Europe a cautionary tale for privacy, not a guiding light

When it comes to fixing what ails society, economist Thomas Sowell once said there are no solutions — only trade-offs. On Monday, Sen. Mark Warner’s (D-Va.) office released a white paper with 20 policy prescriptions for curing the perceived societal ills caused by social media and technology firms. It is heavy on the solutions and light on the trade-offs.

The package of proposals does, however, inadvertently reveal a tension within the chorus of Big Tech critics. One set of worries regards privacy: how much of our personal data do these firms have and what are they doing with it?

{mosads}The second set regards competition: have the largest tech firms become monopolies, and do they have too much market power? The advocates for these respective issues tend to be ideological allies on the political left. But as Senator Warner’s white paper unintentionally demonstrates, solutions put forward to redress one set of grievances can actually exacerbate other concerns.

That is, there’s a trade-off: proposals to enhance consumer privacy will necessarily decrease competition — and vice versa.

To increase privacy, the paper mentions “mirroring GDPR” — the new data protection regulations recently implemented in Europe — and specifically cites rules regarding data portability, the right to be forgotten, 72-hour data breach notification, and first-party consent. But these rules are ambiguous and costly to comply with. For the largest firms, the hefty price tag is a feature not a bug; for startups it’s a competitive disadvantage. As European Union justice commissioner Věra Jourová said after meeting with Google and Facebook — having noticed a palpable lack of anxiety — “They have the money, an army of lawyers, an army of technicians and so on.”

Privacy regulations are particularly biased in favor of the biggest tech companies in the digital advertising market. First-party consent is costly for firms to secure and users are more likely to give consent to established companies than to startups challenging the incumbents. And as Senator Warner’s white paper itself notes, rules like GDPR “render all third-party data obsolete,” making all associated business models worthless. 

Executives from Facebook, Google, and Twitter have been called to testify at the Capitol in recent months about foreign government election interference and unauthorized access to user data by political consultants. These in-person interrogations show why policymakers and regulators might prefer fewer online platforms — it makes it easier to monitor and hold them accountable. For privacy watchdogs, the flipside of more competition in the social media market is a more complex oversight responsibility.

Data portability and interoperability requirements to increase competition pose a cybersecurity risk that directly implicates user privacy. By forcing platforms to share data and maintain open programming interfaces for porting it, these regulations increase what cybersecurity experts call the “attack surface,” or the number of different points where a hacker could extract private information. It’s also not even clear these rules would increase competition, as the incumbents might be better positioned to siphon data from startups and choke off their growth.

However, there are some ideas in the paper that would fix real harms. As Google is voluntarily doing with its AI assistant, it might be wise for robots to identify themselves before interacting with humans. We might also want to make platforms liable if they fail to prevent re-uploading of content that has been deemed tortious by a court. We should also consider requiring the same transparency for digital political advertisements as we do for advertisements sold on TV, radio, and satellite. Lastly, we should open federal datasets to researchers and companies (not only startups).

In the United States, sectoral-based privacy regulation (e.g., HIPAA, FERPA, and GLBA regulate privacy in healthcare, education, and finance, respectively) has done an excellent job addressing real risks to sensitive data. This nuanced approach is not the shiny object of one-size-fits-all baseline privacy regulations, but it does strike a reasonable balance between privacy and competition. Advocacy groups pushing for more privacy and more competition from Big Tech need to realize that these are competing values and favoring one comes at the expense of the other. 

The EU is simultaneously implementing new privacy rules which raise costs and reduce competition, while using antitrust enforcement actions to punish the most successful technology firms for “stifling” competition. As a recent research report by the Information Technology & Innovation Foundation found, “additional regulation restricts the supply of digital technologies by raising costs and reducing revenues for companies to invest in new products and services.” In other words, well-intentioned privacy regulations will come at the cost of choice and competition — and Europe should be a cautionary tale, not a guiding light.

Alec Stapp is a technology policy fellow and Ryan Hagemann is the senior director for policy at the Niskanen Center.