On March 21, 2023, the Italian Competition Authority (AGCM or “ICA”) published for market testing a set of commitments proposed by Google LLC (“Google”) to close an investigation for abuse of dominance under Article 102 of the Treaty on the Functioning of the European Union (“TFEU”) and the national equivalent (Article 3 of Law 287/90). The ICA opened the investigation in July 2022 on the grounds that Google may have obstructed users’ rights to the portability of their personal data, as established by Article 20 of the EU General Data Protection Regulation (“GDPR”). The investigation was prompted by a complaint filed by Hoda Srl (“Hoda”), an Italian company that provides innovative brokering services for the marketing of personal data, which alleged that Google created a hindrance to Hoda’s transfer of user data.
Hoda filed its initial complaint in September 2021. At that time, it informed the ICA that since 2018 it has been developing a digital application (named “Weople”) that provides innovative banking and investment services for user personal data and the complementary technologies needed to market that data and monetize it. More specifically, Weople subscribers use the app to “bank” all sorts of personal data in digital accounts and then earn money each time a third party requests access to that data for business or statistical purposes (e.g., targeted advertising, customer profiling, databases, and enrichment tools). When a consumer registers a Weople account, they mandate Hoda to retrieve all of their personal data tracked and stored by digital service providers, such as e-commerce websites, social networks, app stores, browsers, mobile operating systems, video-sharing and streaming platforms, and payment service providers. Meanwhile, a business (typically a digital advertising company or retail chain) can acquire that data from Hoda in GDPR-compliant form (i.e., the data is anonymized and aggregated by default) to improve its performance. For instance, a business may use such data to offer better targeted and more valuable digital advertising services or to better profile direct customers in order to develop new products or for promotional purposes. Therefore, Weople serves as a broker between consumers and businesses, allowing the former to monetize their personal data with the latter, while via Weople the latter access a source of valuable data that serves as an alternative to incumbent data aggregators like Google.
According to the ICA’s statement opening the investigation, Hoda complained that in May 2019 it started requesting that Google develop a specific API allowing interaction between Weople and Google for the direct transfer of Google users’ data to their Weople accounts. It justified that request based on the users’ mandate to Hoda and users’ interoperability rights, as set forth in Article 20(2) of the GDPR. However, Google apparently rejected or delayed responding to that request, arguing that it was developing a shared framework that would ensure data interoperability with any rightsholder and that, in the meantime, it did not have the resources to develop a customized framework for Weople that could be guaranteed to protect users’ privacy against unauthorized access from third parties. As an interim solution, Google merely offered each Weople user the opportunity to request a copy of all their Google data using the dedicated Google Takeout tool, which requires prior authentication via the user’s Google ID account.
The preliminary legal assessment of the ICA
Provisionally, the ICA found that the procedure Google proposed to Hoda was too complicated and discouraged users from exercising their right to portability. The evidence submitted by Hoda clearly demonstrated a dramatic drop (90 to 95%) in requests for interoperability by Weople users after Hoda started instructing them to use the Google Takeout tool in July 2019. The ICA cited findings of its Big Data sector inquiry, which revealed that the main competitive leverage for digital services providers is the availability of a large volume of data about the commercial behavior of consumers—data that is essential for the provision of personalized and innovative services. The ICA therefore considers Article 20 GDPR to play a key pro-competition role by allowing consumers to explore alternative and innovative ways to extract value from their personal data that do not depend on services offered inside the Google ecosystem. Correspondingly, interoperability lowers barriers to market entry previously raised by the accumulation of Big Data in the hands of a few powerful operators and the related network effects and shifting costs, thus allowing alternative data aggregators like Hoda to offer innovative, independent services and to exert competitive pressure on the incumbent operators.
Considering the Google ecosystem in the aggregate and the activities that allow it to track, collect, store, and process personal data—and consistent with the case law of the European Commission—the ICA identified the following relevant markets for the purposes of the investigation:
- the market of general on-line research services, which is nationwide;
- the licensable mobile and PC internet browser markets, both worldwide (excluding China);
- the market for application sales portals (app stores) for the Android mobile operating system, which is worldwide (excluding China);
- the market for navigation apps that provide step-by-step directions, at least Europe-wide;
- the market for payment services via mobile devices, at least nationwide;
- the market for virtual assistants, at least nationwide;
- the market for digital music distribution services, at least nationwide;
- the market for digital translation services, at least nationwide, but potentially Europe-wide and possibly even worldwide;
- the market for wearable devices, at least covering all of Europe.
The ICA noted that Google has already been found by the Commission and other NCAs to be dominant in the first four markets listed above (with market shares ranging from 95% in general search to 62% in the mobile internet browser market in 2021). The ICA also noted Google’s “irreplicable” ability to provide targeted search advertising services due to the volume and variety of the data it collects.
Against this backdrop, the ICA preliminarily concluded that the challenged behavior could constitute unfair exploitation of consumers by limiting their ability to transfer their data to an alternative aggregator that might allow them to extract more value from the same data. The ICA also argued that the conduct is likely to restrict competition in the wider market for the provision of innovative services for drawing value from personal data by hampering the ability of an alternative provider to offer such services in competition with Google.
The proposed commitments
To address the ICA’s concerns, Google proposed the three sets of commitments summarized below, designed to simplify the sharing of user data through its Takeout Tool, thereby enhancing the value of data exported through that tool and shared by users with third-party operators and accelerating adoption of a new direct service-to-service data portability solution.
First, by April 1, 2023, Google would develop and make available a uniform resource locator (URL) that third-party operators can embed in their applications or websites to facilitate end users’ selection and export of their data from Takeout for sharing with third-party operators. Once a user clicks on the embedded link, they will be directed to their Takeout profile, where certain pre-selected categories of data will be available for download and export as a single file to one of the Takeout-enabled cloud storage services (i.e., Dropbox, OneDrive, Box, or Drive). The end user then can provide the file directly to a third-party operator by email or other means. The following categories of data will be available for download and export: My Activities (which includes data related to a variety of Google products and features, including Search, Chrome, and Maps browsing history), YouTube, Fit (which includes health data from wearable devices), and Google Accounts.
Second, by June 1, 2023, Google will make available to third-party operators detailed documentation and information regarding the data included in the My Activities section in connection to users’ searches on Google Search and their browsing histories on Chrome and YouTube. According to Google, this commitment will make the related data more useful to third-party operators by facilitating extraction (“parsing”) and importation (“ingestion”). Specifically, Google undertakes to provide information regarding headers, data fields, field definitions, and data types. Within the Takeout user interface, additional information will be provided on how users can locate and share the data exported from Takeout with third-party operators.
Third and last, by October 1, 2023, Google will make available an “early adopter program” (“EAP”) to allow third-party operators to begin testing a new solution in advance of its official release. This solution is designed to enable direct service-to-service data portability for data provided by an end user or generated through end-user activity during use of Google’s online search engine. According to Google, this program will allow third-party operators to begin developing their own tools based on Google’s direct service-to-service portability solution. As part of the program, Google plans to offer third-party operators an opportunity to benefit from technical support (e.g., workshops) so that they will be ready to use Google’s proposed solution.
Google specified that the first two commitments would last for five years from their respective dates of implementation, while the third commitment, if accepted and made binding by the ICA, would last until the release of the final service-to-service portability solution. The commitments also call for appointing an independent monitoring trustee to supervise and report on the correct and effective implementation of commitments, as well as to operate as first point of contact between Google and the ICA for any related issue.
The proposed commitments are now to be market-tested, and the ICA has already postponed the deadline for issuing a decision in the case from June 30 to July 31, 2023.
In its submission, Google specified that the proposed undertakings are subject to technical feasibility study and that several features need to be tested and explored in further detail based on market feedback and ICA indications.
Indeed, such thorough and complete commitments are unusual in Italian antitrust proceedings, whose procedural rules—similarly to EC procedural rules—require that actions proposed by investigated firms be precise and easily monitored for compliance enough to be suitable for closing a proceeding without a finding of infringement. Digital markets may require the ICA to adapt its practices to the new technological context and the legitimate needs of incumbent operators in the fast-evolving ecosystem of innovative services.
Notably, in a previous case against Google similar to this one (Google/Enel X), the ICA did not accept any of the proposed commitments and found that Google breached Article 102 TFEU by refusing to interoperate with an alternative app provider. It not only imposed a fine of EUR 100 million, but also put forth a series of specific remedies in the form of a “to-do list” of obligations for allocating resources and investments to design and develop new service features for third-party operators. That decision was challenged by Google, and on April 4, 2023, the top Italian court (Consiglio di Stato) referred a set of preliminary questions to the Court of Justice of the European Union (CJEU), including, inter alia, (i) whether a dominant company’s lack of a specific service or template to interoperate with third parties at the time of a request provides “objective justification” under Article 102 TFEU for refusal or delay in meeting the request; and (ii) whether Article 102 may be interpreted as requiring a dominant firm to modify existing products or services or develop new ones in order to meet a request from an undertaking for a customized solution to access such services.
 Article 2 of Regulation (EU) N. 679/2016 of 27 April 2016, reads in part, “1. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where: the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and the processing is carried out by automated means. 2. In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.”
 ICA Resolution No. 28051 of December 20, 2019, Joint Sector Inquiry of the AGCM, AGCOM, and Garante Privacy; our previous report on this sector inquiry is available on the Concurrence e-Bulletin at this link.
 Decisions of the European Commission in cases AT.40099 – Google Android; AT.40411 – Google Search (AdSense); M.9660 – Google/Fitbit; and others.
 Order of the Council of State N. 7412/2022.