manger-to-avoid-monopoly-regulation/; Casey Newton & Zoe Schiffer, Google and Facebook’s Antitrust Problem is Getting Much More Serious, The Verge (Sept. 10, 2019), https://www.theverge.com/interface/2019/9/10/20858028/google-antitrust-investigation-state-attorneys-general-facebook.
[32] Lee Rainie and Maeve Duggan, Privacy and Information Sharing: Many Americans Say They Might Provide Personal Information, Depending on the Deal Being Offered and How Much Risk They Face, Pew Res. Ctr., (Jan. 14, 2016), https://www.pewresearch.org/internet/2016/01/14/privacy-and-information-sharing/.
[33] Chris Ip, Who Controls your Data?, Engadget (Sept. 4, 2018), https://www.engadget.com/2018-09-04-who-controls-your-data.html. See also infra Section II.
[34] Privacy law requires a response mechanism that is not imprisoned by the lack of a statutory or constitutional remedy. See infra Sections II and III. Antitrust law, in parallel, requires a broader standard for measuring “consumer welfare.” See infra Sections IV, V, and VI.
[35] This is not a radical proposition and does not intend to be one. In fact, the European Commission has already made the transfer and control of commercially valuable user data the center of its analysis for Google’s acquisition of Fitbit. See European Commission, press release of Dec. 17, 2020, Case M.9660, Google/Fitbit, https://ec.europa.eu/competition/elojade/isef/case_details.cfm?proc_code=2_M_9660. The Commission was particularly concerned with how Google’s acquisition of Fitbit would give it a leg up in the “markets for online search advertising” because of the amount of health data unlocked after the acquisition. Id. The European Commission has approved the acquisition, however, for reasons that have not yet been released in full. It is thus imperative in the meantime to not just treat data as a consideration within the market power analysis, but as an indicator of said market power.
[36] Privacy law is particularly vulnerable because it does not have a regulatory agency for its foundation or enforcement. Rather, it has been primarily addressed through tort or contract law. See Restatement (Second) of Torts §§652A-E.
While tort law generally provides redressability for various renditions of an invasion of privacy, contract law governs most of the online behavior that compromises an individual’s behavior. Upon joining Facebook or Amazon, for example, users accept an agreement that has great repercussions on their privacy rights. Proving that an offer was accepted, adequate reliance was placed in the given privacy policy, or there are redressable ‘damages’ locks them into summary judgment or dismissal. See, e.g., In re Northwest Airlines Privacy Litigation, 2004 WL 1278459 (D. Minn. 2004) (finding that Northwest’s online privacy statement does not amount to a unilateral contract and plaintiffs failed to show they accepted any ‘offer’); see also In re Jetblue Airways Corp. Privacy Litigation, 379 F. Supp. 2d 299, 317 (E.D.N.Y. 2005) (granting a motion to dismiss where the plaintiffs could not have suffered any economic loss, which is required for a breach of contract claim, after Jetblue shared their information with third parties).
In consumer lawsuits, too, class actions do not often survive summary judgment due to a lack of Article III standing. See, e.g., In re iPhone Application Litigation, 2013 WL 6212591 (N.D. Cal. 2013) (plaintiffs could not show either constitutional or statutory standing in an action alleging Apple misrepresented its privacy policy and led users to pay too much for their iPhones and lose bandwidth and battery). While statutory standing is the easiest way to allow these plaintiffs the opportunity to litigate, the statutes must provide robust protections in order to afford adequate remedies. See, e.g., Tyler v. Michaels Stores, Inc., 984 N.E.2d 737, 742 (Mass. 2013) (determining that a Massachusetts state law purposefully left its text, title, and caption broad and robust to “guard consumer privacy” and thus, ruled in favor of plaintiffs whose zip codes were compromised in order to send marketing materials).
Without addressing the core elements of privacy that lack teeth, the “regulatory approach [remains] unchanged.” See Gasser.
[37] Transcript of Zuckerberg’s Appearance Before House Committee, Wash. Post. (Apr. 11, 2018), https://www.washingtonpost.com/news/the-switch/wp/2018/04/11/transcript-of-zuckerbergs-appearance-before-house-committee/.
[38] Id.
[39] Id.
[40] See supra Sections III, IV, and V.
[41] See Alexandra Ma & Ben Gilbert, Facebook Understood How Dangerous the Trump-linked Data Firm Cambridge Analytica Could Be Much Earlier than It Previously Said. Here’s Everything That’s Happened Up Until Now, Bus. Insider (Aug. 23, 2019), https://www.businessinsider.com/cambridge-analytica-a-guide-to-the-trump-linked-data-firm-that-harvested-50-million-facebook-profiles-2018-3. Cambridge Analytica was a British consulting firm that became infamous in 2018, when Christopher Wylie revealed that millions of Facebook users’ data was being used, without their consent, for political advertising. Both Ted Cruz and Donald Trump hired Cambridge Analytica for their campaigns, which enabled them to send tailored advertisements to voters, swaying them to vote for Ted Cruz or Donald Trump.
For a further discussion of the scandal that reinvigorated privacy issues, see Nicholas Confessore, Cambridge Analytica and Facebook: The Scandal and the Fallout So Far, N.Y. Times (Apr. 4, 2018), https://www.nytimes.com/2018/04/04/us/politics/cambridge-analytica-scandal-fallout.html.
[42] Kristen Herhold, How People View Facebook After the Cambridge Analytica Data Breach, The Manifest (Mar. 27, 2019), https://themanifest.com/social-media/how-people-view-facebook-after-cambridge-analytica-data-breach; Ankit Bhatia, Two Years Since Cambridge Analytica: What Has Changed?, CPO Mag. (May 20, 2020), https://www.cpomagazine.com/data-privacy/two-years-since-cambridge-analytica-what-has-changed/.
[43] See, e.g., The Great Hack (Netflix 2019); Elisabeth Zerofsky, The Investigator, Fall 2019 Columbia Journalism Rev., https://www.cjr.org/special_report/guardian-carole-cadwalladr.php.
[44] See Kelly, supra note 9.
[45] See generally Patrick Day, Cambridge Analytica and Voter Privacy, 4 Geo. L. Tech. Rev. 583 (2020), https://georgetownlawtechreview.org/cambridge-analytica-and-voter-privacy/GLTR-07-2020 and Woodrow Hartzog & Neil Richards, Privacy’s Constitutional Moment and the Limits of Data Protection, 61 B.C. L. Rev. 1687 (2020), https://lawdigitalcommons.bc.edu/bclr/vol61/iss5/3.
[46] Kellen Browning, Celebrities Plan an ‘Instagram Freeze,’ but Reaction is Icy, N.Y. Times (Sept. 15, 2020), https://www.nytimes.com/2020/09/15/technology/instagram-freeze-facebook.html.
[47] Rob Davies & Dominic Rushe, Facebook to Pay $5bn Fine as Regulator Settles Cambridge Analytica Complaint, The Guardian (July 24, 2019), https://www.theguardian.com/technology/2019/jul/24/facebook-to-pay-5bn-fine-as-regulator-files-cambridge-analytica-complaint.
[48] Id.
[49] See supra note 44, The Great Hack; see also Dan Swinhoe, The 15 Biggest Data Breaches of the 21st Century, CSO (Apr. 17, 2020), https://www.csoonline.com/article/2130877/the-biggest-data-breaches-of-the-21st-century.html.
[50] See Browning, supra note 47. Since Cambridge Analytica, Big Tech has been under attack for exploiting consumer biases to keep users locked into their networks. Id. This is also problematic for democracy, because research has shown that people are more likely to avoid echo chambers when they have access to multiple different platforms for news, thoughts, opinions, and engagements. See Elizabeth Dubois & Grant Blank, The Echo Chamber is Overstated: The Moderating Effect of Political Interest and Diverse Media, 21 Information, Communication & Society 729 (2018).
[51] See e.g. The Social Dilemma (Netflix 2020). This docu-drama illuminates how addictive mechanisms are implanted into social media platforms to mine more data. It may be common knowledge that people are being mined for their data, but “few realize how deep the probe goes. If you think the trade-off is merely getting targeted ads for your favorite sneakers, you are in for a big shock.” Kevin Crust, Review: A Call to Digital Arms, ‘The Social Dilemma’ Demands Change, L.A. Times (Sep. 9, 2020, 3:11 PM), https://www.latimes.com/entertainment-arts/movies/story/2020-09-09/review-social-dilemma-facebook-google-netflix.
[52] See The Social Dilemma, supra note 52.
[53] The suspicions have developed their own subset of investigative journalism. See, e.g., Rani Molla, Your Smart Devices Listening to You, Explained, Vox (Sept. 20, 2019, 12:30 PM), https://www.vox.com/recode/2019/9/20/20875755/smart-devices-listening-human-reviewers-portal-alexa-siri-assistant. But frankly, Alexa and like devices are not just listening to you. They are studying you. See Grant Clauser, Amazon’s Alexa Never Stops Listening to You. Should You Worry?, N.Y. Times (Aug. 8, 2019), https://www.nytimes.com/wirecutter/blog/amazons-alexa-never-stops-listening-to-you/.
[54] Plenty of films and series were created under the premise that we are giving into technology’s control. See, e.g. Her (Warner Bros. Pictures 2013) and Black Mirror (Netflix 2011).
[55] See, e.g., Lee Rainie, Americans’ Complicated Feelings About Social Media In an Era of Privacy Concerns, Pew Res. Ctr. (Mar. 27, 2018), https://www.pewresearch.org/fact-tank/2018/03/27/americans-complicated-feelings-about-social-media-in-an-era-of-privacy-concerns/ (despite privacy concerns, there are “modest associations between people’s social media use and higher levels of trust, larger numbers of close friends, greater amounts of social support, and higher levels of civic participation.”).
For a further discussion on the relationship between online behavior and privacy concerns, see Susanne Barth, The Privacy Paradox – Investigating Discrepancies Between Exprsesed Privacy Concerns and Acutal Online Behavior – A Systematic Literature Review, 34 Telematics and Informatics 1038 (2017) https://doi.org/10.1016/j.tele.2017.04.013 and Tomas Chamorro-Premuzic and Nathalie Nahai, Why We’re So Hypocritical About Online Privacy, Harvard Bus. Rev. (May 1, 2017) https://hbr.org/2017/05/why-were-so-hypocritical-about-online-privacy.
[56] Angela Moscaritolo, What Does Big Tech Know About You? Basically Everything., Enterpreneur (Feb. 5, 2019), https://www.entrepreneur.com/article/327513.
[57] Aliza Vigderman & Gabe Turner, The Data Big Tech Companies Have On You, Security.org (Oct. 27, 2020), https://www.security.org/resources/data-tech-companies-have/. That is unfortunately not all when it comes to Facebook, especially as it continues to acquire companies like Instagram and WhatsApp.
An Instagram user has filed a lawsuit against the social networking company, claiming that Facebook spied on users through their iPhone cameras, “obtaining extremely private and intimate personal data on their users, including in the privacy of their own homes.” See Kate Duffy, Facebook Spied on Instagram Users Through their iPhone Cameras, A New Lawsuit Claims, Bus. Insider (Sept. 18, 2020), https://www.businessinsider.com/facebook-spied-on-instagram-users-through-iphone-cameras-lawsuit-says-2020-9.
[58] See supra Vigderman & Turner, note 58.
[59] Id.
[60] Id.
[61] Id.
[62] Id.
[63] Id.
[64] See supra Vigderman & Turner, note 58.
[65] Although, with the advent of Alexa, Ring, and a few other intrusive Amazon products, Amazon is becoming far more immersive than a mere e-commerce platform.
[66] See supra Vigderman & Turner, note 58.
[67] Id. For more information on the data Amazon collects, see supra note 30.
[68] Id.
[69] In the ranking of the most-used apps on the Apple iPhone, Instagram, owned by Facebook, ranks number 6. Facebook ranks 7, Messenger, owned by Facebook, ranks 8, Gmail, owned by Google, ranks 10, and Amazon ranks 13. See Mobile App Rankings, SimilarWeb. See Mobile App Rankings, SimilarWeb, https://www.similarweb.com/apps/top/apple/store-rank/us/all/top-free/iphone/ (last visited Jan. 18, 2021). We cannot necessarily attribute data collected by third-party apps on an iPhone to Apple, but we can still acknowledge how the interaction between these devices and their uses end up compromising more privacy than we bargained for.
[70] It is worth noting, however, that Apple is going out of its way to make data collected by third-party apps hard. See Jack Nicas and Mike Isaac, Facebook Takes the Gloves Off in Feud With Apple, N.Y. Times (Dec. 16, 2020) https://www.nytimes.com/2020/12/16/technology/facebook-takes-the-gloves-off-in-feud-with-apple.html.
[71] Data is not fungible because databases are not “containers that hold data the way that steel barrels hold crude oil or railroad cars hold lumber.” See Lyn Robison, Correcting the Misconceptions About the Nature of Data that Thwart Information Quality, 4 MIT Info. Quality Indus. Symp. 529, 535 (July 14–16, 2010), http://mitiq.mit.edu/IQIS/Documents/CDOIQS_201077/Papers/05_03_7C-1.pdf. It is also not like money, where “one dollar is just as good as another and all that is needed are the totals.” Id. at 536. Rather, data is “a description of relevant portions of reality” and thereby, a materialized social relation. Id. at 543.
[72] For a further discussion on how these algorithms are developed, see The Social Dilemma, supra note 52. This Comment does not intend to fearmonger, but the dangers of these algorithms can feel overwhelmingly unlimited. There is a new term, for example, ‘algorithmic warfare,’ which is “built on the assumption that combat actions will happen faster than humans’ ability to make decisions.” So Artificial Intelligence (AI) will go to war –– without us knowing if it is for or against us. See Khari Johnson, The U.S. Military, Algorithmic Warfare, and Big Tech, Venture Beat (Nov. 8, 2019), https://venturebeat.com/2019/11/08/the-u-s-military-algorithmic-warfare-and-big-tech.
[73] Id.
[74] Sidney Fussel, What Amazon Thinks You’re Worth, The Atlantic (July 18, 2019), https://www.theatlantic.com/technology/archive/2019/07/amazon-pays-users-access-browser-data/594199/.
[75] Id.
[76] Darren S. Tucker & Hill B. Wellford, Big Mistakes Regarding Big Data, The Antitrust Source (Dec. 2014), available at https://www.morganlewis.com/-/media/antitrustsource_bigmistakesregardingbigdata_december2014.ashx.
[77] See Robison, supra note 72.
[78] See supra Sections I and II.
[79] Id. Facial recognition technology and license plate readers, for example, have already been used in manners that the law has not caught up to. See Nicole Martin, The Major Concerns Around Facial Recognition Technology, Forbes (Sep. 25, 2019, 3:15 PM) https://www.forbes.com/sites/nicolemartin1/2019/09/25/the-major-concerns-around-facial-recognition-technology/?sh=32bbe73a4fe3.
[80] “The goal of the antitrust laws is to protect economic freedom and opportunity by promoting free and fair competition in the marketplace. Competition in a free-market benefits American consumers through lower prices, better quality, and greater choice. Competition provides businesses the opportunity to compete on price and quality, in an open market and on a level playing field, unhampered by anticompetitive restraints. Competition also tests and hardens American companies at home, the better to succeed abroad.” Mission, U.S. Dep’t of Just., https://www.justice.gov/atr/mission#:~:text=The%20goal%20of%20the%20antitrust,better%20quality%20and%20greater%20choice (July 20, 2015).
[81] See supra Sections I and II.
[82] See generally, Brandeis & Warren, supra note 20.
[83] Id. See also Gasser, supra note 21. (“That the individual shall have full protection in person and in property is a principle as old as the common law” and has only been deemed necessary, “from time to time[,] to define anew the exact nature and extent of such protection.”).
[84] Robert Gellman, Fair Information Practices: A Basic History 1 (June 17, 2016) (unpublished manuscript), http://bobgellman.com/rg-docs/rg-FIPShistory.pdf.
[85] See Gasser, supra note 21. The rise of Silicon Valley, for example, can be understood as a result of the law, specifically intellectual property and tort law, enabling desired innovation. See Anupam Chander, How Law Made Silicon Valley, 63 Emory L. J. 639 (2014).
[86] The EU Charter of Fundamental Rights enshrines the right to “the protection of personal data concerning him or her” to everyone. Council Directive 2001/18, art. 8, 2001 O.J. (L 106) 1 (EC). “Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.” Id.
The Treaty on the Functioning of the European Union, additionally, obliges the EU to “lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data.” Treaty on the Functioning of the European Union 326/47-326/390, art. 16, Mar. 25, 1957, O.J. L.
[87] The CCPA is California’s Consumer Privacy Act, now amended and expanded by the California Privacy Rights Act (passed in the November 2020 ballot). It is unclear the exact ramifications of the California Privacy Rights Act. Compare, for example, Cameron F. Kerry & Caitlin Chin, By Passing Proposition 24, California Voters Up the Ante on Federal Privacy Law, Brookings (Nov. 17, 2020), https://www.brookings.edu/blog/techtank/2020/11/17/by-passing-proposition-24-california-voters-up-the-ante-on-federal-privacy-law/, (arguing that the CPRA “raises the bar” because now, businesses are restricted in how they collect and process data and are required to “protect personal information”) with Greg Bensinger, A Privacy Measure that’s Hard to Like, N.Y. Times (Oct. 28, 2020) https://www.nytimes.com/2020/10/28/opinion/california-prop-24-privacy.html (maintaining that the CPRA will give Californians “the right to seek to prohibit sharing of their data,” but falls short because there are too many loopholes. Notably, there is no opt-out default, so consumers would have to manually register their preferences in data protection among a wide swath of websites).
The proposition was quite contentious. Organizations committed to data privacy and protection, like the Electronic Frontiers Foundation, remained neutral because the Proposition was a “mixed bag of partial steps backwards and forwards.” See Lee Tien, Adam Schwartz, & Hayler Tsukayama, Why EFF Doesn’t Support California’s Proposition 24, Electronic Frontiers Foundation (July 29, 2020), https://www.eff.org/deeplinks/2020/07/why-eff-doesnt-support-cal-prop-24. The American Civil Liberties Union and Public Citizen, however, opposed it outright, alleging it is wrought with pay-for-privacy schemes. See Press Release, ACLU of Southern California Proposition Endorsements for 2020 Election, ACLU (Oct. 5, 2020), https://www.aclu.org/press-releases/aclu-southern-california-proposition-endorsements-2020-election; see also Consumer Action Opposes California Proposition 24, Cision PR Newswire (Aug. 19, 2020), https://www.prnewswire.com/news-releases/consumer-action-opposes-california-proposition-24-301115223.html.
The need for data protection and privacy legislation came after the development of “automatic data processings, which enables vast quantities of data to be transmitted within seconds across national frontiers.” See Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, OECD, https://www.oecd.org/sti/ieconomy/oecd_privacy_framework.pdf (last visited Jan. 18, 2021). When OECD Member countries began passing legislation in support of data protection and privacy, some were stronger than others. The General Data Protection Regulation currently stands as the toughest set of data protection rules, “enhanc[ing] how people can access information about them and plac[ing] limits on what organisations can do with personal data.” Matt Burgess, What is GDPR? The Summary Guide to GDPR Compliance in the UK, Wired (March 24, 2020), https://www.wired.co.uk/article/what-is-gdpr-uk-eu-legislation-compliance-summary-fines-2018. The regulation is what countries across the globe are looking to for inspiration. See Dan Simmons, 12 Countries with GDPR-Like Data Privacy Laws, Comforte (Jan. 17, 2019), https://insights.comforte.com/12-countries-with-gdpr-like-data-privacy-laws.
What makes the GDPR so particularly strong is its consent model, which requires companies to post “clear notices for users and get their unambiguous consent to collect data, instead of burying an OK inside fine print and legal jargon.” GDPR: Why Privacy is Now Stronger in EU Than U.S., Fortune (May 25, 2018), https://fortune.com/2018/05/25/what-is-gdpr-compliance.
The CCPA, on the other hand, is an opt-out model, which means users must manually opt-out of the sale of their information by clicking, for example, a ‘Do Not Sell My Personal Information’ link. For a further discussion of the difference between these two models, see infra Section III.
[88] Regulation 2016/679 of the European Parliament and of the Council of Apr. 27, 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation), art. 4, 2016 O.J. (L 119) 33 (EU) [hereinafter GDPR].
[89] Id.
[90] Id.
[91] Id.
[92] A Breakdown of CCPA, GDPR, HIPAA and Other Privacy Acts, BluePay, https://blog.bluepay.com/a-breakdown-of-ccpa-gdpr-hipaa-and-other-privacy-acts (last visited Jan. 18, 2021).
[93] Josephine Wolff, How is the GDPR Doing?, Slate Mag. (Mar. 20, 2019), https://slate.com/technology/2019/03/gdpr-one-year-anniversary-breach-notification-fines.html; Two Years of the GDPR: Questions and Answers, European Commission (June 24, 2020), https://ec.europa.eu/commission/presscorner/detail/en/qanda_20_1166.
[94] Id.
[95] See supra note 88.
[96] Id.
[97] Assemb. B. 375, 2017–18 Reg. Sess. (Cal. 2018), https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201720180AB375.
[98] Id.
[99] Id.
[100] Id.
[101] Rachel R. Marmor, Maryam Casbarro, Monder Khoury, & Nancy Libin, “Copycat CCPA” Bills Introduced in States Across Country, Davis Wright Tremaine LLP Priv. & Sec. L. Blog (Feb. 8, 2019), https://www.dwt.com/blogs/privacy–security-law-blog/2019/02/copycat-ccpa-bills-introduced-in-states-across-cou).
[102] See supra note 88.
[103] Id. Online privacy policies are difficult because they can generally be reduced to optics. In terms of contract law, it is very difficult to prove actual reliance on the policy. See In re Northwest Airlines Privacy Litigation and In re Jetblue Airways Corp. Privacy, supra note 37.
[104] Id.
[105] See Greg Bensinger, A Privacy Measure That’s Hard to Like, N.Y. Times (Oct. 28, 2020), https://www.nytimes.com/2020/10/28/opinion/california-prop-24-privacy.html. The CPRA is discussed at length in supra note 88.
[106] See generally GDPR, supra note 89. For more information, see GDPR FAQs: Frequently Asked Questions About GDPR, EU GDPR.ORG, https://eugdpr.org/the-regulation/gdpr-faqs/.
[107] Id.
[108] Cal. Civ. Code §§ 1798.100–199 (West 2019) [hereinafter CCPA].
[109] Id.
[110] The CCPA does not stop a business from distributing the data within the organization that collected it, even different business units, and does not stop transfers outside of personal information to third parties. Id.
[111] Id.
[112] Id.
[113] The GDPR also allows the use of de-identification to reduce liability and/or risk. See GDPR.
[114] Leading privacy analysts Daniel Solove and Danielle Citron define harm as the “impairment, or set back, of a person, entity, or society’s interests. People or enities suffer harm if they are in worse shape than they would be had the activity not occurred.” Daniel J. Solove & Danielle Keats Citron, Risk and Anxiety: A Theory of Data-Breach Harms, 96 Tex. L. R. 737, 747 (2018). Data harm does this by increasing risk and anxiety, as companies collect “more and more personal data in inadequately secured data reservoirs.” See id. at 745.
Solove and Citron identify a refusal to engage in activities that “depend on good credit, like house- and job-hunting, … [and searching for a] new home or employment,” emotional distress, paranoia that “thieves may be using one’s personal data for criminal ends” and more as potential consequences of data harm. See id. This harm has “confounded” courts, calling into question a plaintiff’s standing. See id. at 737. For a further discussion on how to conceptualize data harms, see Joanna Redden, Jessica Brand, & Vanesa Terzieva, Data Harm Record, Data Just. Lab, https://datajusticelab.org/data-harm-record/#_ftn3 (updated Aug. 2020).
[115] Id.
[116] See Gasser, supra note 21.
[117] Id.
[118] In the Netflix documentary, The Great Hack, former Chief Operating Officer of Cambridge Analytica, Julian Wheatland, says “there was always going to be a Cambridge Analytica.” See Eric Johnson, Cambridge Analytica Made ‘Ethical Mistakes’ Because it was Too Focused on Regulation, Former COO Says, Vox (Jul. 31, 2019), https://www.vox.com/recode/2019/7/31/20747874/cambridge-analytica-julian-wheatland-great-hack-netflix-documentary-kara-swisher-podcast-interview. And many believe there will be another one. See David Petersson, Another Cambridge Analytica is Out There, and We Aren’t Ready to Fight It, Venture Beat (Apr. 13, 2018), https://venturebeat.com/2018/04/13/another-cambridge-analytica-is-out-there-and-we-arent-ready-to-fight-it.
[119] See Gasser, supra note 21.
[120] Id.
[121] 15 U.S.C. §§ 1-2 (2012), [hereinafter “Sherman Act.”]. The Sherman Act prohibits the abuse of a monopoly through anti-competitive conduct. Id.
[122] 21 Cong. Rec. 2461 (1890) (statement of Sen. Sherman).
[123] Id.
[124] See John B. Kirkwood, Market Power and Antitrust Enforcement, 98 B.U. L. Rev. 1169, 1170 (2018).
[125] Id. See also Louis Kaplow, Market Definition and Merger Guidelines, 39 Rev. Ind. Org. 107, 123 (2017) (“The market definition/market share paradigm is not merely clumsy and sometimes misleading. Rather, it is entirely bankrupt.”).
[126] See Kirkwood, supra note 125 at 1170.
[127] Id.
[128] See 2B Phillip E. Areeda, Herbert Hovenkamp & John L. Solow, Antitrust Law 114 (3d ed. 2007) (“Instead of trying to measure the degree by which a profit-maximizing monopoly price exceeds the competitive price, courts traditionally attempt to infer market power from the [defendant’s] market share.”).
[129] In a lot of mergers, especially horizontal mergers for companies that don’t already have an ad-based model, the aquired data is unique. One example is the Sprint and T-Mobile merger, which was partially approved because each had completely different customer bases. See Nilay Patel, The Court Let T-Mobile Buy Sprint Because Sprint Completely Sucks, The Verge (Feb. 12, 2020, 10:19 AM) https://www.theverge.com/2020/2/12/21134278/sprint-tmobile-merger-court-ruling-opinion-decision-explainer-carriers-antitrust.
[130] The Clayton Act, Pub.L. 63–212, 38 Stat. 730 (1914) (codified at 15 U.S.C. §§ 12–27, 29 U.S.C. §§ 52–53).
[131] 15 U.S.C § 18 (2012) [hereinafter Clayton Act].
[132] U.S. Dep’t Just. & Fed. Trade Comm’n, Horizontal Merger Guidelines 2 (2010), https://www.justice.gov/sites/default/files/atr/legacy/2010/08/19/hmg-2010.pdf.
The FTC’s horizontal merger guidelines, too, have important implications for privacy. The evidentiary standard is steep –– merger reviews must show that the resulting lack of competitive conditions would both prevent other companies from replicating the elements of a successful business model and meet the frustrated demands of people for whom other companies, for example, had more attractive privacy practices. See U.S. Dep’t Just. & Fed. Trade Comm’n, Horizontal Merger Guidelines 2 (2010), https://www.justice.gov/sites/default/files/atr/legacy/2010/08/19/hmg-2010.pdf.
The FTC defines success for merger remedies as “maintaining or restoring competition [such that] competition in the relevant market remained at its pre-merger level or returned to that level within a short time (two to three years).” Fed. Trade Comm’n, The FTC’s Merger Remedies, 2006-2012 15 (Jan. 2017), https://www.ftc.gov/system/files/documents/reports/ftcs-merger-remedies-2006-2012-report-bureaus-competition-economics/p143100_ftc_merger_remedies_2006-2012.pdf.
Even proposed reforms of merger enforcement do not change this focus on avoiding the lessening of competition, rather than enhancing it. See, e.g., Consolidation Prevention and Competition Promotion Act of 2017, S. 1812, introduced by Senator Amy Klobuchar (D-MN), September 14, 2017, https://www.congress.gov/bill/115th-congress/senate-bill/1812 (changing the standard from “substantially lessening competition” to “materially lessens competition in more than a de minimis amount.”).
[133] Id.
[134] Before the antitrust revolution in the 1970s, economic structuralism dominated most antitrust analysis. See e.g., Brown Shoe Co. v. United States, 370 U.S. 294, 328-34 (1962) (including the shoe industry’s history and trend towards consolidation as part of its market share analysis when assessing a shoe manufacturing company’s acquisition of a retail chain) and United States v. Phila. Nat’l Bank, 374 U.S. 321, 364-65 (1963) (halting a horizontal merger, under the Brown Shoe analysis, where the merged bank’s market share was only 30% because other factors pointed to anticompetition). Under economic structuralism, court decisions embraced multifactor analyses that considered both size and potential conflicts of interest.
In Brown Shoe, for example, fairness and efficiency were traded off. See Brown Shoe Co., 370 U.S. at 344 (“It is competition, not competitors, which the Act protects. But we cannot fail to recognize Congress’ desire to promote competition through the protection of viable, small, locally owned business. Congress appreciated that occasional higher costs and prices might result from the maintenance of fragmented industries and markets. It resolved these competing considerations in favor of decentralization. We must give effect to that decision.”) This all changed with Continental T.V. Inc. v. GTE Sylvania, Inc., where the Supreme Court applied a “rule of reason” approach in “deciding whether a restrictive practice should be prohibited as imposing an unreasonable restraint on competition.” Continental T.V., Inc. v. GTE Sylvania, Inc., 433 U.S. 36, 49 (1977) (citing Chicago Bd of Trade, 246 U.S. at 238). Consumer welfare was deemed the goal of antitrust law and thereby constrained the discretion of federal courts. Id.
[135] See Eisner, supra note 20 at 104.
[136] See generally John M. Newman, Antitrust in Zero-Price Markets: Foundations, 164 U. Pa. L. Rev. 149 (2015). Available at: https://scholarship.law.upenn.edu/penn_law_review/vol164/iss1/4. There is tremendous scholarship criticizing the neoclassical model of price theory, and the potential to overlook harms that do not reflect positive pricing.
[137] See George J. Stigler, The Organization of Industry 67 (1968). See also Khan, supra note 25.
[138] See Khan, supra note 25.
[139] See generally Herbert Hovenkamp, On the Meaning of Antitrust’s Consumer Welfare Principle, Faculty Scholarship at Penn Law https://scholarship.law.upenn.edu/cgi/viewcontent.cgi?article=3154&context=faculty_scholarship. For a critique of Bork’s definition, see Robert H. Lande, A Traditional and Textualist Analysis of the Goals of Antitrust: Efficiency, Preventing Theft from Consumers, and Consumer Choice, 81 Fordham L. Rev. 2349 (2013).
[140] See Khan, supra note 25.
[141] For a further discussion of the relationship between the consumer welfare standard and predatory pricing, see Lina M. Khan, Amazon’s Antitrust Paradox, 126 Yale L.J. 710 (2017).
[142] U.S. Dep’t of Justice, supra note 133, at 18. The HHI is calculated by “summing the squares of the individual firms’ market shares, and thus gives proportionately greater weight to the larger market shares.” Id.
[143] Caleb Vesey, Comparing EU and US Merger Guidelines, European Union Competition Law https://www.eucomplaw.com/merger-analysis/.
[144] See Walker Process Equip., Inc. v. Food Mach. & Chem. Corp., 382 U.S. 172, 177 (1965) (“Without a definition of [the relevant] market there is no way to measure [defendant’s] ability to lessen or destroy competition.”); McWane, Inc. v. FTC, 783 F.3d 814, 828 (11th Cir. 2015) (“Defining the market is a necessary step in any analysis of market power . . . .” (quoting U.S. Anchor Mfg., Inc. v. Rule Indus., Inc., 7 F.3d 986, 994 (11th Cir. 1993))).
[145] Even if one is not counting on antitrust law to resolve privacy concerns, Big Tech is still using privacy policies in a manner relevant to anticompetitive considerations. Professor Daniele Condorelli has identified a practice of privacy-policy tying, wherein privacy policies are bundled such that they apply across unrelated services. See Daniele Condorelli, Data-Driven Platform Envelopment with Privacy-Policy Tying, OECD On the Level (Feb. 18, 2021), https://oecdonthelevel.com/2021/02/18/data-driven-platform-envelopment-with-privacy-policy-tying/. Facebook, for example, collects information from Facebook Messenger, Instagram, and any other features, apps, technologies, software, products, or services offered by Facebook. Id. This may result in short-term benefits to consumers in the form of a better ad experience, (which is arguably a small reward to reap), but will leave consumers worse off if the “end result is monopoly.” See id.
[146] The Hart-Scott-Rodino Antitrust Improvements Act, [hereinafter Hard-Scott-Rodino Act], requires filing with the DOJ and FTC before any merger or acquisition occurs. That way, antitrust enforcement agencies can determine whether the merger or acquisition is in compliance with antitrust law and goals. See 15 U.S.C. § 18(a).
[147] “[T] ]he Department seeks to avoid unnecessary interference with that larger universe of mergers. See 1982 Merger Guidelines, Dep’t of Just., https://www.justice.gov/archives/atr/1982-merger-guidelines (Aug. 4, 2015). For a further discussion on why this preservation may not be enough, see generally Khan, supra note 25.
[148] Joanna Geary, DoubleClick (Google): What is it and What Does it Do?, The Guardian (Apr. 23, 2012), https://www.theguardian.com/technology/2012/apr/23/doubleclick-tracking-trackers-cookies-web-monitoring.
[149] Statement Concerning Google/DoubleClick, Fed. Trade. Comm’n, File No. 071-0170, (emphasis added), https://www.ftc.gov/system/files/documents/public_statements/418081/071220googledc-commstmt.pdf. In a 4-1 decision, the FTC decided not to proceed with its investigation because the proposed merger did not substantially harm competition. The European Union, too, closed its investigation after concluding likewise. See EC, Regulation No 139/2004 Merger Procedure, Case No COMP/M.4731 – Google/DoubleClick, https://ec.europa.eu/competition/mergers/cases/decisions/m4731_20080311_20682_en.pdf.
[150] See Khan, supra note 25.
[151] Since the COVID-19 pandemic and the increased reliance on our computers, Zoom has become the app-of-choice for schools and workforces alike. See Natasha Mascarenhas, Zoom’s Earliest Investors are Betting Millions on a Better Zoom for Schools, TechCrunch (Sept. 23, 2020) (unwieldy URL); Lizzie Widdicombe, The Great Zoom-School Experiment, The New Yorker (Apr. 2, 2020), https://www.newyorker.com/news/our-local-correspondents/the-great-zoom-school-experiment.
This is especially troubling when Zoom exhibits a neglect for data protection and privacy. See Khristopher J. Brooks, Zoom Sued for Allegedly Sharing Users’ Personal Data with Facebook, CBS News (Apr. 1, 2020) https://www.cbsnews.com/news/zoom-app-personal-data-selling-facebook-lawsuit-alleges/.
[152] WeChat, however, is an anomaly here because, despite its advertising revenue, “the majority of its money [is made] from gaming.” See WeChat’s Owner is Rolling Out Tools for US Advertisers, eMarketer (Sept. 25, 2017), https://www.emarketer.com/Article/WeChats-Owner-Rolling-Tools-US-Advertisers/1016517. Ads are only about 20% of WeChat’s revenue. Id. In fact, WeChat limits ads on WeChat Moments to less than 2 per user per day. See Connie Chan (@ConnieChan), Twitter (Jan. 11, 2019, 7:30 AM), https://twitter.com/conniechan/status/1083748070032957443.
[153] Both consumers and companies have to pay the cost of data breaches. “It is posited that consumers as a whole incur costs that are comparable to those incurred by the provider as a result of data breaches.” Siddharth Dongre, Sumita Mishra, Carol Romanowski, & Manan Buddhadev, Quantifying the Costs of Data Breaches, 13 (2019). Identity theft, credit card fraud, protection and monitoring, legal fees, and other intangible consequences, like difficulty securing credit cards, loans, jobs, home mortgages, and home rentals, high credit card interest rates, and psychological impacts all are part of the consumer cost of a data breach. Id. at 13–14.
[154] See supra note 52.
[155] Commission Decision of Oct. 3, 2014, Case M.7217 Facebook/WhatsApp [hereinafter EU Commission Decision, Facebook/WhatsApp], http://ec.europa.eu/competition/mergers/cases/decisions/m7217_20141003_20310_3962132_EN.pdf.
[156] This decision was in 2014. Since, there has been great controversy over the extent to which WhatsApp would maintain an independent privacy policy. When, for example, a report suggested that WhatsApp may be sharing your data with Facebook and removed the opt-out option, app downloads for Signal and Telegram skyrocketed. See Chance Miller, WhatsApp Clarifies Privacy Changes and Facebook Data Sharing as Signal and Telegram Soar, 9to5 Mac (Jan. 12, 2021), https://9to5mac.com/2021/01/12/whatsapp-privacy-facebook-integration/.
The clarification may not be enough, however. Elon Musk tweeted two words, “Use Signal,” and caused a global outage for Signal because of the millions of new users. See Signal Faced Outage Due to Millions of New Users and Elon Musk was Around to Troubleshoot, News18 (Jan. 16, 2021), https://www.news18.com/news/buzz/signal-faced-outage-due-to-millions-of-new-users-and-elon-musk-was-around-to-troubleshoot-3297191.html.
For more on the difference between Signal and WhatsApp’s privacy policies, see Rani Molla, What is Signal and Why is Everybody Downloading it Right Now?, Vox (Jan. 15, 2021), https://www.vox.com/recode/22226618/what-is-signal-whatsapp-telegram-download-encrypted-messaging.
[157] See EU Commission Decision Facebook/WhatsApp, supra note 156. For the purposes of this Comment, the methods of review were not substantially different between European and American regulatory forces and thus, deserve equal analysis and deference.
[158] Id. at paragraphs 143–63.
[159] Id. at paragraphs 84–142.
[160] Id. at paragraphs 164–190.
[161] Id. at paragraph 164.
[162] Id. at paragraph 189.
[163] Id. at paragraph 90, 128.
[164] DOJ 2010 Merger Guidelines, supra note 133.
[165] EU Commission Decision Facebook/WhatsApp, supra note 156 at paragraph 86.
[166] Id.
[167] Turner Wright, Crypto Telegram and Tweet Numbers are Down, But There’s Hope Yet, Cointelegraph (Apr. 17, 2020), https://cointelegraph.com/news/crypto-telegram-and-tweet-numbers-are-down-but-theres-hope-yet.
[168] See supra note 157.
[169] EU Commission Decision, Facebook/WhatsApp, supra note 156 at paragraph 86.
[170] Notwithstanding the privacy implications, the review’s economic justifications also failed to consider that using Facebook is not the same as using Facebook Messenger. This assumption is twofold. First, that Facebook is a singular platform who, when committed to, receives an undivided share in the attention economy, as opposed to a multi-faceted conglomerate with a variety of features for consumer choice. Second, that consumer choice is an even layer, as opposed to a marble cake of possibilities. Take Apple, for example. Apple has a strong command of the marketplace, but iPhone screens are still decorated with a range of rounded communications apps for when iMessage, Apple’s messaging system, falls short, either for international messages, media capacity, or GIFs.
[171] EU Commission Decision, Facebook/WhatsApp, supra note 156 at paragraph 86.
[172] Id. at paragraphs 109, 117, 135.
[173] See Letter from Jessica L. Rich, Bureau of Consumer Protection Director, FTC, to Erin Egan, Chief Privacy Officer, Facebook, and Anne Hoge, General Counsel, WhatsApp Inc. (Apr. 10, 2014), https://www.ftc.gov/public-statements/2014/04/letter-jessica-l-rich-director-federal-trade-commission-bureau-consumer.
[174] Natasha Lomas, WhatsApp to Share User Data with Facebook for Ad Targeting, TechCrunch (Aug. 25, 2016), https://techcrunch.com/2016/08/25/whatsapp-to-share-user-data-with-facebook-for-ad-targeting-heres-how-to-opt-out/.
[175] Deepa Seetharaman, Facebook’s New Message to WhatsApp: Make Money, Wall St. J. (Aug. 1, 2018) (unwieldy URL).
[176] European Commission, press release of Dec. 6, 2016, Case M.8124, Microsoft/LinkedIn, (Microsoft Press release), https://ec.europa.eu/commission/presscorner/detail/en/IP_16_4284.
[177] European Commission, press release of May 18, 2017, Mergers: Commission Fines Facebook 110 Million for Providing Misleading Information about WhatsApp Takeover, https://ec.europa.eu/commission/presscorner/detail/en/IP_17_1369.
[178] Commission Decision of Dec. 6, 2016, Case M. 8124 Microsoft/LinkedIn [hereinafter EU Commission Decision, Microsoft/LinkedIn], paragraph 108, http://ec.europa.eu/competition/mergers/cases/decisions/m8124_1349_5.pdf.
[179] Id.
[180] Id.
[181] Id. at paragraph 180.
[182] European Commission, press release of Dec. 6, 2016, Case M.8124, Microsoft/LinkedIn, (Microsoft Press release), https://ec.europa.eu/commission/presscorner/detail/en/IP_16_4284.
[183] EU Commission Decision, Microsoft/LinkedIn, supra note 179 at paragraph 350.
[184] Id.
[185] Id.
[186] Id. at paragraph 470.
[187] Id.
[188] Eleonora Ocello & Cristina Sjodin, Digital Markets in EU Merger Control: Key Features and Implications, Competition Pol’y Int’l (Feb. 19, 2018), https://www.competitionpolicyinternational.com/digital-markets-in-eu-merger-control-key-features-and-implications/.
[189] Id.
[190] EU Commission Decision, Microsoft/LinkedIn, supra note 179 at paragraph 360.
[191] Id.
[192] Id.
[193] Id. at paragraph 390.
[194] Id.
[195] At this time, the CCPA had not been enacted yet, and this Comment does not intend to suggest that the CCPA did not change LinkedIn’s behavior.
[196] See generally Brandeis & Warren, supra note 20.
[197] See Gasser, supra note 21.
[198] A problem with this when it comes to data protection and privacy, for example, is in data harm. See supra Section III and note 115 for a discussion on how data harm is not formally recognized, thereby calling a plaintiff’s standing for a cause of action into question. The CCPA, too, may also limit a plaintiff’s ability to bring forth a cause of action. See supra notes 37 and 88 and accompanying text.
[199] The CCPA is the strongest legislation protecting data privacy and regulation, but it has not resulted in major changes in the way that big tech companies conduct, control, or collect data. See, e.g., Patience Haggin, Facebook Won’t Change Web Tracking in Response to California Privacy Law, Wall St. J. (Dec. 12, 2019), https://www.wsj.com/articles/facebook-wont-change-web-tracking-in-response-to-california-privacy-law-11576175345.
[200] See Caitlin Dewey, Everything Google Knows About You (and How it Knows it), Wash. Post (Nov. 19, 2014, 4:07 AM), https://www.washingtonpost.com/news/the-intersect/wp/2014/11/19/everything-google-knows-about-you-and-how-it-knows-it/. See also supra Sections I and II.
[201] “If you know who is looking at an ad, that ad space becomes more valuable.” Dina Srinivasan, How Digital Advertising Markets Really Work, The Am. Prospect (June 24, 2019), https://prospect.org/economy/digital-advertising-markets-really-work/.
Google’s current market share in the search engine market is 92.47%. See Joseph Johnson, Worldwide Desktop Market Share of Leading Search Engines from January 2010 to January 2021, Statista (Feb. 10, 2021) https://www.statista.com/statistics/216573/worldwide-market-share-of-search-engines/#:~:text=Google%20has%20dominated%20the%20search,mobile%20devices%20and%20other%20ventures.
[202] When WSJ didn’t comply with some Google regulations, it stopped showing WSJ articles in search results which significantly decreased WSJ’s traffic. See Gerry Smith, WSJ Ends Google Users’ Free Ride, Then Fades in Search Results, Bloomberg (June 5, 2017), https://www.bloomberg.com/news/articles/2017-06-05/wsj-ends-google-users-free-ride-then-fades-in-search-results.
[203] Stephen Moore, Why the AT&T-Time Warner Merger Is a Win For Consumers, N.Y. Times (June 13, 2018), https://www.nytimes.com/2018/06/13/opinion/att-time-warner-merger-good-consumers-antitrust.html.
[204] For a detailed look at the proposed methods of restructuring, see supra note 20.
[205] Press Release, H. Comm. on the Judiciary, House Judiciary Committee Launches Bipartisan Investigation into Competition in Digital Markets (June 3, 2019), https://judiciary.house.gov/news/press-releases/house-judiciary-committeelaunches-bipartisan-investigation-competition-digital. For the full report see H.R. Rep No. 117 (2020) https://judiciary.house.gov/uploadedfiles/competition_in_digital_markets.pdf?utm_campaign=4493-519. Chairman David Cicilline spearheaded the investigation and continues to be a force against Big Tech in Congress. Press Release, Congressman David Cicilline (July 29, 2020) https://cicilline.house.gov/press-release/cicilline-opening-statement-big-tech-antitrust-hearing.
The investigation fully understands how data sways the market. As part of his opening statement on a series for ‘Reviving Competition,’ Chairman Cicilline noted that,
“Dominant platforms exploit their gatekeeper power to charge exorbitant fees, advantage their own products and services, impose oppressive contract terms, and extract valuable data from the people and businesses that rely on them. Over and over and over again, words like fear and hardship permeated concerns of businesses across the economic spectrum –– app developers, innovators, and locally owned companies alike.”
House Committee on the Judiciary, Subcommittee on Antitrust, Commercial, and Administrative Law, Reviving Competition, Part 1: Proposals to Address Gatekeeper Power and Lower Barriers to Entry Online, YouTube (Feb. 25, 2021), https://www.youtube.com/watch?v=eyvfYlxELv4&feature=emb_title.
[206] See, e.g., Lawrence Lessig, The Future of Ideas: The Fate of the Commons In A Connected World 12 (2001) (“[W]henever one says a resource is ‘free,’ most believe that a price is being quoted—free, that is, as in zero cost.”).
[207] See supra note 24 and accompanying text.
[208] Id.
[209] The FTC is the only regulatory agency currently enforcing privacy protections predominantly because “no other regulator had clear authority in the area.” William McGeveran, Privacy and Data Protection Law 205 (2016). The majority of its authority comes from Section 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce.” 15 U.S.C. § 45(a)(1). “[Congress] explicitly considered, and rejected, the notion that it reduce the ambiguity of the phrase ‘unfair methods of competition’ by enumerating the particular practices to which it was intended to apply.” FTC v. Sperry & Hutchinson Co., 405 U.S. 233, 239-40 (1972) (citing S. Rep. No. 63-597, at 13 (1914)).
The FTC, for example, can take action against predatory lending through almost the click of a button. It did so with merchant cash advances. See Press Release, Fed Trade Comm’n, FTC Alleges Merchant Cash Advance Provider Overcharged Small Businesses Millions (Aug. 3, 2020) (on file with author), https://www.ftc.gov/news-events/press-releases/2020/08/ftc-alleges-merchant-cash-advance-provider-overcharged-small.
The FTC brings a majority of its cases under deception and typically settles with the company in question through a “consent decree,” wherein the defendant’s unfair or deceptive practices in its privacy policy, for example, are outlined and settled. See, e.g., In re Snapchat, Inc., FTC Docket No. C–4501 (Dec. 23, 2014) (settling many issues regarding Snapchat’s privacy policy, including its deceptive communication to users that their snaps “disappear forever,” over a 20-year period). In order to preserve its resources, however, the FTC only brings these cases when the matter is arguably airtight. The Snapchat case, for example, ticked all the boxes because it involved a large company with millions of users and more serious harms since the app was often used to send sensitive materials like nudity, alcohol, or drugs. See McGeveran at 225. But the FTC cannot afford to bring these cases anytime a user’s privacy is compromised.
[210] Zoom, for example, was caught lying about its security practices and the FTC chose not to fine Zoom. See Susan Heavey & Nandita Bose, Zoom to Enhance Security as Part of Proposed U.S. Settlement with Zoom, Reuters (Nov. 9, 2020), https://www.reuters.com/article/zoom-ftc/zoom-to-enhance-security-as-part-of-proposed-u-s-settlement-with-ftc-idUSKBN27P28I. Rohit Chopra, a Democrat on the Federal Trade Commission, vehemently dissented to this. Dissenting Statement of Commissioner Rohit Chopra, Regarding Zoom Video Communications Inc., Comm. File No. 1923167 (Nov. 6, 2020) https://www.ftc.gov/system/files/documents/public_statements/1582914/final_commissioner_chopra_dissenting_statement_on_zoom.pdf. Chopra has consistently pushed for more FTC enforcement –– even attacking the addictiveness of Facebook’s products –– because “all too often, the government is too captured by those incumbents that use their power to dictate their preferred policies.” See also Dissenting Statement of Rohit Chopra, In re Facebook Inc., Comm. File No. 1823109, at 2. (“Behavioral advertising generates profits by turning users into products, their activity into assets, their communities into targets, and social media platforms into weapons of mass manipulation.”) https://www.ftc.gov/system/files/documents/public_statements/1536911/chopra_dissenting_statement_on_facebook_7-24-19.pdf.
* Lily Leila Purqurian is a law student at the University of San Diego, primarily focusing on the international intersections between antitrust and privacy law, but also dipping into securities law. She holds degrees from Sciences Po and Boston University. She can be contacted at lpurqurian@gmail.com.