Rethinking the role of privacy risk in addressing abuse of data power: from both data protection and competition perspectives
摘要
The question of how to measure the privacy risk/level of privacy protection can be viewed as a concern not only for data protection laws, but also for competition policy and enforcement. Data controllers build a competitive advantage at the expense of individual privacy, and the privacy risk can serve as an indicator, or a cover: The scenarios where high privacy risk is caused by improper data processing, such as data extraction without user consent or appropriate technical measures could, under certain conditions, produce exploitative effects (German Facebook case); however, the relevance of privacy risk in assessing competitive harm is premised on the importance of data for competition (Microsoft/Nuance), and the requirement that a data controller takes advantage of that importance, leading to a foreseeable loss of privacy interests. The scenarios where low privacy risk is decided by technically defined ‘deidentification’ (Google Privacy Sandbox), or contract-based consent under the cover of self-determination (Apple’s ATT policy; Doe v. Meta), cannot justify improper data processing, because the seemingly reduced privacy risk could be used as a cover to implement such practice as self-preferencing or price discrimination. It follows that the privacy protection defense cannot exempt data controllers from the data sharing obligation by simply endorsing privacy-friendly techniques, or consent-and-waiver agreement. Finally, this paper addresses the question of how to assess the privacy risk/level of privacy protection by introducing the idea of ‘data quality’, thereby contributing to the integration of competitive considerations into the data protection framework.