The University of Oslo is closed. This disputation will therefore be fully digital and streamed directly using Zoom. You can download zoom or use your browser. Please visit our web-page for more information on digital disputation and see specially the part for the general audience
Ex auditorio questions: the chair of the defence will invite the audience to ask ex auditorio questions either written in "chat" or oral requested by clicking 'Participants -> Raise hand'.
Participate at the disputation here (opens at 11:00am April 20th)
A recorded version of the trial lecture you will find here from Friday 17th of April
Adjudication committee
- Professor Eirik Østerud, University of Oslo (leader)
- Professor Björn Lundqvist, Stockholm University (1. opponent)
- Professor Orla Lynskey, London School of Economics and Political Science (2. opponent)
Chair of defence
Vice Dean Tarjei Bekkedal
Supervisors
- Professor Lee Andrew Bygrave
- Professor Inger Ørstavik
Summary
Background
In the last few years, we have seen the emergence of companies whose core business models are built around the monetisation of users’ personal data. At the forefront of this venture are companies like Google and Facebook, which collect and analyse massive amount of data about consumers—where they are, what devices they use, what they purchase and different categories of their online behaviours. The availability of such vast amounts of data enables these companies to deliver online advertising in a precise fashion. This ad-based business model has allowed these companies to ascend to the top of the hierarchy of the most valuable companies. The core remit of this thesis is to investigate the theoretical and practical implications that the commercialization of personal data has on the foundations and policy boundaries of EU data privacy law and competition law including their potential intersection.
Questions and Findings
What threats and challenges does the commercialisation of personal data pose for the data privacy rights of individuals and their enforcement?
The commercialisation of personal data drives companies to expand the scope and scale of their data collections, which in turn create significant challenges for the application of EU data privacy rules. Google’s aggressive expansion to a broad array of new product areas is a case in point, collecting and combining personal data from more than 100 consumer-facing services. The thesis argues that such development gives rise to two key challenges—one institutional and the other substantive. The institutional challenge relates to the difficulty of applying the current rules as companies start to collect and combine data across hundreds of services—i.e. a scaling problem. This is because the application of the rules is predicated on the ability to distinguish the different services for which the data are collected (processing activities) and relate each piece of personal data to one particular service (processing activity). The substantive challenge relates to the inadequacy of the current rules to address emergent privacy risks, such as the overexposure of the individual and the loss of practical obscurity. These risks are ‘emergent’ in the sense that the sum, i.e. the data aggregated from the multitude of services, contains risks that are not present in the individual datasets (processing activities). In light of these challenges, the thesis underscores the need for a holistic approach that looks at imposing enhanced responsibilities on certain entities, considering the totality of the processing activities and data-aggregation practices.
To what extent is privacy a concern for competition law and can firms exercise market power by degrading data privacy or excluding competition on data privacy?
With the commercialisation of personal data, antitrust authorities in the EU and the US have started to recognise privacy as a non-price competition parameter. Despite the recognition, there is little general theoretical literature on this subject. The thesis seeks to fill in this gap by outlining different theories of harm for incorporating privacy as a non-price element into merger assessment and discussing various anticompetitive practices affecting privacy.
Privacy cartels: At the center of competition rules is the prohibition of cartels—rival companies are forbidden from agreeing on the price they charge their customers. But price as a parameter of competition is largely absent in relation to many digital services, where users often “pay” by handing over their personal data. The question is whether users' privacy could become the new arena for cartel agreements. The answer is yes, it could and it has. The agreement between Google and Eye, company that owns the anti-tracking and ad-blocking software Adblock Plus, is a good example. Google paid Eyeo millions in return for Eyeo agreeing to restrict its ad-blocking activity and scale down its investment in the market. This was found to be anticompetitive by the German and the Austrian Competition Authorities.
Platform bans of privacy-enhancing services: Is it a breach of competition law if Google removes privacy-enhancing apps such as Adblock Plus from its Google Play app store? Under EU competition law, this depends on whether Google Play is indispensable, i.e. the only alternative, for the app to reach consumers. Indeed Google Play is not the only gateway as users can download Adblock Plus directly from its website and install its browser extensions. The question is what happens if Google also controls the other alternatives and removes Adblock Plus’s browser extension from Chrome and its website from Google Search results—which Google actually did in 2012? Drawing lessons from emergent properties, the thesis advocates for a holistic analysis of an illegal refusal to deal under TFEU Article 102, taking into account the possibility that a dominant undertaking could hinder effective competition using multiple actions across different platforms and targeting several players.
Method and Lessons
The thesis draws on elements from systems theory, particularly the concept of emergent property to answer the research questions. Two lessons from emergent properties are worth highlighting: first, although the idea of ‘one thing at a time’ is a useful guiding principle in life, it may not be suitable in a world where the line between one thing and another is unclear. Importantly, law in general, but data privacy and competition law in particular, has to recognise the possibility that the sum of fully compliant behaviours may nonetheless create behaviour that is not compliant or not in the spirit of the law.