Submission of the Office of the Privacy Commissioner of Canada on the Competition Act reform
March 20, 2023
The Honourable François-Philippe Champagne
Minister of Innovation, Science and Industry
C.D. Howe Building
235 Queen Street
Ottawa, Ontario K1A 0H5
I want to thank you for the opportunity to provide comments on the future of competition policy in Canada. As Privacy Commissioner of Canada, I have been following this important issue with great interest, as competition and privacy issues are increasingly overlapping.
The digital economy continues to bring several regulatory spheres together. This requires greater cooperation between the various privacy and competition agencies, as well as stronger laws to provide the protection that Canadians expect and deserve. This will create conditions that are conducive to consumer confidence and foster an innovative marketplace – goals we undoubtedly share.
Attached is our Competition Act reform submission explaining these common goals. We also provided this document through the consultation portal. I would be happy to discuss this further with you and your departmental officials at your convenience.
(Original signed by)
c.c.: Simon Kennedy, Deputy Minister, ISED
Mark Schaan, Senior Assistant Deputy Minister, ISED
Matthew Boswell, Commissioner of Competition
att.: Submission of the Office of the Privacy Commissioner of Canada on the Competition Act reform
Submission of the Office of the Privacy Commissioner of Canada to the Minister of Innovation, Science and Economic Development Canada (‘ISED’) on reforming the Competition Act
I - Introduction
My Office welcomes the decision of Innovation, Science and Economic Development Canada (ISED) to launch a consultation on potential reforms to Canada’s competition framework. I am pleased to have this opportunity to provide recommendations through the lens of the Office of the Privacy Commissioner of Canada (OPC) to ensure that privacy considerations are factored into potential reforms to Canada's competition policy given the important role that privacy protection plays in supporting citizen trust and confidence in the marketplace.
The OPC is tasked with the protection and promotion of the privacy rights of Canadians. To fulfill this mandate, my Office oversees compliance with the Privacy Act, which covers the personal information-handling practices of federal government departments and agencies, and the Personal Information Protection and Electronic Documents Act (‘PIPEDA’), Canada’s federal private-sector privacy law.
ISED’s discussion paper, The Future of Competition Policy in CanadaFootnote 1, seeks feedback on a variety of topics, many of which are particular to competition law. As our expertise is necessarily confined within the scope of our privacy mandate, this submission is not intended to provide detailed recommendations vis-à-vis the intricacies of competition policy. Rather, it is meant to highlight the growing intersection between privacy and competition, and how changes to competition legislation may have effects on consumer privacy.
There are several themes of interest in the discussion paper that align with elements of my vision for privacy that I presented to the House of Commons and Senate during my confirmation hearings last June.Footnote 2 For example, the paper notes that digital innovation is transforming Canada’s economy, affecting not only issues related to the marketplace, such as concentration of economic power, but also Canada’s social landscape, democracy and consumer confidence. In addition, the paper’s section on deceptive marketing asks to consider adopting new enforcement tools suited for modern forms of commerce, ‘given the nature and ubiquity of the digital advertising’ (for example, better defining false or misleading conduct, such as the use of deception for the purpose of collecting consumer data).Footnote 3 This largely aligns with my focus on privacy in support of the public interest and Canada’s innovation and competitiveness, and seeing privacy as an accelerator of Canadians’ trust in their institutions and in their participation as digital citizens.Footnote 4
With the fast-paced evolution of the digital economy implicating the function of regulatory agencies across the board, operational lines are interconnecting, and mandates are coming into contact more frequently, with investigations often carrying competition, consumer protection and privacy implications. A prominent example of this trend is the Competition Bureau’s investigation into conduct by Facebook (now Meta), where the Bureau concluded that Facebook had made false or misleading claims about the privacy of Canadians’ personal information on Facebook and Messenger. Under the consent agreement entered into by the Bureau and Facebook, Facebook agreed to pay an administrative monetary penalty and to not make materially false or misleading representations to the public regarding the disclosure of personal information. The Competition Bureau's investigation coincided with the OPC’s own investigation of Facebook in the wake of the Cambridge Analytica scandal, which focused on whether and how Facebook was getting consent from its users, their safeguards against unauthorized access, use and disclosure by apps, and their accountability for information under the organization’s control. The OPC determined that the company failed to obtain valid and meaningful consent from its users.
A further example is our 2016 investigation of Ashley Madison’s privacy breach, which raised both consumer protection and competition issues. We were able to address these issues through a joint investigation involving Australia’s Privacy Commissioner, with cooperation from the US Federal Trade Commission (‘FTC’). This case also reflects the current limits around domestic collaboration, as the OPC was able to share information with the US FTC, but due to domestic statutory limitations, could not similarly collaborate with the Canadian Competition Bureau.
There is also a growing international acknowledgment of developing harms that affect both consumer privacy and competition. The emergence of so-called dark patterns, design structures made to mislead users into making decisions that they might otherwise not make, can, according to a study by the Organization for Economic Cooperation and Development (OECD), cause ‘significant privacy harms or psychological detriment’ and ‘may also harm consumers collectively, by weakening competition and sowing distrust…’Footnote 5
Our submission offers several recommendations based on what we have learned in the past few years about the interaction of privacy and competition law and what we can do to avoid regulatory overlap, collaborate with one another, and solve common problems that impact the lives of Canadians. This submission does not examine every area of overlap relating to current proposed legislation (such as Bill C-27) which is currently before Parliament. I look forward to providing my advice to Parliament on these matters when I am invited to do so during Parliament’s review of the proposed legislation.
In recent years, there has been a proliferation of academic studies, articles and research on the intersection between competition and privacy law. Many of these studies indicate further required analysis within this field as well as the need for robust policy solutions. Acknowledging that there is an emerging body of literature on these issues, our Office would welcome further joint exploration of this subject matter and offers these suggestions in the meantime:
- To avoid regulatory overlap, support one another’s mandates, surmount any potential issues that may arise in ensuring competitive markets while also protecting Canadian citizens’ privacy rights and deliver results for the public in an increasingly complex regulatory environment, the OPC and the Competition Bureau should be legislatively authorized to collaborate on investigations, inquiries or other formal compliance matters.
- Acknowledging that there are other risks affecting both privacy and competition in the digital economy, legislation should look to further define and prohibit dark patterns that affect the marketplace, comparable with other jurisdictions internationally, as a means of addressing both competition and privacy harms.
II – OPC’s work on the intersection between privacy and competition
The intersection between privacy and competition is a topic that my Office has been examining for a number of years. We have pursued this work through activities such as our leadership on a working group of the Global Privacy Assembly mandated to explore the intersection between privacy and competition and to promote cross-regulatory enforcement cooperation, as well as through our own OPC-funded research products. The following are notable examples of some of our recent work:
OPC Submission to Senator Wetston’s Public Consultation
As mentioned in ISED’s discussion paper, in October 2021, Senator Howard Wetston ran a consultation to explore paths forward for Canadian competition law.Footnote 6 In my Office’s submission to Senator Wetston we underscored two key points.Footnote 7
First, we highlighted that privacy considerations will play a larger role in competition policy and that privacy can be a non-price factor of competition analysis. For example, if a reduction in the number of competitors in a market is likely to lead to increased prices, it will also likely lead to a decrease in privacy protections as a qualitative component of a product or service, as fewer competitors may disincentivize enhancing or maintaining levels of privacy protection.
Second, our submission outlined the need for cross-regulatory collaboration to ensure a ‘holistic and consistent approach to digital regulation to the benefit of competitive markets, consumer welfare, and the protection of privacy rights.’ Rather than operating in regulatory isolation, our Office highlighted numerous examples of international cross-regulatory collaboration amongst authorities in charge of regulating digital markets.
Digital Citizen and Consumer Working Group (DCCWG)
As highlighted in our submission to Senator Wetston, my Office has been heavily involved in the DCCWG’s work on examining the intersection between the regulatory spheres of privacy and competition, serving as co-chair of the working group since 2018. Recent notable work of the DCCWG includes two reports published in 2021 focused on the connections between privacy and competition. The first report was a DCCWG-commissioned independent academic analysis written by Professor Erika Douglas of Temple University which considered the complements and tensions created by privacy/data protection and competition agency mandates and objectives.Footnote 8 The second was a DCCWG-authored report focusing on the broad takeaways of a series of interviews with competition authorities, discussing issues such as the extent to which privacy was taken into account as part of a merger, abuse of dominance and general market power assessments as well as practical examples of how privacy/data protection has factored into competition authorities’ work.Footnote 9
This year, the DCCWG continues to look at this intersection in even more depth, specifically analyzing the data and personal information implications of business mergers and acquisitions. It is conducting a study which sets out to identify the impacts of mergers and acquisitions through the theory of data protection harms including how such harms can be considered and addressed by both competition and privacy authorities through collaborative action.
The DCCWG is also tracking and documenting regulatory and enforcement actions, legislative developments, and policy initiatives relating to the intersection of privacy and competition with the DCCWG Mapping TableFootnote 10, which demonstrates that the significant increase in the number of issues cutting across regulatory spheres corresponds to the expansion of the digital economy and the use of personal information in market competition.
III – Recommendations
Collaboration – its importance in a digital economy
The Benefits of Collaboration – Privacy as Factor of Analysis
There is an evolving debate in competition circles regarding the extent to which non-price factors are included into a competitive analysis. A more ‘traditionalist’ approach to competition regulation believes that competition authorities can better achieve their mandate by focusing on competitive issues and setting aside factors that do not have a competitive bearing on a firm’s conduct.Footnote 11 In his discussion paper, Professor Iacobucci highlights certain arguments from the traditionalist’s perspective, noting that the incorporation of a range of non-economic policy values into a competition case may render the application of the Act unpredictable, and risk arbitrariness (i.e. resulting in subjective decisions by Tribunal members based on conflicting values). He also notes that other institutions with requisite expertise may be better positioned to promote particular values, such as privacy and the Office of the Privacy Commissioner.Footnote 12
Rather than accepting that these two regulatory spheres are necessarily distinct and should therefore effectively function in operational silos, the OPC’s submission to Senator Wetston underlined a potential danger with the ‘traditionalist’ approach: that it may result in regulatory output that promotes competition at the expense of privacy or vice versa. This kind of binary outcome does not best serve Canadians and, we believe, can be remediated.
There is growing acknowledgment that privacy can be a non-price factor of competition analysis. Our Office noted that, amongst other things, when a ‘digital enterprise gains a dominant market position, if not an outright monopoly, consumers will be left with little to no choice but to accept a lower quality product should that enterprise choose to reverse course with respect to previous privacy-serving practices’. Notably, there have been calls by some competition authorities to use a small but significant non-transitory decrease in quality test for antitrust analysis in cases where the product or service is offered in a zero-price market.Footnote 13 Ostensibly, this could include privacy as part of its analysis.
While much of this remains hypothetical, we are pleased to see this acknowledgment reflected in a recent amendment to the Competition Act that expands a list of factors to include consumer privacy as a consideration for determining impact on competition, specifically for competitor collaboration and mergers, as well as abuse of dominance.
There are practical challenges in measuring privacy-related effects on competition, and there is a lack of analytical tools to evaluate competitive effects on privacy quality.Footnote 14 As noted by Professor Douglas, this gap presents a significant opportunity for collaboration between privacy and competition authorities ‘to develop reliable, well-founded methodology and tools for measuring competition-related effects on privacy quality.’Footnote 15
Formalized collaboration along these lines may also aid in developing a larger understanding of conceptual frameworks, terminologies, and objectives between the two fields of regulation. As noted in the DCCWG’s 2021 report, privacy authorities are likely unfamiliar with terminology such as relevant products markets in the same way as competition authorities are likely unfamiliar with privacy concepts such as accountability or openness. In this sense, there is value in ensuring that our Offices can understand one another’s mandates, leaving the door open for more effective collaboration.
The Benefits of Collaboration – Avoiding Regulatory Overlap
The growing number of occurrences of this intersection has led to both complements and tensions between these two regulatory spheres. There are instances where privacy and competition goals are complementary. For example, data portability both empowers individuals to take ownership of their personal information and promotes competition by enhancing the ability of consumers to switch providers in relevant markets.
However, as underlined in a joint statement on competition and data privacy issued by the UK Information Commissioner’s Office (‘ICO’) and UK Competition Markets Authority (‘CMA’), these issues are not insurmountable. For example, the ICO-CMA statement suggests that tensions around competitive remedies such as data access can be resolved with data protection law so long as they are
‘…limited to what is necessary and proportionate, are designed and implemented in a data-protection compliant way, that related processing operations are developed in line with the principles of data protection by design and by default, and they do not result in a facilitation of unlawful or harmful practices.’Footnote 17
For these kinds of solutions to function properly, it necessitates greater cooperation between privacy and competition agencies to foster mutual benefits for Canadians.
The benefits of this kind of collaborative action have been observed in several jurisdictions. For example, the DCCWG 2021 report highlighted Colombia’s Superintendencia de Industria y Comercio (SIC) and how it collaborates on competition and privacy matters. As a regulator with multiple enforcement mandates, the SIC’s competition division consulted their privacy counterparts when assessing a digital joint venture between three Colombian banks. Despite the competitive nature of the assessment, several recommendations made were privacy-related, including protecting customer data according to Colombia’s privacy laws and only transferring customer data to the new joint venture if the Banks first obtained customer consent.Footnote 18
Examples such as these illustrate the benefits of collaboration, as they demonstrate that both competition and privacy mandates can be supported so long as authorities are willing to cooperate with one another, share insights and foster a sense of common trust and mutual respect for each other’s objectives.
Examples of Informal Collaboration
While understanding of this intersection continues to deepen, there have been several international examples of domestic agencies collaborating with one another in this space, when applicable. Some of this collaboration is done informally and with limited legislative change, particularly when addressing broader strategic considerations and when sharing best practices.
In the UK, the Digital Regulation Cooperation ForumFootnote 19 (‘DRCF’) consists of the UK CMA, the UK ICO, the Office of Communications (the UK communications regulator), and the Financial Conduct Authority. The goals of the forum include enhancing collaboration, ensuring informed regulatory policymaking through use of collective expertise, and enhancing regulatory capabilities.
With the DRCF, the member authorities have been able to study and tackle issues collectively such as algorithmic processing and digital advertising. The formation of the DRCF has also built up the capacity and institutional know-how of the ICO and the CMA and allowed the authorities to collaborate efficiently.
In Australia, the Australian Competition and Consumer Commission, the Australian Communications and Media Authority, the Office of the Australian Information Commissioner, and the Office of the eSafety Commission formed the Digital Platform Regulators ForumFootnote 20 (DP-REG) in March 2022. Member authorities set out in the DP-REG’s terms of referenceFootnote 21 the goals of improving communication between authorities and with stakeholders, enhancing regulatory capabilities, and improving sharing of information.
Of note, the Canadian Competition Bureau and the OPC have expressed great interest in having a closer relationship as well as an ability to collaborate, in the form of a forum or platform similar to the DRCF or the DP-REG. Initial exploratory meetings for such a forum between the OPC and the Competition Bureau have already commenced.
While informal collaboration is a good first step towards aiding one another in understanding and supporting our respective mandates, the OPC believes that this can be further strengthened. For example, the OPC is currently unable to formally collaborate with the Competition Bureau in investigations or share relevant information that would benefit Canadian citizens.
In our submission on the first draft of the Consumer Privacy Protection ActFootnote 22 (the former Bill C-11), my Office noted that the Act provided authority to the Privacy Commissioner to enter into agreements and arrangements with both the CRTC and the Competition Bureau in order ‘to undertake and publish research and to develop procedures for disclosing information.’ However, my Office recommended that this did not go far enough. In order to have the capability to collaborate with one another on investigations, inquiries, or other formal compliance matters, we recommended that the Bill be amended to allow for the kind of collaboration my Office is already able to do with international authorities. The most recent version of the Bill, Bill C-27, similarly does not allow for cooperation on compliance-related matters. Comparative amendments to the Competition Act found within the Bill also limit the nature of cooperation.
My Office had also recommended that language in the Bill be broadened so that we may collaborate and share information with institutions responsible for enforcement or administration of federal or provincial law. The broadening would not be meant to expand the scope of the matters that can be investigated by my Office, but rather to ensure the ability to work with other bodies, such as the Competition Bureau, in areas of overlap to promote effectiveness and efficiency.
Recommendation: The OPC and the Competition Bureau should have the legislative ability to collaborate with one another on investigations, inquiries or other formal compliance matters.
Addressing challenges of data and digital markets – dark patterns
Dark Patterns and the Privacy/Competition Intersection
Protecting user privacy and consumer choice involves a basic tenet – Canadians’ trust in digital markets. While there are other risks to the digital economy that involve the intersection of privacy and competition, the explosion of businesses present within online spaces has led to a proliferation of false and misleading design patterns that affect consumer privacy and competition.
Internationally, there is an emerging consensus that dark patterns, defined as design practices that trick or manipulate users into making choices that they would not otherwise have madeFootnote 23, are a growing threat in the digital economy, particularly as it relates to a person’s ability to trust a business with which it has entered into a relationship. There has been a plethora of recent studies around the use of dark patterns, including from the European Commission, the OECD, and the US FTC.Footnote 24
These studies have highlighted areas where manipulative designs can alter consumer privacy decisions as well as negatively affect a competitive economic environment. For example, the dark pattern categorized broadly as obstruction aims to make task flows (such as filling out a form or making a purchase) or user interaction with an interface more difficult than it may need to be to dissuade an action. From a privacy perspective, the ramifications of such a design may make it easy for users to opt-in to privacy-intrusive settings while making it difficult to cancel the service or opt-out.Footnote 25 From a competition perspective, obstructive designs may prevent consumers from making price comparisons when shopping or hamper switching to competitors.Footnote 26
From a broader viewpoint, using a dark pattern such as privacy-intrusive default settings may also have consequences for a competitive marketplace. For example, privacy-intrusive default settings may lead to customers providing more personal information than desired, which may, in turn, ‘…solidify a competitive advantage over firms that do not employ dark patterns, without the need to offer better quality goods or services.’Footnote 27 This benefit may incentivize certain business models that weaken consumer privacy while also concentrating advantages to platforms with a strong data collection infrastructure.
There are also challenges around personalization practices revolving around the use of personal information. One broad takeaway from the European Commission’s study of dark patterns is that data-driven personalization practices (personalized pricing, ranking) are more problematic than other dark patterns, as they are difficult to identify and investigate due to the presence of individual personalization and group segmentation.Footnote 28
There is both a privacy and competition component to data-driven personalization practices. From the privacy side, online traders often collect vast amounts of consumer data, which allows them to develop personalized advertising targeting consumers’ inferred needs and vulnerabilities, often without obtaining meaningful consent. This kind of data collection allows traders the ability to identify consumers willing to pay higher prices and to potentially personalize their pricing. From the competition side, online traders can identify consumers with higher abilities to pay/lower switching rates and charge them higher prices, with enforcers unable to assess algorithms that personalize pricing/ranking/recommended offers on marketplaces, favouring some traders and acting as a detriment to consumer choice and competition.
This demonstrates how some dark patterns affect not only one area of regulatory practice but also overlap with others. Thus, it is imperative to tackle these kinds of practices which have negative effects for Canadian privacy, consumer protection and the competitive health of the marketplace.
In the context of Canadian privacy law, Principle 4.3.5 of PIPEDA requires that, among other elements, consent shall not be obtained through deception. This has been explored in several PIPEDA investigations, including the Ashley Madison investigation.Footnote 29 As well, Principle 4.4.2 of PIPEDA requires that personal information be collected by fair and lawful means, which is intended to prevent organizations from collecting information by misleading or deceiving individuals about the purpose for which the information is being collected. This requirement implies that consent with respect to collection must not be obtained through deception.
Section 16 of the Consumer Privacy Protection Act would prohibit organizations from obtaining/attempting to obtain an individual’s consent by providing false or misleading information or using deceptive or misleading practices.Footnote 30 This would prevent the use of some kinds of dark patterns for obtaining consent.
However, within the context of Canadian privacy law, there is a limit to which dark patterns may be regulated. As PIPEDA is based around a user’s consent to collect, use and disclose personal information, it may be inadequate at regulating certain kinds of dark patterns and manipulative online designs, such as ones which ‘…lead people to reveal more about themselves in order to access ‘free’ services.’Footnote 31
Considering that the Commissioner of Competition is responsible for the enforcement of the Competition Act, including the provisions on deceptive marketing practices, the Act could explicitly define dark patterns that harm competition, like it already does with drip pricing. Specifying these kinds of patterns within the Act would provide clarity and certainty on these issues, and allow for robust enforcement, which may also lead to privacy benefits, with consumers feeling safe to share their personal information with businesses which they can trust to handle their personal information with care.
Actions in other jurisdictions have been taken regarding dark patterns, by both competition and privacy authorities alike.Footnote 32 The European Union’s Digital Services Act includes provisions that define dark patterns and prohibits their implementation as defined.Footnote 33 The FTC issued a policy statementFootnote 34 in October of 2021 against dark patterns that trick or trap consumers into subscriptions. Likewise, its report on dark patterns also makes several recommendations to businesses on what practices may constitute illegal behaviour. The European Data Protection Board (EDPB) has issued guidance on dark patternsFootnote 35, identifying six categories that contravene the General Data Protection Regulation.
Finally, the EU’s Digital Markets Act prohibits gatekeepers from presenting end-user choices in a non neutral manner, or using the structure, function or manner of operation of a user interface to subvert or impair user autonomy, decision-making, or choice.Footnote 36 While the Act does not explicitly use the term ‘dark patterns’, its definition generally conforms with dark patterns as popularly understood. All these examples demonstrate a willingness to tackle a growing problem in the digital economy through different regulatory fields. Canada should endeavour to do the same.
Recommendation: Legislation should look to further define and prohibit dark patterns that affect the marketplace, comparable with other international legislative developments.
IV - Conclusion
As the digital economy continues to bring our regulatory worlds closer together, tackling these common harms through enhanced cooperation and stronger legislation will help to provide the protection that Canadians expect of their government and establish conditions conducive to consumer trust and an innovative marketplace. As consideration of the future of competition policy in Canada progresses, my Office would welcome the opportunity for ongoing dialogue on these matters with a view to identifying solutions that allow our economy to flourish while protecting Canadians’ fundamental right to privacy.
- Date modified: