LSE - Small Logo
LSE - Small Logo

Orla Lynskey

June 7th, 2022

Towards a holistic approach to effective data protection

0 comments | 9 shares

Estimated reading time: 3 minutes

Orla Lynskey

June 7th, 2022

Towards a holistic approach to effective data protection

0 comments | 9 shares

Estimated reading time: 3 minutes

Existing data protection frameworks are premised on the belief that individuals should have certain rights in relation to this personal data. However, the complexities and scale of online data use mean that the control of personal data and key decisions regarding its processing cannot be left to individuals. Orla Lynskey writes that competition law should be applied in a way that assists in developing a more holistic approach to effective data protection.


Impact Case -- Research Excellence Framework (REF)

What was the problem?

The information we provide about ourselves and which is collected by companies online is a valuable resource.

Existing data protection frameworks are premised on the belief that individuals should have certain rights in relation to this personal data. However, the complexities and scale of online data use mean that the control of personal data and key decisions regarding its processing cannot be left to individuals.

Furthermore, the size and power of digital platform companies such as Facebook (now Meta) and Google create questions about the control of data by such dominant market players, and the concentration of data in their hands.

What did we do?

My monograph, The Foundations of EU Data Protection Law, argued that the scale and complexity of data-processing operations online raise broad questions over data rights and control over personal data. Individuals alone cannot ensure effective data protection, and given the dominant role of digital companies such as Facebook and Google, more cross-cutting, holistic approaches to such protections are required.

Her conclusion was that the market structure in which an individual is asked to exercise their data protection rights can have a significant impact on the effectiveness of these rights. For example, one could query whether consent is “freely given” when there is no competition in the market and the service in question is of social and professional importance to individuals.

By paying more attention to these structural factors, one can observe two inter-related dynamics: there is a significant concentration of ownership of digital consumer-facing platforms in the hands of a few providers; and there is little competition or differentiation between them. As a result, any measures to promote choice and control over data are jeopardised by the failure to acknowledge data protection considerations in market competition assessments of these companies.

In subsequent research, I elaborated on what would be needed to develop a more holistic approach to effective data protection, arguing that competition law should be applied in a way that assists in this aim. This has three dimensions. Firstly, the “consumer welfare” standard used by competition authorities to guide enforcement, which currently focuses on ensuring lower prices, more choice, and better quality products, should be interpreted to include data protection considerations.

Second, data-driven mergers and acquisitions (such as Facebook’s acquisition of WhatsApp) should be subject to a non-competition assessment alongside the competitive assessment of the merger, in an analogous way to “media plurality” assessments undertaken in media mergers. Third, I recommend that regulators engage in institutional cooperation to ensure a coherent approach between different regulators working in data-related fields.

This body of research, which was vigorously contested at the time in the competition law and policy community, provided the building blocks for subsequent developments. The first and third elements are now widely accepted, while a recent announcement from the Competition and Markets Authority suggests the second will also be implemented in the UK.

Finally, in more recent work I have examined whether control over personal data contributed to the power of digital companies and whether data portability initiatives in data protection and competition law could act as a constraint on this power.

What happened?

This research has directly influenced major legal and policy proposals seeking to secure effective data protection in digital markets. I have provided expert evidence to data protection authorities, policymakers, non-governmental organisations, and civil society organisations, influencing their stance on these issues.

Specifically, my research has been instrumental in shaping the approach of the European Data Protection Supervisor (EDPS), the EU’s independent data protection authority, through her formal and informal engagement with its work. In September 2016, it published “The EDPS Opinion on coherent enforcement of fundamental rights in the age of big data”, which marked a significant shift in its position on the subject. The paper recommended that data protection standards can be used “to determine ‘theories of harm’ relevant to merger control cases”. It also cites my research to suggest that “there are circumstances in which data protection can provide a relevant normative benchmark for competition law.”

Following this EDPS initiative, these issues gained prominence within several domestic and international institutions. The House of Lords Select Committee on Communications conducted a broad inquiry into “Regulating in a Digital Environment” in 2018/19, dedicating a chapter of its final report to “market concentration”. I presented evidence to the committee, which was used to support the report’s recommendation that “the Government should consider implementing a public-interest test for data-driven mergers and acquisitions.”

This engagement has also been crucial in bringing this emergent area of law to the attention of civil society organisations, notably BEUC (the European Consumer Organisation or “Bureau Européen des Unions de Consommateurs”) and Privacy International. In 2020, BEUC appointed me as one of four academic advisers on its “Consumer Protection 2.0” project, ultimately ensuring it is better able to represent the interests of European consumers. Privacy International has similarly cited my research in its submissions to competition authorities, including to the Federal Trade Commission. I have also provided an expert statement for inclusion in its submission to the European Commission regarding Google’s proposed acquisition of Fitbit. The increased scrutiny of this acquisition by competition authorities represents further progress and ultimately may lead to data protection concerns being factored in before, rather than after, such a data-driven acquisition.

Overall, my research has been crucial in increasing the attention paid to – and acceptance of – the relationship between data protection and competition law. This is becoming notable in official decision-making, such as in an apparent shift in stance from the European Commission in its merger decisions. In the Facebook/WhatsApp merger decision (2014), it referred to data protection only once. However, in its Microsoft/LinkedIn decision (2016) the Commission refers to data protection on 26 occasions, explicitly acknowledging privacy as “an important parameter of competition”.

By influencing substantive and institutional reforms designed to ensure coherence between data protection and competition law frameworks, my research has contributed to the process of establishing a more robust protection of fundamental rights.

Dr Orla Lynskey will be discussing data law with Professor Andrew Murray in the online event How to Navigate Data Law and its Challenges and Opportunities on Wednesday 15 June 2022, 12:00pm to 1:00pm, hosted by LSE Festival: How Do We Get to a Post-COVID World?

♣♣♣

Notes:

  • This blog post appeared first as an LSE Research Excellence Framework impact case study.
  • The post represents the views of its author(s), not the position of LSE Business Review or the London School of Economics.
  • Featured image by Privecstasy on Unsplash
  • When you leave a comment, you’re agreeing to our Comment Policy

 

About the author

Orla Lynskey

Orla Lynskey is an Associate Professor in Law at LSE. She teaches and conducts research in the areas of data protection, technology regulation, digital rights, and EU law. She holds an LLB (Law and French) from Trinity College Dublin, an LLM in EU Law from the College of Europe (Bruges) and a PhD from the University of Cambridge.

Posted In: LSE Authors | Q and A | Technology

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.