Something regarding big data has recently changed in Brussels which business should take note of. This usually prefaces news of ramping up EU data protection rules, such as the recent Data Protection Regulation, which are not universally welcomed in business circles. In particular, companies coming from the more permissive environment of the US are faced with a sea change of data protection, making global businesses harder to operate. The silver lining is if you are in the business of compliance. Although lawyers such as me usually are, this is not that kind of news.

The story starts in 2014, when the European Commission approved the Facebook/WhatsApp merger but declined to look into privacy concerns. As far as the Commission was concerned, Facebook was a social network, WhatsApp a messaging service, and the money was on selling advertising to the users of these services. Privacy was an externality, affected by these services but not really part of what made them tick. Therefore, leaving privacy for data protection rules, the Commission considered that consumers were not likely to be worse off after the merger.

Fast-forward to the Microsoft/LinkedIn merger early this year, and the European Commission has changed tack. It now states that it will look at privacy, since consumers may see it as a ‘significant factor of quality’. In other words, companies may compete on offering the best privacy, so consumers can be worse off if two competitors merge after all. What happened in the meantime? A number of academics started saying that competition authorities were wrong to disregard ‘competition on privacy’ – myself among them, co-writing with LSE’s Orla Lynskey, although we prefer the more precise ‘competition on data protection’.

Far from me to suggest that administrative authorities, or even more incredibly, academics, were on to something completely innovative. We could only posit competition on data protection because it was apparent that consumers cared about this. The European Commission had provided enough evidence in Facebook/WhatsApp, including reports of thousands of users abandoning WhatsApp in fear of Facebook’s data use policies, but at the time privacy was not seen as part of a business model. The Commission now recognises that data protection can be a market strategy, if only companies engage in such competition for consumers.

This last point is important, and led to no small amount of back-and-forth with my co-author. A data protection eminence, she is more familiar with companies’ appetite for personal data than for privacy. There is much talk in data protection about the ‘privacy paradox’: consumers claiming they care about privacy but not reflecting that in their buying decisions. We therefore had to frame the possibility of competition on data protection in careful terms, suggesting that apparent consumer disinterest may result precisely from a lack of competition.

This is not, as already said, a story of data protection compliance (otherwise I would simply direct you to Orla’s capable hands). I am very much aware that the main talk in business is of the possibilities of big data. Every company would like to know more about its customers, with data protection an afterthought. I even have sympathy for companies that genuinely think that some privacy loss (within data protection rules, of course) is a good trade-off with providing a better service – that shows that a company believes their product is, well, a good thing.

I would nevertheless advance that, in trying to better serve their customers by better knowing them, companies may be missing out on more. Disruptive innovation, as businesses are aware, happens when you give consumers something different from what they historically value. That is the opposite of the incremental improvements – lower prices, better distribution, targeted advertising, etc. – that most companies want to extract from their data. Instead, giving consumers more data protection could be the disruptive alternative.

As with all histories of disruption, consumers might not seem to care about privacy until they do. Disruptive innovation focuses on attributes neglected by incumbents which allow a low-price entry in the market. The business model everywhere appears to be using data to compete on a product, but many companies have found competing on data protection a better way to break into a market. This was after all the strategy that WhatsApp adopted, and which led to a multi-billion dollar acquisition. The same story may play out again with Snapchat.

You might of course consider that amassing a treasure trove of data, like Google or Facebook, is a surer way to innovation. Perhaps, but as competition authorities also become more interested in big data, they are becoming more wary of it being used to monopolise emerging services. The enforcement landscape is still unclear, but one thing is certain: not every company is a Facebook or Google. Many companies find themselves in the opposite position of playing catch-up in the data game.

I would ask companies to stop and think. If your product is not wed to exploiting user data, are you sure you want to go there? You will enter a big data race which you are not sure to win and which can alienate your customers. At the moment, competition on data protection is something that competition authorities seem to want to preserve. These are powerful friends to have if big data competitors come knocking.



Francisco Costa-Cabral is currently an Emile Noël Fellow at New York University School of Law. He holds a PhD in Law from King’s College London and an LLM from the College of Europe (Bruges). He has clerked at the Court of Justice of the EU, worked in private practice, and taught in several universities in Europe and in China