In a rare move on February 27, 2023, the Federal Trade Commission (FTC) issued its first statement akin to a closing statement since 2019. The FTC’s statement was, however, lukewarm. Its focus was warning the parties to the transaction, Amazon and One Medical, that they must live up to their words regarding the cross-use of sensitive health data or face consequences.
The statement is a signal, not only to Amazon and One Medical, but also to other tech and life sciences companies navigating the intersection of data privacy, antitrust and consumer protection laws to take notice that the FTC and other enforcers consider matters beyond competition in their merger reviews.
Companies conducting M&A in this space must be alive to this full range of issues from the outset of a transaction process. The interplay of data privacy, consumer protection and antitrust considerations need to form an additional element of pre-transaction workstreams, including in due diligence, synergies modelling (additional revenue streams) and innovation opportunities (new commercial propositions and monetization opportunities).
Merger review is not the end of the story
Amazon announced its proposed acquisition of One Medical on July 21, 2022. Following more than six months of investigation, the parties announced that they had closed the $3.9 billion deal on February 22, 2023. With respect to the merger review, without addressing the substance of their competition analysis, the Commissioners merely stated that the FTC’s investigation of the transaction “did not result in a challenge to the acquisition before the parties were eligible to consummate it under the Hart-Scott-Rodino Act’s timeline”. However, the Commissioners took the opportunity to raise issues beyond antitrust laws, noting that “the acquiring and acquired companies’ conduct with respect to the sensitive data they hold could risk violating consumer protection laws”.
During merger reviews, authorities around the world often require demanding and extensive document productions. This enables authorities to mine companies for information not just on competition issues, but also on general market and customer interactions. While merger review is a competition-based assessment, as authorities get under the skin of an industry, privacy, consumer protection, and other regulatory issues may well be spotted and tied to the merger review process. Indeed, authorities appear to also be homing in on similar issues as they review Amazon’s acquisition of Roomba maker iRobot.
This is not a new phenomenon—some of the FTC’s high-profile privacy enforcement in the tech space related to concerns it had previously highlighted in merger closing statements. The FTC’s statement reminds the parties of this and also that it has more tools in its toolkit. Specifically, the FTC enforces, among other things, Section 5 of the Federal Trade Commission Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce” (see also our previous blog on the revival of this provision).
The FTC’s most recent statement highlights potential privacy and consumer protection concerns stemming from representations by Amazon and One Medical separately and collectively about how consumers’ personal health information would be used. These statements, according to the FTC, “constitute promises to consumers about the collection and use of their data by the post-acquisition entity”. Heralding its previous successes in prosecuting consumer law breaches where “companies make statements that, though they may be technically true or qualified by fine print, convey a false net impression”, the Commissioners advised Amazon and One Medical to “make clear not only how they will use protected health information as defined by HIPAA but also how the integrated entity will use any One Medical patient data for purposes beyond the provision of health care”.
This warning is underscored by the FTC’s recent enforcement actions against other consumer-facing health services based on alleged inappropriate disclosure of consumers’ health information for advertising purposes (see here and here). It also serves as a reminder of the dual powers of the FTC to enforce both competition and consumer protection laws: even after the transaction is completed, the parties will remain subject to the FTC’s scrutiny from a consumer protection and data privacy standpoint.
This trend can also be seen outside the US. Authorities with dual competition and consumer enforcement powers, such as the UK Competition and Markets Authority (CMA) and the Australian Competition and Consumer Commission, can also easily switch hats. This will become more acute for the CMA, whose consumer enforcement powers will be significantly strengthened by the introduction of the Digital Markets, Competition and Consumer Bill (see here).
It is also common for consumer associations and regulators, such as those responsible for data privacy and protection, to make submissions to the antitrust authority during the merger review process. The engagement between different regulators is increasing – for example, in the UK, a Digital Regulation Cooperation Forum has been established to ensure greater cooperation between the CMA, the Information Commissioner’s Office (the data protection authority), Ofcom (the communications regulator) and the Financial Conduct Authority (the financial services regulator) on online regulatory matters. As regulators continue to collaborate more closely and consumer associations seek to influence merger reviews more aggressively, the potential spill over of merger reviews into data privacy and consumer protection issues will only increase.
Health data in the spotlight
As the benefits and opportunities of using health data are increasingly recognized, so too has the regulatory spotlight on how this particularly sensitive type of data is collected and used by companies. Amazon/One Medical is one of many transactions to have been reviewed by antitrust authorities in this area.
In some cases, remedies have been accepted by authorities that share many similarities with the public statements made by Amazon and One Medical – namely, restricting the use of health data in Amazon’s advertising service. While these other cases have been solely concerned with the competitive advantage parties may receive from use of such data, the FTC’s statement makes clear that there are a plethora of other issues on its (and likely other authorities’) radar that may arise from the use of health data and that it will take action where it sees necessary.
As antitrust authorities continue to concentrate on how to empower consumers and facilitate active consumer choice in the use of data (including health data), we expect that data privacy and consumer protection considerations will play an increasing role in their decision-making and the outcomes they seek to achieve. Indeed, Commissioner Slaughter of the FTC confirmed as much recently, noting that “all of the commissioners, on a bipartisan basis, agree that this is an important thing for [the FTC] to be looking at”.
Transaction planning and the continuing intersection of data privacy, antitrust and consumer protection
Even in the initial stages of a transaction, companies undertaking M&A in the tech and life sciences space need to be conscious of the different lenses that authorities can use to assess the current and potential future business activities of the combined entity. While this may already be present as part of a due diligence process, compliance with relevant data privacy and consumer protection laws must also be a key consideration for revenue and costs synergies modelling, as well as analyses of innovation benefits and monetisation opportunities. Not only does this carry significant legal risk generally, internal documents reporting on these pre-transaction assessments will be in the hands of authorities through the merger control review, signposting any red flags for future monitoring, investigation or intervention.
The one and a half pages that makes up the FTC’s statement accordingly typifies the legal issues facing almost all companies in the tech and life sciences space. The increasing blurring of the lines between data privacy, antitrust, consumer protection and IP laws, as well as cross-conduct legislative initiatives (such as the EU’s Digital Markets Act), make legal and regulatory compliance an ever-growing chess board with multiple players. Which “piece” and “where” to focus next requires an integrated, cross-practice and cross-jurisdictional perspective.
To read more about these issues and developments globally, please see our Global Antitrust in 2023: 10 Key Themes report.