资源环境科技发展态势分析平台

The digital economy brings with it numerous overlaps between regulatory fields, and raises issues for which it might not be clear which regulator would have jurisdiction. Yet, in Europe, there is no enforcement cooperation mechanism to bring together the regulatory authorities responsible for digital-related issues. This creates enforcement gaps and substantial enforcement costs for both regulators and businesses. The European Union’s Digital Markets Act (DMA), a new law that should be finalised in autumn, will require cooperation between the European Commission and national regulatory authorities to ensure coherent, effective and complementary enforcement. However, the practical arrangements for cooperation will only be decided later. A practical arrangement should be based on case information, case allocation and case resolution.

Jurisdictional and cross-border issues

The digital economy implies numerous jurisdictional issues for competition, data protection and consumer protection authorities. At the heart of the business model of most digital companies, such as Google or Meta, are data-driven products that rely on data-usage practices, as set out in terms and conditions. User data enables digital companies to improve their products and services and offer new ones, contributing to their market power. Yet, these data practices raise privacy and consumer protection issues. Misleading terms and conditions that lack information (consumer protection violation) or don’t allow for explicit consent (data protection violation) might distort the competition process (competition violation).

Regulators around the world deal with these issues in different ways. For instance, Italy’s competition authority found in 2017 that Facebook-owned WhatsApp violated consumer protection law with misleading terms and conditions that forced users to share personal data with parent company Facebook. In 2021, Hamburg’s data protection authority found that a similar WhatsApp practice violated data protection law because of the absence of explicit consent. Authorities in Turkey, India, Brazil and Argentina are investigating whether the practice violates competition law by giving undue competitive advantage over rivals.

Enforcement cooperation mechanism

Europe lacks an enforcement cooperation mechanism to deal with these issues more consistently by involving different regulators in different fields. The lack of such a mechanism entails substantial enforcement costs, including compliance and transaction costs for businesses that must navigate multiple regulators and countries, administrative costs regulators running similar investigations, and inconsistent outcomes arising from conflicting rulings. But the costs of non-cooperation are likely higher than the benefits of divergence from mutual learning, higher deterrence, lower risk of corruption by interested groups and higher discretion to address the issue under a specific rule.

There have been numerous initiatives to foster enforcement, advocacy and institutional cooperation through consultation (for example, the still-pending 2019 German Facebook data-sharing case on which the competition regulator cooperated with data protection regulators), joint work (for example, the 2020 Italian Big Data joint report between Italian telecommunications, competition and data protection authorities), and joint teams (for example the United Kingdom’s Digital Regulatory Cooperation Forum, DRCF). However, these initiatives do not have enforcement powers that would significantly reduce enforcement costs. So far, the most advanced form of cooperation is the DRCF, involving competition, data protection, telecommunication and financial authorities, which set joint projects, approaches and teams. But, even the DRCF does not have enforcement powers that would cut enforcement costs.

Practical arrangement

When digital enforcement cooperation between national regulatory authorities and the European Commission is established under the DMA, the practical arrangements should ensure reduced enforcement costs while retaining the regulatory autonomy of each field and country. This is possible through a three-step enforcement cooperation mechanism based on case information, case allocation and case resolution.

Case information: National regulatory authorities should be required to inform the European Commission of the opening of all cross-regulatory and cross-border cases. This should be done through the DMA cooperation forum involving the Commission and the European bodies of competition, data protection, consumer protection, telecommunication and media regulators. At a minimum, national regulatory authorities should notify cases involving firms falling within the scope of the DMA, because the law – a list of dos and don’ts for big tech companies – has several provisions relevant for different regulatory fields. Information provided should include a non-confidential case summary, with a list of regulatory fields and countries concerned. The Commission should publish the information in a readily accessible database that automatically informs, thanks to adequate labelling, the regulators for which the case is likely to be relevant. This first step would therefore be to identify which authorities and countries are likely to need to coordinate.

Case allocation: The second step would allocate the case to a lead authority, based on four objective criteria: the main harm, the deterrence effect of the rule, the standard of proof and the territorial effect of the legal decision.

The main harm is the principal violation. The deterrence effect of the rule is how likely the rule is to change the infringer’s behaviour. The higher the level of deterrence, the lower the risk of violation and the greater the likelihood of effectively changing behaviour. The standard of proof is all the elements required by the law to prove the violation. The lower the standard, the more cost-efficient the regulator’s decision. The territorial effect of the legal decision refers to where any legal decision can have a legal effect. The wider the effect, the more the solution will solve cross-border issues.

For instance, France, Germany and Poland have ongoing investigations against Apple under competition law. Apple is accused of imposing a privacy policy on third-party services without imposing it on its own services, thus placing rivals at a competitive disadvantage. The main harm alleged is that Apple’s privacy policy favours its own services to the detriment of rivals. The privacy policy is the instrument of the alleged harm, but not the injury. The competition authority, not the data protection authority, is thus the relevant competent regulatory authority. Furthermore, should the allegations against Apple be upheld, competition law would be most likely to change the behaviour of Apple as, under competition law, the company could be fined up to 10% of its annual global turnover and a solution could be imposed that changes how Apple does business. Competition law has, however, a high standard of proof that requires defining a market and a dominant position in that market, and identifying an abuse of the dominant position that has an anticompetitive effect. Last, the legal effect of a competition-law decision is EU-wide or national, depending on whether the Commission or a national competition authority oversees the case. In this case, the Commission would have been the best-placed authority to investigate because Apple follows the same practice globally. Of course, the firm can adopt any national solution globally (eg the 2019 German Amazon online sales terms, which Amazon adopted worldwide). This second step thus enables a case allocation to a single authority to avoid multiple investigations.

Case resolution: In the third step, the lead authority would resolve the case with a joint team composed of staff from competent regulatory authorities. They should assess jointly the practice and issue a joint solution to all the cross-regulatory issues. For instance, the alleged harm in the German Facebook data-sharing case mentioned above involves Facebook exploiting user data by combining data from multiple sources (competition law violation) without the user’s voluntary consent (data protection violation). The German competition authority cooperated with data protection authorities to find a solution that resolves both issues: Facebook cannot combine data (competition law solution) without the user’s consent (data protection solution) (the case is still pending before the EU Court of Justice). This third step would thus enable solving such jurisdictional issues in relation to digital companies consistently and effectively.

Recommended citation:

Carugati, C. (2022) ‘A practical arrangement for cooperation between digital economy regulators’, Bruegel Blog, 13 June