Data control and digital regulatory space(s): towards a new European approach
AbstractData control, among the newest forms of power fostered by information and communication technologies (ICTs), triggers a continuous (re)negotiation of public and private orderings, with direct implications on both regulators and intermediaries. This article examines the stance of the European Union (EU) regarding the position of Google - the world’s largest internet services company as per its 2014 market value - in two controversial instances: the ‘right to be forgotten’ and the implementation of EU competition rules. It provides an analysis of these evolving debates and their meaning for EU regulatory thrust more broadly, discussing the shift in the approach to digital markets and the proactive development of a European framework influential beyond continental boundaries.
Licence: Creative Commons Attribution 3.0 Germany
Competing interests: The author has declared that no competing interests exist that have influenced the text.
Keywords: Intermediary liability, Regulatory shifts, Digital monopoly, Right to be forgotten, E-commerce, Data protection, Taxation, Antitrust, Privacy
Citation: Radu, R. & Chenou, J.-M. (2015). Data control and digital regulatory space(s): towards a new European approach. Internet Policy Review, 4(2). DOI: 10.14763/2015.2.370
At the core of the European Union’s activity for deepening integration, regulation developed through gradual reform, relying primarily on institutional layering and the conversion of the different types of regulatory bodies (Thatcher and Coen, 2008). The emergence of a single European regulatory space - through the institutionalisation of agencies and networks within the EU - is prominently debated in academic circles (Levi-Faur, 2011; Maggetti and Gilardi, 2014). With most efforts concentrated on the creation of a competitive internal market at the turn of the millennium (such as the Lisbon Strategy devised in 2000), the comprehensive regulation of digital aspects was not in line with the neo-liberal approach to non-regulation and was not considered a priority partly due to the small share of the European information technology industry on the global market. Recent initiatives, such as the reform of the Data Protection Regulation and the newly launched Digital Single Market indicate a proactive stance in developing a genuine European regulatory space in global digital markets.
When digital markets began to prosper in the 1990s, the dominant ‘hands-off’ approach condemned any attempt to regulate the internet and related markets. In 1997, the Clinton administration issued a ‘Framework for global electronic commerce’ that illustrates this vision. According to the document, “governments must adopt a non-regulatory, market-oriented approach to electronic commerce” in order for the internet to deliver its full economic potential (White House, 1997). However, at the beginning of the 2000s, e-commerce and other internet-related markets were far from meeting the optimistic expectations of the 1990s. The burst of the ‘Dotcom bubble’ further reaffirmed the crucial role of social institutions in the creation, reproduction, and expansion of markets. European institutions were partakers, generally adopting a reactive stance, rather than driving policymaking for online activities (Christou and Simpson, 2007).
Over the last few years, oligopolistic firms have become dominant in digital markets. They own large datasets of user information that they operate through proprietary algorithms in order to create value (Pasquale, 2015). Most internet giants such as Google, Amazon, Facebook and Apple are headquartered in the United States. Digital markets in the EU mostly operate through a contractual relationship between European users and US firms. Against this backdrop, European institutions have switched their main focus from the creation of a competitive internal digital market to the creation of European rules to regulate the European ‘segment’ of global digital markets.
Due to space constraints, this article focuses on Google as the first and main target of European authorities in their effort to regulate the business of US internet giants in Europe. Google has been targeted by an antitrust investigation as early as 2010. More recently, other big internet companies have been placed under scrutiny by European authorities. Three main issues are tackled by regulators: taxation, antitrust and data privacy. Antitrust investigations have also been launched against Apple for its relation with music labels (April 2015) and Amazon for its pricing policy on the e-book market (June 2015). Tax optimisation strategies are also investigated for these two companies. Finally, data privacy is addressed by the decision on the right to be forgotten - first implemented by Google, but targeting all search engines - and by investigations by European national authorities on Facebook privacy policies.
Search engine results have been at the core of two recent debates driven by distinct authorities concerning Google’s operations in Europe. Indirectly related, both are consequential for the recent regulatory dynamism in the European Union, in particular in relation to oligopolistic data control positions. On the one hand, the decision of the Court of Justice of the European Union (hereafter CJEU) against Google in May 2014, on the so-called ‘right to be forgotten’, imposed an obligation on Google to decide on potential delisting of URLs from its search results when there is a user request in that sense, for information that is “inadequate, irrelevant or no longer relevant, or excessive” (CJEU, 2014). On the other hand, the antitrust investigation recently completed by the European Commission (EC) found that Google was in breach of the competition law through the favourable treatment of its own shopping service in a situation of market domination, as discussed further in this article. The antitrust case addresses only one of the concerns of the European Commission regarding Google’s business practices. Further investigations, for example into the Android service operated by Google on smart devices, have been recently opened. In this article, we examine the implications of these regulatory moves around data control in the EU and conclude that they are part of a broader attempt to develop a new regulatory space adapted to the requirements of the digital age, fostering norms for the global market.
Data control and new business models
The debates in the EU, intensified since 2010, regarding Google’s position and operations as a data controller and the ensuing extension of its responsibilities, are part and parcel of the transformation of governance in the digital era. The massive amount of (personal) data collected every second no longer lends itself to human processing, thus being replaced by algorithms which combine, select, and rank information by transforming input data into a desired output that takes into account specified calculations (Gillepsie, 2014). Accompanying the advances in computer power, this shift towards ‘governance by algorithms’ (Musiani, 2013; Mayer-Schönberger and Cukier, 2013) is partly stirred by the myth of larger datasets generating better and more useful knowledge (Boyd and Crawford, 2012, p. 663).
To make sense of the information available online, search engines provide the first entry point and one of the most successful business models of the century. More than 90% of online users in the US currently resort to search engines for finding what they are looking for on the web, making search engines the most widespread means of accessing information. In Europe, Google owns more than 90 percent of the online search market, giving it a powerful position to mediate between the users and the information available online. Considered in its entirety, Europe is Google’s biggest market (Drummond, 2015). The company’s mission, “to organise the world’s information and make it universally accessible and useful” translates into a continuous effort to collect data from users worldwide and a massive investment in the digitisation of offline content (archives, books, museums, etc.). Google’s annual revenue was USD 66 billion in 2014 and its lobbying expenditures were the second-largest of any corporation, surpassing USD 16 million.
Its business model is primarily based on its ability to predict behaviour by combining information coming from search queries and profiling for targeted advertising. As Powers and Jablonski (2015, p. 79) explain, “its ability to connect the right advertisement with the perfect user stems from its tracking and study of user habits,” pushing Google’s forecasting power as far as accurately predicting voting turnout on election day or the value of the stock market (2015, p. 82). Google’s patented PageRank technology remains a business secret and its search algorithm is changed and tweaked more than five hundred times a year in order to enhance user experience and to respond to business demands, according to Google’s Executive Chairman Eric Schmidt (US Senate, 2011).
Google’s implementation of the ‘right to be forgotten’
As of May 2014, Google is in charge of implementing the so-called ‘right to be forgotten’ in the EU, following the landmark case C-131/12 Google Spain SL, Google Inc. v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González. This decision by the CJEU created an unprecedented regulatory situation, entrusting Google the powers of a quasi-legal entity performing a public function that can be legally contested in case of unsatisfactory results. The decision established an obligation on Google to act on potential removal from search results of items that are “inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes for which they were processed and in the light of the time that has elapsed,” (CJEU, 2014) when there is a request in this regard from the person concerned. The decision applies to searches by individual names only and imposes an obligation on Google to set-up an infrastructure for a case-by-case deletion of links based on human review. The decision came in the midst of data protection reform discussions in Europe, which uphold the ‘right to be forgotten’ and it triggered heated debates around de-linking search results globally, on google.com (Mediapart, 2015), or only locally (e.g. google.fr; google.it, etc.).
The CJEU case referred back to a 1998 notice of property auction published by the Spanish newspaper La Vanguardia for a now-resolved debts lawsuit of Mr. Costeja. Although Mr. Costeja paid his debts, a Google search on his name would list that first after the digitalisation of the newspaper archive. The Spanish court decided that the newspaper archive should not be altered to no longer display this information, yet Google should remove the link to this information. Google challenged this in front of the highest national court (Audiencia Nacional), which referred the case to the CJEU.
On 13 May 2014, the CJEU ruling against Google proceeded as follows: first, it asserted its jurisdictional competence by establishing that the search engine activities of the Spanish subsidiary of Google Inc. - headquartered in the US and owning the search algorithm - were ‘economically profitable’ and they fall under the territorial scope of application of Data Protection Directive 95/46. Second, it determined that Google was a data controller as its activity consisted in “finding information published or places on the internet by third parties, indexing it automatically, storing it temporarily and finally, making it available to internet users according to a particular order of preference”. Third, it required Google to comply with the Data Protection Directive 95/46 as a controller on the territory of a member state, in order to “remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful” (CJEU, 2014). The Court also recognised that when the public interest is at stake, the data controller needs to assess whether to continue to make available a particular link.
This decision imposes a financial burden on Google for case-by-case reviews, which is not expected to affect its operations, but may raise the bar for future market entries. By not providing concrete guidelines for implementation, the CJEU left ambiguous not only the de facto application of the ruling, but also its geographical coverage. It introduced a new approach which requires that the processing of data be done according to the location of the user, independent of server location or company headquarters. Recognising the dominant position of Google, this regulatory move stresses the importance of norms that prevail when doing business in Europe. It signals that restrictions would be enforced to empower the European consumer, while pushing forward the adoption of the long-debated Data Protection Regulation, which imposes a stricter framework of action on companies. It also leaves room for interpretation with regards to a potential application of the decision at the global level, in order to best protect the rights of European citizens beyond their place of residence. This was the bone of contention in the months following the CJEU judgement, coming into sharper focus recently with the order of the Paris Tribunal de Grande Instance (2014) in favour of global applicability.
In practical terms, for the implementation of the ‘right to be forgotten’, Google opened an online delinking request form on 29 May 2014 and received 12,000 deindexing requests in the following 24 hours. From September to November 2014, it held consultations with the newly-established Advisory Council (made up of invited experts) in seven European capitals. One year after the CJEU judgement, the total number of requests for delisting that Google received reached 253,258, with a total of 918,699 URLs evaluated. Of these URLs, 58.7% have not been removed. In spite of the position of the Article 29 Data Protection Working Party - a cross-European panel of data protection watchdogs - advocating delisting on google.com to “satisfactorily guarantee the rights of the data subjects according to the ruling” (2014, p.1), Google decided that the judgement would not apply outside the European Union plus Norway and Iceland, meaning that links are removed only from the local versions of the search engine (google.fr, google.de, etc.), but not from google.com. The current application includes posting the following disclaimer for all searches by name, except for public figures: Some results may have been removed under data protection law in Europe. Google also informs the site webmaster that a link to their website was removed from the search results, without providing the reasoning. In its final report issued in February 2015, the Advisory Council to Google on the Right to be Forgotten supported Google’s decision to delist from all European-directed services, but not from google.com. Their position is similar to Google’s:
The google.com domain is actually US targeted. And what happens is when you come to Europe, your default access is to the dot UK or dot DE or dot FR, or what have you. And since the court focused on European users, we're going to focus on those domains. A very small percentage, less than 5% of European traffic goes to .com. So 95% or more, I don't know the exact numbers, are to these sites and that's where the action is (Eric Schmidt, Google’s Executive Chairman, Advisory Council Meeting London, 16 October 2014).
Balancing privacy and freedom of expression across boundaries is also pinned by a historical transatlantic divide between the First Amendment of the US Constitution guaranteeing freedom of speech and the strive for privacy protection in Europe. Moreover, the General Data Protection Regulation reform, initiated in January 2012 by the European Commission, saw its scope expanded after the US mass surveillance revelations. The European Parliament adopted a Data Protection Reform package on 12 March 2015. Generally promoting greater transparency and accountability for the use of personal data (including data portability and data breach notifications), the new data protection proposal establishes a responsibility for the data controller to demonstrate compelling grounds for processing which override the rights or interests of the data subject. It shifts responsibility from individuals to companies to prove that data is still relevant or needed. Following the political agreement reached by the Council of the EU on 15 June 2015, the negotiations between the Parliament and member states proceeded as early as 24 June, with the hope that the General Data Protection Regulation is adopted in early 2016 and enters into force after a two-year transition period.
Part of the broader regulatory thrust in the EU, the implementation of the so-called ‘right to be forgotten’ offers useful insights into value-laden tensions and boundary contestation as integral parts of the construction of European rules for global digital markets. The next section outlines similar efforts by European institutions to apply competition law to powerful data controllers, illustrated by the case of Google.
European Union vs. Google: the monopoly debate
In November 2010, the European Commission opened an antitrust investigation against Google Inc. based on allegations that the company had abused its dominant position in online search to favour its own services in violation of the EU competition rules. The investigation tried to determine whether Google Inc. had altered the ranking of its algorithm to promote its own services and to ‘de-mote’ competitors (EU Commission, 2010). Such behaviour would constitute a clear violation of article 102 of the Treaty of the EU that prohibits “any abuse by one or more undertakings of a dominant position within the internal market or in a substantial part of it [...] as incompatible with the internal market in so far as it may affect trade between Member States” (TFEU, 2012, former art. 82 TCE). In this case, the promotion by Google of its own services at the expense of competitors would amount to what is described in the Treaty as “applying dissimilar conditions to equivalent transactions with other trading parties, thereby placing them at a competitive disadvantage” (TFEU, 2012, Art. 102, § c).
After a four-year scrutiny, the European Commission reopened its investigation into Google’s search and advertising services. On 15 April 2015, the European Commission sent a Statement of Objections to Google. It contained a number of preliminary conclusions that paved the way to sanctions against the company. It concluded that Google had abused its dominant position in the online search market to favour its own services and in order to divert traffic away from its competitors, as early as 2008. More specifically, the Statement of Objections stresses five points (EU Commission, 2015a): (1) the systematic positioning and prominent display of Google’s comparison shopping service in Google’s general search results pages, irrespective of its merits; (2) the differentiated application of a system of penalties that ‘de-motes’ comparison shopping services and that is not applied to Google’s own service; (3) the growth in market shares of Google’s successive comparison shopping service after the implementation of the changes in the algorithms compared to the poor performance of Froogle, Google’s first comparison shopping service that did not benefit from the same algorithmic treatment; (4) the systematic favouring of Google’s comparison shopping services after the failure of Froogle; (5) the negative impact of these practices on consumers and innovation.
The preliminary conclusions of the European Commission have triggered a process in which Google Inc. is able to respond to the allegations (until the end of June 2015) and to organise an oral hearing with the Commission. At the end of the process, if the infringement of competition rules is confirmed, the Commission can take a wide array of “appropriate measures to bring it to an end” (TFEU, 2012, art. 105). Moreover, the Commission was put under pressure by the European Parliament that voted a non-binding resolution to break up Google in November 2014. While a break-up of the digital giant is unlikely to be decided, important financial sanctions might be taken against Google. Beyond the financial aspect of the case, the determination of the European institutions to take regulatory measures targeting US internet giants is an important symbolic step towards the creation of a European regulatory space on the internet, also signalled in the Digital Single Market strategy of the European Commission.
It is interesting to note that a similar investigation by the Federal Trade Commission in the US was settled in 2013. As the final report of the FTC states:
We have not found sufficient evidence that Google manipulates its search algorithms to unfairly disadvantage vertical websites that compete with Google-owned vertical properties. Although at points in time various vertical websites have experienced demotions, we find that this was a consequence of algorithm changes that also could plausibly be viewed as an improvement in the overall quality of Google’s search results (FTC, 2013).
The strong reactions by US officials after the EU Parliament’s non-binding resolution to break up Google and after the recent move by the EU Commission on the antitrust case illustrate the different perceptions of the situation on the two sides of the Atlantic. US President Obama depicted the EU policies as protectionism:
We have owned the internet. Our companies have created it, expanded it, perfected it in ways that they can’t compete. And often times what is portrayed as high-minded positions on issues sometimes is just designed to carve out some of their commercial interests (Swisher, 2015).
However, the resolution was highly controversial in Europe as well. The decision was depicted as a political move supported by Google competitors rather than a regulatory move. On the other hand, some voices in the US also advocate for a stronger regulation of digital markets. For example, Thomas Rosch, the FTC Commissioner, expressed some dissent about the FTC settlement with Google:
The Commission’s mission is to protect competition and consumers. The proposed “settlement” here will do the opposite. The Commission’s acceptance of a commitment letter to resolve an alleged violation of the antitrust laws is an unjustified and dangerous weakening of the Commission’s law enforcement authority” (Rosch, 2012).
The debate on both sides of the Atlantic indicates that the recent developments within EU institutions to regulate digital markets and big data controllers represent a struggle between competing norms for the governance of digital markets rather than anti-American protectionism. The antitrust case against Google is only a first step in a wider attempt by the EU in this direction. The alleged unfair promotion of its own services by Google is only one of the four concerns expressed by the EU Commission with regards to Google’s practices. While the present antitrust case addresses the way Google displays its search services compared to its competitors, further investigations are to be expected on the Google use of content from other websites; on Google's dominance over advertising on search terms; and on restrictions that surround how advertisers can move their campaigns to other search engines.
A formal investigation has been opened on the possible anti-competitive measures taken by Google concerning its mobile operating system Android. Google allegedly imposed the pre-installation of its services to smartphones and tablet manufacturers, prevented the development and marketing of modified and potentially competing versions of Android, and bundled certain applications to other Google services (EU Commission, 2015b). The following section explores the meaning of the new European approach by combining the analysis of the economic aspects to the societal aspects outlined in the previous section.
Towards a European regulatory space on the internet
The current growth of digital markets based on e-commerce and the exploitation of big data rests on a set of social institutions that ensure the protection of basic norms for market operation. Their development cannot be disconnected from the promotion of (Western) values that broadly define our understanding of the interplay between public and private actors, such as trust online or the enforcement of intellectual property rules. This reconfigures the roles of organisations and carves out new spaces for regulation (Chenou and Radu, 2015). The laissez-faire approach of the 1990s was believed to create the appropriate conditions for the development of the EU as “the most competitive and dynamic knowledge-based economy in the world” (European Council, 2000).
The failure of the Lisbon strategy - despite some successful initiatives such as the ‘.eu’ top-level domain, became obvious. Since 2010, a new approach of the EU towards the governance of digital markets seems to be emerging. Legal and political processes target in particular digital giants with headquarters outside its territory, offering services to European users. More than reacting to the changes brought about by the ubiquitous internet, the European institutions work towards creating a new regulatory space that counters data control as a form of monopolistic power. The value-laden rules that start to be imposed shape the development of digital markets in an unprecedented way. While recognising the dominant position of private intermediaries, the new General Data Protection Regulation and the Digital Single Market strategy represent new means to enhance the EU governance of digital markets and to go beyond a conventional approach.
In defining this regulatory space, instances of contestation over what is to be regulated, while not a new feature in global governance processes (Radu, Chenou & Weber, 2014), probe the boundaries of European institutions. By remaining ambiguous about the implementation of the ‘right to be forgotten’, the CJEU opened the door for advocating in favour of the global applicability of the decision. Specifically, the CJEU decision triggered debates as to whether the Google practice of removing links from European local versions of the search engine fully protects European citizens’ rights. Moreover, a broader inquiry into the e-commerce sector has recently been launched by the European Commission as part of a Digital Single Market strategy tackling issues such as telecommunication regulation, copyright, data protection and IT security. Against this background, the antitrust case against Google appears to be an element of a broader political project rather than just a circumstantial reaction or a protectionist trend.
What is at stake here goes beyond operating in a more regulated framework. It targets the development of new norms that out-rival the transatlantic divide in key policy areas, including privacy protection and antitrust sanctioning and seek to establish global rules. Legal scholar Frank Pasquale called for a European digital regulator that would not reproduce the weaknesses of the enforcement of competition rules in digital markets in the US. The two cases analysed in this article show that, in structuring a new approach to governance in the digital age, European institutions proactively work towards the same goal by reconfiguring their own mandates, rather than transferring responsibilities to a new regulator.
Article 29 Data Protection Working Party (2014). Guidelines on the implementation of the CJEU judgement C-131/12. Press release. 26 November.
Boyd, D. & Crawford, K. (2012). Critical questions for big data: provocations for a cultural, technological and scholarly phenomenon. Information, Communication and Society, Vol. 15 (5), 662-679.
Chenou, JM, & Radu, R. (2015). Beyond turf wars in Internet governance: the relationship between Internet organisations and IGOs. In: Rioux, M. & Fontaine-Skronski, K. (eds.), Global Governance Facing Structural Changes. New York: Palgrave
CJEU (2014). Judgment of the Grand Chamber of 13 May 2014. Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González. http://bit.ly/1AUdKN6
Christou, G., & Simpson, S. (2007). The New Electronic Marketplace: European Governance Strategies in a Globalising Economy. Edward Elgar Publishing
EU Commission (2010). Antitrust: Commission probes antitrust violations by Google. Press Release IP/10/1624. 30 November
EU Commission (2015a). Antitrust: Commission sends Statement of Objections to Google on
comparison shopping service. European Commission Fact Sheet MEMO/15/4781. 15 April
EU Commission (2015b). Antitrust: Commission opens formal investigation against Google in relation to Android mobile operating system. European Commission Fact Sheet MEMO/15/4782. 15 April
European Council (2000). Presidency Conclusions. Lisbon European Council. 23-24 March
FTC - Federal Trade Commission (2013). Statement of the Federal Trade Commission Regarding Google’s Search Practices In the Matter of Google Inc. (3 January). FTC File Number 111-0163
US Senate (2011). Response of Eric Schmidt, Executive Chairman, Google Inc. before the Senate Committee on the Judiciary Subcommittee on Antitrust, Competition Policy, and Consumer Rights Hearing on ‘The Power of Google: Serving Consumers or Threatening Competition?’ (21 September)
Gillespie, T. (2014). The Relevance of Algorithms. In: Gillespie, T., Boczkowski, P. & Foot, K., Media Technologies: Essays on Communication, Materiality, and Society. Cambridge, MA: MIT Press, pp. 167-194
Maggetti, M. & Gilardi, F. (2014). Network Governance and the Domestic Adoption of Soft Rules. Journal of European Public Policy, Vol. 21 (9): 1293-1310
Mayer-Schönberger, V., & Cukier, K. (2013). Big Data: A Revolution That Will Transform How We Live, Work, and Think. Boston: Eamon Dolan/Houghton Mifflin Harcourt
Mediapart (2015). French data-protection agency tells Google to make ‘right to be forgotten’ global’. 12 June
Musiani, F. (2013). Governance by algorithms. Internet Policy Review, Vol. 2 (3): 1-8
Pasquale, F. (2015). The Black Box Society: The Secret Algorithms That Control Money and Information (1st edition). Cambridge: Harvard University Press
Powers, S. & Jablonski, M. (2015). The Real Cyber War: The Political Economy of Internet Freedom. Chicago: University of Illinois Press
Radu, R., Chenou, JM., Weber, R.H. (eds.) (2014). The Evolution of Global Internet Governance: Principles and Policies in the Making. Berlin and New York: Springer
Rosch, J. T. (2012). Concurring and Dissenting Statement of Commissioner J. Thomas Rosch Regarding Google’s Search Practices In the Matter of Google Inc. (3 January). FTC File No. 111-0163
Swisher, K. (2015). White House. Red Chair. Obama Meets Swisher. Re/code. 15 February
Thatcher, M., & Coen, D. (2008). Reshaping European regulatory space: an evolutionary analysis. West European Politics, Vol. 31 (4), 806-836
TFEU - European Union (2012). Consolidated Versions of the Treaty on the European Union and the Treaty on the Functioning of the European Union. http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:C:2012:326:FULL&from=EN