Competition and privacy: friends or foes?

— with Clara Duarte Augusto

On Mar. 31, France’s national competition regulator issued a decision penalizing Apple for its app tracking transparency (ATT) framework, which the company claims is designed to provide users with the ability to prevent apps from “tracking” their activity on mobile devices. The French authorities disagreed, claiming that while the ATT may function in theory, its concrete implementation had led to several issues. 

First, because the ATT framework fails to give users actual information about what is going on with their data. The prompt does not allow app developers to include the detail required by privacy laws to obtain valid and informed consent from users.

In order to meet the legal obligations of the European Union’s General Data Protection Regulation (GDPR), developers are forced to display a second consent pop-up – typically via a Consent Management Platform (CMP) — making the user experience unnecessarily complex and fragmented. 

Second, because it leads to discrimination. While Apple describes its own data use as “personalized advertising,” it claims app developers engage in tracking — regardless of what data these developers effectively collect or use. The concrete effect of ATT, therefore, is basically harming competitors, which are unable to develop ad measurement standards equivalent to Apple’s.

In February, Germany’s competition authority followed a similar path and sent Apple a preliminary legal assessment indicating that ATT may allow Apple to favor its own services by applying stricter rules to third-party apps. According to the German regulators, Apple’s own data practices are not subject to the same consent requirements, and its design choices around consent prompts tend to steer users toward accepting Apple’s tracking while discouraging third-party tracking.

This dispute reached Brazil in January, when social media platform Meta presented a complaint about Apple’s ATT framework to Brazil antitrust agency CADE. The regulator formally started its investigation last month. 

When deciding to launch the inquiry, CADE noted that while Apple’s policy may appear, at first glance, to be solely about data protection, it could have significant anticompetitive effects. The authority emphasized that ATT might be structured and enforced in a discriminatory and restrictive manner, favoring Apple’s own services and its privileged access to data as a first party, while imposing stricter limitations on competitors that depend on third-party data access.

Following this, CADE requested that Apple provide information on iOS app developers who are required to display the ATT prompt, suggesting that the authority may be preparing a broader market study — similar to what other jurisdictions have done — to better understand the competitive dynamics surrounding ATT and its impact in Brazil.

This is but the first step of a debate on the interplay between competition and privacy that is bound to grow in the coming years. The associations that presented the case before the French competition authority were very clear in stating that they believe ATT to be a prime example of “privacy washing,” a practice by which a dominant company promotes a measure as being aimed at protecting consumer privacy or personal data, but which, in reality, serves other purposes — in this case anticompetitive ones.

According to them, although Apple frames ATT as a pro-privacy measure, it imposes strict consent requirements on third-party apps while applying more permissive rules to its own services. This, they argue, gives Apple a competitive advantage masked as privacy protection, despite existing regulations like the GDPR already requiring meaningful consent. But if this is the first example, it will probably not be the last.

As is the case with pretty much every regulation, implementation of privacy laws can be carried out in many different formats.

It has historically been the position of competition authorities in Brazil and across the globe that if companies have options, they cannot hide behind regulation to justify anticompetitive behavior. In other words, if there is more than one way in which a rule can be implemented, firms have the obligation to do so in ways that do not harm competition.

Of course, that is different when the rule is itself a restriction on competition — for example, if a jurisdiction decides that in order to establish telecom services a company must obtain certain licenses, any other company that does not have such licenses will not be able to operate in that country. But if the regulation in question leaves room for firms to make decisions on how best to comply, then competition comes back into the equation.

That debate also raises the point about institutional interplay, generally applicable to every digital debate. In Brazil, competition is a well-established policy, and the authority in charge has been active for many years. The same cannot be said about data protection, the legal implementation of which was very recent and for which a regulatory body has been around for less than five years.

In the specific case of ATT, France offers an example of how institutional coordination can work: the antitrust authority received two opinions from France’s CNIL data protection authority, which were taken into account in the competitive assessment. This decision builds on a formal cooperation framework between the two institutions, established in a joint declaration signed in December 2023, aimed at ensuring innovation unfolds within a context that safeguards both fundamental rights and market balance.

How Brazil will face this issue is still unclear. But there is no question that it is a discussion that will take place.