Google/Fitbit review: Privacy IS a competition issue

In a recent interview with Bloomberg, Commissioner Vestager is reported to have indicated that DG Comp’s review of Google’s plan to buy Fitbit Inc. for $2.1 billion will not involve privacy regulators.1 The European Data Protection Board, the body that advises the European Commission on the application of EU data protection law, had issued a statement a few days earlier highlighting the privacy implications of the merger (“There are concerns that the possible further combination and accumulation of sensitive personal data regarding people in Europe by a major tech company could entail a high level of risk to the fundamental rights to privacy and to the protection of personal data”).2 Commissioner Vestager is reported to have said to Bloomberg that “[w]e are just very careful not to see a competition issue where there is a privacy issue because, if that is the case, it’s not for us”.  She has also been on the record in the past stating that we need strong and effective data protection and that, where privacy acts as a parameter of competition, competition authorities could and should get involved.  We believe the role of data and the interface between competition and privacy issues is very broad and goes further than privacy as a parameter of competition. 

We are not involved in the review of the case, nor do we know how DG Comp is in fact approaching the case at present. However, we believe this to be a very important discussion and offer a few observations and suggestions in the spirit of contribution to the debate.

Time to get the analysis right

Google/Fitbit involves the acquisition by a giant digital platform – whose business is based on the monetisation of customers’ data through microtargeted ads, and is already sitting on a mountain of personal data and analytics capabilities – of a target with unique data-generating assets in the most sensitive of all areas: capturing biometric data (health, and even emotions) 24 hours a day, every day. 

This deal is coming forward against a background of perceived major deterioration in privacy standards, as competition between data collectors has dwindled and users’ attention is now funnelled into very few giant ‘attention brokers’. By now, the notion that privacy is also very much a competition concern has been explicitly recognised in multiple major reports (the Furman et al. report, the Cremer et al. report, the Stigler report and multiple others).3 The work of Yves-Alexandre de Montjoye (one of the co-authors of the Cremer et al. report) and the Computational Privacy Group at Imperial College London has shown not only that there is no tension between the pursuit of privacy and competition, but in fact that privacy and competition reinforce one another. Along similar lines, Tommaso Valletti’s testimony before the US Congress on the very role of data for competition in the digital space says that “privacy is at the core of the economics of many digital platforms, and competition is shaped around it. The possible degradation of consumer data protection can result from market power, and it will undermine the competitive process as well as lead to detriment to consumer welfare”.4

We have also collectively recognised (ex post) that the review of Facebook/WhatsApp missed the true driver for the deal – capturing the millennial generation’s users and monetising yet more personal data, increasing Facebook’s power in advertising markets in disregard of privacy rules. That merger ended with an unconditional clearance after a Phase 1 review because there were no ‘conventional’ competition concerns – notwithstanding that Facebook actually paid $21 billion at the time, or $55 per user.5 Just as Google today promises that “Fitbit health and wellness ‘personal’ data will not be used for Google ads”, Facebook at the time swore blind they would not exploit WhatsApp data and would monetise the $21 billion by selling emojis – something they actually never did. They were fined €110 million for having misled the European Commission, but still got to keep, mingle and exploit the data. And critically, they achieved the goal of preventing another competing social network platform from emerging.  

Six years down the road, where are we? Surely, we cannot be saying that ‘privacy issues’ are extraneous to merger assessment in a case of this kind today; and only a ‘conventional’ theory of harm (overlaps and vertical links in defined product markets) can justify a competition concern.  

We have the economic tools to deal with privacy in merger review 

Economics has made very significant progress in recent years in understanding how the distortions associated with exploitation of personal data and privacy violations can be described as competition problems. 

We are now clear that economic tools for merger assessment can find ample competition concerns linked to privacy. For example, receiving exploitative ads that are delivered when the user is exhausted, hungry, or stressed constitutes a reduction in the quality of the service, a very traditional economic harm. It is also possible that, if the target remained independent, it might be able to sell information about users in competition with the incumbent, leading to lower advertising prices. This would also be a traditional type of harm – in terms of loss of potential competition. 

We understand that the business model of advertising-funded platforms relies on grabbing people’s attention, learning about their preferences, influencing their behaviour, and ultimately showing them hyper-targeted ads. For this, specialist data which adds to the existing set in a previously unmeasured dimension of consumer activity is especially valuable. Google's strategy (both in acquisitions and the development of new products) has been driven by collecting more and more data about different aspects of our lives. It is not (necessarily) about the amount of data, but about the multi-modality: search, browsing, location, mobile, credit cards, and now health. 

We also understand that what is critical to maximise the value of data is the ability to observe statistically significant information across apps, and over time. The means that linking multiple pieces of information about individuals in a way that extracts relevant signals, and fast enough to show the relevant ad as soon as possible, is what enables the information to be mined most effectively to power the business model. Google is the largest such platform, with the ability to ‘see’ what users do along multiple dimensions, link it together and over time, with unrivalled analytics and computing power, and exploit it. It is this ability to aggregate individual-specific data into statistically meaningful signals (on location, age, gender, etc.), that matters for competition. The point here is that data – which can be uniquely exploited and aggregated and mined – needs to be seen as the key driver for deals of this kind. 

Finally, we know that a promise “not to use personal information for advertising purposes” (our emphasis) is a statement that is, at best, empty and, at worse, misleading and obfuscating – because none of the ways in which power can be increased by the deal relies on any particular piece of individual-specific information, and because it is the collection of data and profiling of individuals that interferes with privacy, not the targeting with this or that advertisement. The power comes from obtaining statistically relevant information collected from, and linking together, incredibly large datasets. Each piece may be irrelevant on its own, but their aggregation is unbeatable. In addition, targeting can be made sharper with this extra bit of critical data. For example, Google could use the Fitbit data to help it learn which ad was most effective, and then target ads more effectively while technically complying with not using “personal information for advertising purposes”. Of course, Google could also do what it did with DoubleClick, which is to say that it will not combine profiles during the review, and then combine profiles some years later without consequences.

So, what are the potential concerns?

We do see concerns about the deal in a number of possible dimensions, all of which recognise the value of personal data and where privacy issues cannot be divorced from the analysis.

1. Pre-empting the emergence of a new ‘access point’ for personal data in third-party hands.  Wearables could be potentially the ‘next Android’. They are ‘with us’, on our body, 24/7, potentially more so than any other device. They could become the ultimate access point for our attention, all of the time. If – as predicted – wearables of various kinds will become widespread with the ability to collect data that can be potentially matched with other personal data and exploited, then acquiring a business with data and a relevant OS like Fitbit has strong strategic value for anyone. With Google as the acquiror, the concern is that the acquisition is intended to pre-empt the emergence of a potential rival who could otherwise develop by exploiting a key ‘access point’ for the collection of data and for access to our attention, with the ultimate aim to defend and enhance its position in the core advertising business. In the absence of interoperability, the Google ecosystem would be reinforced, making it difficult if not impossible to switch or use devices/services that do not belong to the same ecosystem – these are the new network effects at play. 
2. Creating the opportunity to combine a unique set of intimate personal data with other sets of personal data about the same individual, generating even more powerful signals to be interrogated in multiple dimensions. This is in itself a problem as it is a de facto ‘price increase’ – or more accurately a ‘quality reduction’ – for all consumers (whether or not they are deemed to ‘value’ their privacy). Biometric and behavioural data is highly valuable, especially when collected from the same individual over time. Creating connections between these types of data and other personal data which are held for the same individual can provide unique opportunities for insight and monetisation.  The relevance of privacy is obvious: this is data that reveals the most intimate aspects of a person’s health and lifestyle, and under GDPR (as well as most data privacy laws around the world) processing of such data is prohibited unless the individual has given her explicit, specific, and informed consent. Yet it is technically possible to make these connections, and it will be hard to resist the incentive. As what matters are statistically relevant signals, this creates a gigantic negative externality if information is used and exploited, especially so for individuals with very strong preferences for privacy. This is all amplified by Google’s extreme dominant position and lack of interest in enhancing and protecting privacy. In effect, this is equivalent to a quality reduction. 
3. Impact on markets that depend on data acquisition.  Google is dominant in ad-tech, and it is further pulling up the drawbridge in multiple ways by limiting its rivals’ ability to track and target ads: it recently announced it will end support for third-party cookies that track users in Chrome, ostensibly in order to "enhance privacy" –  predicated on the disingenuous notion that privacy can only be violated by third parties and not by the service provider itself; in practice, removing the ability of third parties to track their users.6 It also announced that it would exclude from its app store third-party apps with location tracking, while of course preserving its own ability to track (Google Maps).7 It already owns locational data that is hugely important for targeted advertising, and it already has an unrivalled amount of visibility via data tracking in Android.  It thus has the ability to link personal data across platforms/apps, with unparalleled ability to offer hyper targeted ads. Combining this existing stock with enormously valuable biometric and behavioural data that can inform on other dimensions of the user’s experience, Google will gain further strength in the supply of digital advertising in which it is already super dominant.  This can manifest itself in more discrimination – higher prices and finer extraction of all surplus, and a further ‘gap’ in the ability of others to begin to challenge their core business (more revenues increase the ability to outbid others for any complementary activity that helps keep others out of the way – as in Android where no one could match Google’s offered payments to OEMs).
4. Impact on adjacent markets, such as insurance and healthcare. There is precedent for Google’s acquisitions in the health sector. For instance DeepMind –  a UK AI company acquired in the UK in 2016 – had a partnership with the NHS for the use of personal data (obtained without explicit patients’ consent, in breach of all privacy rules) and it is now integrated into Google Health after a late announcement that was not mentioned at the time of the acquisition.8 Ascension had a similar position in the US.9 Millions of individual patients’ data have been obtained without their consent and nobody really knows how Google is using it. Like patient data, biometric data can be very important to make substantial inroads in markets that value such data – from pharma to health services to insurance. The ability to match web-browsing behaviour (for example, establishing that an individual with certain characteristics also gambles) can make it possible to gain significant advantages in the supply of lending, insurance, etc. The basic premise is that these markets have been characterised historically by asymmetric information (because the individuals know more about their true ‘type’ than the supplier of these services), but this would be ‘flipped around’: one firm (Google) can know everything about individuals, while rivals don’t. This is close to a perfectly discriminating monopolist that appropriates the entire surplus, and leaves nothing to consumers. The extraction of all rents could be perfect. Consumers, even the more affluent ones with lots of surplus, could see it shifted to Google fully.  The risk of consumer harm from this kind of acquisition is enormous.

These theories need to be examined closely and verified of course. Can they amount to competition concerns? Absolutely: exploitation, vertical foreclosure, loss of potential competition, discrimination, flexing market power. But they also involve personal data and the review should include privacy in the way it impacts quality and prices and ultimately consumer welfare, as we always do. Privacy should not be excluded for a full and comprehensive economic review.

Let’s slow right down and not make mistakes

We thus urge the competition review of the merger to recognise that market power and incentives for anticompetitive conduct can arise from the uniquely personal data the target can harvest and are compounded by disregard for privacy concerns to pursue profit maximising motives. These are potentially the ‘real stories’ behind the deal, that need to be intelligently and thoroughly pursued. 

Competition regulators should not be caught in the weeds of ‘market definition’ and ‘product overlaps’, missing the wood for the trees and concluding there is no issue because there is no immediately obvious antitrust ‘overlap’. We know that ad-funded businesses have inexorable incentives to exploit data for advertising purposes. Google are proposing to acquire a unique, exclusive dataset and data collection capabilities, and from a new ‘mode’ that was not visible to them before. They will have every incentive to exploit this data in ways that can lower consumer quality and experience. Furthermore, the loss of Fitbit as an independent player implies foregoing the opportunity of a potential challenge to Google’s model based around data which is unique and valuable. 

We can nevermore rely on promises from dominant digital platforms “not to use the data”: like Facebook, Google has made promises that turned out differently or cannot be monitored, let alone enforced; or announcements about seemingly benign developments that in fact are benign only to Google. The examples are many. When it acquired DoubleClick, Google initially kept its database of web-browsing records separate from the names and other personally identifiable information collected from Gmail and its other login accounts; but this was changed last summer – when Google “literally cross(ed) out the lines in its privacy policy that promised to keep the two pots of data separate. In its place, Google substituted new language that says browsing habits “may be” combined with what the company learns from the use Gmail and other tools”.10 And given its dominance in this and its many other markets, consumers simply had no choice but to swallow yet another privacy loss.  As mentioned, it is implementing policies that reduce the ability of others to track and locate their users. This is just the tip of a very opaque iceberg of data flowing everywhere within an opaque system that authorities cannot really monitor.

We need to slow down and avoid mistakes that are irreversible. A merger prohibition, on the other hand, is not irreversible. It should not be controversial that more competition delivers more innovation. And we want innovation to happen in ways that are sustainable and do not undermine society’s goals.

Authors’ note: The views in this note are entirely our own, and do not represent those of colleagues or our respective institutions. We are not being paid or remunerated in any way by anyone to express them.

Endnotes

1 Google-Fitbit Probe Isn’t for Data Watchdogs, Vestager Says,  Bloomberg, 25 February.

2 Google gobbling Fitbit is a major privacy risk, warns EU data protection advisor, Techcrunch, 20 February.

3 See Unlocking Digital Competition, Furman et. al. March 2019; Competition Policy for the Digital Era, Crémer et. al. April 2019; Stigler Committee on Digital Platforms: Final Report, Scott-Morton et al. September 2019.

4 Testimony of Tommaso Valletti before the House Judiciary Committee Subcommittee on Antitrust, “Online Platforms and Market Power: The Role of Data and Privacy in Competition”, 18 October 2019.

5 WhatsApp: The Best Facebook Purchase Ever?, Investopedia, 25 June 2019.

6 Google to ‘phase out’ third-party cookies in Chrome, The Verge, 14 January 2020

7 Google is cracking down on Android apps that track your location in the background, The Verge, 21 February 2020

8 Google: Our DeepMind health slurp is completely kosher, The Register 15 November 2018; and less than a year later: DeepMind’s health team joins Google Health, 19 September 2019. Streams app has been subsequently integrated into Android.

9 Project Nightingale, TechTarget, February 2020

10 Google Has Quietly Dropped Ban on Personally Identifiable Web Tracking, ProPublica, 21 October 2016