Deep Dive Episode 139 – Implications of Data Portability: A Consumer Protection Tool or Burden?
Data portability has been a hot topic of late, from GDPR to CCPA to the FTC’s recent Data to Go Workshop. To some, data portability is a consumer right to access and move individual data. For others, data portability means the sharing of larger swaths of data with other services and platforms to lower entry barriers to effective competition.
Although both forms of portability aim to enhance consumer welfare and increase competition, data portability raises a host of issues, such as privacy protection, data security, and intellectual property rights. Additionally, there is evidence that data portability mandates, when used as a competition remedy, are costly and ineffective, may reduce business incentives, and could entrench incumbents by making it difficult for smaller competitors to change their services and modernize their products.
This comes as many competition agencies and legislatures alike are considering interoperability and data portability mandates to increase competition. And, Congress is set to release a report with recommendations for reducing the market power of online platforms, which may include these mandates.
The Regulatory Transparency Project explored the hot topic of data portability over the course of a two-part virtual panel series entitled, “Data Portability Mandates, Consumer Privacy Protections, and Competition Law.” This panel discussed the consumer protection and privacy implications of data portability, and the second panel turned to the use of portability and interoperability mandates in competition law.
Although this transcript is largely accurate, in some cases it could be incomplete or inaccurate due to inaudible passages or transcription errors.
Colton Graub: Good afternoon and welcome to The Federalist Society’s Fourth Branch Podcast for the Regulatory Transparency Project. My name is Colton Graub. I’m the Deputy Director of RTP.
As always, please note that all expressions of opinion are those of the guest speakers on today’s call. If you would like to learn more about each of our speakers and their work, you can visit regproject.org where we have their full bios. After opening remarks and discussion between our panelists, we will go to audience Q&A, so please be thinking of the questions you’d like to ask our speakers.
This afternoon we’re pleased to host a conversation exploring the topic of data portability, which has been something of a hot topic as of late. To delve into this topic a bit more and introduce our panelists, I’m pleased to introduce our moderator for today’s discussion, Svetlana Gans, who is Vice President and Associate General Counsel at NCTA. I’ll now hand it off to her to kick things off. Svetlana.
Svetlana Gans: Great. Thank you so much, Colton, and thank you, Colton, Jack, and the entire RTP group for including us in your call today. My name is Svetlana Gans, and I’m a member of the Regulatory Transparency Project Cyber and Privacy Working Group. I am thrilled to moderate this first session of two on data portability. Our second session in the series will be this Thursday at 1:00 p.m., and I hope all of you will join us.
As Colton mentioned, data portability has been a hot topic of late from GDPR in the European Union to California’s Consumer Privacy Act to baseline privacy legislation here in the United States, all including some facet of data portability. For some, data portability means allowing an individual consumer to port their data from one company to another. For others, data portability is a requirement that companies share an entire swath of data with smaller entrants as a means to enhance competition.
The goal under either scenario is the same: to increase competition. However, one must ask on which assumption do these goals rely? What have been our experiences to date with data portability? What are the costs and benefits, and what are the key considerations of policymakers going forward? Please join me in welcoming an expert panel to discuss all of these issues.
First, we have Peter Swire, professor of law at the Georgia Institute of Technology. Peter has been the leading privacy and cybersecurity expert since the rise of the internet in the 1990s. Peter served as one of five members of President Obama’s review group on intelligence and communications policy and also served as a chief counsel for privacy in OMB under President Clinton. He has researched data portability schemes extensively, and we are thrilled that he is with us here today.
Next, we have Professor Liad Wagman, professor of economics at the Illinois Institute of Technology’s Stuart School of Business. Liad focuses on information economics, industrial organization, and law and economics, among other areas. Liad is currently serving as a senior economic and technology advisor at the FTC’s Office of Policy Planning. Liad has also written extensively in the area of information economics and the GDPR.
Next, we have Dr. Gabriela Zanfir-Fortuna, who is a Senior Counsel for the Future of Privacy Forum. Gabriela leads FPF’s work on global privacy developments and European data protection law and policy. Previously, Gabriela worked for the European data protection supervisor in Brussels, being part of the team that advised the EU legislator on the GDPR during its legislative process. She also actively participated in the work of the Article 29 working group, as well as other policy study groups.
Thank you all for being here. So perhaps for us to get started, maybe we could turn first to Gabriela who could start the conversation at the beginning and tell us how data portability developed as a key policy concept in the EU and how it broadened to something larger. Gabriela?
Gabriela Zanfir-Fortuna: Thank you very much, Svetlana. Hello, everyone. Thank you for tuning in and listening to this conversation. I’m very much looking forward to it. To kick us off, I’m going to give you background about how data portability came to be as a right under the protection law in the European Union.
Well, it was introduced as one of the rights of the data subject by the General Data Protection Regulation, the GDPR. It was tabled in the first legislative proposal of the GDPR in 2012, and then it was adopted as part of the GDPR in 2016. The European Union actually had very limited previous experience, but it did have some previous experience with the idea of portability. For example, there was the telephone number portability, which was introduced through the Universal Services Directive back in 2002, specifically with the purpose of facilitating competition among telephone service providers.
The rule imposed back then on phone companies was to allow users to keep their telephone number when they switched services, so for users to be able to port their telephone number. But in order to understand why data portability was introduced as one of the rights of the data subject in this protection law, let me explain a bit what those are. First of all, let’s start with data subject.
They are the individuals whose personal data is processed by organizations. They may be consumers, users, students, employees, taxpayers, citizens engaging with their municipalities. EU data protection law actually applies to all of them because it applies to both public and private sector. And it applies across industries. That’s very important to keep in mind.
Now, data subjects have a set of rights whose ultimate goal is to ensure that they have control over their personal data. And this is also one of the key goals of data portability, just as it is the case for the other rights of the data subject. These other rights are the right to receive information about the processing that will take place at the time of data collection; the right to access their own data, including to receive a copy of it; the right to ask for erasure of their data under some limited condition; the right to ask for correction of the data; the right to object to certain data processing; and the right not to be subject to a solely automated decision making that has a significant or a legal effect against them.
Now, data portability is among those rights as well, and they are regulated together under Chapter 3 of the GDPR. Very interestingly, data portability was one of the new rights introduced by the GDPR compared to the previous legal framework under the Directive 95, the Data Protection Directive 95, paragraph 46. Now, one of the background points I want to make is that data protection is provided as a fundamental right in the EU charter, a fundamental right at Article 8, basically then the right to expect for private life or privacy, which is enshrined in Article 7.
The rights of the data subjects are an essential prerogative of the fundamental rights to data protection as they are mentioned in the second paragraph of Article 8. Even if only access and correction are specifically identified in the second paragraph of Article 8, scholars agreed that the underlying idea of providing control to data subjects through their rights of the data subjects is an essential element of this fundamental right to data protection. So you see, the idea of control [inaudible 08:51] is a big part of why data portability was introduced in the GDPR.
So what does portability entail according to the GDPR? It allows data subjects to obtain a copy of the personal data concerning them in a structured, commonly used, and machine-readable format. And I quoted this from the law — so “structured, commonly used, machine-readable format.” And then also, they have the right to transmit those data to another organization without hindrance from the first organization. This right also provides that only where it is technically feasible the data should be transmitted directly between the two organizations.
So this is the big picture, but it is very important to talk a bit about the limited scope of portability because you will see that the GDPR also limits the scope of this right quite a lot. First of all, only the personal data that the data subject has provided himself or herself to the organization can be subject to such a request. So this would typically include, for example, in a social media context, photos uploaded by users, any information they used to create a profile, messages that they sent, statuses they upload, so information they provided themselves in this particular scenario.
Now, data protection authorities in Europe issued guidelines by which they expanded this notion of data provided by data subjects to include also personal data that are observed from the activities of users as well. For example, this could include activity log, history of website access, etc. Importantly, though, inferred data or inferences made on the basis of data that has been uploaded by data subjects are outside the scope of portability.
For example, this would mean the profile of users that are created by organizations on the basis of the data that the users upload. As well, outside the scope of portability are personal data obtained from other sources than from individuals providing the data directly. So you see, the scope is quite limited, but it would still allow data subjects to have some control over their data.
Secondly, there are also limitations of the scope of this right due to the fact that only personal data processed on the basis of consent of the data subject and on the basis of necessity to enter a contract can be subject to a portability request. For example, this excludes all of the data processed on the basis of the legitimate interests of an organization. And legitimate interest is one of the widely relied on lawful grounds that allow data processing.
So this is the general picture of data portability as part of the data protection legislation in the European Union. And it was introduced as part of data protection, as an individual right of the data subject that facilitates control of the data subjects over their own data. That was the underlying idea.
However, I think always we’ve been in the process of getting to the final version of the GDPR — there was always this notion of having portability also a tool to not have locked-in users on the internet and in other digital services. So there was always in the back of the legislator’s head the idea that data portability also is the tool to avoid lock in. So it is a tool to allow competition.
Now, what happened in practice is that we’ve seen after the evaluation of the first two years of the GDPR, which took place this year — we’ve seen that data portability has not been used as much in practice as the legislators were perhaps hoping to see. So now, the European Commission is looking at ways to actually make data portability more known to users perhaps or to find other solutions to make it more appealing, more usable, let’s say. One last point I will make is that we’ve seen the data portability moving from the GDPR to other legal systems as well.
First of all in the CCPA, the California Consumer Privacy Act, there is a specific reference to interoperable data — data in an interoperable format whenever someone has the right to receive a copy of their data, which leads us to believe that we have a sort of a hidden right to portability attached to the right to access under the CCPA. The personal data protection bill currently being discussed by the Indian parliament includes a general right to data portability, which actually is much broader than what I described under the GDPR. In Brazil, the new general law for protection of personal data that just entered into force last month also includes a broad right to portability.
And we’ve seen Singapore’s efforts to update their data protection law also to include a new right to data portability over there as well. So this would be the general background of portability and how it came to be in Europe.
Svetlana Gans: Great. Thank you so much. That was super helpful. Peter, Gabriela mentioned that in the EU data portability was premised on kind of telephone number portability, which we also have in the United States. Can you talk to us a little bit about sectoral specific data portability schemes here in the United States, how they’ve been faring, and some of the advantages and disadvantages of those schemes in light of the broader data portability discussion?
Peter Swire: Okay. And thanks, Svetlana. And first let me thank The Federalist Society for inviting me to participate. After law school, I clerked for the Honorable Ralph K. Winter on the Second Circuit, and he was the first faculty advisor to the first Federalist Society group at Yale Law School. So I’ve known for a long time The Federalist Society has reached out to people with different backgrounds to try to talk about these important issues and thank you.
And also, as you know, Svetlana, I just finished writing a long report, over 120 pages, on a number of these things. And they include case studies on phone number portability, on financial services, healthcare and other sectors. So there’s been more actual experimentation with these issues of portability than I think a lot of people have realized. And I think if you look at what’s been going on recently, there’s at least three reasons people have been paying more attention to portability.
One is we have these new laws like GDPR in Europe that went into effect a couple of years ago, the California law that went into effect this year. And in the various proposals in Congress, there’s been bipartisan support to date for data portability in a variety of proposed privacy related legislation. A second thing is there’s a lot of antitrust people especially who think that portability is going to be an attractive idea for handling digital platforms.
If we can get the data out to lots of competitors, then more people can play with the data, can compete, and that’s a strong antitrust reason to be interested in data portability or mandatory data sharing as it’s sometimes called in Europe. And then, as you said, there’s been these new sectoral laws, including a major regulation in the healthcare industry that just went final this year from HHS. In my report, I suggest some terminology, which is portability with a small ‘p,’ has become a term of art for an individual right to move your data to some other place.
But there’s also other required transfers, such as opening up a database, maybe a social network database or other databases, to competitors. So in my proposed terminology we’d have portability or other required transfers, which is all capital for port, and that’s a way to think about the range of these proposals that are going forward today. And what we essentially have is a dilemma where antitrust people and people claiming rights of the individual to their control of their data want to open up the dataflow so individuals get to have more access to data or businesses do.
But then if you open up the dataflows the wrong way, you can create privacy problems. That’s Cambridge Analytica. Or you could have cybersecurity problems, which is if you’re opening up the data to the hackers who’re pretending to be somebody, then that’s a problem. So the trick here is how do you get the right dataflows to open up and the right dataflows to close down because you have multiple goals here?
From the antitrust side in Europe and the United States, the enforcers have been talking a lot about their interest in mandatory data sharing in case of platforms having monopoly power. So my own proposal in the report is to create what I call a portability and other required transfers impact assessment — a port IA, an impact assessment. And in the report, there’s a set of structured questions to try to go through step by step how to decide whether it makes sense to have this data mandate or not. And we tested this against about eight different case studies and have validated the structured questions as being useful, I think, in connection with that.
So we mentioned phone number portability. What I’ve suggested is that that’s actually been a somewhat misleading example. So phone number portability is, if you have an AT&T number and you want to move to T-Mobile or Verizon, you can take the number with you, and that helps competition. You don’t get locked in. But for portability, you actually want your phone number known. That’s not really a privacy issue most of the time. Most people don’t want an unlisted number.
And also in cybersecurity, this has tended to happen in person as part of having a subscription. So the cybersecurity’s been taken care of. The privacy’s been taken care of. So people who like portability tend to point to phone number portability. But my own looking at a lot of case studies suggest it’s not a very good precedent in the sense that the security and privacy risks tend to be more important in other places.
So in terms of just a quick summary of how to do this impact assessment, the first thing you do in any issue around dataflows is you have to define the dataflows. Where does the data come from? Where does it go? What kind of data has to be covered, and what are the legal requirements? So Gabriela is at the Future of Privacy Forum or European privacy people. We all know that you have to map the dataflows first.
Then, there’s a series of possible benefits from these dataflows, and some of those can be competition and might address network effects. Data might be locked in with high switching costs. So one way to unlock the lock in effect is to require portability in some way. It might also reduce barriers to entry. If somebody has a huge database that can’t be easily reproduced, access to that database is almost like an essential facility. And some antitrust people would want to open it up for that reason.
There’s also other reasons that support possible mandatory dataflows. You might get innovation by getting data to new people. You might have these noncommercial benefits like control over your data. And so there could be strong rationale for having the mandatory flows.
On the risk or cost side, I’ve mentioned privacy and cybersecurity problems. Even if the data goes from company A to company B, there’s a risk whether company B is going to handle it carefully and whether they’ll have onward transfer to other people who don’t have good protections in place. And then another thing that my analysis looks at a lot is when people claim they can’t share data for privacy and security, is that a good faith story about, oh, my goodness, there’s real privacy risks? Or is it a pretext? Are people using that as a reason to keep control of the data? And I’ve been a witness in some ongoing litigation in the auto dealer industry that’s described in the report where the claim from the plaintiffs is that the dealers are claiming — sorry, not the dealers, that the software providers are claiming there’s cybersecurity problems when really that’s an excuse to keep the data locked up contrary to other reasons not to keep in unlocked.
One other point I’ll make on competition is there can be risks to competition if you have portability rules. If the incumbents write the rules, that can be a standards process that potentially can be a risk to competition. And so just to sort of wrap up — and there’s more we could talk about — we’ve had a lot of these recent portability laws and proposals. It takes experience in privacy, cybersecurity, and trust to do the analysis. I’ve happened to have taught all of those courses, but usually it’s going to take a team to work on that.
So one thing to do here is to sensitize antitrust regulators that privacy and security may be a valid concern, to sensitize privacy regulators that pro competition might be something that would benefit the consumers and their rights. And this whole process can be a way that private sector companies can assess which of their procedures most are open to having a good basis for portability. So to conclude, there’s reasons to open dataflows. There’s reasons to close dataflows.
The analysis that I propose is agnostic about whether portability is good or not. It tries based on these case studies to come up with a structured way to evaluate when the cost and benefits are likely to be greater. And going forward, we’re going to need a lot more attention to these things. And I thank The Federalist Society for hosting this panel today to discuss this. Thanks.
Svetlana Gans: Great. Thanks so much, Peter. Liad, let’s turn to you. Peter just mentioned that there are some costs and benefits to data portability. Would you mind elaborating on the empirical findings of the cost and benefits?
Liad Wagman: Yes. Thank you, Svetlana, and thank you everyone for tuning in and thank you to the hosting team for organizing this important forum. At the outset, let me just reiterate these thoughts are my own and not of any organization or agency. They’re not the opinions of the FTC or any of its commissioners.
Just to start, as Gabriela and Peter indicated, data portability is happening. Whether it’s GDPR or CCPA or the U.S. healthcare industry, it’s happening. From an economic perspective, data portability has the potential to create benefits in multiple ways. First, it could promote consumer choice.
A consumer can take their data somewhere else. This ability to move data elsewhere implies a reduction in switching costs. That can mean more competition over consumer spending, either in attention or in dollars. And more competition can translate to lower prices or better-quality products, which can mean higher consumer surplus.
Data portability can also have value in showing consumers what data is collected about them. There’s sort of an educational dimension. And once consumers have better understanding of this, maybe they could be incentivized to better manage their data. Data portability can also be helpful on the firms’ side as far as implementation of regulatory compliance, for instance of privacy by design, because it forces developers to think where to draw the line between what data should be categorized as about a user or inferred about a user or not about a user.
Now, while there is cost to the implementation, the benefits, such as those I just delineated, are tangible and can line up with some regulatory objectives, for instance, of promoting transparency and consumer understanding about data collection and promoting privacy by design, promoting compliance with international and domestic regulations, and promoting better data management by firms and consumers. For instance, this could even make it easier for the press to review a firm’s data collection practices and hold firms accountable. Now, potential entrants and younger venturers may have the advantage of still being in the earlier design phases of their product, so maybe the ability to redesign the product, which could help promote adopting best practices. Data portability can also lead to newer businesses emerging to help consumers manage their now portable data or to help consumers review the data they have shared and maybe flag potential actions that consumers could take to better manage the data about them.
Now, of course, data portability introduces some risks and some potential costs. First, there are the risks of data security and data privacy. What consumers do with their ported data may expose them to new risks, and steps can be taken to mitigate those risks potentially, like encryption of data ported. There are also risks as far as the parties to whom data is ported and how they might handle or mishandle the data.
Now, there’s also risk to other parties potentially porting and obtaining data, pretending essentially to be a consumer. That means that firms have to verify the identity of the user requesting data to be ported. And in order to do so, a user’s personally identifiable information may be exposed in order to verify that they are who they are. And this exposure might happen before the consumer even knows what they might get in return. But as a user must first verify who they are by sharing this personally identifiable information, and then they find out what data about themselves they might be able to receive and port from the firm, if any.
Now, this is an important implementation issue, and it may be particularly pervasive for smaller firms who do not have existing trusted mechanisms to identify users before porting their data. Smaller firms may be forced to license such verification mechanisms from larger incumbents or third parties, sort of acting like trusted middlemen. Now, this is not ideal because it raises compliance costs, and it brings other parties into the picture. It basically spreads the data to more nodes in a network so to say.
Now, there’s also compliance cost issue, which may be compounded here given the patchwork of laws about where data is stored and whether it should be portable in a particular jurisdiction and to whom it should be portable. Now, while these potential costs are real, there is some empirical evidence of the potential benefits of loosening dataflows. So I’ve worked on a number of studies that examine the impacts of consumer data rights.
Some recent works are particularly related to the topic of data portability although they’re not precisely on data portability. They more relate to dataflows. So one is a 2015 paper published in the RAND Journal of Economics. This paper studies the opt out provision of the Gramm-Leach-Bliley Act, or GLB Act. And it accesses government’s data and financial markets. The study compares the opt out provision in the act to a stricter opt in provision enacted by local counties in California.
Now, as subtle as that opt out/opt in difference may sound — which there’s different governments at default — it entails a loosening or a tightening of dataflows — a loosening under opt out because the default is that data can be shared with nonaffiliated third parties or a tightening under opt in because data cannot be shared unless the consumer gives explicit permission for it to be shared. The GLB Act requires financial institutions to notify consumers how their personal information is collected and used. In order to share or sell consumer data to nonaffiliated third parties, the firms must first give consumers a chance to opt out under GLB.
And under such an opt out mechanism, if the consumers care, they can act. And we can have a discussion about how easy it should be for them to opt out. That’s a topic I’ve studied as well.
Now, under this sort of natural experiment in a few California counties, several counties in the San Francisco metropolitan statistical area adopted an opt in approach. Under that approach, in order to share or sell consumer data, firms would require a written waiver from consumers. Now, I empirically show in that paper that the opt in provision led to less efficient matching between borrowers and loans, leading to higher mortgage prices and mortgage defaults and foreclosures down the road. The results show that due to tightening of dataflows, market outcomes worsen for consumers. And while the reason does not precisely match the data portability, arguably, data portability can enhance dataflows and give consumers a choice in how to direct those flows.
Another interpretation of the results is that firms can voluntarily facilitate data sharing in the absence of severe regulatory restrictions in doing so. And such sharing would not be mandated — there may not necessarily be a duty to deal unless regulation itself hinders it. And I’ll comment about that more in a little bit.
But first, I want to emphasize that this perspective from these findings in this paper are reinforced by a number of other studies by myself and other colleagues on other laws, for example, the 2009 EU Privacy Directive and of GDPR, including my own recent work in GDPR. So as an example, in one recent study of GDPR that’s now forthcoming in the journal Marketing Science, my coauthors and I show the effects of the regulation appear to have been quite negative to the tune of 26 percent reduction in investments in European technology ventures. Our results indicate that those effects had little to do with GDPR’s data portability requirement, in part because this particular requirement was known to investors since at least April 2016. And the effects we detect are longer term and largely kick in after GDPR’s rollout in May 2018.
Now, these results in these studies, they raise concerns about choking dataflows. And one suggested cure, most commonly in the European Union, seems to be data sharing and other required transfers, as Peter named them. Now, I’m wary of this approach to fix one regulation that distorts dataflows in one direction with another regulation that distorts them in another. That could easily lead to unintended economic consequences.
As far as data sharing and other required transfers, while that is not our focus today, I just want to say a few words about the economic perspective concerning the incentives — the underlying incentives that may be at play here. First, firms can benefit from trading and selling or sharing data voluntarily. It’s another potential source of revenue and partnership. They may not do it uniformly, but uniformity does not imply economic efficiency necessarily. Mandating uniformity, a one-size-fits-all approach, can be inefficient.
Now, as far as voluntary sharing versus duty to deal or share, the effect on firms and incumbents and on entrants are largely unclear and introduce the issue of symmetric versus asymmetric regulation that was discussed at the data portability workshop. And definitely more study is needed here. The impact of duty to share and incentives to innovate and introduce new products is also unclear. New tradeoffs emerge on whether products should be frontend at the user level or at the backend.
There is a talk of mandating, for example, click stream data sharing from search entries in the EU right now. With such a mandate in the medium to long term makes sense if consumer screens since presort into search interest verticals prior to searching. That could really limit the use of click stream data and might be an unintended consequence in the reaction.
Another issue is standard formation. While establishing a standard, for example, for interoperability, that creates more competition in one dimension, technology is a highly fluid and fast evolving industry, particularly as far as consumer facing software is concerned. And a standard might lag the pace of innovation. So that’s another potential concern that needs to be studied. Products change. Consumers’ preferences change, and regulation and standards tend to lag behind.
Another related issue as far as the required transfers is that they necessitate at least somewhat structured data. Some data is simply not structured, and the structuring may change day to day. And it is costly. For example, the recent Snowflake IPO and firm valuation to the tune of tens of billions of dollars indicates that a firm that operates in this industry of structuring data and collecting data and sorting it is expensive. It’s an expensive thing to do. Who should bear the cost for structuring data if sharing is mandated at a price of zero, for instance? All right?
So in some industries, as the caveat, like healthcare and finance, in light of privacy concerns and liabilities, data sharing may be severely limited without intervention. In those instances, facilitating a so-called safe legal corridor and at the same time mandating duties like interoperability and data sharing can make sense since a corridor itself is decided by the policymaker, not the firm. And the policymaker may have a clear objective in this corridor, which may be of benefit to consumers and firms.
In health and finance, the corridor is clearly tied to a policy objective. When such ties are clear, it might make economic sense to create this corridor, especially since its regulation itself might prevent the corridor not shaping up voluntarily by a firm. In the absence of severe privacy restrictions, like the ones imposed by GDPR, is such a safety corridor with all its limitations the efficient approach? I’d say that that requires significantly more study.
Now, I will conclude by saying that data portability, interoperability, and data sharing introduce very different economic concerns. Data portability makes empirical sense from the perspective of loosening dataflows and reducing switching costs while controlling for risks. Interoperability and center formation may make sense on a case by case basis, as Peter indicated. And data sharing or duty to deal or duty to share, on the other hand, essentially implies that price ceiling arguably at zero, which is known to be a highly distorting policy action.
The EU, for instance, is reportedly considering requiring dominant search platforms to provide click stream data. A duty to deal or sharing this setting implies forcing a firm to sell under such a price ceiling of zero or near zero despite billions in costs for structuring data from multiple sources. For these actions to be efficient, there needs to be an economic justification.
There’s also consideration of policies of not to use data. The European Union, for instance, is reportedly considering restrictions on using ad data to develop new products, essentially placing walls between platform and product development teams. First, this is an asymmetric manipulation that targets larger platforms, at least as it’s rumored to be proposed. Second, it seems to fly against some of the lessons we’ve seen from GDPR and other regulations so far since it tightens dataflows.
Moreover, a number of independent empirical studies suggest that GDPR itself has helped entrench dominance. So this again seems to be an approach to fix one regulation that distorts dataflows in one direction with another regulation that distorts them in another. Finally, with respect to data portability and the workshop and particularly with respect to other required transfers, I would emphasize that one observable that — maybe one learning from this workshop that we’ve had is that it’s not just a discussion between antitrust on the one hand — quote/unquote, dataflows are good — and consumer protection on the other — quote/unquote, privacy and security are good. As I hope I have made clear, as far as economics is concerned here this is an intricate and complex debate within each bucket.
Svetlana Gans: Great. Thanks so much, Liad. Colton, do you want to open the floor for questions? And then in the meantime, I have a few to ask.
Colton Graub: Sure. Let’s go to audience questions.
Svetlana Gans: All right. Great. Thanks, Colton. All right. So as we compile audience questions, I just wanted to ask the panelists a few questions stemming from the remarks so far. So all three of you discussed kind of the cost benefit analysis of data portability schemes, that it’s an intricate balance of weighing the pros and cons. So as you know, the U.S. and state legislators are considering data portability in various privacy legislation. What would you say should be the key considerations moving forward on mandated data portability in the United States? Peter, I can turn it over to you first, and then Gabriela and Liad.
Peter Swire: Right. I’ve been cautious about thinking I know the answer on whether to legislate similar to the California law. I think in some ways what Gabriela said is that as GDPR has gone into effect there’s been relatively low take up or consumer use of the data portability right. And so it’s possible that there’s not much harm from requiring it at this level because companies aren’t having to do very much. It’s also possible it’s not having very much benefit as currently written.
I do think that there’s a sort of common sense — and this has been accepted, I think, by legislators from both parties — a common sense that it’s a user’s own data, and he or she should be able to do with it what they want. And if there’s being artificial ways of stopping the user from getting his or her own data out, getting your own photos out or whatever, that that seems like a bad digital service. And so I think there’s a real attraction for a lot of people that there should be some sort of ability for each of us to have some sort of control over our data.
The costs go up the more strict and far reaching the requirements are that the company write a lot of software and rejigger their systems to change based on what’s being done. So the more invasive it is towards what the processes would be, then there’s risks that the costs could go up. I wrote an earlier paper back in 2013 as GDPR was under consideration about this. And I think we really were concerned there that small and moderate sized companies don’t have the software in place to make everything easily portable in a lot of circumstances.
So I’d be a little cautious about being too directive about what the companies should do. But I think that the attractiveness of the right to our own data is very, very strong, and my guess is something along those lines will happen, at least at the level of there ought to be a way for people to have portability.
Svetlana Gans: Great. Gabriela?
Gabriela Zanfir-Fortuna: Thank you, Peter, for those remarks. I agree with what you were saying. I would want to add first something about the fact that most of the big data controllers — the big organizations are already providing portability as a feature of their services, even to American consumers. And this is a consequence of the GDPR.
It turned out that the cost of separating features that they only provide to European-based users and features they only provide to American-based users was actually quite high. So then they decided to provide sort of the same rights, the same feature — let’s call it a feature — for their entire customer base. And for example, one of the companies that went public to declare this was Microsoft.
I think it’s also interesting for those who are listening to us to find out about a project that’s called the Data Transfer Project where the big platforms came together — so Apple, Facebook, Google, Microsoft, and Twitter — and they are trying to build this open source platform to create standards and work on formats that allow portability among their services. So this is the Data Transfer Project in case people that are listening in will want to find out more about it. So my point is that already in practice we are seeing data portability provided as a matter of a general right for Americans.
So I would invite legislators to take that into account when they are deciding whether any of this is feasible or not. They should take into account this is already happening as a matter of practice here in the U.S. Unfortunately, I don’t have any data about how much use of this feature is actually happening in the U.S. As I was saying as far as Europe is concerned, this right has not been used broadly until now. But I do not have data about what’s happening here in the U.S.
Other than that, I think legislators should also pay attention to some of the key challenges that have appeared in practice with those portability requests that exist. So for example, one key challenge is the authentication and verification of the identity of the individual making the portability request. This needs to be addressed somehow because if you don’t have proper authentication and verification methods, there is a risk to actually facilitate data breaches and privacy breaches if you go ahead and provide data in a portable format to someone that has not been authenticated.
Another key challenge that we’ve seen in practice is the social nature of some personal data. Often, you have personal data that also includes personal data of others. Think of a photo that’s uploaded on social media. So how do we deal with that situation? That should also be one of the points to consider when thinking of rules around portability. Yeah. So this would be some of the high-level comments for legislators to take into account.
Svetlana Gans: Great. Thanks. Liad?
Liad Wagman: I just have a little to add here. I think the implementation here is crucial, as was kind of suggested by Gabriela and Peter. And specifically how can the implementation of data portability be used to improve dataflows and reduce consumer switching costs, whether it be by the standard of data ported or some other considerations? And the implementation needs to be intended to also foster new innovations, to create businesses and jobs while maintaining the security of data perhaps by standards for encryption.
I would also add that the GDPR has resulted in what Gabriela described as asymmetric effects. We see the larger platforms in the U.S. offering data portability. Some may apply the same standards as under GDPR to consumers elsewhere. And on the other hand, smaller players — smaller firms in the U.S. may withdraw from the EU market completely and not offer data portability or other features of GDPR. Maybe CCPA partially is changing that as far as portability is concerned. But this asymmetry is not necessarily an efficient outcome. And that’s something that a regulation could address.
Peter Swire: Could I just make a follow up on the asymmetry? So if you think of there being the large platforms that have, as have been described here — large platforms have put portability into effect relatively thoroughly. Smaller companies less so. Some of the U.S. proposed legislation would only apply to the large platforms. And some of the regulators in the EU have said they actually favor asymmetries where the big platforms would have to be portable out, but the small companies would not have to be portable.
And they justified that on the idea that, if you really focused on antitrust problems on the data getting caught in a relatively small number of big platforms, that there can be a rationale for antitrust reasons in putting the burden on the big platforms but not having the same requirements on smaller players. So that’s been explicitly considered in both the U.S. and EU. It might seem unfair to the big platforms, or it might seem like a sensible way to address antitrust concerns that people have.
Liad Wagman: I would add to that that, on the consumer side, if I’m a consumer and I’m going to invest in effort in supplying my data to a smaller player from which I may not be able to port my data if I’m dissatisfied with the service, that could be a concern for adoption. And it might lead to a voluntary implementation of data portability by smaller players in order to address this asymmetry.
Peter Swire: That would be a decision by the smaller player of the cost of building a system versus the advantages to the company of promising portability to consumers. And they’d have the usual kind of engineering and business ways to try to decide whether it was worth building that feature.
Liad Wagman: That’s right.
Svetlana Gans: All right. Colton, I want to turn it over to you to see if we have any audience questions.
Colton Graub: We do. We have one audience question. We will go to them now.
Caller 1: Good afternoon. Really appreciate this teleforum. I feel like I’m very much catching up with something that’s already gotten quite a ways down the pike. So I don’t know if there are any good treatises any of you could recommend for a relative neophyte.
But just moving to kind of the philosophical/conceptual level about this, so data, to paraphrase one of my favorite authors — data is things — data are things. Data is a thing, but it’s a thing about other things. And unlike a physical race, it doesn’t have — it can’t — it’s hard to identify ownership and possession exclusively, like physical things. It seems more analogous to intellectual property, and I’m wondering if maybe the tools of IP are a better regulatory regime to apply because information about me doesn’t necessarily make it mine. It doesn’t necessarily mandate that I have rights over it.
And I’m just sort of thinking of some potential reductio ad absurdums, so what if a company is anticipating litigation, and they put a litigation hold on a bunch of information, which includes data about me? But at the same time, they’ve been directed to port it or destroy it or something like that based on my request or the request of some other government agency or something like that? If a company can be mandated to move my data and in a sense forget it by deleting the records associated with it, can we do the same thing with people?
Can we make someone forget something, a human being? I don’t know if there are any — to what extent the pre-information technology era has been drawn up on to try to resolve some of these issues. But it just seems like a fraught area where we’re rushing into regulation without having fully thought through all the implications.
Peter Swire: I could take a try — oh, go ahead, Gabriela.
Gabriela Zanfir-Fortuna: Thank you. Thank you, Peter. And just very quickly to point out that this has been soundly part of the conversation for a long time in the European Union and in Europe generally. And by this, I mean the nature of the right people have over their data. And the consensus in Europe is that there’s no property right over one’s data.
However, all of this right that I was talking about — the right of the data subjects — allows the individual to be at least a bit in control over how their data are collected and used and shared with others. And to be clear, portability does not actually entail that once the data is ported to another platform it necessarily is erased from the first platform or organization. So it might actually happen that there is an individual that wants to try out new services. So then they just port a copy of their data to this other new services while actually continuing to use both of them.
So absolutely this is a conversation we should have at a philosophical level. But the way Europe is solving this problem is by stating from the outset that we are not talking about property rights and personal data — an absolute right in personal data in individuals — but about rights that allow individuals to have control over how their data are shared, used, collected, and to have some limits over that — sort of being an expression of the free will of the individual. Peter?
Peter Swire: I can also — there was quite an extensive symposium in the Stanford Law Review back in 2000, so 20 years ago, specifically on the relationship of intellectual property law and privacy law. And most of the academics ended up thinking that they were pretty different realms. In IP law, in intellectual property a lot of the emphasis is on creating innovation, and so you want to encourage the selling of rights to a place that will give the highest and best use and maximize economic value from the innovation. But we don’t usually think in privacy that maximizing the selling of your health data, maximizing the selling of your banking data, of your personal secrets is really the goal.
And so that feeds into what Gabriela was saying about the European analysis about rights to your personal data. Within the U.S., even if you don’t take it as a fundamental right, the goal of maximizing the exchange is not usually what we think of when we think of our personal data, our family secrets, our diaries, our photos and things like that. So the IP example doesn’t hold up, I think, as well as it might seem to when you start down the path.
Liad Wagman: I would just say that from the economics perspective there’s a paper that dates to 1996 on markets and privacy by Kenneth Laudon that looked at essentially establishing a market where consumers could trade their data, could sell their data as if they had the property rights to it, and they could be compensated by firms for their data as just any product that’s traded in the market. So this idea for assigning property rights has been around for a while — assigning it to data. There are more recent works that try to explore the potential dynamics of data ownership and work from just this last year that shows that this type of market may not work because of various externalities in this market where data about other users could be used to infer information about a user. And this could reduce the value of the user’s data to essentially zero, and, in effect, prices of all users’ data would go down to zero. So this market would not function properly. I think this just adds an economic dimension to the IP discussion.
Svetlana Gans: Great. Thank you. Colton, any other questions from the audience?
Colton Graub: We don’t.
Svetlana Gans: Alrighty.
Colton Graub: Seeing none, Svetlana.
Svetlana Gans: Okay. Alrighty. So we have just a few moments left, so I thought each of our panelists can kind of summarize with key takeaways on data portability. What should we be doing next in our discussion on U.S. policy regarding data portability going forward? If everyone could just take one moment to give their kind of closing thoughts, that’d be great. I’ll do Gabriela, Peter, and then Liad.
Gabriela Zanfir-Fortuna: My closing thought is that data portability is not going away, as I was mentioning. It’s already happening in practice actually in the U.S., as well, as a consequence either of the CCPA directly or as a consequence of how companies are applying GDPR rules without discrimination among Americans and Europeans. So I think it would be advisable — it would be thoughtful to have American based rules around this that take into account the values of the U.S. and the cultural differences that exist between this regime. So definitely a focus on portability would be advisable.
Peter Swire: What I’d say — this is Peter. I’ve worked on these issues for a long time, and they’re super important issues in a data society because when do you open data flows or close data flows is a very fundamental question. I’ve written this long report that’s available on Social Science Research Network. If you put in Peter Swire and portability and facts assessment, you’d find it.
Also, with my partner at Alston & Bird, John Snyder, we have an article coming out soon, “The CPI Antitrust Chronicle,” about how to integrate portability analysis in the antitrust law. And that addresses this issue of antitrust is its own domain, but when and how do you let privacy harms or cybersecurity harms or other legal things? So in this next article we’re trying to explore the right way to think about antitrust law when it hits some of these portability issues. Thanks.
Liad Wagman: I would just conclude by saying that data portability, interoperability, and data sharing and other required transfers have very different economic implications. As far as data portability is concerned, I would say that implementation is key. So any policy in this space needs to carefully consider implementation.
For the data sharing, it’s quite different. Mandated data sharing, at least in the European Union, as it’s reportedly considered right now seems to me, at least, to be partially used to address existing distortions such as entrenching dominance that were introduced by GDPR. Data sharing introduces a slew of economic considerations regarding incentives, firm incentives, structured versus unstructured data, standard formation, etc., that all must be considered — carefully considered before we think of a direction.
Svetlana Gans: Great. Thank you all very much. We will continue this discussion on mandated data sharing from the antitrust perspective on Thursday at 1:00 p.m. I hope you all can join us. I wanted to thank all the panelists, RTP, and you, the audience, for joining us today. With that, I’ll turn it back over to Colton.
Colton Graub: Thank you all. We echo Svetlana’s remarks. Peter, Liad, and Gabriela, we are very grateful for you, for your time today, and to our live audience for joining us. We welcome listener feedback by email at firstname.lastname@example.org. Thank you for joining us. This concludes today’s call.
Elizabeth and Thomas Holder Chair and Professor of Law and Ethics
Scheller College of Business, Georgia Institute of Technology
Professor of Economics
Stuart School of Business, Illinois Institute of Technology
Future of Privacy Forum
Vice President & Associate General Counsel
Data Portability Mandates, Consumer Privacy Protections, and Competition Law