The Veikko Palotie Award was this year granted to LL.M. (MICL) Jere Lehtioksa for his praiseworthy master’s thesis “Big Data as an Essential Facility: the Possible Implications for Data Privacy”. The award was granted for the tenth time and it consists of the Veikko Palotie medal and a grant of EUR 4 000. Paulo Foundation and Merilampi grant the award annually to a master’s thesis that is of interest to the field of business law.
Satu-Anneli Kauranen, Partner in the competition and EU law team, who reviewed the thesis at Merilampi, explained the choice as follows: Jere’s choice of topic nicely combines current phenomena of Big Data and its competition law assessment in dominance situations with requirements of the GDPR, which entered into force last May. All these topics have been widely discussed in recent years and the debate continues. This well-written master’s thesis is interesting in view of companies as well as private persons.
Jere Lehtioksa received the award yesterday at the Veikko’s Day event. Jere has graduated as Master of International and Comparative Law from the University of Helsinki. He has also earned a Bachelor of Laws with Honours degree from the City University of Hong Kong.
Summary of thesis: Big Data as an Essential Facility: the Possible Implications for Data Privacy
(by Jere Lehtioksa)
My thesis covers the interplay and possible conflicts between the EU competition law and the EU General Data Protection Regulation (“GDPR”) arising from the sharing of Big Data containing personal data between companies.
The research questions of my thesis concern whether companies deemed dominant under the EU competition law can be forced to share their data with competitors. The thesis also analyzes whether, as a result of granting access to data containing personal data, companies could violate data privacy laws.
EU competition law prohibits companies from abusing their dominance. Considering the importance of Big Data for companies, there can be situations where dominant companies have little or no incentive to share data with their competitors. A typical harm caused by such conduct is that companies cannot compete with the dominant company as they do not have access to similar amounts of data as the dominant company.
In order for a company to be forced to share its data with competitors, the nature of the data has to amount to a so-called essential facility without which competitors cannot function in the markets. The answer to whether a particular dataset can amount to such an essential facility depends on the characteristics and the purpose of use of the dataset. Furthermore, the structure of the market and the barriers to entry should be considered. As a result, it is not possible to provide a clear answer to the nature of data as an essential facility, and a case-by-case analysis of the relevant market and the significance of data has to be conducted.
On the other hand, there are various practical challenges concerning the forced sharing of data. First of all, the administrative challenges such as the administration and supervision of access have to be taken care of. In addition, the practical implementation of access such as the mode of delivery of the data might prove challenging. The definition of the terms of access has to be drafted with precaution. The key point about forced sharing of data is the question whether this might deter companies from investing in the analysis of Big Data if they are forced to share it with competitors and thus harm innovation.
Companies sharing data with third parties have to comply with the GDPR in relation to the processing of personal data. The GDPR contains various limitations on the processing of personal data in relation to sharing data with third parties. The processing has to have a legal basis under the GDPR, which might turn out difficult to define due to the complexity of the processing. Under the GDPR, once personal data has been collected, it can only be used for the purpose it was collected for unless consent is provided by the persons whose data is being processed (data subjects) unless certain exceptions apply. Furthermore, the GDPR places information duties on the controller to inform the data subjects on the processing of their personal data. All these limitations might make it difficult for a company to comply with the GDPR when sharing personal data in the form of Big Data.
There are certain solutions to the problems explained above, such as the anonymization of the personal data, as the provisions of the GDPR do not apply to anonymous data that satisfies certain criteria. On the other hand, the usability and the value of anonymized data have to be considered. The GDPR also provides for a limited right to data portability, meaning that data subjects can have their personal data transmitted from the original controller to another controller under certain circumstances. However, this type of data portability only concerns the personal data of the data subject in question making the request and not the entire dataset.
The above issues decrease legal uncertainty for companies as companies risk violating either data privacy laws if they share data with competitors or competition laws if they decline to share data as a result of complying with data privacy laws. Furthermore, the practicalities of data sharing might prove challenging. The regulators should consider the need for sector-specific regulation so that companies can comply with both data privacy regulation and competition law when sharing Big Data with their competitors.