GDPR you ready for competition on the merits?


The new European rules on personal data – the General Data Protection Regulation (‘GDPR’) – are coming into force on May 25. The Regulation is a giant piece of legislation and it’s expected to affect almost every aspect of commerce. The law aims to give everyone absolute control over the use of their personal data. It will require companies to give detailed information about what data they collect from their customers and to explain how they are going to use that data. The Regulation imposes strict conditions in relation to obtaining consent from persons to process their data and clarifies the ‘right to be forgotten’ established by the European Court of DATA-BagJustice. Compliance is not something that companies are willing to gamble with since the Regulation provides for fines of up to €20M for violators.

The effect of the law on the way in which companies compete in the market is not expected to be insignificant either. The regulation establishes a right to ‘data portability’ that’s been proclaimed as the basis for healthy competition in data-intensive environments. According to the GDPR, every person has the right to receive the data that they have provided to a company in a machine-readable format and – when technically feasible –  to ask for the personal data to be transferred to a different company directly. Here’s how the right might affect competition.

Incentivising interoperability:

Each company manages, organises and presents information in the way that it chooses to. Think of the contacts list on your phone for example. In addition to filling in a person’s phone number, your phone-maker typically allows you to add their home address or their email account on their contact card. Other phone-makers might allow their users to add more information on contact cards. For instance, they might allow users to pair social media accounts with their contact list.


All these different ways of doing business are implemented to enhance the experience of the customer. But they make the life of companies that aren’t part of a brand miserable. Imagine the struggle of an independent productivity app trying to convince you to leave Outlook and switch to them if they can’t get a hold of your contact list. This interoperability issue is a major obstacle for competition on the merits as it allows companies to protect themselves through simple technological tricks. Developing standard file formats (like the vCard file format for contacts) that can be read and processed easily by specialised software can alleviate this problem.  The GDPR, by giving users the right to obtain their data in a ‘machine-readable’ format, incentivises the production of such file formats. Through this right, competitors are assured that their success will depend on their ability to innovate, not on the capacity of their rivals to guard their data. In effect, the right provides the tools to empower smaller market players and to stimulate competition.

Lock-in lockout:

A characteristic of competition in data-intensive environments is that consumers are hesitant to try out alternative options because they are locked into using their current platforms. This is because consumers feel that the services that they use already know them and are, therefore, better equipped to personalise their experience. Think of your relationship with your search engine for example. You might be excited to hear that there is a new search engine that plants trees every time you do an internet search. This new search engine might enthuse you because it conforms with your personal morality. But there’s a high possibility that you are still not going to abandon Google. This is because your current search engine knows a huge amount about you. It knows your likes and dislikes, as well as your quirks and habits. The right of data portability weakens this lock-in effect and allows users to take all their history of data with them to another service. This is expected to strengthen the appetite of consumers to try alternative solutions.


Data are portable – Profiles are not

After explaining how this right to portability is expected to work, your immediate response might be that this provision is a bit unfair, or even hostile towards the current dominant data companies. After all, companies like Google and Facebook invest time and money to develop the processes that make our experience on their platforms attractive. The European Commission recognises that companies are to be applauded for innovating. The right to portability is not expected to ask companies to hand out the products of their hard labour. The GDPR specifies that the data that are to be portable are the ones that the user has provided to the company. The right to portability is additionally limited by a clause that requires for the rights of others not to be adversely affected. These provisions seem to suggest that portability is not likely to apply to data composed by a company.


Take an example from social media. Imagine that you make a post saying: ‘Watching The Last Jedi tonight!’. Your current social media provider might have developed sophisticated software that reads the content of your posts and informs your profile of your interests to pass them on to advertisers. From your post, the company might infer that you like going to the movies, or that you like sci-fi films, or that you’re a Star Wars geek (or even a Star Trek snob). All this information is still profiling data, but it’s information that a company has figured out on its own about you. The wording of the GDPR suggests, as fair competition demands, that only the provided data will be portable. In this way, companies will compete on their ability to analyse data and personalise their services. A company that’s simply accumulated large amounts of raw data will have no competitive advantage in this regard.

Tearing down walls while building new ones

Fort.pngWhile the right to portability might make life easier for some competitors in the aspects discussed before, the GDPR might produce more challenges for the most vulnerable market players. Reports have estimated that compliance with the new law will add a € 3.000 – € 7.200 yearly cost for Small and Medium-sized Enterprises (SMEs). The process of competition relies on the ability of new companies to enter the market and to disrupt it with innovative solutions. Given the fact that the GDPR will apply equally to every entity, added costs might be perceived as unproblematic for competition. But this is not the full picture. Start-ups already have trouble convincing investors to back their businesses. Adding an extra cost of this scale is not going to make their financing efforts easier. This expense, while a necessary evil, is going to be something that the Commission will have to address.

The General Data Protection Regulation promises to restore the sovereignty of the individual over its personal data. For competition, the law provides reasons for celebration. The Regulation is certainly a step bringing us closer to competition on the merits.