4 April 2022
Dr Johnny Ryan of ICCL spoke at a gathering of global antitrust regulators and experts on 31 March in Brussels. He set out two challenges for the European Commission:
First, use the tools in the GDPR to analyse Big Tech firms and prevent their accumulating more market power on false pretences.
Second, the new EU Digital Markets Act will be of no consequence if the European Commission persists in the approach it has taken to the GDPR. It must uphold its duty to see that the law is enforced.
Video and transcript of Dr Ryan's remarks are below. (The full event recording is available from the event organisers here.)
Transcript from recording
Thank you Christina. I've just set a timer so that I don't filibuster on something that I feel very strongly about. So when it beeps I'll be halfway through!
I wanted to talk about two things. One is how do we try to understand these complicated, strange, exotic Big Tech companies. We know that they know about us. But we also know it's very hard for us to know about them. And then I want to add in a challenge.
So let's start off with how to think about them. Earlier, Commissioner Breton said “I understand. I was in industry. I know how these companies work”.
I would challenge that. I'm not sure any of us understand how those companies work - including those companies. I don't think they understand often what they're doing with data.
Luckily, it doesn't have to be that way. We have a tool. And we've had a tool for several years. It's just lying completely and utterly unused and neglected. I'll tell you about that tool. It's called “purpose limitation”.
There was a thing that Europe got very excited about. It told the rest of the world that this thing was a big deal. It was called the GDPR. It was the last Commission's baby, so we don't hear that much about it actually meaning anything now. But in the GDPR there is something from the old Directive. It's a very simple thing called purpose limitation. And the idea goes back to the 70’s.
Let me explain with an example of what that idea is.
All of us several years ago were asked by Facebook “please give us your cell phone or your mobile number so that we can improve the security for login for you”. It was called “two factor authentication”. With the passage of about 24 months Julia Angwin then found out and published that Facebook had been using the same data that we handed over for two factor authentication. It had been using those data for other processing purposes that were related to ad targeting. Now, there were probably several processing purposes for security and there were probably tens if not hundreds of distinct processing purposes for ad targeting. And what Facebook had done here was infringe the "purpose limitation principle" in European data protection law.
So that's an example of what purposes are: they are things that companies use data for. Now I want to suggest that that can create enormous opportunities to understand these companies for enforcers. Here is how that could work.
It can work in two ways. First, let's imagine that one company wants to acquire another company, and so we together go to a regulator - we go to Andrea [points to UK Competition & Markets Authority CEO Andrea Coscelli] - and we say “Andrea we want to get together”. We paint him a nice story about what it is we're going to do together. And he has to think “do these people look credible?” Judge their body language or the equivalent. And talk to experts and so on - he will talk to you [points to host Cristina Caffara].
But what he might be able to do, I think, is use data protection law - perhaps by working with a data protection authority - and compel each of us [companies] to disclose a huge spreadsheet of every single thing that we use personal data for. And there is case law that sets the scope for an individual purpose. So you can imagine now actually the analysis is (let's imagine Google – DoubleClick, if we were back there) “what happens when these two spreadsheets have a baby?” Whoa! I think we would see more than one thing blocked a year.
So the first thing is how are we even thinking about what these companies use data for?
An immediately obvious thing will be that when you ask these companies for that spreadsheet they may not actually have one, although they are required to by law. So it's important to put them under challenge for that.
The second thing is: if I am a huge, big tech conglomerate and I have grown on the merits in one area of business in one market, of course I take those data and I drop them into adjacent markets. And I cascade my monopoly.
So, this purpose limitation principle - it seems to me - is Big Tech kryptonite.
It stops that cascading monopoly. Now the DMA [EU Digital Markets Act] plays the same game. We have now in Article 5(1)a a very sensible prohibition on Gatekeepers from combining their data. But just to be clear, that's also in the GDPR. What's really nice about that being in the DMA is that now the Commission does not need to wait for the Irish data protection Commission to actually enforce the GDPR, because under Article 10 and 11 of the DMA it should be able to do so itself. That is potentially profound.
So we've got this Big Tech kryptonite. And I'm suggesting it's not just a way to analyse companies like this and finally understand them, but it's a way to “put manners on them”, as we would say in Ireland. We just don't do it.
Now, let me talk about the challenge. It's a challenge that anyone here who is European should feel quite acutely.
There was a time when Europe set the agenda for the world. It wasn't pretty, but it did happen. And it is quite a long time since that was the case. Europe has fewer and fewer jewels left in her crown. It created one in the form of the GDPR. And we convinced more than 50% of the global GDP if you look at each jurisdiction, more than 50%, to essentially copycat our rules.
Now, I remember when I was working for US tech firm called Brave my colleagues were asking me “are these Europeans serious about this GDPR thing? Do they really mean it?" - because they didn't mean it about many other things. I said “yeah, I think they do mean it. I think this is real”. Alas, they didn't. We have a situation where at [European Commission] DG Justice there's a failure to monitor whether the law was applied. And there's a failure to intervene to see that the law is applied.
So I worry although the DMA is positive, I worry that if the next Commission treats this Commission's agenda the way this Commission treated the last Commission's agenda, there's no point in having an agenda and there's no point in having a Commission.