Regulating Search: Competition Policy and Data Protection at the Crossroad


* This entry is the re-print of an article published in the Global Science & Technology Forum Journal of Law and Social Sciences 2012, which can be found in the GSTF Digital Library.


A significant part of the world economy today is carried out via, and advanced through, the Internet. In today’s “information society”, Internet search engines have assumed a central role, which encompasses making information readily available to everyone with little effort, facilitating the comparison of different sources and even ensuring the availability of the public domain in perpetuity[1]. Such a role is crucial not only from an economic standpoint, but also, more generally, for its impact on democracy and culture: search engines determine the way we think, gather information and make choices[2]. Accordingly, there have been calls for the imposition of a set of constraints on search engines, much as media are regulated[3].

The rationale behind this kind of claim is not novel from a regulatory perspective: to the extent that search engines perform the function of delivering information to the public, they should be treated as a medium of communication and therefore be subject to regulation.

What is striking instead is that most calls have been made for a one-dimensional, traditional type of regulation: media regulation. This approach underestimates the importance of having in place a specific privacy regulator devoted to ensuring compliance with the constraints imposed by data protection rules on the use of personal data: to the extent that search engines extrapolate information from the public, shouldn’t they be subject to regulatory scrutiny?

In light of recent developments in the treatment of user data[4] and the proposed EU regulation on data protection[5], this brief contribution will suggest why it is important that the issue of data protection be tackled from a public policy standpoint, and to what extent a search engine’s privacy policy can be taken into account within the specific context of competition policy. It shows that, notwithstanding the frequent attunement of the objectives of these two different areas of law, competition disputes are not the appropriate venue for the discussion of potential privacy violations; nevertheless, competition authorities can and should address their competitive implications.

1. Setting the framework: the relevance of data protection in competition policy

The core objective of competition law is the maintenance of the competitive process by prohibiting the prevention, distortion or restriction of competition in the marketplace. Jurisdictions tend to differ, however, on the exact meaning of the concept of “competition”, as well as of what amounts to a “restriction”.

The basic model of competition policy is unconcerned with non-economic objectives: the standard benchmark for the assessment of the legality of a certain behavior is identified with consumer welfare, seen from a purely economic perspective. Under this model of competition, non-economic values can enter the analysis only as a supererogatory element[6], i.e. to the extent that they are deemed to have specific effects on the competitive process.

In most jurisdictions, however, a different model is followed which allows non-economic values to be equally taken into account in the general welfare analysis: for example, one of the factors that according to South African merger control rules would justify an otherwise anti-competitive concentration is whether the proposed operation would lead to the creation of jobs[7]. Similarly, goals of Australian competition policy include achieving a level playing field for small and medium enterprises (SMEs) and promoting consumer choice[8]. Presumably, then, in a scenario where such values are relevant the competition authority will have to balance them against the economic effects of the conduct or transaction under scrutiny.

The difficulty of attaching a measure to these non-economic values has been extensively discussed elsewhere[9], and will not be repeated here. This contribution merely aims to shed light on the importance of factoring into competition analysis what is currently seen as a non-economic value, that of consumer privacy. This is in contrast with the fact that no competition law system includes specific provisions on the relation between competition and consumer privacy, or establishes the relevance of data protection to the assessment of a given conduct or transaction for competition law purposes.

Moreover, it is worth noting that even in a system which relies on the basic model of competition (i.e. one based on a purely economic notion of consumer welfare) some data protection concerns feed into the competitive analysis, for their relationship with competition in today’s knowledge-intensive, user-based search engine industry is necessarily a close one. The following section demonstrates in what sense.

2. User data in the antitrust analysis of the search business

The use of user data and the extent to which it is compliant with the relevant privacy rules can enter antitrust analysis at two different stages: first, at the market definition stage, where neglecting the role of information gatekeepers can lead to a potentially inaccurate assessment of the competitive dynamics; second, at the stage of evaluation of the practices of a dominant search engine, where the use of such data can constitute the very basis for a finding of abuse.

There are essentially two ways in which the ability of search engines to collect data is relevant for competition analysis: (1) it creates barriers to entry by conferring to the incumbent advantages that cannot be replicated by potential entrants; and (2) it allows players in the search advertising industry to leverage their data from or into neighboring markets, such as contextual, display, email or more generally, non-search advertising.

The first dynamic can be easily depicted by referring to the “virtuous circle” of the search business[10]: the higher the number of searches, the more information will be available to improve the relevance of results, which will in turn attract consumers to that particular search engine, thereby leading to more information available, and again, higher relevance, and so on. As a result, the ability to acquire higher volume of user data will make a dominant firm even more dominant.

The second point needs a little more background on the type of information that is acquired and how collection takes place. As we conduct our searches, engines like Google and Microsoft Bing gather information regarding our search preferences[11]. The user’s consent to the use of such information for multiple purposes, which are contained in the terms of use of the search engine, is deemed to be given by the mere fact that the browser accepts the installation of cookies that afford the opportunity to track a user’s online behavior[12]. Exactly what kind of data is subject to such treatment is less clearly stated. Broadly speaking, the data can be divided into two different categories: at a very basic level, search engines derive from simple searches information on our location (usually connected to the IP address), language, results, number of results, number of clicks and date and time of the searches. This is the basic information that is available to all search engines, regardless of whether the user is logged in on one of the additional services or applications that the search engine or one of its affiliated parties might offer. At a more advanced level, a search engine can, to the extent that it is able to track the user as she performs her searches, rely on more extensive information about search preferences. First of all, it will be able to trace that user’s search history back to the previous searches conducted, and to combine those data. Second, it will be able to monitor the behavior of the user with respect to advertisements, such as the number and type of clicked ads, the amount of time spent on the advertised page and whether she has placed a purchase. Third, the search engine might extrapolate further data from the additional services which it or an affiliated party provides to that user, such as toolbar, maps, video search, email, document viewer, group discussions, photo album, translator, finance portfolio management, and so on.

From the list just drawn, you might notice that those are all services currently offered by Google. Although the same argument applies to every search engine with additional functionalities beyond “normal search”, we will hereinafter refer to Google in light of its unique position as the dominant search engine[13] in the vast majority of jurisdictions in the world[14].

But why has the use of personal data grown so extensively in a search engine’s business? This is not only due to the fact that better technologies for the identification of users and their preferences enable a search provider to target them with more relevant (and thus potentially more interesting) ads. It is also because, increasingly, such data has become crucial to making improvements on the single most important driver of competition in search: relevance of results. The shift from “traditional” search to “personalized” search, which has gradually been made by all the major players[15], represents an important advancement in the industry. At the same time, however, as search engines are depositories of a wealth of information about users, it has brought to light a fundamental problem: the essentiality of such “data input” for effective competition in the market. In other words, the crucial importance of data begs the question of whether and under what circumstances the State should intervene to impose their sharing, in order to prevent a search engine from locking consumers into its services and thereby stifling competition.

Answering this question in the affirmative presupposes having a clear and convincing explanation of why the rise of “personalized search” combined with a company’s monopoly or quasi-monopoly over personal data would be a problem that cannot be fixed by the market alone. At the outset, it should be clarified that the mere use of personal data to improve search is not a concern in itself, irrespective of a search engine’s position in the market; rather, what makes the situation problematic is when a dominant firm uses such data to improve other unrelated services, or to increase barriers to entry for rivals in the search market due to the essentiality of this input for competition in search. In fact, the risk is twofold: that a dominant search engine, by acquiring valuable information through search queries, cross-subsidizes its products or services in unrelated markets in which it is engaged; or vice versa, that by acquiring personal information in those markets, it relies on that information to provide better, more targeted search results. By way of example, through our Google Maps preferences Google is able to identify our home city, area code and even street address, despite the fact that our IP address might say otherwise. Observing our behavior on YouTube (videos uploaded and watched, comments made, etc.), it can predict with some precision what other products might interest us. Through the scanning of our emails for relevant keywords[16], it manages to grasp the sense of our most private conversations and our upcoming planned events.

The logical implication for competition policy of the use of personal data as an asset is that authorities will have to place more emphasis on the influence that the ability to use such data has on the competitive constraints for a defined market, i.e. on the ability of fringe competitors to enter the market offering a comparable product or service. Simply put: barriers to entry will be higher for those search engines that cannot enjoy a continuous stream of personal data as the incumbent does. Accordingly, authorities should pay considerable attention to these dynamics in their market analysis, a practical example being that user data should be seen as something having an economic value. This seems reasonable, as data are an asset which needs to be routinely refreshed[17], and therefore continuously acquired, for the operation of the match-making between users and advertisers through which search engines are normally financed.

3. Privacy regulation for search data: a necessary complement to antitrust scrutiny

Despite the important role that competition law can play in the scrutiny of a search engine, there still appears to be substantial benefit to be gained from an additional layer of constraints on search operators’ use of personal data. First, there are many instances where the need to oversee the use of personal data does not stem from an economic concern, but rather, from the need to protect user privacy as a value in itself. Think, for example, of a scenario where a search engine makes certain user preferences viewable by the public via search, despite the absence of her consent. Second, the existence of rules aligned with the objectives of competition policy will obviate the need for constant policing by the antitrust authorities over the practices of search engines. An example is the recent Proposal for an EU Data Protection Regulation, which would prohibit the cross-sectorial exportation of personal data without user consent: as a matter of fact, such a rule would prevent unsolicited leveraging via data of the dominant position in search onto neighboring markets, as well as cross-subsidization of search via data acquired in these markets.

As in the first scenario discussed above, the requisite user consent is considered to be met only where the approval is free and informed: for this purpose, the Regulation makes clear that an “opt-out” mechanism (specifically adopted by Google in the new Privacy Policy announced in January 2012) would not be sufficient. At the time of writing, no changes have been made to Google’s privacy policy; and it is not clear yet whether Google will be obliged to modify its policy following the adoption of the final draft of regulation.

This hypothesis, however, suggests a potential area for further research: namely, how to ensure the effectiveness of privacy regulations in the search engine industry. As a matter of fact, how is the regulator to detect any violation of the said prohibition on cross-sectorial exportation, if the engine can embed the users’ information into an algorithm which remains secret and non-accessible? Devising a mechanism of scrutiny for compliance with privacy regulation in this context is likely to be complex, requiring access to the algorithm by a technical and independent body reviewing an extensive amount of information processing in order to detect any possible deviation from the rules and principles of the privacy regulation. Conceivably, administrative efficiency would demand that such scrutiny be activated not on a permanent, ongoing basis, but rather only when triggered by user complaints. This will be one of the challenges that the next generation of regulators and policy-makers will have to face.


The two important implications of the prominent reliance by both search providers and advertisers on user data are that (1) antitrust markets should be defined and analyzed bearing in mind the role of user data in the search business as a factor that influences the effectiveness of the competitive constraints; and (2) nevertheless, privacy regulation is a necessary and important source of constraints for the use of personal data by search operators.

As to the more general suggestion made in this contribution: given the heavy reliance of today’s search engine industry on the input of user data, we cannot any more view competition law and data protection as separate. Rather, acknowledging and explaining the interplay between these two important policies should become a cornerstone of modern competition analysis in online search and advertising.

[1] See, for example, the aim of the Google Book Library project, available at, and of the Google News Archive Search project, available at

[2] For an account of the literature on the role of search engines as gatekeepers of information, see U. Gasser, “Regulating Search Engines: Taking Stock and Looking Ahead”, Yale Journal of Law & Technology, Vol. 9, p. 124 (2006), p. 200, footnote 164.

[3] U. Gasser, Ibid.; O. Bracha & F. Pasquale, “Federal Search Commission: Fairness, Access, and Accountability in the Law of  Search”, 93 Cornell Law Review p. 1193 (2008); F. Pasquale, “Dominant Search Engines: An Essential Political and Cultural Facility”, in B. Szoka & A. Marcus (eds.), The Next Digital Decade: Essays on the Future of the Internet, p. 410 (2010); N. Van Eijk, “Search Engines: The New Bottleneck for Content”, in B. Preissel, J. Haucap and P. Curwen (eds.), Telecommunication markets: drivers and impediments, 141 (2009) Springer; V. Moffat, “Regulating Search”, 22 Harvard Journal of Law and Technology p. 475 (2009).

[4] See Google’s new privacy policy, announced on January 26th, 2012, and available at

[5] See Proposal of Reform of the EU data protection rules, announced on January 25th, 2012, and available at

[6] For example, a famous decision by the European Commission found that the agreement pursuant to which producers of washing machines were committing to stop the production of first-generation machines could be exempted from the prohibition of article 101 TFEU, explaining that the second-generation, energy-efficient machines would benefit consumers in the long run. See Commission decision of 24 January 1999 relating to a proceeding under Art. 81 EC and 53 of the EEA Agreement (Case IV.F.1/36.718.CECED), 2000/475/EC, OJ 26.7.2000 L 187/47 CECED.

[7] See W.W. Bowens, N. Hlatshwayo, M. Versfeld,  “South Africa – Merger Control”, International Comparative Legal Guide Series, available at

[8] See the International Competition Network’s Report on the Objectives of Unilateral Conduct Laws, Assessment of Dominance/Substantial Market Power, and State-Created Monopolies, available at

[9] C. Townley, ‘Article 81 and public policy’, Oxford 2009; C. Townley, “Which goals count in article 101 TFEU? Public policy and its discontents”,   9 European Competition Law Review n. 9 (2011) 441, at 446- 447. See also, more generally, T. Prosser “Competition Law and Public Services: From Single Market to Citizenship Rights?” European Public Law vol. 4 n. 11 (2005) p. 543.

[10] The existence of this circle was invoked by Microsoft to illustrate the necessity of acquiring the Yahoo! Search business in order to effectively compete with Google. However, in that context the trigger for more traffic was considered to be scale, i.e. the aggregate volume of queries. See Decision of the European Commission, Case No. COMP/M.5727 – Microsoft/Yahoo! Search Business (18 Feb. 2010), OJ L 24, 29.1.2004, p. 1, at 165-176.

[11] For a comprehensive list of the data collected by Google, see D. Dower, “The Evil Side of Google? Exploring Google’s User Data Collection”, The Daily SEO Blog, June 24th 2008, available at

[12] According to recital 66 of Directive 2009/136/EC, “where it is technically possible and effective, in accordance with the relevant provisions of directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application”.

[13] Statement of the Federal Trade Commission Concerning Google/DoubleClick, FTC File No. 0710170 at 3 (Dec. 20, 2007), available at ; Statement of Interest of the United States of America Regarding Proposed Amended Settlement Agreement (of the “Google Books project”), US Department of Justice, Antitrust Div. (Feb. 4, 2010), available at Although the European Commission has not reached such a conclusion yet, the market share in such context is much higher than in the US (approximately 94% v. 79%: see Testimony of Thomas Barnett at the Hearing “The Power of Google: Serving Consumers or Threatening Competition?” held before Senate Judiciary Committee, Subcommittee on Antitrust, Competition Policy and Consumer Rights on 21 September 2011, available at , quoting Stat Counter Global Stats, “Top 5 Search Engines in the US from Aug 10 to Aug 11”, available at

[14] The notable exceptions being China with dominant search engine Baidu, Russia with Yandex, South Korea with Naver, and Japan and Taiwan with Yahoo: see M. McGee, “Google Now #1 Search Engine In Czech Republic; 5 Countries To Go For Global Domination”, Search Engine Land (January 13th, 2011), available at

[15] For Google, see S. Kamvar, “Search Gets Personal”, Google’s official blog, 28 February 2005, at For Yahoo, see M. Arrington, “Yahoo Launches Personalized Search”, TechCrunch, 7 August 2006, available at As to Microsoft Bing, see “Making SearchYours’”, Microsoft Bing’s search blog, entry on 17 February 2011, at

[16] This is one of the rules a user agrees to by signing up for Gmail. See Google’s FAQ on this topic at See also the letter sent on April 6th, 2004 by 31 privacy and civil liberties organizations to Google, available at; and E.F. Moltzen, “Microsoft’s Ballmer: Google Reads your Mail”, op-ed on CRN, available at

[17] The EU’s Article 29 Data Protection Working Party issued a report on April 4, 2008 containing a set of obligations for search engine firms, including that of demonstrating the strict necessity of retaining specific personal data beyond 6 months from the moment in which it was acquired. See Data Protection Working Party 29, Opinion on Data Retention, available at
