Data Regulation: Understanding The Present To Regulate The Future

What does existing data regulation tell us about data regulation in tech industries? Basically, that shortcuts do not exist. Data is not a commodity. The strategic value of a specific piece of data differs from one industry to another, varies over time, and depends on the level of aggregation and on the combination with other data. This implies that data regulation is necessarily a case-by-case exercise and requires specific solutions to well-defined specific problems. The current EU proposals for data regulation (the European Data Strategy and the Digital Markets Act) ignore this fact and attempt to regulate data through generic principles. A more flexible evidence-based approach to data regulation is likely to be more workable and effective in solving potential market failures in data intensive industries.

By Juan Delgado¹

I. OPEN BANKING: DATA REGULATION AT WORK

Three years after its adoption, the UK competition agency – the CMA – has recently proposed to update the UK’s Open Banking regulation.² Open Banking – broadly speaking – enables consumers and small and medium-sized enterprises (“SMEs”) to share their bank and credit card transaction data securely with trusted third parties,³ through common and open standards. Although the concept of Open Banking was born in the context of retail banking, it is currently evolving as an instrument to drive competition in payments and the broader financial sector. Open Banking regulations are in place in the UK (since 2018), Australia (since 2020), and the European Union (after the adoption of the second Payment Services Directive, known as “PS2”).⁴

Open Banking shares a number of features with data regulation in tech industries. Incumbents’ data ownership constitutes a barrier to competition in retail banking. Open Banking initially aimed to promote competition in retail banking by mandating data-sharing and has recently evolved as an instrument to foster competition and innovation in the payments and fintech sector. Likewise, in the case of retail banking, data constitutes an important source of market power in many other tech markets (advertising, retail trade, health, insurance, etc.). The regulatory principles governing data in tech industries should in principle respond to the same motivation and structure as data regulation in other data intensive industries.

If we look closely into Open Banking, we can identify different relevant elements of the regulatory process: the detection of a market failure, the design of a regulatory instrument to address the market failure and the potential conflict of the regulatory instrument with privacy and data protection regulation.

First of all, the regulator had detected a market failure following a market investigation into retail banking:⁵ bank customers faced high switching costs that prevented them from changing banks. As a consequence, competition between retail banks was limited.

Those switching costs were related to the fact that the receiving banks did not have sufficient information about the new clients (e.g. income history, credit records, payments record…) and therefore the new clients could not benefit from banking products, prices and benefits adapted to their characteristics. Switching banks implied resetting your financial history and, thus, it was not an option for “good” customers. Switching costs reduced competition in retail banking.

Second, on the choice of regulatory instruments, the regulator concluded that competition law was not a well-suited instrument to remove the existing obstacles to competition. Thus, the regulator opted for a specific ex-ante regulatory instrument. The new instrument established the command of sharing clients’ bank and credit card transaction data so receiving banks could rely on the new clients’ banking history to design and price the products offered to them.

Data-sharing obligations reduces switching costs and promotes customer switching and competition. The target of the regulation were the nine largest current account providers in the UK. The regulator considered that limiting the obligation to the largest banks was a proportionate measure that would suffice to remove the barriers to competition identified. Open Banking regulation was implemented by the Open Banking Implementation Entity (“OBIE”), which was paid by the target banks. Compliance and evaluation were entrusted to the CMA.

Finally, the regulator faced the problem of how to promote competition without compromising privacy and data protection. The Open Banking regulation thus included a number of safeguards in order to achieve its aims while preserving privacy and data protection, such as:

1. Open Banking requires the individual consent of bank customers through an opt-in system. In 2021, more than 3 million UK bank customers have given their consent. Bank customers hold the property rights over their data and should grant their explicit consent to participate in the scheme.
2. Open Banking specifies the type and format of the data exchanged, providing direct access to financial data down to the level of transaction-account transactions.
3. Open Banking guarantees that the exchange of data occurs in a secure and trusted environment.
4. The ecosystem is only open to authorized financial service providers (around 330 service providers in 2021) and the use of the data is restricted to the provision of authorized financial services.

In summary, Open Banking provides an example of the complexity of effective data regulation. Data regulation requires identifying and delimiting the underlying market failures it aims to solve, incorporating the characteristics of the industry and the role of data in the competition dynamics into the remedy design and taking into account the privacy and data protection concerns derived from data use and regulation. In particular, in the case of Open Banking:

1. The underlying market failure, i.e. the lack of competition, is properly identified and delimited, and a proportionate remedy is specifically designed to solve such market failure.
2. The design of the remedy is limited to the sharing of certain data which is essential to compete and foster innovation: receiving financial entities needed information on new clients’ bank and credit card transaction data to be able to develop new and innovative products and to compete with incumbent banks on a level playing field. The remedy specifies in detail the type and format of the data exchanged, which is limited to the data necessary to address the market failure, and who the target of regulation is (i.e. the nine largest banks). A specific implementation entity is designated to enforce the regulation and the competition authority is entrusted with monitoring its effectiveness.
3. The remedy incorporates privacy and data protection safeguards, recognizing the sensitive nature of the data exchanged. The safeguards mainly concern the customers’ consent for the use of their data and the requirement that data can only be used by “trusted” third parties, limiting the scope of the use of the data exchanged.

II. WHAT DOES EXISTING DATA REGULATION TELL US ABOUT DATA REGULATION IN TECH INDUSTRIES?

The Open Banking experience provides a number of insights about data regulation in tech industries.

First, data regulation should have a purpose and such purpose should be normally linked to one or several market failures that justify imposing such regulation. In the case of data, there are three main data-related market failures: innovation externalities, market power and lack of competition and data privacy concerns.⁶

Tech products, such as fintech, online advertising, online retail trade, online entertainment, health, and insurance services, are data-intensive. The extensive use of big data is essential to compete and to innovate through new products better suited to meet customers’ needs. For example, credit data allows financial institutions and fintechs to offer personalized financial products to their customers and health data can help the health industry to better diagnose health issues and adopt effective treatments. Proprietary data might limit the societal benefits of data. Mandating data sharing may allow the full exploitation of positive data externalities, fostering innovation.

Simultaneously, data plays a very relevant role in the dynamics of competition in data intensive industries. Data might confer firms a competitive advantage and create barriers to entry that can be insurmountable to new entrants, which either do not have a sufficiently large customer base or have not been long enough in the market to gather the necessary amount of data to compete on equal grounds. For example, data on consumer characteristics and behavior is essential for personalized ads and the lack of it can constitute a barrier to entry in the ad industry. Data can thus create market power. Data sharing may help to dismantle obstacles to market entry and unlock competition.

Data sharing also has drawbacks: the storage and sharing of unlawful personal data and the abuse or unauthorized disclosure of such data may cause harm to consumers. Thus, whenever personal data is gathered or exchanged, regulation should guarantee the protection of privacy and personal data.

Second, data regulatory design should serve the identified purpose. There is however no general recipe for this. The diversity of products, industries and business models framed within the so-called tech industry makes that a single remedy does not fit all circumstances. For example, an obligation to share bank and credit card transaction data will not foster competition and innovation in the video streaming industry.

Data is not a commodity. The strategic value of a specific piece of data differs from one industry to another, varies over time (instantaneous versus historical data), and depends on the level of aggregation and on the combination with other data. Data is not a “uniform, generic and static raw material.”⁷ This variability on several dimensions makes it complex to design generic data regulation and calls for a case-by-case analysis. As concluded by Crémer et al in their report on digital markets for the European Commission, “the significance of data and data access for competition will always depend on an analysis of the specificities of a given market, the type of data, and data usage in a given case.”^8]

In the case of the tech industry, there are several dimensions that determine the role of data in competition and innovation. The nature of the data with strategic value varies from industry to industry. The same data will not be equally valuable to online retail traders than to online insurance providers. The same data will affect differently to the competition and innovation dynamics in different industries. This implies that, for example, a data-sharing obligation would have to identify for each industry which type of data substantially affects competition and innovation and how sharing such data can foster competition and innovation. For example, the recent acquisition of the digital wearable devises manufacturer Fitbit by Google, approved by the European Commission on December 20, 2020,⁹ generated a heated debate on the effects of the combination of the data gathered by both companies on competition and innovation.¹⁰ Google and Fitbit gathered different type of data that was relevant in their respective markets. One of the main questions during the analysis of the operation was whether the combination of the data gathered by both companies could have market foreclosing effects and a negative impact on innovation.

But even within the same industry, data might be a strategic input for some competitors and not so for others, depending on their business models. For example, ad-sponsored business models rely substantially on big data. In the pre-Android decision market for mobile operating systems, Google’s Android used to be an ad-sponsored business while Apple’s IOS was sold integrated within Apple’s hardware.¹¹ That implied that users’ data was essential for Android’s business model while not so relevant for Apple’s. Data sharing obligations can affect in an asymmetric way to competitors in the same market.

Finally, several market failures may coexist in data intensive industries. In particular, it is frequent that privacy and data protection concerns coexist with innovation externalities and market power. This implies that, as in the case of Open Banking, regulation should provide safeguards to preserve privacy and data protection. Data-sharing obligations might entail privacy risks that must be internalized within the regulatory instrument design. Addressing separately competition and innovation market failures and data protection and privacy concerns may result in suboptimal regulation.

III. THE EU PROPOSED STRATEGY FOR DATA REGULATION

The EU (proposed) data regulation broad strategy is structured around the three above mentioned market failures:

1. The so-called European Data Strategy, recently announced by the European Commission, deals with the innovation externalities of data-sharing.¹² The strategy proposes, amongst other measures, a “cross-sectoral governance framework for data access and use” and “common European data spaces in strategic sectors and domains of public interest” through pooling European data in key sectors, with EU-wide common and interoperable data spaces.
2. The proposed Digital Markets Act (“DMA”) deals with market power (derived, amongst others, from the accumulation of data) and its effects on competition and innovation. The DMA proposes a number of generic obligations for the so-called “gatekeepers” (vaguely defined as “providers of a core platform service”), which constitute the main target of the regulation.¹³
3. The EU General Data Protection Regulation (“GDPR”), that entered into force in 2018, deals with privacy and data protection. The GDPR is a far-reaching regulatory instrument that imposes obligations on privacy and data protection onto organizations anywhere, so long as they target or collect data related to people in the EU. The GDPR is a complex piece of regulation which enforcement has been progressively more effective but slow.¹⁴

The European Strategy for Data has not yet been adopted. It proposes a regulation on data governance that aims to increase trust in data sharing, strengthen mechanisms to increase data availability and overcome technical obstacles to the reuse of data. It also anticipates the creation of a “single market for data” where data can flow within the EU and across sectors, subject to privacy and data protection, and to competition law. The regulation establishes a general framework for data sharing but, since such framework is constrained by privacy and data protection, and by competition law, its implementation will require a case-by-case analysis to guarantee compliance with EU law.

The DMA is currently under discussion. The DMA is presented as an ex-ante regulatory tool to deal with market power of large technology companies, complementing the enforcement of EU competition law. The DMA designates the target of the regulation according to arbitrary quantitative criteria (annual EEA turnover above €6.5 billion in the last three years, average market capitalization above €65 billion in the last year, active in at least three Member States, over 45 million monthly active end users in the European Union, and over 10,000 yearly active business users in the last year) that seem to refer to the big tech players and a few other firms.

Without having delimited the nature and scope of the market failures it aims to address, the DMA proposes a list of generic obligations for all gatekeepers (that include requiring gatekeepers to “refrain from combining personal data sourced from these core platform services with personal data from any other services offered by the gatekeeper or with personal data from third-party services, and from signing in end users to other services of the gatekeeper in order to combine personal data”) and a second list of obligations susceptible of being imposed on digital gatekeepers under certain (undefined) circumstances (which refer to general obligations to provide data portability and data access and interoperability). The design of such obligations is vague and not linked to specific industry characteristics or business models, which makes them not fully operational and difficult to implement.

Both the European Data Strategy and the DMA constitute generic declarations of principles that would probably need to be further developed in order to be operational and effective. Given the diverse nature of data and the diverse role of data in the dynamics of competition and innovation across different industries and business models, general principles might be useful to guarantee a coherent approach to data regulation but risk not being fully implementable in practice. Landing the principles on specific cases would probably require hundreds of data- and sector-specific regulations and/or detailed investigations under a vague regulatory framework.

Adding that the enforcement of the European Data Strategy and the DMA must be compliant with the GDPR makes the need for more concrete and clearer implementation guidelines even more pressing.

IV. CONCLUDING REMARKS

Open Banking shows that data sharing regulation needs to be carefully designed in order to be workable and effective. Open Banking shows how the solution to a “small” competition problem in a financial submarket requires a carefully designed regulatory instrument that mandates the sharing of specific competition-relevant data, specifies the conditions under which such data should be shared and establishes the appropriate provisions to comply with privacy and data protection regulation.

Addressing data-related market failures requires a deep evidence-based analysis of the market failures and the implementation of remedies specifically designed to solve such failures. Generic remedies might be useful to guarantee a coherent economy-wide approach to data regulation but risk not being fully workable in practice.

Both the European Data Strategy and the DMA might be useful to provide a general framework for regulating data in the EU but, in the absence of detailed operational instruments, they might end up being ineffective.

Concrete instruments such as market investigations and regulatory sandboxes, that enable a direct testing environment for innovative products and are widely used in financial markets, could constitute useful instruments in tech markets to make sure that data regulation promotes competition, fosters innovation, and ultimately works in favor of consumers.

1 Director, Global Economics Group (Madrid).

2 See https://www.gov.uk/government/publications/update-governance-of-open-banking/update-on-open-banking, and https://www.openbanking.org.uk/what-is-open-banking/. For more information on the UK Open Banking see https://assets.publishing.service.gov.uk/media/5893063bed915d06e1000000/retail-banking-market-investigation-order-2017.pdf https://assets.publishing.service.gov.uk/media/5893063bed915d06e1000000/retail-banking-market-investigation-order-2017.pdf and check the Open Banking webpage at https://www.openbanking.org.uk/.

3 Open Banking also enables consumers and SMEs to initiate payments directly from their payment accounts to the bank account of their payee, without the use of cards.

4 See https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32015L2366&from=EN.

5See CMA’s Retail Banking Market Investigation Order (2017).

6 For a list of market failures and harms in online markets, see OFCOM (2019), “Online market failures and harms, An economic perspective on the challenges and opportunities in regulating online services” available at https://www.ofcom.org.uk/__data/assets/pdf_file/0025/174634/online-market-failures-and-harms.pdf. 

7 For a discussion, see Sofia Olhede & Russell Rodrigues (2017): Why data is not a commodity. Significance. Volume14, Issue5, October 2017, Pages 10-11. Available at https://rss.onlinelibrary.wiley.com/doi/full/10.1111/j.1740-9713.2017.01068.

8 Crémer, J., de Montjoye, Y. A. & Schweitzer, H. (2019) Competition Policy for the Digital Era. Report commissioned by the European Commission, Luxembourg, 2019. See https://ec.europa.eu/competition/publications/reports/kd0419345enn.pdf.

9 See https://ec.europa.eu/commission/presscorner/detail/en/ip_20_2484.

10 See, for example, Bria, F., C. Caffarra, G. Crawford, W. Christl, T. Duso, J. Ryan & T. Valletti (2020), “Europe must not rush Google-Fitbit deal,” Politico, July 2, 2020 (https://www.politico.eu/article/europe-must-not-rush-google-fitbit-deal-data-privacy/); and the reply by P. Régibeau, “Why I agree with the Google-Fitbit decision,” VoxEU.org, March 13, 2021 (https://voxeu.org/article/why-i-agree-google-fitbit-decision).

11 Walt Mossberg, “How to Understand the Google-Apple Smartphone War,” VOX.com, Dec. 11. 2014. https://www.vox.com/2014/12/11/11633720/how-to-understand-the-google-apple-smartphone-war.

12 See https://ec.europa.eu/info/strategy/priorities-2019-2024/europe-fit-digital-age/european-data-strategy.

13 See https://ec.europa.eu/info/sites/default/files/proposal-regulation-single-market-digital-services-digital-services-act_en.pdf.

14 See https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en.