Data portability is attracting attention, especially due to recent portability laws in Europe and California, and the hope that it can reduce the market power of digital platforms. This article discusses the potential pro-competitive and other benefits of new data portability requirements, including for lock-in effects, network effects, and barriers to entry. There are significant risks and costs from mandating portability, including privacy and cybersecurity risks if individuals’ personal data is not carefully protected. The discussion applies the framework of the Portability and Other Required Transfers Impact Assessment (“PORT-IA”) to antitrust law. The PORT-IA provides a structured set of relevant questions, to assist legislators, regulators, enforcement officials, and others to evaluate whether proposed mandatory data sharing is likely to be net beneficial. The article concludes with analysis of how the PORT-IA may appropriately be included in merger review, enforcement discretion, fashioning of remedies and other aspects of antitrust law.

By Peter Swire & John Snyder1

 

I. INTRODUCTION

This edition of the CPI Antitrust Chronicle reflects growing public attention to the issue of data portability.

Three key trends contribute to this new attention: (1) an individual right to data portability has recently come into effect in Europe and California, with federal legislation an increasing possibility; (2) there are intense public debates about whether and how to bring antitrust enforcement actions against prominent digital platforms such as Google and Facebook, with portability as an oft-mentioned possible remedy; and (3) beyond digital platforms, multiple sectors of the economy increasingly have data portability requirements.2

The Federal Trade Commission (“FTC”) in September hosted a daylong workshop on the topic.3 In announcing that workshop, the FTC noted that data portability may “promote competition by allowing new entrants to access data they otherwise would not have, enabling the growth of competing platforms and services.”4 In so doing, the FTC echoed the reasoning of numerous other leading observers.5

This article discusses the potential pro-competitive and other benefits of new data portability requirements, including potentially addressing lock-in effects, reducing network effects, and lowering barriers to entry. At the same time, we note that there are significant risks and costs from mandating portability, including privacy and cybersecurity risks if individuals’ personal data is not carefully protected. Importantly, mandated data sharing also has the potential to diminish incentives to innovate and potentially can lock-in advantages for incumbents.

The discussion follows the framework of the Portability and Other Required Transfers Impact Assessment (“PORT-IA”), as proposed in Swire’s report. The PORT-IA is agnostic about whether a portability initiative, on balance, has net benefits or costs; instead, the proposal provides a structured set of relevant questions, to assist legislators, regulators, enforcement officials, and others to evaluate whether proposed mandatory data sharing is likely to be net beneficial.

This article concludes with analysis of how the PORT-IA, with its attention to multiple goals including promoting competition, may appropriately be included in merger review, enforcement discretion, fashioning of remedies and other aspects of antitrust law.

 

II. PORT IMPACT ASSESSMENT: A TOOL TO FACILITATE INFORMED LEGISLATING AND DECISION-MAKING

The PORT-IA offers a set of structured questions, based on case studies of historical mandates in a range of industries, that draw out the facts that legislators, regulators and enforcers can rely on to make informed policy and enforcement decisions.

Structured Questions for the PORT-IA: Top-level Questions

Q1: Define the challenge or opportunity that leads to a possible data portability or other required transfer (“PORT”) Data PORTability Benefits:

Q2: Assess PORT rationales based on competition

Q3: Assess innovation and other commercial benefits due to the PORT

Q4: Assess non-commercial benefits due to the PORT

Q5: Assess regulatory or legal benefits of the initiative

Q6: Assess any reduced benefits due to lack of technical or market feasibility

Q7: Assess incentives for those presenting evidence of benefits

Data PORTability Risks and Costs:

Q8: Assess privacy risks from the PORT

Q9: Assess security risks from the PORT

Q10: Assess risks from the PORT that may arise for either security or privacy

Q11: Assess risks to competition from the PORT

Q12: Assess regulatory or legal risks of the initiative

Q13: Assess any other significant costs or risks from the PORT, including obstacles to adoption

Q14: Assess incentives for those presenting evidence of risks or cost

As a matter of terminology, the word “portability” has become a term of art, under the E.U. General Data Protection Regulation, for transfers of an individual’s data. We use “other required transfers” for mandated transfers of two more people – these transfers are sometimes described by the vague term “data sharing” in the antitrust literature. “PORT” is a general term for Portability and Other Required Transfers. Figure 1 shows the top-level questions in the PORT-IA – there are also more detailed questions in each portion. The PORT-IA begins by requiring a clear description of the proposed data flows at issue. What is the data, where is it originating, what is the destination, and what obligations are being imposed? When the topic is portability, no accurate analysis can be conducted without a data map and understanding of the law or other constraints that may affect the data transferred. It is equally critical to outline the public policy goals that a data PORTability regime is designed to achieve because implementing any data PORTability regime is likely to require tradeoffs between competing public policy goals.

A. Identifying the Likely Pro-Competitive Benefits

The PORT-IA next examines the procompetitive benefits of the proposed PORT from a range of perspectives.6 Based on learnings from historical case studies of portability initiatives in a range of industries, the PORT-IA asks whether a required PORT initiative would 1) eliminate lock-in, 2) reduce network effects, 3) lower barriers to entry or repositioning, or 4) otherwise enhance competition in effected markets. The potential for data PORTability to achieve these pro-competitive benefits will differ by industry and depending on the specifics of the proposed obligation.

The PORT-IA first asks whether a data PORTability initiative has the potential to enhance competition by reducing lock-in effects. As used in the PORT-IA, lock-in is related to — but distinct from — network effects. Lock-in doesn’t necessarily depend on a firm having a high market share or other indicia of market power; instead it may reflect practical or technological barriers to switching behavior. For example, absent a legal obligation to facilitate number portability, even a very small mobile carrier with no meaningful market power could lock-in its customers and discourage switching to competing carriers. The extent to which a data PORTability initiative will reduce lock-in effects will turn on the nature of the initiative and the industry to which it will apply.

PORT-IA next enquires into the potential of data PORTability to reduce or eliminate network effects. Network effects can be direct or indirect. Direct network effects occur where the value of a service increases as the number of users of that service increase. For example, the value of a telephone or social network to a user increases as the number of other users on the network grows. More recently, some have observed that direct network effects can create and enhance the market power of digital platforms.7 Enforcement officials have noted that where network effects are significant, tipping can occur, resulting in a “winner take all,” or “winner take most” outcome.8 However, other observers have argued that these direct network effects may be overblown, or that they don’t always constitute a significant barrier to entry. They point to the speed at which Facebook displaced MySpace as the leading social network, as well as the ability of competing platforms, like LinkedIn and Twitter, to thrive, due in part to multi-homing behavior.9

Where applicable, the PORT-IA also requires an assessment of the potential impact on indirect network effects. Indirect network effects are driven by complementary products or services, which work together to increase the value of a network. Indirect network effects are often identified in connection with two-sided platforms, where the value of the platform to one group of participants depends on how many members of a different group participate.10 Where data PORTability can reduce indirect network effects it can facilitate entry in adjacent markets and prevent a firm from extending dominance into related products and services.

As the FTC, the Antitrust Division of the Department of Justice (“DOJ”) and Congress all wrestle with antitrust concerns about leading digital platforms, observers have noted that data PORTability has significant potential to eliminate lock-in and erode barriers to entry. Most notably, in September 2019, the influential Stigler Committee on Digital Platforms identified data interoperability as its top solution to remedy the market power of digital platforms and restore competition. In so doing, it pointed to data PORTability’s proven potential to reduce network effects:

A major cause of this lack of competition is the presence of very sizable network externalities: that is, I want to be on the social media where my friends are. Network externalities as a potential barrier to entry are not a new phenomenon: It plagued the early phone industry. To eliminate this problem, the United States forced interoperability among the various phone companies — AT&T is obliged to connect calls started by T-Mobile consumers. The same should be done with social media. Mandating not only an open but also a common Application Program Interface (“API”) would allow different messaging systems to connect to one another. In so doing, a common API guarantees interoperability and eliminates the network externalities that drive the winner-take-all nature of the social media market.11

Other policy makers, including top legislators, have advanced data PORTability as a critical tool to address consumer lock-in and reduce barriers to entry caused by network effects. Congressman David Cicilline (D-RI), Chair of the House Subcommittee on Antitrust, Commercial and Administrative Law has called for giving consumers more rights and greater control over their data, by using data PORTability to take down the “walled gardens that block start-ups and other competitors from entering the market through high switching costs.”12

Despite strong theoretical basis to expect these procompetitive benefits, reality may differ substantially in some circumstances. For example, Gabriel Nicholas and Michael Weinberg have cautioned that many of the pre-existing PORTability tools offered by major digital platforms have failed to live up to their theoretical promise.13 The PORT-IA, therefore, includes questions designed to reveal any practical and technical obstacles to adoption, so that the “gross” benefits (the benefits anticipated by proponents) are reduced to the “net” benefits (a realistic assessment of what is actually achievable).

B. Identifying the Likely Harms to Competition, Data Security and Data Privacy

Once the expected competitive benefits of a data PORTability initiative have been catalogued and evaluated, the PORT-IA turns to an equivalent analysis of likely harms. As Swire & Lagos noted in a 2013 article, the right to data portability can in some circumstances reduce incentives to innovate. It might also impose unreasonable and disproportionate compliance costs on small companies with no appreciable market power, thereby disadvantaging them relative to better capitalized competitors.14 Such potential harms to competition should not be ignored.

More generally, PORT-IA requires consideration of whether a proposed PORT would create privacy risks. Privacy risks can exist for the data subject (the person seeking portability), or third persons, such as when the data subject seeks to transfer a photograph or other personal data of another person. Privacy risks can also exist for data that is supposed to be de-identified or anonymized. In practice, greater transfers of data may increase the risk that a person can be re-identified.

For cybersecurity, a pervasive concern is authentication, how to determine that the person seeking to transfer data is authorized, rather than a hacker or other unauthorized person. Once authentication exists, it is important to transfer the data securely to the recipient, often through an encrypted Application Programming Interface (“API”). There can also be risks once the data is transferred to the receiving party, particularly where the data subject has not consented to onward transfers to additional parties.

 

III. HOW TO INCORPORATE THE PORT-IA INTO ANTITRUST LAW AND PRACTICE

A basic theoretical point of the PORT-IA is that the overall costs and benefits of a PORT initiative include both the effects on competition and effects on other significant legal and policy goals, such as privacy, cybersecurity, and user control of their information. These multiple categories or costs and benefits raise the issue of how antitrust law can and should take account of these other goals.

A. Use of the PORT-IA in Legislation, Regulation, and Company Product Choice

Multiple policy goals can and should be considered in enacting legislation – it is the province of the legislature to consider potentially conflicting goals such as competition, privacy, and cybersecurity. Hearings on proposed PORTability legislation could include witnesses able to shed light on these important topics so that lawmakers can craft laws that avoid mistakes that could harm consumer welfare.

PORTability legislation and proposals have increased in recent years. The General Data Protection Regulation in the EU, which went into effect in 2018, includes a Right to Data Portability, as does the California Consumer Privacy Act, which went into effect in 2020. In 2019, Senators Josh Hawley (R-MO), Mark R. Warner (D-VA) and Richard Blumenthal (D-CT) introduced S.2658, the Augmenting Compatibility and Competition by Enabling Service Switching (“ACCESS”) Act. At the time, Senator Blumenthal remarked that, “[a]s we learned in the Microsoft antitrust case, interoperability and portability are powerful tools to restrain anti-competitive behaviors and promote innovative new companies. The bipartisan ACCESS Act would empower consumers to finally stand up to Big Tech and move their data to services that respect their rights.”15 The ACCESS Act would impose obligations on income-generating, consumer-facing communications services with more than 100 million monthly active U.S. users, requiring them to enable users to safely download their own data or directly port it to a competing communications provider. In addition, as discussed in detail in the PORT-IA report, the leading proposals for comprehensive federal privacy legislation contain a Right to Data Portability, as do pending proposals in numerous states.16

For rulemaking, unless there is some limit created by the statute that authorizes regulation, it similarly is in the public interest to consider both competition and other regulatory goals. The structured questions can serve as a check-list to ensure that regulators appreciate competing considerations and work to impose and enforce regulations that minimize the tensions that can exist between competition, privacy and data security goals. For example, the U.S. Department of Health and Human Services issued a major rule in March 2020 on health care interoperability, which attempted to balance a range of competition, privacy, cybersecurity, and other issues.17

Similarly, the multiple goals evaluated in a PORT-IA can assist a business deciding whether and how to build PORTability into its services. For such a company, considering privacy and cybersecurity may be good for its customers or its bottom line. In addition, however, the company may be under legal requirements pertaining to privacy and cybersecurity. For instance, a company may be subject to a privacy or cybersecurity consent decrees with the FTC, or covered by comprehensive data protection laws in the European Union (“EU”) or elsewhere. Companies need to carefully evaluate whether enhancing PORTability would risk violation of these competing obligations.

B. PORT-IA Can Also be Used by Antitrust Enforcers to Make More Informed Enforcement Decisions and to Design More Effective Remedies

The use case for PORT-IA is more complex for law enforcement agencies. Enforcers like the FTC, which enforces both antitrust and consumer protection laws, arguably have broader leeway to balance competition, data security and data privacy considerations. But even dedicated competition enforcers, such as the Antitrust Division, can reach more informed decisions by considering the questions posed by the PORT-IA.

  1. PORT-IA Can Contribute to More Informed Enforcement Decisions

Most U.S. antitrust authorities appear unwilling generally to stretch the antitrust laws to target data privacy and data security breaches by major digital platforms. As FTC Commissioner Christine Wilson has argued, “[t]he antitrust laws are designed to address anticompetitive conduct; absent such conduct, they are not the right tool to protect the legitimate and important privacy rights and expectations of consumers.”18 And U.S. antitrust enforcers have historically declined to enforce the antitrust laws to protect consumer privacy rights.

But one doesn’t need to be a proponent of hipster antitrust to appreciate that data privacy and cybersecurity concerns can play a supporting role in antitrust enforcement decisions. Swire first wrote in 2007 that privacy can be a quality, non-price aspect of competition.19 FTC Commissioner Noah Phillips has acknowledged, “[p]rivacy is not necessarily irrelevant to antitrust law. If, in fact, firms are competing on privacy, then that is an aspect of competition at which we should look.”20 Assistant Attorney General Makan Delrahim has likewise indicated that “it would be a grave mistake to believe that privacy concerns can never play a role in antitrust analysis…. Like other features that make a service appealing to a particular consumer, privacy is an important dimension of quality…. As I have said before, these non-price dimensions of competition deserve our attention and renewed focus in the digital marketplace.”21

Moreover, there is an argument that data privacy and security considerations may be relevant to a traditional antitrust analysis of a business’s data portability and interoperability practices and policies. In monopolization cases, for example, a businesses’ bona fide interest in protecting data security and privacy might well bear on intent, and therefore serve as evidence that challenged conduct is not fairly characterized as exclusionary or anticompetitive.22 Relatedly, provided they are not pretextual, a company’s proffered concerns that more robust data PORTability functionality might expose its user’s data to security or privacy risks could also serve as a legitimate procompetitive justification for its practices, particularly if there are no less competitively restrictive means to avoid those concerns.23 Finally, in exercising prosecutorial discretion in close cases, enforcement agencies focused on consumer welfare arguably should not turn a blind eye to the real-world tensions that emerge as businesses work to balance competing considerations relating to competition, data security and data privacy.

  1. PORT-IA Can Allow Enforcers and Judges to Design Remedies that Avoid Unnecessary Harm to Data Security and Privacy

Enforcers can also benefit from conducting a PORT-IA in the event they are considering imposing data PORTability obligations as a remedy to an anticompetitive merger or practice. As the Director of the FTC’s Bureau of Competition explained recently, the FTC recognizes an obligation to consider data privacy and consumer protection concerns in fashioning data-related remedies for anticompetitive mergers and other conduct challenged by the agency:

Data’s competitive role and its portability is not just a question to be assessed in looking at the effects of a proposed transaction or practice. It is key to understanding what it is going to take to remedy the potential or actual competitive harms from those transactions and that conduct. Without understanding the role of data portability, we can’t fully assess the remedy necessary to address those competitive harms. And making more and more users data more accessible and held by more entities can itself actually raise privacy and consumer protection concerns that we must consider in crafting our competition remedies.24

In short, the FTC’s top antitrust enforcer has acknowledged that the agency has an obligation to consider the risks to privacy and consumer protection when fashioning remedies for antitrust violations. To date, the DOJ leadership has not addressed this issue so directly. However, the Division’s recently issued Merger Remedies Manual notes that a proposed remedy should not only effectively redress the violation, but “just as importantly, be no more intrusive than necessary to cure the competitive harm.”25 In using data PORTability as a remedy, the DOJ at least has an interest in imposing remedies that don’t unnecessarily expose consumer data to security or privacy risks. The importance of considering privacy and cybersecurity is even more compelling where a proposed remedy threatens to create a conflict with a party’s privacy or data security legal obligations, such as compliance with a privacy or data security law, regulation or consent decree. The PORT-IA is intended to be a tool to ensure that these remedy decisions are fully informed and reflect a comprehensive view of the impact of the costs and benefits of data PORTability.

 

IV. CONCLUSION

There are compelling reasons for decision-makers to explore the use of data PORTability to enhance or restore competition by reducing switching costs and lowering barriers to entry. Increased transfers of personal data, however, often carry risks to cybersecurity and personal privacy. The PORT-IA provides a structured set of questions to investigate the range of relevant effects of a PORTability proposal. As discussed here, attention to these competing public policy goals makes sense for legislation, regulation, and for decisions within individual companies of when and how to enhance PORTability. In addition, even under traditional antitrust frameworks, there are opportunities for antitrust enforcement officials to recognize these privacy and cybersecurity considerations, both in connection with enforcement decisions and when fashioning antitrust remedies.


1 Peter Swire is the Elizabeth and Tommy Holder Chair of Law and Ethics in the Georgia Tech Scheller College of Business, and Senior Counsel, Alston & Bird LLP. John Snyder is Partner, Alston & Bird LLP.

2 Peter Swire, “The Portability and Other Required Transfers Impact Assessment (PORTIA): Assessing Competition, Privacy, Cybersecurity, and Other Considerations,” Peter Swire, (Sept. 8, 2020), available at https://ssrn.com/abstract=3689171.

3 Data to Go, An FTC Workshop on Data Portability Agenda, available at https://www.ftc.gov/system/files/documents/public_events/1568699/agenda-dp-workshop.pdf. Swire was both a speaker and a panelist for this workshop.

4 Data To Go: An FTC Workshop on Data Portability, Fed. Trade Comm’n (Sept. 22, 2020) available at https://www.ftc.gov/news-events/events-calendar/data-go-ftc-workshop-data-portability.

5 See Gabriel Nicholas & Michael Weinberg, “Data Portability and Platform Competition: Is User Data Exported from Facebook Actually Useful to Competitors” Engelberg Center on Innovation Law & Policy, NYU School of Law, (Nov. 2019) available at https://www.law.nyu.edu/centers/engelberg/pubs/2019-11-06-Data-Portability-And-Platform-Competition. See also Stigler Report on Digital Platforms, Final Report, STIGLER CT. FOR THE STUDY OF THE ECONOMY AND THE STATE, CHICAGO BOOTH SCH. (2019) at 32; available at https://research.chicagobooth.edu/-/media/research/stigler/pdfs/digital-platforms—committee-report—stigler%20center.pdf.

6 Beyond the potential pro-competitive benefits from PORTability initiatives, there are also non-competition rationales for a PORT, including increased user control/autonomy over their data, a related but separate policy objective.

7 Stigler Report, supra note 5 at 38.

8 Prepared Remarks of Renata B. Hesse, Deputy Assistant Attorney General, Remarks as Prepared for the Confrence on Competition and IP Policy in High-Technology Industries: At the Intersection of Antitrust & High-Tech: Opportunities for Constructive Engagement, 6 (Jan. 22, 2014), available at https://www.justice.gov/atr/file/517776/download.

9 See, e.g. Catherine E. Tucker, Network Effects and Market Power: What Have We Learned in the Last Decade?, Antitrust, Spring 2018, at 79-80 available at http://sites.bu.edu/tpri/files/2018/07/tucker-network-effects-antitrust2018.pdf; D’Arcy Coolican & Li Jin, The Dynamics of Network Effects, Andreessen Horowitz, available at https://a16z.com/2018/12/13/network-effects-dynamics-in-practice/.

10 As the Supreme Court has explained, these indirect network effects are especially pronounced in transactional platforms, where a platform cannot make a sale unless participants on both sides of a platform agree to use their services. Ohio v. Am. Express Co., 138 S. Ct. 2274, 2286 (2018).

11 Stigler Report on Digital Platforms, supra note 5, at 16.

12 Congressman David Cicilline, Address at New America Open Technology Institute: A Deep Dive Into Data Portability: How Can We Enable Platform Competition and Protect Privacy at the SameTime?” (June 6, 2018), video available at https://www.newamerica.org/oti/events/deep-dive-data-portability-how-can-we-enable-platform-competition-and-protect-privacy-same-time/.

13 Gabriel Nicholas & Michael Weinberg, “Silicon Valley’s Favorite Idea for Encouraging Competition,” Slate, Nov. 19, 2019, available at https://slate.com/technology/2019/11/data-portability-facebook-competition-antitrust.html.

14 Peter Swire & Yianni Lagos, Why the Right to Data Portability Likely Reduces Consumer Welfare: Antitrust and Privacy Critique, 72 Md L. Rev. 335 (2013).

15 Press Release, Senators Introduce Bipartisan Bill to Encourage Competition in Social Media (Oct. 22, 2019) available at https://www.warner.senate.gov/public/index.cfm/2019/10/senators-introduce-bipartisan-bill-to-encourage-competition-in-social-media.

16 International Association of Privacy Professionals, Resource Center: State Comprehensive-Privacy Law Comparison Bills Introduced 2019-2020 (2020), available at https://iapp.org/media/pdf/resource_center/State_Comp_Privacy_Law.pdf.

17 See 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program, 84 Fed. Reg. 7424, 7469 (proposed March 4, 2019) (codified at 45 C.F.R. parts 170 and 171), available at https://www.federalregister.gov/documents/2019/03/04/2019-02224/21st-century-cures-act-interoperability-information-blocking-and-the-onc-health-it-certification.

18 Christine S. Wilson, Commissioner, Fed. Trade Comm’n, Remarks at University of Illinois at Chicago John Marshall Law School: Global Innovation, Local Regulation: Navigating Competition Rules in the Digital Economy, 7 (Mar.13, 2020); available at https://www.ftc.gov/system/files/documents/public_statements/1569053/wilson_-global_innovation_local_regulation_ui_chicago_speech_3-13-20.pdf.

19 Peter Swire, “Protecting Consumers: Privacy Matters in Antitrust Analysis,” (Oct. 19, 2007), available at https://www.americanprogress.org/issues/economy/news/2007/10/19/3564/protecting-consumers-privacy-matters-in-antitrust-analysis.

20 Noah Joshua Phillips, Commissioner, Fed. Trade Comm’n, Keynote Address at Stanford Law School: Should We Block This Merger? Some Thoughts on Converging Antitrust and Privacy, 13 (Jan. 30, 2020) available at https://www.ftc.gov/system/files/documents/public_statements/1565039/phillips_-_stanford_speech_10-30-20.pdf.

21 Makan Delrahim, Assistant Attorney General, Dept. of Justice, Antitrust Division, Remarks at Harvard Law School & Competition Policy International Conference on “Challenges to Antitrust in a Changing Economy”: “Blind[ing] Me With Science”: Antitrust, Data, and Digital Markets, 8-10 (Nov. 8, 2019) available at https://www.justice.gov/opa/speech/assistant-attorney-general-makan-delrahim-delivers-remarks-harvard-law-school-competition.

22 See, e.g. Aspen Skiing Co v. Aspen Highlands Skiing Corp., 472 U.S. 585, 602 (1985).

23 See, e.g. United States v. Microsoft Corp., 253, F.3d 34, 59 (D.C. Cir. 2001).

24 Ian Conner, Director, Federal Trade Commission Bureau of Competition, Closing Remarks at Data to Go: An FTC Workshop on Data Portability, September 22, 2020, at 6:18:50-6:19:30 (emphasis added); video available at https://www.ftc.gov/news-events/audio-video/video/data-go-ftc-workshop-data-portability.

25 U.S. Dept. of Justice Antitrust Division, Merger Remedies Manual § II (Sept. 2020), available at https://www.justice.gov/atr/page/file/1312416/download. See also id. at fn.4 (“In contrast to the limited public-interest inquiry under the Tunney Act, the Division’s prosecutorial discretion encompasses a broader set of considerations, including the facts developed in the investigation, the judgment of the prosecuting attorneys, and the allocation of the Division’s limited resources.”).