chevron-down Created with Sketch Beta.

ARTICLE

Privacy-Enhancing Technologies and the Sherman Act

Jennifer M Driscoll, Eric Rigoli, and Nayeli Contreras

Privacy-Enhancing Technologies and the Sherman Act
davewhitney via Getty Images

Privacy-enhancing technologies (PETs) are often understood as “a broad set of tools and methods aimed at providing ways to build products and functionality while protecting the privacy of users’ data.” Because of the close relationship between data privacy and consumer protection, PETs have often been viewed through the lens of Section 5 of the Federal Trade Commission (FTC) Act. However, for the reasons set forth below, PETs may also have implications for antitrust law.

1. What are PETs?

PETs gained prominence when the European Union enacted the General Data Protection Regulation (GDPR), which requires data controllers and processors to implement safeguards “by design and by default.” With the proliferation of digital markets and the rise of AI, companies increasingly rely on PETs to secure personally identifiable information and other sensitive data. A simple example of a PET is anonymization, where a company might randomly assign a consumer a number instead of using any personally identifying information as an identifier.

PETs are used to mitigate privacy and security risks for individuals resulting in anonymity, pseudonymity, unlinkability, and unobservability of data subjects. Five major categories of PETs have been identified: (i) homomorphic encryption, which allows third parties to process and manipulate encrypted data; (ii) AI-generated synthetic data, which simulates real data for training AI models and machine learning; (iii) multi-party computation, which allows multiple parties—sometimes within the same organization—to collaborate or work on encrypted data while employing safeguards like key management; (iv) federated learning, a form of machine learning in which models are trained locally while the data is housed in a separate location; and (v) differential privacy, a mathematical framework for protecting individual privacy in datasets.

2. The Evolution of Data Privacy and Antitrust

PETs frequently have been viewed as raising consumer protection issues within the purview of Section 5 of the FTC Act. Consistent with this perception, the FTC has brought numerous enforcement actions against companies arising out of alleged misrepresentations about the use and strength of data security. These cases have arisen from data breaches and the subsequent exposure of the respondents’ failure to use reasonable or appropriate security measures. Although the FTC cannot obtain disgorgement or restitution remedies, consumers have obtained multi-million-dollar recoveries through parallel actions brought by state attorneys general.

While the FTC’s jurisdiction to regulate PETs as a matter of consumer protection is not in dispute, thought leaders have also suggested that PETs may have antitrust implications. In June 2024, the Organisation for Economic Co-Operation and Development published a report surveying “the intersection between competition and data privacy” (hereinafter, the OECD Report). The OECD Report charted the sometimes-fraught relationship between data privacy and antitrust, noting that “[h]istorically, competition authorities tended to exclude data protection and privacy considerations from their assessments, as they were seen as standalone elements and deemed to fall outside the scope of competition” citing, among other cases, the 2007 Google/DoubleClick merger in which the FTC declined to address data privacy concerns as part of its review. In wake of this and similar transactions (such as Facebook’s acquisition of WhatsApp), there was a groundswell of protest from consumer advocacy groups—notably, the Electronic Privacy Information Center (also known as EPIC).

3. PETs and Antitrust

As noted in the OECD Report, initially “competition authorities tended to exclude data protection and privacy considerations . . . as they were seen as standalone elements and deemed to fall outside of the scope of competition.” Notably, in 2007, the FTC allowed Google to acquire DoubleClick despite “far-reaching privacy concerns” involved with the collection and retention of data raised by, among others, EPIC, the Center for Digital Democracy, and the U.S. Public Interest Research Group. While the FTC acknowledged these concerns, the agency determined that it lacked authority to block or condition the transaction on certain commitments because “the sole purpose of federal antitrust review of mergers and acquisitions is to identify and remedy transactions that harm competition.” The European Commission took a similar view in 2014 when assessing Facebook’s acquisition of WhatsApp, declaring that “[a]ny privacy-related concerns flowing from the increased concentration of data within the control of Facebook as a result of the Transaction do not fall within the scope of the EU competition law rules.”

More recently, however, antitrust authorities have started to embrace an “integrationist approach” to data privacy and antitrust. This rubric “incorporates data privacy into longstanding antitrust analytical frameworks [starting] from the well-established position that consumer welfare is improved by competition that is based not only on price, but also on non-price factors.” With the integrationist approach, PETs may have one of several different roles in an antitrust analysis. PETs may be a non-price element of competition. PETs, as a cost that would have to be borne as a result of regulation or consumer preference, may also be viewed as a barrier to entry that prevents or inhibits competition. Finally, PETs may be used to unlawfully entrench a dominant position.

(i) PETs as an Element of Non-Price Competition

PETs may be properly considered an element of non-privacy competition similar to quality and service. As such, and assuming that information costs are low, rivals compete on the efficacy or other virtues of their PETs. However, as a non-price element of competition, PETs are subject to prohibitions on unlawful joint conduct. If there were a so-called “privacy-fixing agreement” among competitors to set a ceiling or upper bounds on PETs and privacy policies, resulting in a race to the bottom of data security at the expense of consumers, it would arguably constitute a per se antitrust violation. Alternatively, PETs used as an alleged restraint of trade could be evaluated using the rule of reason balancing test. Given the fledgling status of “privacy-fixing agreements” and their potential to be a restraint on trade, some commentators favor the more nuanced rule of reason treatment.

(ii) PETs as a Barrier to Entry

Because PETs are “complex,” “technologically intensive,” and, for some organizations, cost-prohibitive, to the extent that there are legal requirements or consumer expectations of privacy, PETs are barriers to entry for small companies and new entrants, particularly in Big Tech markets. The U.K. Information Commissioner’s Office (ICO), identified several reasons why PETs interpose these hurdles, including: (i) a general limited awareness of PETs; (ii) inconsistent definitions of PETs; (iii) lack of technical expertise; (iv) complex pricing (particularly when PETs are bundled with other products and supplementary services); and (v) uncertainty on how PETs enhance regulatory compliance. Practically speaking, larger companies are able to use complex tool like PETs to ensure compliance because they are often better able to absorb or allocate the cost , which in turn “risks compounding and ossifying existing market concentration.”

(iii) PETs as Exclusionary Conduct

Despite their benefits, it is possible PETs could be leveraged to unlawfully exclude rivals and other challengers in the market. The head of the U.K. Competition and Markets Authority’s (CMA) Digital Markets Unit asserted that PETs could entrench market power through a theory of “privacy washing”—i.e., privacy initiatives that are “used a pretext to protect or enhance” dominance. In January 2021, the CMA opened an investigation into whether Google’s Privacy Sandbox—a set of proposals that included replacing third-party cookies on the dominant Chrome browser—was a “privacy washing” scheme to limit competitors’ access to data in violation of the U.K. Competition Act. After soliciting feedback from interested parties, including the U.K. Information Commissioner’s Office, the CMA secured a series of commitments from Google to address potential anticompetitive effects of the Privacy Sandbox. On July 22, 2024, Google announced that it would no longer remove third-party cookies from Chrome and cede the decision to users. Despite this concession, the CMA is engaging in another round of consultations before rendering a final decision.

4. Conclusion

Many leaders in data privacy and antitrust have long advocated for a holistic approach to evaluating digital markets—and PETs may be a logical place to start. Interagency and intra-agency cooperation will be critical to ensure that enforcers in both areas understand the interplay between market power and data protection. Despite the complexity of PETs, if used appropriately, they can promote both competition and user privacy, but it will be important to ensure they don’t undermine competition in the name of privacy.

    Authors