Reforming Mergers and Acquisitions – Exposure Draft

Introduction

1. The Office of the Australian Information Commissioner (OAIC) welcomes the opportunity to make a submission in relation to the exposure draft legislation for the Australian Government’s reforms to merger rules and processes (Exposure Draft).[1]
2. The Exposure Draft seeks to reform Australia’s merger control system so that it is faster, stronger and simpler, and better targets anti‑competitive transactions.[2]
3. Competition and privacy law are inherently linked.[3] Mergers can result in privacy impacts to consumers, particularly in the context of business models that are built upon the processing and monetisation of consumers’ personal information. A lack of competition in these contexts can result in the offering of services with lower quality privacy practices that do not align with consumers’ privacy expectations and preferences. Conversely, a competitive market can lead to increased consumer choice and allows firms to differentiate in line with consumers’ privacy preferences.[4]
4. We consider that the ongoing reform process presents an opportunity to address downstream privacy impacts to consumers that may result from certain anti-competitive practices. This submission proposes targeted additions to the Exposure Draft so that potential privacy impacts are actively considered in the assessment of how a merger may affect consumers’ interests. It recommends that the proposed legislative principles to guide the Australian Competition and Consumer Commission’s (ACCC) assessment of mergers[5] should include the consideration of any potential impacts to consumers’ privacy and the assets (including data and technology) being acquired. We also recommend that the ACCC be required to consult with the Information Commissioner in relation to mergers that are likely to have significant privacy impacts.
5. These additions would help to strengthen the complementary roles that competition and privacy law play in improving consumer outcomes, as well as strengthen ongoing cooperation between competition and privacy regulators, particularly in the context of digital platform regulation. [6]

Mergers and privacy impacts

6. Mergers can have a range of privacy impacts for individuals whose personal information is held by the parties to the transaction. These impacts may have relevance to competition regulators’ consideration of the potential effects of a merger on consumers’ interests.

Data acquisition and consolidation

7. In addition to potential competition concerns,[7] the acquisition and consolidation of data and personal information holdings can give rise to significant privacy harms, particularly in the context of mergers in the digital economy.
8. There may be a risk that the personal information of affected individuals is used for new purposes that they are not aware of or do not expect. For example, the combination of datasets through a merger may allow the acquiring firm to build more comprehensive and detailed profiles of consumers’ characteristics and behaviours, as well as serve more highly targeted forms of advertising.[8] Furthermore, significantly expanded datasets can be used to generate new, as well as potentially unexpected and sensitive inferences about consumers through machine learning and modern data analytics techniques.[9] These risks may be amplified in the context of data-driven digital platforms and services. In these circumstances, the accumulation of data through mergers and vertically integrated business models (in addition to presenting privacy risks) also allows these entities to consolidate and exercise economic and social power.
9. In addition to the use of personal information for new or unexpected purposes, mergers may present other privacy impacts such as the disclosure of personal information to new third parties, a potential lack of transparency about the handling of personal information post-merger, and a requirement for individuals to navigate new processes to exercise their privacy rights.
10. The combination of different de-identified datasets may also increase the likelihood that individuals are identifiable or reasonably identifiable, therefore constituting personal information for the purposes of the Privacy Act. While de-identification can be an important privacy protective measure, it is not a fixed or end state and the risk that datasets can be re-identified increases as they are combined or released into a new data access environment.[10]
11. These risks can be particularly pronounced in circumstances where a dominant firm extends their market power into ‘related or adjacent markets,’ as is often seen in the digital platforms context.[11] For example, a number of privacy concerns were raised in response to Google’s acquisition of Fitbit, due to the particularly sensitive nature of the health and wellness information held by Fitbit.[12] From a competition perspective, the acquisition was of particular concern given that Google held a significant share of the online advertising market (built on the accumulation of consumer data from online search) and that wearables were an emerging market and channel for data collection.[13]
12. In the European context, Google was required to make several legally binding commitments following an investigation by the European Commission under the EU Merger Regulation. These commitments included that Google would not use health and wellness data collected from Fitbit devices for Google Ads, that Google would maintain a technical separation of Fitbit user data and other Google data used for advertising, and that European Economic Area (‘EEA') users would have an effective choice to grant or deny the use of health and wellness data stored in their Google Account or Fitbit Account by other Google services (such as Google Search, Google Maps, Google Assistant, and YouTube).[14] However, these commitments were primarily directed at addressing competition and consumer protection concerns.[15] Europe’s Digital Markets Act (DMA) now prevents ‘gatekeeper’ platforms from combining personal data across different platforms in certain circumstances.[16]
13. Similar privacy concerns have been raised in relation to other mergers in the digital platforms context, including Meta’s acquisitions of WhatsApp and Instagram.[17]

The effect of competition on consumer choice and service quality

14. A lack of competition can leave consumers with less choice and can lead to the offering of lower quality goods and services at higher prices.[18] Privacy is an important parameter of product or service quality that can be negatively affected by a lack competition.[19]
15. The Global Privacy Assembly’s Digital Citizen and Consumer Working Group has suggested a consolidation of market power can lead to reduced privacy protections for individuals as “companies no longer feel the need to compete on privacy and reduce their efforts in that area.”[20] For example, an entity with substantial market power may consider that it does not need to offer consumers as much information, choice and autonomy over how their personal information is handled.
16. The ACCC has also observed that some large digital platforms are essentially the sole provider of a particular type of service or one of only a few providers, making them a ‘must have’ for large numbers of consumers.[21] This lack of choice can result in individuals being forced to use services with lower quality privacy practices that do not match consumers’ preferences and reasonable expectations of privacy.[22]
17. In many cases, consumers may feel resigned to providing their personal information to certain online services, as they do not consider there is any alternative.[23] As these products or services become more entrenched in individuals’ lives, not engaging with a product or service (such as where an individual holds privacy concerns) may not be a realistic option without having a significant impact on an individual’s ability to engage online.[24]
18. In addition to being dependent on the services offered by global social media platforms, search engines and e-commerce sites, individuals are usually presented with non-negotiable terms and conditions.[25] These all-or-nothing terms and conditions can authorise privacy invasive practices such as unwanted collection, use and disclosure of personal information or greater exposure to unwanted targeted advertising.[26] Therefore, a lack of competition and consumer choice means that consumers who wish to protect their privacy may be unable to effectively do so.[27]

Proposed principles for assessing acquisitions and consideration of privacy impacts

19. The Exposure Draft contains principles to guide the ACCC’s consideration of whether an acquisition ‘would have the effect, or would be likely to have the effect, of substantially lessening competition in a market.’ Section 51ABX(2) provides that in making such a determination, the ACCC must have regard to:
    1. the objects of the Act; and
    2. all relevant matters, including the interests of consumers.[28]
20. Section 51ABX(3) sets out a range of other matters that the ACCC may have regard to, including the need to maintain and develop effective competition in markets, the effect of the acquisition on conditions for competition, matters relating to the parties to the acquisition and the relevant market, and potential technical innovations, economic developments and productivity gains.
21. In recognition of the potential privacy impacts of certain mergers noted above, we recommend that the impacts to consumers’ privacy should factor into the consideration of ‘the interests of consumers’ under section 51ABX, where relevant. This could be achieved by either:
    • Including the potential impacts to consumers’ privacy as an additional legislative matter that the ACCC must or may take into account under subsections 51ABX(2) or (3), or
    • Clarifying that ‘the interests of consumers’ may include their privacy interests in the Explanatory Memorandum.[29]
22. The OAIC also recommends that ‘the nature and significance of assets, including data and technology, being acquired’[30] be included as a legislative matter that the ACCC may consider under section 51ABX(3)(c).
23. These amendments would ensure that privacy is considered as an important dimension of consumer welfare that can be negatively affected by certain mergers and acquisitions, particularly where substantial datasets are acquired or where consumers’ privacy preferences are affected. It would also align with similar approaches internationally.
24. In the European context, privacy invasive practices and breaches of data protection law can serve as evidence of abuse of a dominant position under the Treaty on the Functioning of the European Union (TFEU).[31] For example, in July 2023 the Court of Justice of the European Union (CJEU) found in the context of a competition law dispute involving Meta that a competition law authority is permitted to consider data protection law compliance in order to establish an abuse of a dominant position.[32] However, the CJEU also emphasised the need for competition authorities to cooperate and consult with data protection authorities when privacy issues arise (see further, Recommendation 2 below).[33]

Consultation with the Information Commissioner

25. The Exposure Draft provides that the ACCC may invite interested parties to make a written submission, gather information from certain parties, or ‘consult with such persons as the Commission considers reasonable and appropriate’ prior to making an acquisition determination.[34] The ACCC is then required to take into account information received through these consultation or information gathering processes in making the determination.[35]
26. The OAIC is supportive of this legislative recognition of the important role of consultation in the process of assessing mergers and acquisitions.
27. The OAIC also considers that the ACCC could consult with the Information Commissioner in relation to mergers that involve the acquisition of a significant amount of personal information, or which intersect with privacy and data protection issues. Among other matters, such consultation could cover the potential privacy implications of the particular merger (see further, ‘Mergers and Privacy Impacts’ above) and how they may be relevant to the ‘interests of consumers’ for the purposes of section 51ABX.
28. This express consultation requirement as well as an information sharing authorisation could be reflected in the primary legislation. There are similar consultation requirements in other legislation, for example, s 53 of the Office of the National Intelligence Act 2018 (Cth), s 355-72 of the Taxation Administration Act 1953 (Cth) and s 56AD of the Competition and Consumer Act.