Recognizing and Dealing with the Tension between Competition and Privacy Policies

By Matthew Lane, Project Disco

Tech policy is in a moment of conflict. Some folks are calling for data to be shared to increase competition, while other folks are asking for far greater restrictions on data to improve privacy. We can serve both needs, privacy and competition, but we first need to have a conversation about how these policy needs interact and we may need to find less obvious solutions to the unique problems caused by clashing policies. 

A starting point is to recognize that privacy and competition remedies can run in conflict with each other. A way to promote privacy might be to limit access to information as much as possible. It’s like keeping a secret: the fewer number of people who know, the fewer the opportunities for the secret to get out. This is how we often deal with privacy concerns: through regulations like the Video Privacy Protection Act that restrict access to sensitive information. However, a potential way to promote competition might be to lower barriers of entry by increasing access to inputs. For example, antitrust agencies have long used compulsory licensing of intellectual property as a remedy. Similarly, data portability is currently being examined as a way to make it easier for consumers to change services thereby increasing competition. A specific example is the ACCESS Act introduced by Senators Warner, Hawley, and Blumenthal.

These different policy needs can be balanced. A good question to start with is just how necessary any particular data set is to allow a new entrant to compete? New entrants may not need old data or certain kinds of sensitive data to flourish, and they may be able to use alternative available sources for some data rather than relying on a potentially intrusive competition remedy. Understanding this dynamic should help guide policy that has to balance privacy needs with competition needs.

In other cases, conflicts can be mitigated through creative solutions. For example, some data sets have value not related to identity of who the data belongs to. These data sets can be accessed at low risk if properly de-identified. Other issues can be addressed by putting the user in control to make decisions about their own privacy needs. These solutions may sound simple, but there are many potential pitfalls in their application. Fortunately, experts looking at this tension between competition and privacy seem to generally believe we can work through these issues as long as we recognize the problems.

How competition remedies can impact privacy interests

There is an argument that new entrants need access to incumbents’ data in order to compete, but the sharing of this data raises privacy concerns. This risk balancing raises a preliminary question over whether the complete transfer of user data is necessary to increase competition. Often it is not the data itself, but the successful processing and application of that data that provides the value. This means that a company may not need all of a user’s data in its applications, and some companies may simply lack the capabilities to use most, if not all, of the data provided to them. 

The question is how much data is necessary to increase competition if policy-makers choose to adopt data sharing solutions? If less data is shared, then there is less privacy risk. Therefore, it is useful to understand and make data-sharing decisions based on the comparative value of each data set in terms of competition and privacy. If a data set is extremely useful for encouraging competition, and has little privacy concern, then it may be an easy call to require access to that data. However, data that is highly sensitive but does not have much usefulness to promoting competition should probably not face access requirements.

There are a couple other issues with data sharing that should be contemplated in a data access remedy. The first is trust. The users presumably trusted the company when they gave their nonpublic data to them. This trust was hopefully based on the user’s view of that company’s privacy and security policies. The user may not necessarily have that same trust in a company that is granted access to their data through policy. This may not impact policies that give the user complete decision making authority over their data, but it does raise other questions like how the user will be informed about differences among companies in privacy and data security. The second is security. Bad actors could exploit access policies to steal consumers’ data. This could be done by tricking users into giving them access to their data or by posing as users and approving a data transfer. Access remedies should promote security measures to prevent these abuses.

Continue Reading…