LSE research has directly influenced legal and policy proposals to secure effective data protection where major tech and social media companies are dominant.
What was the problem?
The information we provide about ourselves and which is collected by companies online is a valuable resource.
Existing data protection frameworks are premised on the belief that individuals should have certain rights in relation to this personal data. However, the complexities and scale of online data use mean that the control of personal data and key decisions regarding its processing cannot be left to individuals.
Furthermore, the size and power of digital platform companies such as Facebook (now Meta) and Google create questions about the control of data by such dominant market players, and the concentration of data in their hands.
What did we do?
Dr Orla Lynskey’s pioneering monograph, The Foundations of EU Data Protection Law, argued that the scale and complexity of data-processing operations online raise broad questions over data rights and control over personal data. Individuals alone cannot ensure effective data protection, and that given the dominant role of digital companies such as Facebook and Google, more cross-cutting, holistic approaches to such protections are required.
Her conclusion was that the market structure in which an individual is asked to exercise their data protection rights can have a significant impact on the effectiveness of these rights. For example, one could query whether consent is “freely given” when there is no competition in the market and the service in question is of social and professional importance to individuals.
By paying more attention to these structural factors, one can observe two inter-related dynamics: there is a significant concentration of ownership of digital consumer-facing platforms in the hands of a few providers; and there is little competition or differentiation between them. As a result, any measures to promote choice and control over data are jeopardised by the failure to acknowledge data protection considerations in market competition assessments of these companies.
In subsequent research, Lynskey elaborated on what would be needed to develop a more holistic approach to effective data protection, arguing that competition law should be applied in a way that assists in this aim. This has three dimensions. Firstly, the “consumer welfare” standard used by competition authorities to guide enforcement, which currently focuses on ensuring lower prices, more choice, and better quality products, should be interpreted to include data protection considerations.
Second, data-driven mergers and acquisitions (such as Facebook’s acquisition of WhatsApp) should be subject to a non-competition assessment alongside the competitive assessment of the merger, in an analogous way to “media plurality” assessments undertaken in media mergers. Third, Lynskey recommends that regulators engage in institutional cooperation to ensure a coherent approach between different regulators working in data-related fields.
This body of research, which was vigorously contested at the time in the competition law and policy community, provided the building blocks for subsequent developments. The first and third elements are now widely accepted, while a recent announcement from the Competition and Markets Authority suggests the second will also be implemented in the UK.
Finally, in more recent work Lynskey has examined whether control over personal data contributed to the power of digital companies and whether data portability initiatives in data protection and competition law could act as a constraint on this power.
Dr Lynskey’s research has directly influenced major legal and policy proposals seeking to secure effective data protection in digital markets. Lynskey has provided expert evidence to data protection authorities, policymakers, non-governmental organisations, and civil society organisations, influencing their stance on these issues.
Specifically, Lynskey’s research has been instrumental in shaping the approach of the European Data Protection Supervisor (EDPS), the EU’s independent data protection authority, through her formal and informal engagement with its work. In September 2016, it published “The EDPS Opinion on coherent enforcement of fundamental rights in the age of big data”, which marked a significant shift in its position on the subject. The paper recommended that data protection standards can be used “to determine ‘theories of harm’ relevant to merger control cases”. It also cites Lynskey’s research to suggest that “there are circumstances in which data protection can provide a relevant normative benchmark for competition law.”
Following this EDPS initiative, these issues gained prominence within several domestic and international institutions. The House of Lords Select Committee on Communications conducted a broad inquiry into “Regulating in a Digital Environment” in 2018/19, dedicating a chapter of its final report to “market concentration”. Lynskey presented evidence to the committee, which was used to support the report’s recommendation that “the Government should consider implementing a public-interest test for data-driven mergers and acquisitions.”
Lynskey's engagement has also been crucial in bringing this emergent area of law to the attention of civil society organisations, notably BEUC (the European Consumer Organisation or “Bureau Européen des Unions de Consommateurs”) and Privacy International. In 2020, BEUC appointed Lynskey as one of four academic advisers on its “Consumer Protection 2.0” project, ultimately ensuring it is better able to represent the interests of European consumers. Privacy International has similarly cited Lynskey’s research in its submissions to competition authorities, including to the Federal Trade Commission. She has also provided an expert statement for inclusion in its submission to the European Commission regarding Google’s proposed acquisition of Fitbit. The increased scrutiny of this acquisition by competition authorities represents further progress and ultimately may lead to data protection concerns being factored in before, rather than after, such a data-driven acquisition.
Overall, Lynskey's research has been crucial in increasing attention paid to – and acceptance of – the relationship between data protection and competition law. This is becoming notable in official decision-making, such as in an apparent shift in stance from the European Commission in its merger decisions. In the Facebook/WhatsApp merger decision (2014), it referred to data protection only once. However, in its Microsoft/LinkedIn decision (2016) the Commission refers to data protection on 26 occasions, explicitly acknowledging privacy as “an important parameter of competition”.
By influencing substantive and institutional reforms designed to ensure coherence between data protection and competition law frameworks, Lynskey’s research has contributed to the process of establishing a more robust protection of fundamental rights.