Google faces fresh antitrust probe in Italy after data portability complaint

Italy’s competition watchdog has opened an investigation into Google over concerns it has abused a dominant position by hindering data portability rights which are afforded to individuals under the European Union’s General Data Protection Regulation (GDPR).

The procedure follows a complaint made to the authority by the operator of a direct marketing platform called Weople.

The Weople app, which is operated by a company called Hoda, encourages web users to link third party accounts (such as Gmail and other Google accounts) to port their personal data into a “digital vault” — where the free service claims their data will be “masked and anonymized” in order that it can be used to target them with personalized offers, i.e. without their actual information being shared with advertisers/third parties since the app acts as an intermediary.

Weople users are apparently able to generate virtual currency or other rewards (some of which are distributed by prize draw), and potentially earn actual money, in exchange for authorizing use of their “masked” data for marketing purposes.

The app maker also says it aggregates “anonymized” user data into blocks to trade with marketers, presumably to sell market insights/trends analysis, although the company’s website does not clearly explain what it’s doing to “valorize” user data.

Notably, there have previously been concerns over Weople’s approach of leveraging GDPR data portability rights to grease commercial tradability of personal data.

Back in 2019, the app was investigated by Italy’s data protection watchdog and referred to the European Data Protection Board (EDPB) for an opinion on its approach to utilizing the GDPR’s data subject-focused portability powers for a service that seeks to monetize people’s data, as the Garante raised reservations about the implications of such a commercial purpose being used as a driver for data portability; and the risk of ported data-sets being duplicated (with associated security risks).

At the time, the privacy regulator suggested that entities receiving requests for data portability from Weople should consider the GDPR’s accountability principle when deciding whether or not to grant their requests.

Fast forward a few years and Italy’s competition authority’s concerns are, perhaps unsurprisingly, focused elsewhere — on whether Google’s conduct might be impeding competition.

Although it’s fair to say that digital businesses frequently generate cross-cutting concerns which can demand that different regulators, such as privacy and competition authorities, work together to resolve complaints and impacts — rather than risking siloed and disjointed responses.

We asked the Italy’s AGCM and the Garante about any joint working here but at the time of writing the privacy regulator had not responded to our questions and the competition watchdog declined comment. But the EDPB told us the Garante’s 2019 request for an opinion on Weople was subsequently withdrawn “following additional discussions at Board level”.

“In the Authority’s view, Google’s conduct could compress the right to portability of personal data, established by Article 20 of the GDPR, and could constrain the economic benefits that consumers can derive from their data. At the same time, the alleged abuse could restrict competition because it limits the ability of alternative operators to develop innovative data-based services,” the competition authority wrote in a press release today, saying its officers conducted an inspection at Google’s local premises yesterday in connection with the investigation.

“In particular, Hoda represented to the Authority the negative effects of Google’s conduct on its initiative to enhance personal data with the consent of the data owner, which offers innovative opportunities to use such data,” it added.

In further remarks, the AGCM suggested data portability provides an avenue for “alternative operators” to exert competitive pressure on tech giants like Google — which it describes as having “established their dominance on the creation of ecosystems based on the management of virtually unlimited amounts of data” that, it further implies, exclusively feed platform giants’ own business models.

The ACGM’s PR also makes reference to how much money Google’s parent entity, Alphabet, makes as a result of its ability to extract large amounts of data through services like Gmail, Google Maps and Android (revenues of $257.6BN in 2021).

Reached for comment on the authority’s investigation, Google avoided any direct reference to the complaint — and instead sought to redirect attention onto long-standing support it says it’s provided to portability efforts, sending us this statement:

Google has offered people the ability to take out and transfer their data for over a decade and in 2021, more than 400 billion files were exported. These tools are there to help people manage their personal information. There are also ways that any company can encourage direct data portability into their services — for example, via the open-source Data Transfer Project, which any company is welcome to participate in.

It’s not the first time the ACGM has had Google in its cross-hairs on competition grounds: Last year the regulator fined the tech giant $120M+ for antitrust violations related to restrictions applied to a local electric car charging app, called JuicePass, via Android Auto, a modified version of Google’s mobile OS intended for in-car use.

Back in 2020, the national competition watchdog also started an antitrust probe looking at Google’s ad display business in Italy.

Returning to the data portability issue, in recent years the European Union has put a lot of store on seeking to fire up a cottage industry of “trusted” data intermediaries/marketplaces (and/or so-called “personal data spaces”) — as part of a major policy plan to encourage data sharing and reuse — which, as well as having a core focus on encouraging businesses to fuel each others’ ideas with pooled industrial data-sets, seeks to grease the passing around of personal data for ‘altruistic’ societal benefit.

It’s not entirely clear whether a platform such as Weople’s — which is essentially a commercial play to generate revenue by encouraging individuals to share and pool data (trusting the platform to safeguard their identities in the process) — would constitute a model example of a trusted, neutral intermediary, as envisaged by lawmakers in the Data Governance Act. Or whether it would fall outside that definition, given the operator’s direct commercial interest in (and activity around) monetizing the tradability of users’ personal data means it may be more data-sharing participant than neutral player.

It’s also worth noting a major critique about the Commission’s approach with the flagship Data Governance Act, given it will — inevitably — pile lots of more work on (already) heavily under-resourced national regulators and legal systems, who will be tasked with ultimate responsibility for ensuring all the extra data sharing that’s being encouraged, via the EU’s centralized lawmaking, doesn’t fatally tilt the scales by scaling commercial exploitation of people’s data in a way that systemically undermines citizens’ fundamental rights as/if the region’s overworked justice institutions become hopelessly overwhelmed.

This report was updated with the EDPB’s response to our question about the Garante’s request for an opinion on Weople