On November 6-8, 2018, the U.S. Federal Trade Commission (“FTC”) hosted a public hearing on “Privacy, Big Data, and Competition.”  The event was part of a series of public hearings on Competition and Consumer Protection in the 21st Century, modeled after the agency’s 1995 “Pitofsky Hearings.”  The series solicits input from a wide variety of private and public sector stakeholders and academics to inform and guide the FTC’s regulatory and enforcement efforts in light of broad economic changes, evolving business practices, new technologies, and international developments.

While prior hearings in the series have focused on antitrust law, this hearing marked a shift toward cybersecurity and privacy regulation.  (Future hearings will focus on data security and consumer privacy.)  The panels focused on a wide range of issues on the future of regulating big data via consumer protection and antitrust regimes from both a domestic and international perspective.

  • Simon McDougall, the Executive Director of Technology Policy and Innovation at the Information Commissioner’s Office (ICO) of the United Kingdom, and Rainer Wessely, a member of the European Union Delegation to the United States, discussed the impact on competition and innovation of the European General Data Protection Regulation (GDPR), the E.U.’s seminal privacy legislation that took effect in May 2018. McDougall posited that the GDPR includes mechanisms for enhancing competition, such as privacy-related codes of conduct that trade associations can create in partnership with E.U. data protection authorities.  Wessely similarly suggested that the GDPR has generated opportunities for companies to review how they collect and use data.  Wessely further opined that the law provided room for innovative growth by increasing consumer trust in how data is handled and reducing entry barriers through data portability requirements.
  • Maureen Ohlhausen, former Commissioner and former Acting Chair of the FTC, and Julie Brill, former FTC Commissioner and current Corporate Vice President and Deputy General Counsel for Global Privacy and Regulatory Affairs at Microsoft, discussed the use of antitrust regimes to tackle consumer privacy concerns and big data companies’ increased efforts to compete on privacy and trust. Ohlhausen acknowledged that consumer data may at times be relevant to antitrust analysis, but argued that “[c]ompetition law offers at best a convoluted and indirect approach to addressing privacy concerns in connection with big data.”  In particular, Ohlhausen cautioned that enforcing consumer privacy concerns solely through antitrust law — for example, in the context of a merger or acquisition but not in circumstances where a company acquires large quantities of data piecemeal over time — could lead to asymmetric and incomplete privacy protections.  The more direct route to address consumer privacy concerns associated with big data, Ohlhausen opined, is through consumer protection laws.  Brill, on the other hand, asserted that existing antitrust tools are sufficient to address concerns associated with big data.  She instead urged regulators to think “creatively” about available remedies, including blocking a merger if necessary and utilizing data portability to facilitate competition.
  • Academics from the Universities of Virginia, Chicago, and Toronto addressed the interplay between protecting privacy and promoting competition and innovation. Avi Goldfarb, Professor of Marketing at the University of Toronto Rotman School of Management, warned that privacy regulations may have unintended consequences, such as boosting incumbents who have built sufficient trust with consumers to maintain access to their data even under a regulatory regime.  To deal with these kinds of uncertainties, Amalia Miller, Professor of Economics at the University of Virginia, advocated for small-scale experimentation coupled with a willingness to revise privacy regulations as more is learned about their costs and benefits.  Acknowledging the difficulty of measuring the costs of privacy violations, Lior Strahilevitz, Professor of Law at the University of Chicago Law School, proposed that regulators like the FTC should prioritize areas where consumers have faced difficulties in protecting privacy through other mechanisms such as the judicial process.  For example, while an individual plaintiff may struggle to prove in court that a large-scale data breach caused the theft of her identity, Strahilevitz noted that the FTC may sidestep such tricky legal questions by bringing an enforcement action on behalf of consumers in the aggregate.
  • Alexander Okuliar, former Attorney Advisor to Ohlhausen, proposed a framework for determining whether to address big data and privacy through antitrust or consumer protection laws. Okuliar suggested first considering the character of the harm — broad effects on consumer welfare and economic efficiency are typically dealt with through antitrust enforcement, while individual harms may be better treated under consumer protection laws.  Second, consider the source of the harm — consumer protection laws may be best situated to deal with harm when it arises from the terms of a bargain between a company and consumers.  Finally, consider which laws are more likely to provide an effective remedy.  Using the antitrust laws to block a merger of two companies possessing complementary big data, for example, may be unlikely to effectively mitigate harm if the companies could nonetheless combine their data by contract even if the merger is blocked.
  • Last, Dennis Hirsch, Professor of Law at The Ohio State University Moritz College of Law, discussed research findings suggesting that companies engaged in big data analytics are looking beyond privacy toward broader “data ethics,” which considers additional risks to individuals and companies from data use, such as bias, procedural unfairness, and exploitation. According to Hirsch, companies have started evaluating data ethics to reduce regulatory risk and as a nexus of competition between companies for employees with similar ethical values.  Companies may also use data ethics as an avenue to improve their reputations with customers (who value ethical data use), regulators (who may be more lenient towards companies with ethical data practices), and business partners (who face liability from third-parties with questionable data use practices).  Hirsch encouraged the FTC to facilitate the implementation of data ethics programs by collecting and sharing best practices and recognizing companies with effective programs.