Data Portability Is Better Included In Privacy Legislation Than Antitrust

Technology companies have drawn the scrutiny of antitrust regulators. Claiming that sufficient competition is lacking online, House lawmakers unleashed an array of antitrust bills targeting some of America’s largest companies. The Augmenting Compatibility and Competition by Enabling Service Switching (ACCESS) Act of 2021 would require “covered platforms” (applying to a handful of large technology companies) to make user data portable. The purported goal of this legislation is to increase competition by lowering the barriers of leaving an online service. In reality, there would be minimal pro-competitive benefits from data portability, and the resulting change to competition in the online space would likely fall well short of proponents’ expectations. Instead, if lawmakers pursue a data portability mandate, they should view the issue through the lens of a federal data privacy legislation.

First, it is important to differentiate between data portability and data interoperability. Data portability allows a user to access their data on an online platform and download or transfer that data elsewhere. Separately, data interoperability requires the use of an application programming interface (API) to allow users or third parties to access and make use of the platform’s data. It’s important to note that these are not synonymous terms and should be viewed as separate topics.

The argument behind data portability legislation as a pro-competitive measure is that large technology companies’ troves of user data gives them an insurmountable advantage. Giving users the ability to take that data elsewhere, proponents claim, would create more Facebooks and Twitters by giving smaller platforms the same advantage. However, the data itself is far less valuable than the ability of these companies to process data at scale and create value for the consumer. It’s difficult to value user data on an individual level, but by some estimates a single user’s data is worth well under a dollar or even a fraction of a penny. Private companies spend billions of dollars to interpret the mass amounts of data into usable formats. As Will Rinehart, formerly of the American Action Forum states, “data is ubiquitous, but what isn’t widespread is understanding what kind of information you might have and doing something useful with it.” Simply spreading user data around would do very little to create the next major technology company if new entrants aren’t equipped to process it. There would be substantially fewer pro-competitive benefits than supporters of the ACCESS Act claim.

Proponents of data portability as an avenue to increase online competition point to the portability of telephone numbers as a case in which portability increases competition. Customers are able to switch providers, and in many cases, keep their same phone number even when switching providers. However, phone number porting is not analogous to data portability. First, phone numbers are a narrow and straightforward data set that comes in a standard form. User data, like a social graph from an online platform, is significantly more complex and not standardized. For example, user data can include user-generated posts, contact lists, photos, not to mention the inferences that online companies make based on user activity like suggested music or events. Mandating data portability presents much more complexity than phone number portability.

The other way this analogy misses the mark is the pro-competitive benefits of phone number porting are likely higher than with data portability. Phone number porting gives consumers more power to choose their provider without being locked-in to a service. This lowers the switching cost associated with having to choose a new phone number. For example, a small business owner would be confronted with sizable barriers to leaving a service provider if they were forced to change their phone number. They would have to alert customers to their new contact information, update their marketing, and could miss out on revenue in the interim or even permanently. In contrast, the cost of switching to a new online platform is much lower. The idea that mandating data portability will substantially increase competition ignores the fact that consumers are already able to utilize multiple competing services with very low barriers to switching between them. Similarly, consumers use large platforms because they like the service, and even with a portability mandate, consumers may still choose to stay on a larger platform. Switching between free online platforms does not present the same challenges as switching between paid telephone providers.

While there may be very few pro-competitive benefits for consumers, if lawmakers would like to create a data portability mandate, they should view federal data privacy legislation as a better vehicle than antitrust legislation. California, Colorado, and Virginia have passed data privacy laws, and other states are likely to follow. This patchwork approach to privacy policy increases compliance complexities, especially for smaller online companies. A federal data privacy with a data portability component could address some of the most glaring flaws with the ACCESS Act without radically disrupting the technology sector.

Defining “data” is complicated. Instead of creating a definition, the ACCESS Act punts the issue to the Federal Trade Commission (FTC). However, this is an issue better addressed by elected officials, who are accountable to their constituents, rather than political appointees and bureaucrats. Similarly, Congress, not the states, should be the entity that creates internet regulations. A federal data privacy standard would address the question of what “data” means. It is undoubtedly a difficult term to define as nearly all online companies — from large social media platforms to online restaurant reservation sites — routinely collect data. However, the difficulty of the problem does not give Congress a pass on addressing it. Congressional lawmakers are best positioned to create a thorough definition of data while maintaining a light-touch approach to internet regulation.

After defining what “data” is, lawmakers also need to address what data “belongs” to a specific user. Data portability would allow the user to download or transfer their data elsewhere, but the ACCESS Act does not clarify what qualifies as an individual user’s data. This may seem straightforward, but there are numerous examples of grey areas. If a user is tagged in a photo with another user, does that data belong to the user who posted it or is it both of their data? If a user wants to download their list of contacts from a social media platform, how much of the other users’ information can be downloaded and transferred? Lawmakers may also want to consider if certain types of data should not be portable from online services. Some users may use platforms or sites specifically because they have strong privacy protections and would be opposed to another user taking some of their information to another site that does not have the same level of privacy.

In a similar fashion to addressing what data “belongs” to a user, another major issue that lawmakers must address is the question of data liability. If a user transfers their data from Company A to Company B and their data is compromised, can Company A be held liable? Crafting an ecosystem where users are able to move their data more freely requires clear rules of the road the businesses are able to reasonably follow. Online platforms won’t want to open themselves up for liability or accompanying legal action. A data privacy standard with a portability component would address this issue, if responsibly crafted.

The private sector has already taken steps to make data portable for users. The Data Transfer Project was launched in 2018 by some of the largest technology companies to make user data portable and interoperable. However, this only includes a relatively small set of companies. The application of data portability from these private companies can help inform Congressional action. Shunning “Big Tech” in Washington has become more common, but it’s important for lawmakers to hear how data portability has worked in the private sector so far, and what issues legislation would need to address. Real world experience would benefit the process, and it would behoove lawmakers to hear from small and large companies that already are leading the way in data portability.

There has been some overzealous legislation when it comes to regulating technology companies, and lawmakers should avoid onerous regulation requirements like Europe’s General Data Protection Regulation. If lawmakers are set on a data portability mandate, a federal data privacy standard with a data portability component would be a superior way to creating a light-touch framework. Despite a flurry of hearings surrounding “Big Tech,” Congressional action on data privacy has been noticeably lacking. States will continue to ratchet up the pressure for federal lawmakers to act as more states go at the issue alone to the detriment of consumers and small businesses. There are plenty of vague areas in the ACCESS Act and as lawmakers look to allow users’ data to move more freely, they must ensure reasonable protections are in place. Addressing complex questions about the definition of data, liability, and privacy must be answered before moving the issue of data portability forward.