On 24 October 2018, Apple CEO Tim Cook delivered the opening address at a conference of European Data Protection and Privacy Commissioners in Brussels. After stating that “billions of dollars trade hands every day on scraps of data that are carefully assembled, synthesised, traded and sold”, Cook warned that “these stockpiles of personal data only enrich the companies that collect them. This should make us uncomfortable and unsettle us”. While such a forceful confrontation of privacy concerns by a major tech CEO is relatively unique, the timing of Cook’s caution was also particularly interesting given it comes just one month after Apple’s €350m acquisition of Shazam was completed, following clearance by the European Commission.

Founded in 1999, Shazam’s main product is a music recognition app which allows users to record a clip of an unknown song in order to identify a digital audio fingerprint and match the clip against Shazam’s database.  Although Shazam generates revenue through referring users to services such as iTunes, Spotify, SoundCloud and Google Play and has been downloaded over 1 billion times, in 2016 the company reported a loss of over €4.6 million on revenues of just over €35 million. Nevertheless, it was very likely that Apple was not buying Shazam for its profits, and may have been interested in the data the company holds on millions of users in relation to the ‘who, how, why and when’ of listening to music.

In April 2018, after Apple announced its intention to acquire Shazam, the European Commission opened an in-depth investigation to address concerns that access to Shazam’s database might grant Apple an unfair competitive advantage, as users could potentially be directed to Apple’s iTunes ahead of competitor services such as Spotify, SoundCloud or Google Play.

However, although competition issues were the principal focus of the EU Commission’s examination, it soon became clear that this was not the only area with which regulators were concerned. Speaking in April 2018, Margrethe Vestager, the European Competition Commissioner, said “it has become almost a habit of looking into data issues when we do a merger procedure”.  Vestager elaborated further saying that “data is an asset…you can mine it; you can work it; you can do completely different things”. Crucially, however, Vestager acknowledged that European regulators were now treating large data mergers as “a completely different creature than they did five years ago”.

This approach was further validated when in September 2018, just before the Commission announced the results of the Shazam investigation, the European Data Protection Board (EDPB) released a statement on the data protection impacts of economic concentration (eg mergers and acquisitions). In its statement, the EDPB referred to the “Commission’s intention to analyse the effects of further concentration of ‘commercially sensitive data about customers’ personal data” and went on to identify the EDPB’s interest in the Shazam case and future mergers as being “essential” in order to assess the longer-term implications for the protection of “economic, data protection and consumer rights whenever a significant merger is proposed, particularly in technology sectors of the economy.”

Subsequently, in the week following the EDPB statement, when the Commission cleared the merger, Vestager noted that while the acquisition “would not reduce competition in the digital music streaming market”, her office would be “carefully review transactions which lead to the acquisition of important sets of data, including potentially commercially sensitive ones”. Adding to Vestager’s identification of the importance of big data to the digital economy, the Commission specifically warned in their press release announcing the approval that “a merger decision does not release companies from respecting all relevant data protection laws”.

Enforcement was also a point that Cook mentioned in his opening address in late October 2018, saying “we should celebrate the transformative work of the European institutions…we also celebrate the new steps taken, not only here in Europe, but around the world. In Singapore, Japan, Brazil, New Zealand, and many more nations, regulators are asking tough questions and crafting effective reforms”.

The comments of the Commission, Vestager, the EDPB and Cook collectively indicate that both European regulators and the wider technology industry are increasingly aware of potential data protection issues.  Privacy issues have not usually been at the forefront of concerns in this regard.  However, it is uncertain how investigations focused on non-data protection matters can be effectively delineated from those investigations that do focus on such topics (and more broadly whether such a distinction is even necessary in the new regulatory environment).

The EDPB in its September statement suggested that “independent data protection authorities can help with the assessment” and that such investigations, while arising initially in a competition context, could be “separate to and independent from” the analysis carried out by competition authorities.  This would likely still require increased co-ordination between, and resources for, for both data protection and competition regulators. Whether such a consolidation of enforcement tools is achievable remains to be seen.

While a future merger could not be prohibited or delayed solely on data protection grounds, it is clear that technology companies facing regulatory scrutiny in Europe should be aware that they will be mindful of international standards for privacy compliance. “This is why we analyse in-depth what role data will play as a resource, as an asset for businesses when they merge” Vestager said in an interview in late October 2018, “of course, we keep an eye open as to whether privacy can become a competition issue”.

Contributed by: Alex Towers

Follow us on Twitter  @WFIDEA and @WilliamFryLaw