OAIC submission to Merger Reform Consultation Paper

Introduction

1. The Office of the Australian Information Commissioner (OAIC) welcomes the opportunity to submit to Treasury’s Merger Reform Consultation Paper (the Consultation Paper)^[1].
2. The OAIC is an independent Commonwealth  regulator, established to bring together three functions: privacy functions  (protecting the privacy of individuals under the Privacy Act 1988 (Cth)  (Privacy Act), freedom of information (FOI) functions (access to information  held by the Commonwealth Government in accordance with the Freedom of  Information Act 1982 (Cth) (FOI Act)), and information management functions  (as set out in the Australian Information Commissioner Act 2010 (Cth))^[2].
3. The Consultation Paper seeks views on the efficacy of Australia’s current merger control regime and potential ways in which it could be improved. The Consultation Paper proposes several policy options including possible changes to the merger control process, as well as amendment to the test for whether mergers are ‘likely to have the effect of substantially lessening competition’ in the Competition and Consumer Act 2010 (Cth).
4. Competition and privacy law are inherently linked. Mergers can result in privacy impacts to consumers, particularly in the context of business models that are built upon the processing and monetisation of consumers’ personal information. A lack of competition in these contexts can result in the offering of services with lower quality privacy practices that do not align with consumers’ privacy expectations and preferences. Conversely, a competitive market can lead to increased consumer choice and allows firms to differentiate in line with consumers’ privacy preferences^[3].
5. Accordingly, the potential impacts to consumers’ personal information and privacy interests should feature as an active consideration in the assessment of the effect of a merger on competition. This submission focuses on the proposed amendments to the merger control test set out in the Consultation Paper and associated privacy implications. The OAIC is supportive of the proposal to require consideration of ‘access to or control of data and other significant assets^[4]’ or of the ‘nature and significance of assets, including data and technology, being acquired’ in assessing the impact of mergers on competition^[5]. This submission also recommends the creation of a legislative requirement to consult the Information Commissioner on potential privacy impacts as part of the assessment of mergers that involve significant amounts of personal information.
6. These measures would help to reinforce the important roles that competition and privacy law play in improving consumer outcomes and emphasise the need for ongoing cooperation between competition and privacy regulators and policymakers, particularly in the context of digital platform regulation^[6].

Mergers and privacy impacts

7. Mergers can have privacy implications for individuals and can give rise to privacy harms.^[7] These impacts may be caused by the combination of personal information holdings as well as consumers’ inability to avoid engaging with entities that have poor quality privacy practices in sectors with low levels of competition.

Data acquisition and consolidation

8. Mergers can involve the acquisition and consolidation of data and personal information holdings by the acquiring firm. In addition to potential competition concerns^[8], these mergers can give rise to privacy harms, particularly in the context of mergers in the digital economy.
9. There may be a risk that the personal information of affected individuals is used for new purposes that the individual is not aware of or does not expect. The combination of datasets as a result of a merger may allow the acquiring firm to build more comprehensive and detailed profiles of consumers that encompass their characteristics and online behaviours, as well as serve more highly targeted forms of advertising^[9]. Furthermore, large datasets can be used to generate potentially unexpected and sensitive inferences about consumers through machine learning and modern data analytics techniques, which presents an increased privacy risk^[10].
10. The combination of different de-identified datasets may increase the likelihood that individuals are identifiable or reasonably identifiable thus constituting personal information for the purposes of the Privacy Act. While de-identification can be an important privacy protective measure, it is not a fixed or end state and the risk that datasets can be re-identified increases as they are combined or released into a new data access environment^[11].
11. These risks can be particularly pronounced in circumstances where a dominant firm extends their market power into ‘related or adjacent markets,’ as is often seen in the digital platforms context.^[12] For example, a number of privacy concerns were raised in response to Google’s acquisition of Fitbit^[13], due to the particularly sensitive nature of the health and wellness information held by Fitbit. From a competition perspective, the acquisition was of particular concern given that Google held a significant share of the online advertising market (built on the accumulation of consumer data from online search) and that wearables were an emerging market and channel for data collection.^[14]
12. In the European context, Google was required to make several legally binding commitments following an investigation by the European Commission under the EU Merger Regulation. These commitments included  that Google would not use health and wellness data collected from Fitbit  devices for Google Ads, that Google would maintain a technical separation of  Fitbit user data and other Google data used for advertising, and that European  Economic Area (‘EEA') users would have an effective choice to grant or deny the  use of health and wellness data stored in their Google Account or Fitbit  Account by other Google services (such as Google Search, Google Maps, Google  Assistant, and YouTube).^[15] However, these commitments were primarily directed at addressing competition and consumer protection concerns.^[16] Europe’s Digital Markets Act (DMA) now prevents ‘gatekeeper’ platforms from combining personal data across different platforms in certain circumstances^[17].
13. Similar privacy concerns have been raised in relation to other mergers in the digital platforms context, including Meta’s acquisitions of WhatsApp and Instagram.^[18]

The effect of competition on consumer choice and service quality

14. The Consultation Paper acknowledges that competition can provide consumers with increased choice, lower prices and higher quality goods and services.^[19] Conversely, a lack of competition in the market provides consumers with less choice and can lead to the offering of lower quality goods and services at higher prices.
15. As the ACCC has observed, some large digital platforms are essentially the sole provider of a particular type of service or one of only a few providers, making them a ‘must have’ for large numbers of consumers.^[20] This lack of choice can result in individuals being forced to use services with lower quality privacy practices that do not match consumers’ preferences and reasonable expectations of privacy.^[21]
16. In many cases, consumers may feel resigned to providing their personal information to certain online services, as they do not consider there is any alternative.^[22] As these products or services become more entrenched in individuals’ lives, not engaging with a product or service (such as where an individual holds privacy concerns) may not be a realistic option without having a significant impact on an individual’s ability to engage online.^[23]
17. In addition to being dependent on the services offered by global social media platforms, search engines and e-commerce sites, individuals are usually presented with non-negotiable terms and conditions.^[24] These all-or-nothing terms and conditions can authorise privacy invasive practices such as unwanted collection, use and disclosure of personal information or greater exposure to unwanted targeted advertising.^[25] Thus, a lack of competition and consumer choice means that consumers who wish to protect their privacy may be unable to effectively do so.^[26]
18. Furthermore, privacy may be a parameter of product or service quality that can be negatively affected by a lack competition.^[27] In this regard, the Global Privacy Assembly’s Digital Citizen and Consumer Working Group has suggested that where privacy is a non-price factor of competition, a consolidation of market power can increase the likelihood of reduced privacy protections for individuals, including because “companies no longer feel the need to compete on privacy and reduce their efforts in that area.”^[28]

The merger control test

19. The Consultation Paper highlights three potential changes to the test for whether mergers are ‘likely to substantially lessen competition’,^[29] which seek to better recognise the effect that some acquisitions have on competition and the structure of the market.
20. Option A would update the list of matters that the ACCC may (and the court must) consider when assessing the impact of mergers on competition (‘merger factors’).^[30] This could include the addition of new merger factors, such as consideration of ‘access to or control of data and other significant assets’^[31] or of the ‘nature and significance of assets, including data and technology, being acquired.’^[32]
21. The OAIC is supportive of the addition of a new factor to section 50(3) of the Competition and Consumer Act 2010 (Cth)  that considers the data and technology being acquired through a merger. This could assist in considering the potential competition and privacy implications of data combination that may take place as part of a merger.
22. The OAIC also recommends that a new factor is included in section 50(3) that expressly requires consideration of the potential impacts to consumers’ privacy in the assessment of the effect of a merger on competition.
23. Such an approach would not be out of step internationally.  In the European context, privacy invasive practices and breaches of data protection law can serve as evidence of abuse of a dominant position under the Treaty on the Functioning of the European Union (TFEU).^[33] For example, in July 2023 the Court of Justice of the European Union (CJEU) found in the context of a competition law dispute involving Meta that a competition law authority is permitted to consider data protection law compliance in order to establish an abuse of a dominant position.^[34] However, the CJEU also emphasised the need for competition authorities to cooperate and consult with data protection authorities when privacy issues arise.^[35] This underlines the need for such consultation to take place in the Australian context, which is discussed further below.

The merger control process

24. The Consultation Paper also suggests policy options to address shortcomings in the current merger control process. The Consultation Paper proposes both ‘judicial enforcement’ merger control models (relying on litigation by the ACCC to stop a potentially anti-competitive merger if the parties decide to proceed) and an ‘administrative’ model (which would require ACCC approval before the parties can proceed with a merger).^[36]
25. In recognition of the potential privacy impacts of mergers and acknowledging that privacy impacts may form evidence of anti-competitive conduct, the OAIC considers that informed consultation between the ACCC and the Information Commissioner should take place as part of the assessment process for mergers that will involve significant amounts of personal information or where a merger may intersect with privacy and data protection issues. An express consultation requirement and information sharing authorisation could be reflected in the primary legislation that sets out any reformed merger control process, including the assessment of mergers.
26. There are similar consultation requirements in other legislation, for example, s 53 of the Office of the National Intelligence Act 2018 (Cth), s 355-72 of the Taxation Administration Act 1953 (Cth) and s 56AD of the Competition and Consumer Act 2010 (Cth).

^[1] Treasury, Merger Reform: Consultation Paper, November 2023, accessed 5 January 2024.

^[2]Competition and Consumer Act 2010 (Cth) s 50.

^[3] ACCC, Digital platform services inquiry - Interim report No. 5 - Regulatory reform, 11 November 2022, accessed 8 January 2024, p 43.

^[4] Treasury, Merger Reform: Consultation Paper, November 2023, accessed 5 January 2024, p 40.

^[5] Ibid p 31.

^[6] See relatedly, Global Privacy Assembly, Digital Citizen and Consumer Working Group Report – July 2022, July 2022, accessed 8 January 2023, Annex 2: Regulating the Digital Economy – why privacy and competition authorities should talk to each other.

^[7] Information Commissioner’s Office (UK), Overview of Data Protection Harms and the ICO's Taxonomy, August 2022, accessed 23 January 2024.

^[8] See the discussion regarding data-related barriers to entry and expansion at ACCC, Digital platform services inquiry - Interim report No. 5 - Regulatory reform, 11 November 2022, accessed 8 January 2024, p 35.

^[9] OAIC, Submission to Government consultation on ACCC’s regulatory reform recommendations, February 2023, accessed 5 January 2024, [31].

^[10] OAIC, Guide to data analytics and the Australian Privacy Principles, March 2018, ‘1.3 Benefits and challenges of data analytics’. See also, Daniel Solove, ‘Privacy Self-Management and the Consent Dilemma’ (2013) 126 Harvard Law Review 1880, p 1889.

^[11] OAIC, Digital Platform Services Inquiry – March 2024 report on data brokers – Issues Paper, September 2023, accessed 8 January 2024, [25]-[32]; OAIC, De-identification and the Privacy Act, 21 March 2018, accessed 8 January 2024.  See also, OAIC and CSIRO Data61, The De-identification Decision-Making Framework, 18 September 2017, accessed 8 January 2023.

^[12] See, ACCC, Digital platform services inquiry - Interim report No. 5 - Regulatory reform, 11 November 2022, accessed 8 January 2024, p 39-40.

^[13] See for example, Matt O’Brian, Google buys Fitbit for $3b, raising privacy concerns about personal health data, Sydney Morning Herald, 2 November 2019, accessed 8 January 2024.

^[14] ACCC, Statement of Issues: Google LLC proposed acquisition of Fitbit Inc, 18 June 2020, p 2.

^[15] European Commission, Mergers: Commission clears acquisition of Fitbit by Google, subject to conditions, 17 December 2020.

^[16] Ibid. See also, Case M.9660 – Google/Fitbit, p 104, footnotes 299-300; Simon Vande Walle, ‘The European Commission’s Approval of Google / Fitbit – A Case Note and Comment’ (2021) 3 Concurrencies Competition Law Review 1,  p 7-8.

^[17] Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828 (Digital Markets Act) art 5(2)(b).

^[18] Dan Tynan, WhatsApp privacy backlash: Facebook angers users by harvesting their data, The Guardian, 26 August 2016, accessed 11 January 2024; Declan McCullagh, Facebook-Instagram deal raises new privacy worries, CNET, 9 April 2012.

^[19] Treasury, Merger Reform: Consultation Paper, November 2023, accessed 5 January 2024, p 4.

^[20] ACCC, Digital platform services inquiry - Interim report No. 5 - Regulatory reform, 11 November 2022, accessed 8 January 2024, p 40, 43.

^[21] Ibid p 43.

^[22] See, OAIC, Privacy Act Review Issues Paper Submission, December 2020, accessed 5 January 2024, p 71; Competition and Markets Authority, Online platforms and digital advertising: Market study final report, July 2020, p 179-180.

^[23] Ibid.

^[24] Ibid. See also, ACCC, Digital platform services inquiry - Interim report No. 5 - Regulatory reform, 11 November 2022, accessed 8 January 2024, p 43.

^[25] ACCC, Digital platform services inquiry - Interim report No. 5 - Regulatory reform, 11 November 2022, accessed 8 January 2024, p 43.

^[26] Global Privacy Assembly, Digital Citizen and Consumer Working Group Report – August 2021, August 2021, accessed 8 January 2023, Annex 2: Digital Crossroads: The Intersection of Competition Law and Data Privacy, p 60.

^[27] See, Global Privacy Assembly, Digital Citizen and Consumer Working Group Report – August 2021, August 2021, accessed 8 January 2023, Annex 2: Digital Crossroads: The Intersection of Competition Law and Data Privacy, pp 7-8: ‘This theory could also apply where the anticompetitive conduct of a dominant firm causes a reduction in privacy-related competition and quality. The U.S. Department of Justice, Antitrust Division alleges this effect in a recent monopolization complaint against Google, arguing that “[b]y restricting competition in search, Google’s conduct has harmed consumers by reducing the quality of search (including on dimensions such as privacy, data protection, and use of consumer data).’

^[28] Global Privacy Assembly, Digital Citizen and Consumer Working Group Report – July 2022, July 2022, accessed 8 January 2023, Annex 2: Regulating the Digital Economy – why privacy and competition authorities should talk to each other, p 5.

^[29] Treasury, Merger Reform: Consultation Paper, November 2023, accessed 5 January 2024, p 39.

^[30]Competition and Consumer Act 2010 (Cth) s 50(3).

^[31] Treasury, Merger Reform: Consultation Paper, November 2023, accessed 5 January 2024, p 40.

^[32] Ibid p 31.

^[33] See generally, Inge Graef, Damian Clifford and Peggy Valcke, ‘Fairness and enforcement: bridging competition, data protection, and consumer law’ (2018) 8(3) International Data Privacy Law 200, p 210-211; Meta Platforms (Case C-252/21) [2023].

^[34] See; Meta Platforms (Case C-252/21) [2023]; CJEU, A national competition authority can find, in the context of the examination of an abuse of a dominant position, that the GDPR has been infringed, Press Release, 4 July 2023.

^[35]Meta Platforms (Case C-252/21) [2023], [63]. A competition authority of a member state has a duty of “sincere cooperation” with the relevant privacy supervisory authority, and in view of this duty, “the national competition authority cannot depart from a decision by the competent national supervisory authority or the competent lead supervisory authority concerning those general terms or similar general terms.” Where it has doubts as to the scope of such a privacy decision, the national competition authority must consult and seek the cooperation of those privacy supervisory authorities “in order to dispel its doubts or to determine whether it must wait for them to take a decision before starting its own assessment.”

^[36] Treasury, Merger Reform: Consultation Paper, November 2023, accessed 5 January 2024, p 38.