Below, we have provided the full transcript of our panel discussion Privacy as a Parameter of Competition Assessment. Read below to see the timely discussion where a panel of experts deepened the discussion regarding this topic, and how it specifically relates to South Korea.
Good evening, good morning, good afternoon, everyone. It’s a pleasure to have you on this panel discussion. I think that, over the course of the last decade, we’ve seen tremendous growth in the digital sector, and its massive growth has played out across the world, including more developing jurisdictions, such as India. Along with the great growth, there has been a significant debate. That debate is the subject of our conversation today, which is the role of data privacy laws and its intersection with competition law, more specifically.
I’m mindful, of course, that we have a very illustrious panel, some of whom are not entirely focused on just antitrust or competition law, but are more practitioners of privacy and related issues, but I think this is going to make a compelling discussion even more interesting.
Competition regulators across the globe have identified the use of data as non-price competition factors and have indicated that data collected from users by an enterprise may be used to the competitive advantage by some other competitors. I think in India we’ve seen some of that play out within the competition authority, the Competition Commission of India, has noted in recent comments that network effects large results from large amounts of data which are collected, that allows companies to compete on a level that does not necessarily relate to pricing, and creates a system of winner-takes-all. This is from a recent CCI e-commerce market study.
Of course, our conversation today is far broader than just India. It includes various other jurisdictions, but given that that’s the jurisdiction I know and come from, and that it’s part of the topic today, I just take that as one example.
Today’s panel will discuss several factors surrounding privacy and competition law and the implications of using privacy as a parameter for competition assessment, which is a debate that is alive and kicking, for sure. But I think the contours of this debate are far from clear.
With that brief introduction, given our stellar panel of speakers, I don’t want to take more time on dwelling on the topic itself, and we’ll move very quickly to introduce our panelists.
We have Daniel Sokol, or Danny, as many of us know you, Danny. He’s a Professor of Law at the University of Southern California Gould School of Law, and an Affiliate Professor of Business at the Marshall School of Business. Danny serves as the faculty director for the Center for Transnational Law and Business, and the Co-Director for the USC Marshall Initiative on Digital Competition. Additionally, as if there wasn’t enough on his plate, Danny also, in a part-time capacity, serves as a Senior Advisor at White & Case.
Henri is the Vice President of French Competition Authority, who we are delighted to have on this panel. Henri was, in an earlier start, the former Adviser to the Deputy Director General for mergers at DG Comp at the European Commission. Both at DG Comp and in the private sector, Henri has dealt with pay-for-delay cases in the pharmaceutical case industry, conduct and merger cases in the energy industry, payment systems, IT, and so on and so forth. Once again, pleasure to have you on board, Henri.
Maureen Ohlhausen, of course, is our third panelist, who honestly requires no introduction, but joined Baker Botts after leading the FTC as Acting Chairperson and Commissioner. She has directed all aspects of the FTC’s antitrust work. Many years ago, I had the pleasure of meeting Maureen at an ICN conference here in New Delhi, and I know her work includes merger review, conduct enforcement, and she’s steered all FTC Consumer Protection Enforcement, with a particular emphasis on privacy and technology issues. Maureen has received numerous awards, not surprisingly, including the FTC’s, Robert Pitofsky Lifetime Achievement Award. And in private practice, she heads the FTC practice group- in private practice- earlier, she’s headed the FTC practice group at a leading telecom firm representing and counseling telecoms and technology giants.
Rahul Matthan is our fourth speaker, and he’s part of the technology, media, and telecoms practice at a leading Indian platform, Trilegal. Rahul has advised on some of the largest TMT transactions in the country. He’s worked with companies across all sectors of the industry. From big telecom operators, to internet service providers, and manage data service providers, and advised on all sorts of matters, ranging from regulatory, to ongoing business issues. Rahul is a trusted advisor, and is also an esteemed alumni of the same university that I went to many years ago.
That is a quick and brief introduction to the panel, and without further ado of what we could potentially jump into, are a few questions.
We’ve decided as a panel to structure the conversation in a somewhat question / answer format, if that’s okay. So, without further ado, having introduced the panelists, I think what we’d like to do is to jump into our conversation and use our time productively. We’d like to model this conversation and keep it as open and fluid as possible.
Perhaps we’ll start with a question to our first panelist, Danny. Danny, welcome to the panel and thanks again for being on. Just to kickstart this entire conversation, I can think of no better person than you, and, Danny, there has been an active discussion about how, when, and whether companies should be using user data. How people can be empowered to make meaningful decisions about that data, and what laws and regulations? Should it be antitrust? Should be privacy? What laws and regulations should actually apply? There have been some suggestions that competition regulators should solve for violations of privacy. To what extent do you think that’s a viable solution? When do you think privacy can become a competition issue? Danny.
I’ll start by stating the obvious, since I’m the first speaker, which is that competition law works when it involves competition issues. Sometimes privacy may work in tandem with competition, so that greater privacy leads to more competition and vice versa. Sometimes it’s neutral, sometimes the two may be at odds, but these are distinct areas.
As a law professor, let me just say this; if we say that, “Oh, these things are the same,” then you might as well tell me that torts and contracts are the same, and we should have a single, legal regime for that. And that’s not quite right. There are going to be areas that are distinctive to a particular doctrinal area, and there will be areas of overlap.
The question then becomes when should we be concerned about privacy? And it’s when it impacts the competition. When might we see that? We might see it in one of two potential ways. In one way, we might be using privacy perhaps as an excuse for anti-competitive activity. Of course, we would want competition authorities to intervene when that’s the case.
Similarly, it could be that overly strong privacy protection, going the opposite direction, may be entrenching incumbents. The answer with so much of competition law is that it depends on the facts. But to say that the two are the same, isn’t quite right. It’s really about thinking about the interaction when there’s going to be something specific on the competition side we can do. Actually, I think the authorities that have really understood this the best, recently in a joint 24, 25-page paper, was the UK’s CMA and ICO, where I probably could summarize it in one line, “Which is when there’s an intersection, both of us care.”
I think that’s probably the right approach.
Thank you, Danny, that makes a lot of sense. I think for all of us lawyers, we at some point have to draw a line between two subjects, which clearly seem to intersect at so many different points. The answer, as they say, is truly blowing in the wind.
But, Maureen, if I can move on to you, how has competition law traditionally assessed privacy and personally identifiable data issues? How do you do that in just analysis? And what are the changes that you see that are being proposed to this somewhat traditional approach that has been taken thus far across different jurisdictions that you have experienced and worked on?
As we look back at cases over time that involved personally identifiable or consumer level data, frequently merger cases, the assessment was, is this combination creating market power in some identifiable antitrust market, such as for consumer home records? The FTC had some cases that involved combinations of land records about whose house is whose. Things like titles, or consumer credit data. They then said, “Okay, does this cause an overlap that will give competitive concerns stemming from having market power after the combination?” and imposed remedies to address that.
So, the idea that competition law has never had to deal with these issues and that we need to change everything, just isn’t correct. I think one of the issues that has come to the fore, however, is this idea of, “Well, because we care about privacy, are we concerned that even apart from creating any sort of market power in an identifiable antitrust market, does a combination of data through a merger going to reduce privacy somehow?” Or on the conduct side, there’s concern that a company has, through its own organic actions and not necessarily through acquisitions, gained a lot of consumer level data, and somehow that has given it an advantage, and we want other competitors to have access to that data, so we’re going to have some sort of forced sharing of it.
I think those are some of the issues that are kind of coming to the fore now. One of the things that I think is very interesting is as you look at traditional antitrust analysis and say, “Well, does the combination of two data sets after a merger actually create an efficiency that allows the merged firm to then compete even better, or create new products, or something like that?” That seems to be a negative in today’s analysis, if it involves consumer data, where previously it would have been a positive.
The other thing that’s kind of being focused on, is what is the identifiable antitrust market? Frequently, it is the market for online targeted advertising. I think it would really be beneficial to say, “Well, how many players are actually in that market?” A lot. Has supply been going up in that market? I think it probably has. Have prices been going up? I don’t think they have.
I think those are the kind of questions that we need to ask to determine are these issues about access to, collection of, or use of consumer data, actually competitive issues?
You mentioned in my introduction my other hat as a consumer protection and privacy former enforcer and current practitioner, where I actually think, at least in the US, a lot of these concerns would be much better addressed by adopting a federal privacy law that laid out the groundwork. Rather than trying to kind of distort antitrust law to deal with what are essentially privacy concerns.
I wrote a paper called, “Competition and Privacy: Friends, Foes, or Frenemies?” because it does create some real tension between the values in antitrust, and the values that we’re trying to protect through privacy law.
Thank you, Maureen. I think you’ve hit on several thought-provoking issues, including one that we should come to, which is, is it time for more ex ante kind of regulatory review by a separate standalone regulator?
In your case, you mentioned a federal privacy watchdog, or something of that nature. Not to say that one doesn’t exist, but perhaps that would help draw the lines, which we also heard Danny say are somewhat blurred today, and would kind of help to create some sort of a distinction between these two areas.
But I want to pick up on something else that you also mentioned, Maureen, and that’s this somewhat vexing question of efficiencies. Sometimes transactions which have privacy aspects to them could actually result in inefficiencies, and I guess that’s where I could perhaps turn to Rahul, given his role as a privacy lawyer.
Rahul, look, does the existence of healthy competition in and of itself show greater privacy protection to consumers and to end users? To pick up on Maureen’s thought regarding efficiencies, would greater privacy restrictions be efficiency enhancing? In other words, would it result in a greater consumer efficiency? Or efficiency to the market, and actually promote competition in the market? So, Rahul, over to you.
Samir, framed in that exact specific way, I think the simple answer is no. Because in and of itself, neither of those are going to be a yes. Picking up on what Danny said, and I think what Maureen elaborated on, is that you get a bunch of lawyers and you ask them a simple question, it’s never a yes or no, it’s always a maybe, it really depends on the circumstances.
If you say, “Does the existence of healthy competition in and of itself ensure greater privacy protection?” there are always circumstances where you will find that that is actually not the case. So if you are saying that if there is healthy competition, we will always have greater privacy, I will point to a number of sectors wherein the sectors themselves are extremely healthy, but privacy is not one of the factors on which they compete.
Just to pick up what Danny said, when that becomes an issue that you compete on, that’s when the existence of healthy competition is going to ensure that the market participants are going to fight with each other to become more privacy preserving, more privacy-enhancing.
So once again, let me just caveat in this room full of competition lawyers; I’m the one who doesn’t even understand the jargon and the lingo, and I’m going to comment on it as a privacy lawyer. And let me add another nuance to this: India does not even have state privacy laws. It does not have a federal privacy, and we don’t even have state privacy laws. We have no privacy legislation in this country, so after 20 years of doing this, I can keep asking myself, what are you doing being a privacy lawyer in a country without a privacy law?
But having said that, the nuances of privacy are now being picked up, as you yourself said in the introduction, by the competition regulator. In a sense, the solution for this situation is to have, as Danny mentioned, the two regulators that talk together and find a way in which the two competing interests can be addressed.
And just to pick up the second point on efficiencies, just the fact that there are greater privacy restrictions being imposed on the market, does not, once again, in and of itself, promote a competitive market. We have many examples of this.
Apple recently introduced this app-tracking transparency module. Which any privacy lawyer looks at it and says, “That’s a huge win for privacy,” because no longer can apps track your behavior and your actions without being transparent about what they are doing.
And yet, we know the implications that will have on the market, because Apple is a dominant operating system provider. There are these tensions between the steps to improve privacy and competition, and vice versa. I don’t think if it’s framed as you framed it, in and of itself that one is ever going to equal the other.
Thanks for that, Rahul.
I’ve got to say that, despite your admitted shortcoming in understanding the jargon or lingo, I think you’ve made that point very soundly. I think that’s loud and clear. I think also that in jurisdictions such as India where you have a virtual spaghetti bowl of regulators, I think the point you made about regulators needing to speak with each other is absolutely imperative in being able to deliver better outcomes for the public at large.
Speaking of regulators, Henri, if I can bring you in right now, in the digital economy, we’ve often spoken of this. Would you consider access to data as being essential? Or in some sense, if we use competition terminology, an essential facility, and therefore find it necessary to impose access type obligations where everyone has somewhat equal access to this essential facility owned by companies that possess these vast volumes of consumer data? How would you look at that?
That’s a very interesting and good question. Access to data has been looked at essentially, at least in Europe and the Merger Control Review.
The question being asked, when there’s these big data-based companies, like Apple or Microsoft, which is acquiring a smaller rival in an adjacent market, the combination of the two data sets create a data set which is indispensable for others to compete, and not replicable, should there be a mandate to provide access to data? That question has a reason in the merger control, and in Europe, it has never led to the conclusion that the data set was not replicable, and therefore that the access should be provided.
The answer regarding the merger control has not been provided to your question. It’s true that taking the criteria that I’ve just mentioned, they look very much alike, and with the criteria you find it to be an essential facility doctrine in Europe, the so-called Bronner criteria, but, when you look at it from a kind of business or economic perspective, I would argue that access to data sets is a very different animal from the animals that you would find that the essential facility lab train.
Why? Because initially, at least in Europe, when it was developed, the doctrine looked at physical facilities, like a port or a network infrastructure for gas transportation, for instance, where if somebody has access, others do not have access. In other words, it was asset that would create rivals, whereas with data, if you have access to data, that’s not rivalrous. If I access it, you will be able to access it afterwards or at the same time. I have not exhausted the data sets. In that sense, economically speaking, it’s a very different animal from the old fashioned facilities with the label natural facilities.
There’s another difference, in that data sets are dynamic animals. Whereas a harbor is something which doesn’t move, or every 20 or 30 years you have to drag it and then do other works, et cetera, a data set is highly dynamic. It depends on the number of instances, which are not necessarily under the control of the backbone which possesses the data sets. At the same time, if you would provide access, in a way, it wouldn’t be really access, it would be interoperability, to one data set from another one, the very fact that you would provide interoperability would change both sets of data sets as well.
This is, again, kind of an amorphous animal which is very different from one that you would find in an essential facility doctrine. My short answer to you would be, no, it’s very dissimilar. But the doctrine as to how and when access should be provided or interoperability should be provided has not yet been fully blocked. You can find some interesting precedents into gathering and sharing of information by insurance companies to assess risk. At the same time, it’s also true, but there is a level of appropriation when you have credible data set to run a platform on, and it’s a technological innovation, which is underlying it. The provider providing access to that data set may diminish incentive to invest for other such platforms. But at the same time providing access might be very problematic as well, so there’s a fine balance to find, and the work for that has not been yet completed.
Got it. Thank you for that, Henri. The fine balance is truly elusive, I think not just in Europe, but in other jurisdictions, including India.
I think that kind of is a nice segue to my next question, which is, if use the term appropriation, and perhaps, Rahul, given that you are the one true privacy lawyer, if I can say that amongst all of us, would you consider access data? I mean, just the very fact that you’re collecting excessive data, perhaps disproportionate, or stacking more than what you would necessarily need.
Of course, the debate on what constitutes excess data is in itself is a separate question, but would you consider excess data collection to be problematic from a privacy perspective? Some have suggested that such data collection could result in consumer exploitation, but again, going back to a recurring theme that we all brought up in the first part of this conversation, are we ignoring the potentially obvious, the immense benefits that data aggregation may yield for consumers? Rahul?
Excellent question. I think, even if you look at the traditional basis for privacy law, which harkens back to the FIPS in the US and eventually picked up by Europe, which then eventually evolved into GDPR, and that’s sort of what everyone bases privacy on. The way we protect privacy is by only collecting as much data as is necessary to serve a purpose, and by the very definition, anything in excess of that would violate privacy. If you collected data to an extreme level, that could even amount to exploitation.
If you look at privacy law, we have principles of purpose limitation, use limitation, data minimization, data retention restrictions, all geared at ensuring that behavior is guided towards collecting only as much information as is absolutely necessary and no more, and you’ll be punished if you do more than that. But as you said, this was perhaps useful and relevant in the FIPS era, and even during the database directive era in Europe, but once we had the big data moment in technology, we started seeing that there was value to be gained out of aggregate data. Vast amounts of data handled carefully in an ethical manner, could result in almost magical results.
We thought that computers could never beat humans at chess, but computers beat humans at chess. And then Gary Kasparov said we create a cyborg, human plus computer, and we will beat computers, and now they beat the cyborgs at chess. We thought that go would be an era we would never cross, but computers are beating humans at go without breaking a sweat.
But forget about that. Radiology. Today there is no radiologist who can compete with an AI driven radiologist. Why is all of this possible? Because of aggregated data. We’ve got vast amounts of data that have been able to train machines to do things that humans are not capable of doing.
In India, the example that I like to talk about in this context is financial data. Today India has maybe 300 million customers in financial services. We believe that an additional 300 million could be brought into the financial sector, but they don’t have the collateral that the current banking system requires them to show. It doesn’t mean that they are bad investments as far as loans are concerned, it just means they can’t prove it.
But, if you can use data, you can actually bring them into the system because you can analyze the history of their transactions. Based on that, you can say they’re good creditors. I mean, this is another 300 million people that can be brought into the financial services net only using data. You absolutely cannot ignore this.
Now, how do you enable this? Obviously, you’ve got to rethink the privacy principles of minimization, rethink the privacy principles of keeping things small, because we need this information to be able to train our analysis, and if you do this, we need to realize that there will be bad actors who will take this and misuse it, and that’s really what we’re concerned about. We’re not concerned about all the good uses of aggregated data, we’re concerned that there are some people who will misuse it, and it’s been done.
We know about Cambridge Analytica and what they did with the US elections, and we’ve seen this time and again. We’ve got to rethink the way we think about this minimization principle.
One of the things that I proposed as a solution was a sort of an accountability framework. I know that there are some senators in the US that came up with that sort of a model, an accountability framework. I know that Europe is thinking about accountability as a framework, which says that you need to establish a rights-based framework, and then punish for harms that are caused, regardless of the consent that you obtain, and things like that.
This is one solution. There are many other solutions that people are working on.
In India, we’re working on something along the lines of a techno-legal solution, where we actually get this aggregate data and put it into confidential clean rooms so that the data resides within the confidential clean room (CCR). Privacy is ensured, but artificial intelligence models can be run in those CCR environments so that you can just get the results. You can train the models without actually getting access to the private data. There aren’t many such solutions, and I strongly feel that we’ve got to start thinking along these lines in order to be able to unlock the value that aggregate data has without causing any of the harms.
That was a very long, non-competition related statement, but I’m just playing to my strengths. Sorry for that, Samir.
Not at all, Rahul, and you’d be amazed at how these non-competition law issues, as you term it, are actually invaluable as far as this larger debate is concerned, because I think that’s the crux of today’s conversation that we have about, ostensively, two disciplines, if you can call it that, moving in tandem, or at least very closely in parallel, and there are multiple points of intersection.
Speaking of intersection, because I do hear, Rahul, from your comments as well, that there is this understanding, at least amongst privacy lawyers, this concept of almost utilitarian, which is that there could be a greater need in certain circumstances for data to be shared, and there are, therefore, in the competition world at least, efficiencies to be extracted which could lead to greater consumer benefit, so on and so forth.
Taking up or taking cue from that, perhaps I can move to Danny and ask, we’ve looked at privacy so far as being the dawn on price competition type of parameter in competition assessment, is there some sort of a merit in viewing privacy as a price parameter as well? Apart from the so-called exploitation, which could be a result, but there is also a price aspect to it. Is there something that we could explore further also as competition lawyers?
If we think that the monetization of anything is possible, then there’s going to be some price related aspects. Part of it might be to step back and think about what are the business models of the people who are involved in data.
Lots of products generate data. All your apps, many of your smart devices, ISPs, you have data managers who have access to data, you have data aggregators. If you think about each of these different buckets of business models, including those who, just like us, are giving all kinds of data, it may not be big data.
I say this because we’re now in season 16 of “The Real Housewives of Orange County.” There’s a lot of data that we get, and not all of it is pro-competitive. The larger point is that we are able, across a number of areas of law, primarily contract, to figure out how much that data is worth. In some ways, it reminds us of IP discussion of what is the value of any kind of intangible good like IP, whether copyright, or trademark, or patent, but in some ways it’s different, because unlike IP, much of data is non-exclusive and non-rivalrous. I say much of, because there may be some unique data sets, for example, certain areas of digital health or upstream industrial data, where you just don’t have any kind of way of replicating it.
Could we give it some kind of financial value? Yes. Do we have a consistent set of metrics outside of arms-length business transactions across areas of law? The answer is no. We have certain confusion, let’s say, as to trying to figure out the value. That, I think, is going to become much clearer in the next few years across areas of laws as cases play out.
But, from a competition standpoint, we’ve had cases that I can simply describe as odd. The German FCO case against Facebook, for example, couldn’t be brought under European competition law, but because of the uniqueness of the German law could be brought there. But the idea that simply collecting data might somehow lead to competitive harm, again, so much of law is drawing analogies, whether it’s privacy law, contract law, or competition law. I’ll draw another one. If it’s simply about amassing something, we don’t have a law that says, it’s bad to amass cash, right? If you’re saying that we can monetize data, then we say, okay, if it’s priced, let’s just say it’s cash. We don’t, from a corporate governance standpoint, say that if you sit on too much cash, that somehow this is a competition abuse. And this gets to a larger point, at least in competition law. It’s not what you have, it’s what you do with it. That’s true, whether it’s data or any kind of other tool that you might have that is an input to some kind of outcome. That’s where I think competition law plays a particularly strong role.
Again, let me also note, in the United States, we don’t have exploitative abuse, so the German case couldn’t have come up in the US context, but the idea of some kind of exclusionary conduct, aha, now we have conduct. The conduct may have a basis with some kind of data, but where we’ve had those cases, we haven’t seen that.
We have a case involving the auto industry and data sharing, CDK, that went before the Seventh Circuit. A Section 1 case: no competition abuse. In much the way that Henri discussed, for example, that this is not quite the same as an essential facility, the court there was actually quite explicit: data is not an essential facility for competition purposes. There are other cases like this.
Samir, I think in short, what I would say is that this is an area where we’re going to see a lot more action across jurisdictions in the next few years, as we sort of work through these kinds of concepts.
Thanks, Danny. That sounds ominous: lots more of action. As you said, there is some degree of confusion, right? Is simply collecting data a competition law issue when most of us have grown up at least thinking that it’s not. As you said, it’s not what you have, but what you do with it.
Perhaps, Henri, you’re the right person to direct this question to, assuming that this is really an issue. What is the typical kind of evidentiary standard that regulators would need to follow in order to enforce cases where privacy is asserted as a competition concern? If you reach a situation where competition regulators across the globe are using privacy as a parameter in their competitive assessment, do you see that happening? Is that something that you believe is imminent? And what do you think, if that were to become the case, would be the most viable remedy? What is it that a competition regulator can ultimately do about a situation like this, should it pan out? Henri?
It’s a very wide question. Let me try to give a meaningful answer. I think to give an answer, first it is required to make a kind of taxonomy of the cases under antitrust rules that may involve privacy. When looking at the decisions of the cases that have been taken in Europe, to me there are four groups of antitrust cases that involve privacy. The first one is when the last platform, let’s say a dominant platform, when implementing a legal obligation in terms of privacy protection, we’ll have different options to do that, and we’ll choose one option, which would mean raising barriers to entry to a much higher degree than the other options available. So that’s one.
A second category of case is when actually the platform is already fulfilling its privacy legal obligations, but has decided to increase the protection. It’s where privacy becomes a parameter of competition. Beforehand, it was just a legal obligation, but now it becomes a parameter of competition. One instance would be the Apple ADT window that we just mentioned earlier in our discussion. That could lead to raising barriers to entry, or to self-preferencing issues, et cetera.
The third category is actually in a case where devising a remedy to a competitive harm would involve access to data, and that access to data may actually lead to privacy issues.
For instance, for all the infrastructure companies like Mobilier, the old monopolies in electricity or gas in France, there was an issue of how do you enable potential competitors to get into the market? They need access to the identity, and the addresses and telephone numbers of the customers of the old monopoly if they want to do so, but otherwise it’s privacy issues.
And the last category is the infamous German-Facebook case, where when you face a manifesting infringement of privacy laws, it could be labeled as an exploitative abuse. That’s not something which is absurd because I actually find that in an intersection of the IP law and competition law where manifestly, say fake patents, could be addressed in the competition law if it’s manifests. But in all of these, to go back to your question about the burden of proof, you will find different features in terms of burden of proof. In some instances, you need to interact with the privacy regulator, but we provide the Competition Authority with a kind of an assessment of what the issues are. To some of us, it’s obvious now for the Competition Authority to make some determination. It all very much depends on the category of case in which you are.
Now, to come to the second part of your question, let’s mention, by the way, there would be a case involving privacy at a global level. It all depends on what you call privacy. If it’s about the legal obligation, that may get a bit complicated, because all jurisdictions have different meanings, definitions, and obligations for privacy protection. If it’s about moving beyond and privacy as a parameter for competition, you may think of the Privacy Sandbox of Google, for instance. There, one ciykd imagine it can have cooperation on their mechanisms that exist for that kind of cooperation between the various competition authorities, because obviously from a business perspective, if there was a need for any remedy, such a remedy would need to be the same for across jurisdictions, otherwise the running of its business would get a bit complicated.
Thank you, Henri, that is immensely useful. Just to pick up on that very last point, which I could not agree more with personally, which is remedies need to be consistent. In some sense, for these are multinational corporations which work across various jurisdictions to have a spaghetti bowl of remedies would perhaps not be as efficient an outcome as a one would want.
But I think moving over to you, Maureen, if you would continue in this vein of look of looking at what is it that we can do about situations when they arise? What are the kinds of remedies that a competition lawyer can look at? I guess we’ve spoken about this briefly in the past, but, if I can ask you, how do proposals regarding data portability forced obligations in some sense to share data? How do they comport? How do they sit with competition and privacy values? How do you accommodate all of this in literally the same sentence?
In the extent some of the proposals particularly, in some of the privacy laws that are proposed legislation in the US would give consumers the right to port their data, to get it and import it to another user. I think, in that instance, you could see privacy law and competition law kind of in concert, in harmony. The consumer gets to decide and gets to exercise his or her market choice, and gets to decide whether he or she wants to share with someone else.
I think more concerns are raised when you have this forced sharing of personally identifiable data not subject to the consumer’s consent, the idea that I share my data with one player, but another player wants to get in the market, and therefore there is an obligation to just port that data over. That really puts privacy law and competition law in conflict.
That was my “frenemy,” or “foes and frenemies” part of my article.
One of the things that we’re seeing, and I have concerns in some of the proposals in the US law for some of the, particularly the big platform companies, is this idea that basically any business user, whoever that may be, it doesn’t really have to be a competitor, can ask for access, ask for the data, ask for interoperability of systems, with the idea that perhaps this will lead to more competition. They don’t have to justify it. It’s not up to them to justify the entity asking for access. The idea of some of these proposals is that maybe that’ll lead to more competition, but that really kind of flips the approach that we’ve had in the US to privacy and data security, which is to put the obligation on the holders of the data to say, “Who are you sharing it with? Why are you sharing it? Be sure you lock it down.” All the things that the FTC has said to many companies.
Some of these legislative proposals, what they do is actually kind of flip that, so that the entity holding the data is at big risk. If it says, “Well, I’m not sure you’re a reliable partner to share this data with. I’m not sure you’re a safe entity with whom to inter-operate,” under some of these proposals in the US, there is the provision that the company narrowly tailored to protect consumer privacy or security of their systems. They could say, “Well, I’m not going to share it,” but if they don’t get it right, if it’s not narrowly tailored enough, they have to kind of meet this higher burden. All the risk is on them. There are all these penalties that they may face, and kind of a huge hammer brought down on them.
We know the benefits through privacy regulation to consumers of making sure that their data isn’t shared as freely, and that we respect consumers’ choices, their sovereignty, and that data security is provided to them. We’ve kind of embraced those values through privacy law, and we’ve seen that throughout the world. We’re sort of moving away from that to reduce that to say, “Well we’re going to open this up, and let’s hope that it leads to more competition.” I think that really puts antitrust—if you can call these proposals antitrust, because they have much more of a regulatory bend to them than the traditional antitrust bend—that really puts our traditional notions of how you protect privacy and how you protect consumers’ data at odds with these ideas that forcing this and putting the whole obligation on the holder of the data to justify whether why they’re withholding it. This sort of puts those two things, I think, in a great tension. It’ll be, I think, in a very difficult position for those companies that would be subject to these proposals, should they pass.
So, in serious “frenemy” territory, I’d say, Maureen.
That’s absolutely intriguing, because I did want to pick up on, and get your thoughts on one further point, because you did say that some of these proposals have a regulatory bend to them, right? I want to just start on that. There is a significant conversation happening, perhaps in India as well.
Rahul, maybe you’d be in a better position to comment, but, Maureen, the conversation that I refer to really is, would we be better off? When I say we, I mean would the consumer, would the state, would consumer interests, which clearly lies at the heart of all of this, be better off by some form of predetermined, clear regulation, so ex ante regulation. Something which clearly says here are the key do’s and don’ts, mindful of the overlapping or the linkages between privacy and competition law. Let’s do this upfront. Let’s remove the uncertainty from the process because ex-post kind of conduct-based evaluations as competition regulators love to carry out, also lead to uncertainty. So, I guess this is the question that I wanted to bounce off each of each of our panelists: is ex ante privacy regulation with all, or some, of the various factors that each of you have pointed out the way to go, or the way to resolve this in a way such that there are at least certain outcomes which benefit the consumer? If there are roles for different agencies over there, how do you ensure that these agencies actually speak with each other to ensure that there is some sort of a uniformity and outcome?
Maureen, if I can start with you?
Certainly, happy to start on this.
I think that having a generally applicable, in the US, federal privacy law that lays out the consumer rights and the corresponding obligations on the holders of data would really be a great contribution. First, of all, the legislation that I mentioned, the way it’s been drafted, only applies to a handful of companies. That creates some competitive distortions. If you have a generally applicable law, and one of the other things that I found as a privacy enforcer, it’s not necessarily the big companies that are causing the greatest privacy damage. Small companies have sometimes very sensitive data. Think about this; we brought the case against Ashley Madison, where when that data was released, there were reports of people committing suicide. I think having a generally applicable law so that companies know where the boundaries are and can plan accordingly.
I also think it’s very difficult to have this sort of, “Well is this allowed, not allowed?” Five years later we decide, “Oh no, the line should really be in a different place,” and you’re on the hook for something where when we made these decisions, and we had these in place, it wasn’t really law. It was more the practice, the expectation, or something like that look different.
I think having generally applicable, economy-wide, privacy law with clear enforcement tools. My recommendation would be that those enforcement tools go to the Federal Trade Commission. I think that would really be kind of the path forward here.
I think all the panelists have touched on this: where you draw the lines for privacy, because that will have an impact on innovation and competition. Any privacy law also needs to take that into account, because regulation that’s poorly done can have negative competitive impacts. You’re always going to have some trade-off, but you kind of want to make that trade-off as sensible as possible.
Thank you, Maureen.
Henri, maybe I can check in on you on this one, mindful, of course, that you’re a competition regulator, but equally I think Maureen makes a pretty compelling point, which is ultimately interests are best served if there is some degree of certainty. So perhaps a clear regulation upfront is welcome. But naturally, they would be areas where this could have some sort of impact on innovation and competition, and that’s the slightly hairy line that we are talking about. Is that’s where we start to wonder, what’s the role of a competition regulator, even if there is an ex ante privacy law? Is it solvable by the regulators speaking with each other? Is it better solved, as I think Maureen tends to indicate, that perhaps have the competition regulator also be the one who enforces this ex ante privacy regulation? Maureen, I’m not sure if that’s what you meant by when you said that, “Give those paths to the FTC,” but Henri, your thoughts on this?
So there’s clearly a need for communication. You know that the situation in Europe is a bit different from that in the US also. We have an ex ante regulation. I hate the word ex ante, but at least behavior obligations are pretty clear. What is perhaps a bit less clear, because it’s still a baby, it’s something like three years old and so the teeth are getting out, the implementation of privacy law in Europe is country-by-country. It’s a European regulation, but it’s country-by-country, and there’s a need to know who has jurisdiction, and then to make sure that the privacy regulators understand each other within Europe, and apply some of the rules, and put them in a consistent way.
Perhaps one other point is really important, privacy as understood in Europe is, in a way, a pro-competitive regulation. Why? Because it provides choice. Informed choice to consumers and to customers.
And second, into the GDPR, there is a provision for the portability of data, which, when implemented, could lead to decreasing the costs of switching our customers from one platform to the others.
To come back, there’s always friction. As I was saying, there’re four points of contacts, four categories of cases, that may involve both privacy and competition law. For that to be resolved, you need a lot of interaction and discussion, whether at the structural level, or at a more informal level between the regulators for competition and for privacy. In Europe, that has a horizontal element within a country, but there’s also a vertical element because there is also discussion that needs to be done between one country and the European Commission, or one country and another; one applying the privacy law and the other one competition law. It’s a little bit complicated to implement.
Sounds familiar, honestly, Henri, complicated to implement.
I think, Rahul, moving over this very quickly, if I can get your thoughts. India as a country abounds in complications. When Henri was saying you have to be consistent, there’s a country-by-country approach, we’re obviously mindful of the various contradictions within the federal India as a board. How do you see this playing out within a jurisdiction such as India?
Just to make things slightly more complicated, maybe I can talk about what India is doing with regard to portability, and I mentioned briefly techno-legal approach.
India has built a framework called DEPA, Data Empowerment and Protection Architecture. Essentially, this is a technology layer on top of the consent-based privacy layer that Henri just spoke about. It allows us to do a lot of the things that I think Maureen was concerned about, which is, if you allow portability, you’re opening up a fire hose; competition is going to suck information. How do you protect user privacy? The DEPA architecture essentially implements portability with user consent, but in a micro-portability way.
When I spoke about financial benefits of portability in the Indian context, in the DEPA context, does, is it will allow a user to say, “Look, I’ve got information in my bank, but another lender wants this information. I, with my consent can allow that lender to take that information.” And so, in a sense it’s a marriage of the two. It improves competition because it allows new-to-bank customers. People with whom the user does not have an existing relationship can actually offer services to that user, improving competition. At the same time, it does not allow that person to misuse that information because all of the information passes with consent.
I think that as lawyers and as regulators, we tend to think that solutions lie in regulation, ex post or ex ante, but I spend so much time with technologists that I think that it is possible, particularly since ultimately we’re regulating tech companies, bringing regulation to a tech company is like bringing a knife to a gunfight. If you want to really regulate them, bring technology in to regulate the technology companies using the power of technology. I think India has done that neatly with the DEPA architecture.
Thanks a ton for that, Rahul. I guess a final word, wrapping up comments, whichever way you look at it, given that we have probably overstayed our welcome with our hosts.
Danny, as an academic, perhaps you can give us an overview as well, regulation ex ante/ex post. Henri told us of his discomfort with the term ex ante to start with. Rahul has very kindly characterized this as being bringing a knife to a gunfight. How exactly do you see this? Is it time for us to regulate or ex ante? Or are our competition law tools adequate? Is the current status quo with both of these things running parallel adequate? Or do you see some sort of a need for change?
Very quickly, the enforcement tools work effectively for purposes of enforcement. If there are issues of regulation, then we ask the basic questions: what is it we’re trying to regulate? How do we make sure that regulation is as least distortive as possible, but still reach the goals of competition that we want to have? There’s a lot of complexity here. Unlike a traditional utility in a static market, let’s say a provision of water utilities, here there are real dynamic effects, and we have to be very careful about making sure we calibrate properly. Is there a role for some area of regulation? Quite possibly, yes. What exactly that means in practice requires careful thought.
On that happy note, careful thought and calibration is where we will leave the conversation. Thank you, once again.
I don’t think that I’m well-positioned to, nor do I need to, sum up anything or any of the comments that the speakers have made today, so I’m going to end here. We’re also out of time.
I need to thank all our panelists once again. This has been, at least for me, a tremendously informative and fun conversation. Maureen, Danny, Rahul, Henri, a big thank you from me, but also on behalf of the other panelists. If we did have a live body audience, this is the point in time where you would hear much applause. Thanks a ton again for your time, and have a good remainder of the day or a remainder of the evening, depending on where you are. Thanks again.