This op-ed was originally published in The Hill.
By Maureen K. Ohlhausen
While privacy and competition law pursue different goals, they can exist harmoniously under the right regulatory paradigm. Both areas of law, properly delineated, have the welfare of individual consumers as their prime concern. Privacy and data security laws seek to give consumers control and protection by limiting the collection and sharing of data, subject to consumer consent, and imposing obligations on companies to safeguard their systems from bad actors. Competition law is focused on preserving consumers’ choices in the market, including on terms such as price or quality, which can include aspects of privacy.
Unfortunately, Congress is considering several antitrust bills that put privacy and competition values in sharp conflict, with privacy likely to come out the loser. The bills prioritize the “right” of business users to access the user data and systems of large U.S. tech platforms over an individual user’s privacy rights and these companies’ ability to police against hacks and other abuses of their systems and devices.
For example, one proposal pending in the Senate forces access to or interoperability with U.S. tech companies’ operating systems, hardware and software and discourages these platforms from providing enhanced privacy and security for fear of facing harsh antitrust penalties if they did not choose at the time what a regulator, in hindsight, deems a sufficiently narrow means of protection or a sufficiently “significant” threat.
These bills make consumers’ privacy and security interests subservient to the interests of an almost unlimited set of business users, who may include entities owned or controlled by foreign governments. But this position runs counter to what U.S. consumers want. A new survey by Trusted Future, where I am a board member, and the National Security Institute found that most Americans want a higher level of security for online data. Moreover, they trust American companies significantly more with their data than foreign companies and especially foreign governments.
The risks to data privacy and security from easy access to online data and operating systems are not a theoretical concern. The Federal Trade Commission (FTC), which I recently led as acting chairman and commissioner, has brought numerous cases against companies that have engaged in inadequate protection of consumers’ personal data and their own systems. These cases include instances where a platform did not secure itself against third-party hackers or failed to supervise other platform users appropriately.
The proposed legislation may cause large American tech platforms to face an irreconcilable conflict between providing easy access to business users and the FTC’s sensible requirement that companies secure their systems from abuse.
Worse yet, it is far from clear that these provisions, which threaten to undermine platform and device security and user privacy, will lead to a more competitive marketplace. For instance, the provisions to compel data sharing and mandate broad interoperability are based on assumptions that this would promote competition. Yet, there is no evidence to suggest that this is the case. In fact, the bills are likely to diminish the incentive and ability to compete on security and privacy, something that we have seen drive significant innovation in recent years.
Rather than risk diminishing consumer privacy and security through antitrust legislation, Congress should adopt a comprehensive consumer privacy framework that creates a level playing field for all competitors.
Such a framework should consist of five core principles. First, legislation should provide a national and uniform set of protections and consumer rights throughout the digital economy. Second, it should ensure strong enforcement that protects consumer information that could result in harm if disclosed or misused, while also allowing companies to provide and develop innovative products and services that consumers want.
Third, it should provide consumers clarity and visibility into companies’ data collection, use and sharing practices. This should include easily understandable choices regarding these practices that are calibrated to the sensitivity of that data. Fourth, legislation should be more comprehensive than current state laws. And fifth, federal privacy legislation should be enforced by the FTC, which has the experience and skill to meaningfully enforce the new law’s protections, supplemented by state attorneys general.
On June 14, the House Energy and Commerce Committee will hold an important hearing to discuss bipartisan legislation on data privacy and security. This is an important first step towards Congress meaningfully addressing current privacy problems.
Policymakers should be cautious about trading known privacy and security benefits for easy access to the user data and systems of online platforms by a broad collection of “business users” based on uncertain presumptions that such access will increase competition. A comprehensive national privacy framework that protects consumers and puts all competitors on an equal regulatory footing would better harmonize privacy and competition law and avoid creating a contradictory web of regulation.
Maureen K. Ohlhausen is a member of the advisory board of Trusted Future and a partner at Baker Botts, where she chairs their global antitrust and competition practice. She previously served as the acting chairman and commissioner for the Federal Trade Commission (FTC).