Showing 9 of 184 Publications in Data Security & Privacy

The FTC’s Flawed Data Security Enforcement Program and Suggestions for Reform (FTC hearings, Comment 8)

Written Testimonies & Filings

FTC Hearings on Competition & Consumer Protection in the 21st Century. Comments of the International Center for Law & Economics: The FTC’s Flawed Data Security Enforcement Program and Suggestions for Reform. Hearing #9 (Dec. 11-12, 2018). Submitted May 31, 2019.

Comments of the International Center for Law & Economics

Several pressing issues are raised by the ongoing need for data security as underscored by high profile breaches. One of the core problems in this area, however, is not simply that firms have inadequate data security, but that lawmakers have, to date, broadly failed to offer a viable standard by which firms can guide their conduct in this area.

The flawed strategy which the FTC currently deploys to deal with data security issues is a prime example. In brief, the Commission’s over-reliance on enforcement by consent decrees has created a quasi-regulatory approach to data security, eschewed the fundamentally useful aspects of a true common law approach to developing liability rules, and as a consequence provided little record of what actually amounts to liability for “unreasonable” data security. A true standard would include such components as: the assessment of reasonable care on the part of the tortfeasor, the thorough analysis of causality, an economically grounded computation of harm, and the establishment that harm is likely absent some level of care.

Given these failings, the FTC should consider implementing reforms that might bring its decisional practice closer to the common law tradition. These include giving more weight to economic analysis (notably by allowing the FTC’s Bureau of Economics to play a greater role in data security proceedings), adopting modest measures that would increase the transparency of the FTC’s data security decisions (thereby increasing legal predictability), bringing greater judicial review to data security proceedings, and incentivizing firms to better communicate their data security activities.

Antitrust & Consumer Protection

Gus Hurwitz discusses online privacy regulation on the Free Lunch Podcast

Presentations & Interviews

ICLE Director of Law & Economics Programs, Gus Hurwitz joins Matthew Heiman, Chris Riley, Anna Hsia, and Thomas Hazlett at Pepperdine Law Review’s 2019 Symposium. The Free Lunch Podcast has provided the recording of their panel where they discuss the challenges and implications of online privacy regulation. In this panel, the speakers discuss the implications of internet privacy legislation in both California and Europe on innovation, small businesses, and consumer protection.

Data Security & Privacy

Alec Stapp Discussing “Who’s Afraid of Big Tech” at the Cato Institute

Presentations & Interviews

On March 1, 2019, ICLE Research Fellow Alec Stapp appeared on a panel discussing “Big Brother in Big Tech” and the privacy implications associated with large tech platforms like Google, Amazon, and Facebook. This panel is part of a day-long conference—“Who’s Afraid of Big Tech”—that will explore the larger legal and policy issues that arise around the privacy, censorship, and competition concerns that have been raised about the large tech platforms.

Data Security & Privacy

Understanding Competition in Markets Involving Data or Personal or Commercial Information (FTC Hearings, ICLE Comment 7)

Written Testimonies & Filings

FTC Hearings on Competition & Consumer Protection in the 21st Century. Comments of the International Center for Law & Economics: Understanding Competition in Markets Involving Data or Personal or Commercial Information. Hearing #6 (Nov. 6-8, 2018). Submitted January 7, 2019.

Comments of the International Center for Law & Economics

Markets involving data and personal information have unique characteristics, but do not present such novel challenges that the well-developed tools of antitrust are incapable of incorporating them. Nonetheless, some critics continue to press for misguided antitrust intervention into data markets, often based on fundamental misunderstandings. 

For a start, commonly repeated analogies between data and oil are highly misleading. Oil is a physical commodity that is highly rivalrous (a user cannot use oil without impairing others’ ability to use the same oil) and readily excludable (it can easily be stored in ways that prevent use by non-authorized parties). By contrast, data is simply information that bears some of the traits of a public good: it is often non-rivalrous in consumption (the same information may be used by multiple parties without any degradation) and difficult to appropriate (because it is difficult to prevent others’ use of the same data, it is difficult to ensure optimal investment in its creation). Moreover, in most instances, it is not data that is scarce, but the expertise required to generate and analyze it. In any case, most successful internet companies started life with little to no data. This suggests that data is more a byproduct of the ongoing operation of internet platforms than it is a critical input for their creation.

Further, data is unlikely to constitute a barrier to entry, and even less likely to amount to an essential facility. As George Stigler famously argued, a barrier to entry is “[a] cost of producing that must be borne by a firm which seeks to enter an industry but is not borne by firms already in the industry.” There is no reason that the cost of obtaining data for a new entrant should be any higher than it was for an incumbent. In fact, the opposite will often turn out to be true.

Other ills that allegedly plague data-rich markets (and the merits of proposed solutions) are equally dubious. This is notably the case for the relationship between mandated data portability and competition. Contrary to what some scholars have advanced, it is far from clear that mandated data portability will increase consumer welfare in data-reliant markets. Not only is this type of portability unlikely to significantly affect switching costs for consumers but, even if it did, this would have ambiguous consumer welfare consequences (as is generally the case for consumer lock-in and regulatory interventions to overcome it). To make matters worse, mandated data portability is not without its risks. Most notably, data portability poses data security and user privacy risks.

Likewise, fears of costly price discrimination and widespread algorithmic collusion are greatly overblown. While it is true that big data may have a transformative effect on firms’ ability to price discriminate, there is no strong reason to believe that this would have a detrimental effect on consumer welfare. Instead, as with all forms of price discrimination, it may potentially expand output and allow less well-off consumers to participate in markets they might otherwise be priced out of. Similarly, the idea that big data and algorithms will lead to collusion is deeply flawed. Fears of collusion rest on the faulty premise that online marketplaces and the use of big data will dramatically increase transparency, thus facilitating collusion. In fact, the opposite is just as likely (and, in any case, the manifest benefits of increased transparency likely outweigh the speculative costs).

In short, the advent of data-enabled markets does not have implications that support the calls for a significant expansion of antitrust tools and antitrust enforcement being made. Data is not irrelevant, of course, but it is just one amongst a plethora of factors that enforcement authorities and courts should consider when they analyze firms’ behavior.

Antitrust & Consumer Protection

When “Reasonable” Isn’t: The FTC’s Standard-less Data Security Standard

Scholarship

Summary

Although the FTC is well-staffed with highly skilled economists, its approach to data security is disappointingly light on economic analysis. The unfortunate result of this lacuna is an approach to these complex issues lacking in analytical rigor and the humility borne of analysis grounded in sound economics. In particular, the Commission’s “reasonableness” approach to assessing whether data security practices are unfair under Section 5 of the FTC Act lacks all but the most superficial trappings of the well-established law and economics of torts, from which the concept is borrowed.

In actuality, however, the Commission’s manufactured “reasonableness” standard — which, as its name suggests, purports to evaluate data security practices under a negligence-like framework — actually amounts in effect to a rule of strict liability for any company that collects personally identifiable data. This is manifestly not what Section 5 intends.

In its recent LabMD opinion, the Commission describes its approach as “cost-benefit analysis.” But simply listing out (some) costs and benefits is not the same thing as analyzing them. Recognizing that tradeoffs exist is a good start, but it is not a sufficient end, and “reasonableness” — if it is to be anything other than the mercurial preferences of three FTC commissioners — must contain analytical content.

Persistent and unyielding uncertainty over the contours of the FTC’s data security standard means that companies may be required to accept the reality that, no matter what they do short of the extremes, liability is possible. Worse, there is no way reliably to judge whether conduct (short of obvious fringe cases) is even likely to increase liability risk.

The FTC’s recent LabMD case highlights the scope of the problem and the lack of economic analytical rigor endemic to the FTC’s purported data security standard. To be sure, other factors also contribute to the lack of certainty and sufficient rigor (i.e., matters of process at the agency), but at root sits a “standardless” standard, masquerading as an economic framework.

This paper explores these defects, paying particular attention to the FTC’s decision in LabMD and subsequent district court proceedings in the case.

Antitrust & Consumer Protection

Geoffrey Manne at FTC Hearing #9: Data Security

Presentations & Interviews

ICLE founder and president Geoffrey Manne participated in FTC Hearing #9: Data Security, on the panel entitled “FTC Data Security Enforcement,” on Wednesday, December 12, 2018, at the FTC Constitution Center Auditorium, Washington, DC.

The data security hearings included five panel discussions and additional discussion of research related to data breaches and data security threats. The first day’s panel discussions examined incentives to invest in data security and consumer demand for data security. Discussions on the second day focused on data security assessments, the U.S. framework related to consumer data security, and the FTC’s data security enforcement program.

Data Security & Privacy

ICLE urges NTIA to avoid heavy-handed privacy regulation that would stifle innovation and limit consumer choice

Regulatory Comments

Last week, ICLE submitted comments to the National Telecommunications and Information Administration (NTIA) on Developing the Administration’s Approach to Consumer Privacy. Scholars Geoffrey Manne, Kristian Stout, and Dirk Auer urge the agency to avoid legislation mandating tight controls on private companies’ use of consumer data akin to the EU’s General Data Protection Regulation (GDPR).

Although the US does not have a single, omnibus, privacy regulation, this does not mean that the US does not have “privacy law.” In the US, there already exist generally applicable laws at both the federal and state level that provide a wide scope of protection for individuals, including consumer protection laws that apply to companies’ data use and security practices, as well as those that have been developed in common law (property, contract, and tort) and criminal codes.

In addition, there are specific regulations pertaining to certain kinds of information, such as medical records, personal information collected online from children, credit reporting, as well as the use of data in a manner that might lead to certain kinds of illegal discrimination.

Getting regulation right is always difficult, but it is all the more so when confronting evolving technology, inconsistent and varied consumer demand, and intertwined economic effects — all conditions that confront online privacy regulation. Given this complexity, and the limits of our knowledge regarding consumer preferences and business conduct in this area, ICLE’s evaluation suggests that the proper method of regulating privacy is, for now at least, the course that the Federal Trade Commission (FTC) has historically taken: case-by-case examination of actual privacy harms, without ex ante regulations, coupled with narrow legislation targeted at problematic uses of personal information.

Many (if not most) services on the Internet are offered on the basis that user data can, within certain limits, be used by a firm to enhance its services and support its business model, thereby generating benefits to users. To varying degrees (and with varying degrees of granularity), services offer consumers the opportunity to opt-out of this consent to the use of their data, although in some cases the only way effectively to opt-out is to refrain from using a service at all.

Critics of the US approach to privacy sometimes advocate for a move to an opt-in regime (as is the case in the GDPR). But the problem is that “‘[o]pt-in’ provides no greater privacy protection than ‘opt-out’ but imposes significantly higher costs with dramatically different legal and economic implications.” In staunching the flow of data, opt-in regimes impose both direct and indirect costs on the economy and on consumers, reducing the value of certain products and services not only to the individual who does not opt-in, but to the broader network as a whole. Not surprisingly, these effects fall disproportionately on the relatively poor and the less technology-literate.

U.S. privacy regulators have generally evidenced admirable restraint and assessed the relevant tradeoffs, recognizing that the authorized collection and use of consumer information by data companies confers enormous benefits, even as it entails some risks. Indeed, the overwhelming conclusion of decades of intense scrutiny is that the application of ex ante privacy principles across industries is a fraught exercise as each firm faces a different set of consumer expectations about its provision of innovative services, including privacy protections.

This does not mean that privacy regulation should never be debated, nor that a more prescriptive regime should never be considered. But any such efforts must begin with the collective wisdom of the agencies, scholars, and policy makers that have been operating in this space for decades, and with a deep understanding of the business realities and consumer welfare effects involved.

Data Security & Privacy

ICLE’s Gus Hurwitz Joins the Cyberlaw Podcast to Discuss Bulk Data Collection

Presentations & Interviews

ICLE Director of Law & Economics Programs Gus Hurwitz discusses the European Court of Human Rights’ ruling that GCHQ’s bulk data collection practices fail to meet human rights standards, though they can be fixed without dumping bulk collection. And I marvel that France is urging the European Court of Justice, which needs little encouragement to indulge its anti-Americanism, to impose Europe’s “right to be forgotten” censorship regime on Americans and on other users around the world. That’s a position so extreme that it was even opposed by the European Commission. The full episode is embedded below.

https://www.steptoe.com/podcasts/TheCyberlawPodcast-231.mp3
Data Security & Privacy

Joshua Wright at FTC Hearing #1: The Current Landscape of Competition and Privacy Law and Policy

Presentations & Interviews

ICLE Senior Scholar Joshua Wright participated in the FTC’s Hearing #1: The Current Landscape of Competition and Privacy Law and Policy on the panel, Has the US Economy Become More Concentrated and Less Competitive: A Review of the Data.
Antitrust & Consumer Protection