Data Control and Digital Regulatory Space(s): Towards a New European Approach

Data control, among the newest forms of power fostered by information and communication technologies (ICTs), triggers a continuous (re)negotiation of public and private orderings, with direct implications on both regulators and intermediaries. This article examines the stance of the European Union (EU) regarding the position of Google - the world’s largest internet services company as per its 2014 market value - in two controversial instances: the ‘right to be forgotten’ and the implementation of EU competition rules. It provides an analysis of these evolving debates and their meaning for EU regulatory thrust more broadly, discussing the shift in the approach to digital markets and the proactive development of a European framework influential beyond continental boundaries.

regulation of digital aspects was not in line with the neo-liberal approach to non-regulation and was not considered a priority partly due to the small share of the European information technology industry on the global market. Recent initiatives, such as the reform of the Data Protection Regulation and the newly launched Digital Single Market indicate a proactive stance in developing a genuine European regulatory space in global digital markets.
When digital markets began to prosper in the 1990s, the dominant 'hands-off' approach condemned any attempt to regulate the internet and related markets. In 1997, the Clinton administration issued a 'Framework for global electronic commerce' that illustrates this vision.
According to the document, "governments must adopt a non-regulatory, market-oriented approach to electronic commerce" in order for the internet to deliver its full economic potential (White House, 1997). However, at the beginning of the 2000s, e-commerce and other internetrelated markets were far from meeting the optimistic expectations of the 1990s. The burst of the 'Dotcom bubble' further reaffirmed the crucial role of social institutions in the creation, reproduction, and expansion of markets. European institutions were partakers, generally adopting a reactive stance, rather than driving policymaking for online activities (Christou and Simpson, 2007).
Over the last few years, oligopolistic firms have become dominant in digital markets. They own large datasets of user information that they operate through proprietary algorithms in order to create value (Pasquale, 2015). Most internet giants such as Google, Amazon, Facebook and Apple are headquartered in the United States. Digital markets in the EU mostly operate through a contractual relationship between European users and US firms. Against this backdrop, European institutions have switched their main focus from the creation of a competitive internal digital market to the creation of European rules to regulate the European 'segment' of global digital markets.
Due to space constraints, this article focuses on Google as the first and main target of European authorities in their effort to regulate the business of US internet giants in Europe. Google has been targeted by an antitrust investigation as early as 2010. More recently, other big internet companies have been placed under scrutiny by European authorities. Three main issues are tackled by regulators: taxation, antitrust and data privacy. Antitrust investigations have also been launched against Apple for its relation with music labels (April 2015) and Amazon for its pricing policy on the e-book market (June 2015). Tax optimisation strategies are also investigated for these two companies. Finally, data privacy is addressed by the decision on the right to be forgotten -first implemented by Google, but targeting all search engines -and by investigations by European national authorities on Facebook privacy policies.
Search engine results have been at the core of two recent debates driven by distinct authorities concerning Google's operations in Europe. Indirectly related, both are consequential for the recent regulatory dynamism in the European Union, in particular in relation to oligopolistic data control positions. On the one hand, the decision of the Court of Justice of the European Union (hereafter CJEU) against Google in May 2014, on the so-called 'right to be forgotten', imposed an obligation on Google to decide on potential delisting of URLs from its search results when there is a user request in that sense, for information that is "inadequate, irrelevant or no longer relevant, or excessive" (CJEU, 2014). On the other hand, the antitrust investigation recently completed by the European Commission (EC) found that Google was in breach of the competition law through the favourable treatment of its own shopping service in a situation of market domination, as discussed further in this article. The antitrust case addresses only one of the concerns of the European Commission regarding Google's business practices. Further investigations, for example into the Android service operated by Google on smart devices, have been recently opened. In this article, we examine the implications of these regulatory moves around data control in the EU and conclude that they are part of a broader attempt to develop a new regulatory space adapted to the requirements of the digital age, fostering norms for the global market.

DATA CONTROL AND NEW BUSINESS MODELS
The debates in the EU, intensified since 2010, regarding Google's position and operations as a data controller and the ensuing extension of its responsibilities, are part and parcel of the transformation of governance in the digital era. The massive amount of (personal) data collected every second no longer lends itself to human processing, thus being replaced by algorithms which combine, select, and rank information by transforming input data into a desired output that takes into account specified calculations (Gillepsie, 2014). Accompanying the advances in computer power, this shift towards 'governance by algorithms' (Musiani, 2013;Mayer-Schönberger and Cukier, 2013) is partly stirred by the myth of larger datasets generating better and more useful knowledge (Boyd and Crawford, 2012, p. 663).
To make sense of the information available online, search engines provide the first entry point and one of the most successful business models of the century. More than 90% of online users in the US currently resort to search engines for finding what they are looking for on the web, making search engines the most widespread means of accessing information. In Europe, Google owns more than 90 percent of the online search market, giving it a powerful position to mediate between the users and the information available online. Considered in its entirety, Europe is Google's biggest market (Drummond, 2015). The company's mission, "to organise the world's information and make it universally accessible and useful" translates into a continuous effort to collect data from users worldwide and a massive investment in the digitisation of offline content (archives, books, museums, etc.). Google's annual revenue was USD 66 billion in 2014 and its lobbying expenditures were the second-largest of any corporation, surpassing USD 16 million.
Its business model is primarily based on its ability to predict behaviour by combining information coming from search queries and profiling for targeted advertising. As Powers and Jablonski (2015, p. 79) explain, "its ability to connect the right advertisement with the perfect user stems from its tracking and study of user habits," pushing Google's forecasting power as far as accurately predicting voting turnout on election day or the value of the stock market (2015, p.

82). Google's patented PageRank technology remains a business secret and its search algorithm
is changed and tweaked more than five hundred times a year in order to enhance user experience and to respond to business demands, according to Google's Executive Chairman Eric Schmidt (US Senate, 2011).

GOOGLE'S IMPLEMENTATION OF THE 'RIGHT TO BE FORGOTTEN'
As of May 2014, Google is in charge of implementing the so-called 'right to be forgotten' in the EU, following the landmark case C-131/12 Google Spain SL, Google Inc. v. Agencia Española de performing a public function that can be legally contested in case of unsatisfactory results. The decision established an obligation on Google to act on potential removal from search results of items that are "inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes for which they were processed and in the light of the time that has elapsed," (CJEU, 2014) when there is a request in this regard from the person concerned. The decision applies to searches by individual names only and imposes an obligation on Google to set-up an infrastructure for a case-by-case deletion of links based on human review. The decision came in the midst of data protection reform discussions in Europe, which uphold the 'right to be forgotten' and it triggered heated debates around de-linking search results globally, on google.com (Mediapart, 2015), or only locally (e.g. google.fr; google.it, etc.).
The CJEU case referred back to a 1998 notice of property auction published by the Spanish newspaper La Vanguardia for a now-resolved debts lawsuit of Mr. Costeja. Although Mr.
Costeja paid his debts, a Google search on his name would list that first after the digitalisation of the newspaper archive. The Spanish court decided that the newspaper archive should not be altered to no longer display this information, yet Google should remove the link to this information. Google challenged this in front of the highest national court (Audiencia Nacional), which referred the case to the CJEU.
On 13 May 2014, the CJEU ruling against Google proceeded as follows: first, it asserted its jurisdictional competence by establishing that the search engine activities of the Spanish subsidiary of Google Inc. -headquartered in the US and owning the search algorithm -were 'economically profitable' and they fall under the territorial scope of application of Data Protection Directive 95/46. Second, it determined that Google was a data controller as its activity consisted in "finding information published or places on the internet by third parties, indexing it automatically, storing it temporarily and finally, making it available to internet users according to a particular order of preference". Third, it required Google to comply with the Data Protection Directive 95/46 as a controller on the territory of a member state, in order to "remove from the list of results displayed following a search made on the basis of a person's name links to web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful" (CJEU, 2014). The Court also recognised that when the public interest is at stake, the data controller needs to assess whether to continue to make available a particular link.
This decision imposes a financial burden on Google for case-by-case reviews, which is not expected to affect its operations, but may raise the bar for future market entries. By not providing concrete guidelines for implementation, the CJEU left ambiguous not only the de facto application of the ruling, but also its geographical coverage. It introduced a new approach which requires that the processing of data be done according to the location of the user, independent of server location or company headquarters. Recognising the dominant position of Google, this regulatory move stresses the importance of norms that prevail when doing business in Europe. It signals that restrictions would be enforced to empower the European consumer, while pushing forward the adoption of the long-debated Data Protection Regulation, which imposes a stricter framework of action on companies. It also leaves room for interpretation with regards to a potential application of the decision at the global level, in order to best protect the rights of European citizens beyond their place of residence. This was the bone of contention in the months following the CJEU judgement, coming into sharper focus recently with the order of the Paris Tribunal de Grande Instance (2014)   (2) the differentiated application of a system of penalties that 'de-motes' comparison shopping services and that is not applied to Google's own service; (3)  It is interesting to note that a similar investigation by the Federal Trade Commission in the US was settled in 2013. As the final report of the FTC states: We have not found sufficient evidence that Google manipulates its search algorithms Electronic copy available at: https://ssrn.com/abstract=2635130 Data control and digital regulatory space(s): towards a new European approach to unfairly disadvantage vertical websites that compete with Google-owned vertical properties. Although at points in time various vertical websites have experienced demotions, we find that this was a consequence of algorithm changes that also could plausibly be viewed as an improvement in the overall quality of Google's search results (FTC, 2013).
The strong reactions by US officials after the EU Parliament's non-binding resolution to break up Google and after the recent move by the EU Commission on the antitrust case illustrate the different perceptions of the situation on the two sides of the Atlantic. US President Obama depicted the EU policies as protectionism: We have owned the internet. Our companies have created it, expanded it, perfected it in ways that they can't compete. And often times what is portrayed as high-minded positions on issues sometimes is just designed to carve out some of their commercial interests (Swisher, 2015).
However, the resolution was highly controversial in Europe as well. The decision was depicted as a political move supported by Google competitors rather than a regulatory move. On the other hand, some voices in the US also advocate for a stronger regulation of digital markets.

TOWARDS A EUROPEAN REGULATORY SPACE ON THE INTERNET
The current growth of digital markets based on e-commerce and the exploitation of big data rests on a set of social institutions that ensure the protection of basic norms for market operation. Their development cannot be disconnected from the promotion of (Western) values that broadly define our understanding of the interplay between public and private actors, such as trust online or the enforcement of intellectual property rules. This reconfigures the roles of organisations and carves out new spaces for regulation (Chenou and Radu, 2015). The laissezfaire approach of the 1990s was believed to create the appropriate conditions for the development of the EU as "the most competitive and dynamic knowledge-based economy in the world" (European Council, 2000). In defining this regulatory space, instances of contestation over what is to be regulated, while not a new feature in global governance processes (Radu, Chenou & Weber, 2014), probe the boundaries of European institutions. By remaining ambiguous about the implementation of the 'right to be forgotten', the CJEU opened the door for advocating in favour of the global applicability of the decision. Specifically, the CJEU decision triggered debates as to whether the Google practice of removing links from European local versions of the search engine fully protects European citizens' rights. Moreover, a broader inquiry into the e-commerce sector has recently been launched by the European Commission as part of a Digital Single Market strategy tackling issues such as telecommunication regulation, copyright, data protection and IT security. Against this background, the antitrust case against Google appears to be an element of a broader political project rather than just a circumstantial reaction or a protectionist trend.
What is at stake here goes beyond operating in a more regulated framework. It targets the development of new norms that out-rival the transatlantic divide in key policy areas, including privacy protection and antitrust sanctioning and seek to establish global rules. Legal scholar Frank Pasquale called for a European digital regulator that would not reproduce the weaknesses of the enforcement of competition rules in digital markets in the US. The two cases analysed in this article show that, in structuring a new approach to governance in the digital age, European institutions proactively work towards the same goal by reconfiguring their own mandates, rather than transferring responsibilities to a new regulator.