Showing 9 of 184 Publications in Data Security & Privacy

ADPPA Mimics GDPR’s Flaws, and Goes Further Still

TOTM Just three weeks after a draft version of the legislation was unveiled by congressional negotiators, the American Data Privacy and Protection Act (ADPPA) is heading to its . . .

Just three weeks after a draft version of the legislation was unveiled by congressional negotiators, the American Data Privacy and Protection Act (ADPPA) is heading to its first legislative markup, set for tomorrow morning before the U.S. House Energy and Commerce Committee’s Consumer Protection and Commerce Subcommittee.

Read the full piece here.

Data Security & Privacy

American Data Privacy and Protection Act

TL;DR After years of fragmented privacy law across the 50 states, a recently introduced bipartisan and bicameral bill proposes to create a federal privacy regime.

Background…

After years of fragmented privacy law across the 50 states, a recently introduced bipartisan and bicameral bill proposes to create a federal privacy regime. Sponsors of the American Data Privacy and Protection Act (ADPPA) say it will set a national baseline for privacy protections and user remedies, while allowing firms to continue to innovate.

But…

The bill’s breadth and onerous requirements could have unintended negative consequences for consumers. Worse, the measure would only partially preempt state law, arguably leaving the worst of both worlds.

Read the full explainer here.

Data Security & Privacy

The Overlooked Systemic Impact of the Right to Be Forgotten: Lessons from Adverse Selection, Moral Hazard, and Ban the Box

Scholarship Abstract The right to be forgotten, which began as a part of European law, has found increasing acceptance in state privacy statutes recently enacted in . . .

Abstract

The right to be forgotten, which began as a part of European law, has found increasing acceptance in state privacy statutes recently enacted in the U.S. Commentators have largely analyzed the right to be forgotten as a clash between the privacy interests of data subjects and the free speech rights of those holding the data. Framing the issues as a clash of individual rights largely ignores the important scholarly literatures exploring how giving data subjects the ability to render certain information unobservable can give rise to systemic effects that can harm society as a whole. This Essay fills this gap by exploring what the right to be forgotten can learn from the literatures exploring the implications of adverse selection, moral hazard, and the emerging policy intervention known as ban the box.

Data Security & Privacy

ICLE Comments on FTC/DOJ Merger Enforcement RFI

Regulatory Comments The FTC and DOJ's RFI on whether and how to update the antitrust agencies’ merger-enforcement guidelines is based on several faulty premises and appears to presuppose a preferred outcome.

Executive Summary

Our comments in response to the agencies’ merger guidelines RFI are broken into two parts. The first raises concerns regarding the agencies’ ultimate intentions as reflected in the RFI, the authority of the assumptions undergirding it, and the agencies’ (mis)understanding of the role of merger guidelines. The second part responds to several of the most pressing and problematic substantive questions raised in the RFI.

With respect to the (for lack of a better term) “process” elements of the agencies’ apparent intended course of action, we argue that the RFI is based on several faulty premises which, if left unchecked, will taint any subsequent soft law proposals based thereon:

First, the RFI seems to presuppose a particular, preferred outcome and does not generally read like an objective request for the best information necessary to reach optimal results. Although some of the language is superficially neutral, the overarching tone is (as Doug Melamed put it) “very tendentious”: the RFI seeks information to support a broad invigoration of merger enforcement. While some certainly contend that strengthening merger-enforcement standards is appropriate, merger guidelines that start from that position can hardly be relied upon by courts as a source of information to differentiate in difficult cases, if and when that may be warranted.

Indeed, the RFI misconstrues the role of merger guidelines, which is to reflect the state of the art in a certain area of antitrust and not to artificially push the accepted scope of knowledge and practice toward a politically preferred and tenuous frontier. The RFI telegraphs an attempt by the agencies to pronounce as settled what are hotly disputed, sometimes stubbornly unresolved issues among experts, all to fit a preconceived political agenda. This not only overreaches the FTC’s and DOJ’s powers, but it also risks galvanizing opposition from the courts, thereby undermining the utility of adopting guidelines in the first place.

Second, underlying the RFI and the agencies’ apparently intended course of action is the uncritical acceptance of a popular, but highly contentious, narrative positing that there is an inexorable trend toward increased concentration, caused by lax antitrust enforcement, that has caused significant harm to the economy. As we explain, however, every element of this narrative withers under closer scrutiny. Rather, the root causes of increased concentration (if it is happening in the first place) are decidedly uncertain; concentration is decreasing in the local markets in which consumers actually make consumption decisions; and there is evidence that, because much increased concentration has been caused by productivity advances rather than anticompetitive conduct, consumers likely benefit from it.

Lastly, the RFI assumes that the current merger-control laws and tools are no longer fit for purpose. Specifically, the agencies imply that current enforcement thresholds and longstanding presumptions, such as the HHI levels that trigger enforcement, allow too many anticompetitive mergers to slip through the cracks. We contend that this kind of myopic thinking fails to apply the relevant error-cost framework. In merger enforcement, as in antitrust law, it is not appropriate to focus narrowly on one set of errors in guiding legal and policy reform. Instead, general-purpose tools and presumptions should be assessed with an eye toward reducing the totality of errors, rather than those arising in one segment at the expense of another.

Substantively, our comments address the following issues:

First, the RFI is concerned with the state of merger enforcement in labor markets (and “monopsony” markets more broadly). While some discussion may be welcome regarding new guidelines for how agencies and courts might begin to approach mergers that affect labor markets, the paucity of past actions in this area (the vast bulk of which have been in a single industry: hospitals); the significant dearth of scholarly analysis of relevant market definition in labor markets; and, above all, the fundamental complexities it raises for the proper metrics of harm in mergers that affect multiple markets, all raise the specter that aiming for specific outcomes in labor markets may undermine the standards that support proper merger enforcement overall. If the agencies are to apply merger-control rules to monopsony markets, they must make clear that the relevant market to analyze is the output market, and not (only) the input market. Ultimately, this is the only way to separate mergers that generate efficiencies from those that create monopsony power, since both have the effect of depressing input prices. If antitrust law is to stay grounded in the consumer welfare standard, as it should, it must avoid blocking mergers that are consumer-facing simply because they decrease the price of an input. The issue of monopsony is further complicated by the fact that many inputs are highly substitutable across a wide range of industries, rendering the relevant market even more difficult to pin down than in traditional product markets.

Second, there is not enough evidence to create the presumption of a negative relationship between market concentration and innovation, or between market concentration and investment. In fact, as we show, it may often be the case that the opposite is true. The agencies should thus be wary of drawing any premature conclusions—let alone establishing any legal presumptions—on the connection between market structure and non-price effects, such as innovation and investment.

Third, the RFI blurs what has hitherto been a clear demarcation—and rightly so—between vertical and horizontal mergers by stretching the meaning of “potential competition” beyond any reasonable limits. In doing so, it ascribes stringent theories of harm based on far-fetched hypotheticals to otherwise neutral or benign business conduct. This “horizontalization” of vertical mergers, if allowed to translate into policy, is likely to have chilling effects on procompetitive merger activity to the detriment of consumers and, ultimately, society as a whole. As we show, there is no legal or empirical justification to abandon the time-honed differentiation between horizontal and vertical mergers, or to impose a heightened burden of proof on the latter. The 2018 AT&T merger illustrates this.

Fourth, and despite some facially attractive rhetoric, data should not receive any special treatment under the merger rules. Instead, it should be treated as any other intangible asset, such as reputation, IP, know-how, etc.

Finally, the notion of “attention markets” is not ready to be applied in a merger-control context, as the attention-market scholarship fails to offer objective, let alone quantifiable, criteria that might enable authorities to identify firms that are unique competitors for user attention.

Read the full comments here.

Antitrust & Consumer Protection

The Paradox of Choice Meets the Information Age

TOTM Barry Schwartz’s seminal work “The Paradox of Choice” has received substantial attention since its publication nearly 20 years ago. In it, Schwartz argued that, faced . . .

Barry Schwartz’s seminal work “The Paradox of Choice” has received substantial attention since its publication nearly 20 years ago. In it, Schwartz argued that, faced with an ever-increasing plethora of products to choose from, consumers often feel overwhelmed and seek to limit the number of choices they must make.

Read the full piece here.

Antitrust & Consumer Protection

Lina Khan’s Privacy Proposals Are at Odds with Market Principles and Consumer Welfare

TOTM The Federal Trade Commission (FTC) is at it again, threatening new sorts of regulatory interventions in the legitimate welfare-enhancing activities of businesses—this time in the . . .

The Federal Trade Commission (FTC) is at it again, threatening new sorts of regulatory interventions in the legitimate welfare-enhancing activities of businesses—this time in the realm of data collection by firms.

Read the full piece here.

Antitrust & Consumer Protection

Optimizing Cybersecurity Risk in Medical Cyber-Physical Devices

Scholarship Abstract Medical devices are increasingly connected, both to cyber networks and to sensors collecting data from physical stimuli. These cyber-physical systems pose a new host . . .

Abstract

Medical devices are increasingly connected, both to cyber networks and to sensors collecting data from physical stimuli. These cyber-physical systems pose a new host of deadly security risks that traditional notions of cybersecurity struggle to take into account. Previously, we could predict how algorithms would function as they drew on defined inputs. But cyber-physical systems draw on unbounded inputs from the real world. Moreover, with wide networks of cyber-physical medical devices, a single cybersecurity breach could pose lethal dangers to masses of patients.

The U.S. Food and Drug Administration (FDA) is tasked with regulating medical devices to ensure safety and effectiveness, but its regulatory approach—designed decades ago to regulate traditional medical hardware—is ill-suited to the unique problems of cybersecurity. Because perfect cybersecurity is impossible and every cybersecurity improvement entails costs to affordability and health, designers need standards that balance costs and benefits to inform the optimal level of risk. FDA, however, conducts limited cost-benefit analyses, believing that its authorizing statute forbids consideration of economic costs.

We draw on statutory text and case law to show that this belief is mistaken and that FDA can and should conduct cost-benefit analyses to ensure safety and effectiveness, especially in the context of cybersecurity. We describe three approaches FDA could take to implement this analysis as a practical matter. Of these three, we recommend an approach modeled after the Federal Trade Commission’s cost-benefit test. Regardless of the specific approach FDA chooses, however, the critical point is that the agency must weigh costs and benefits to ensure the right level of cybersecurity. Until then, medical device designers will face continued uncertainty as cybersecurity threats become increasingly dangerous.

Data Security & Privacy

Mikołaj Barczentewicz on Russian cyber threats

Presentations & Interviews ICLE Senior Scholar Mikołaj Barczentewicz joined the Warsaw Enterprise Institute to discuss cyber-security threats arising from the Russia-Ukraine conflict. The full video (in Polish) is . . .

ICLE Senior Scholar Mikołaj Barczentewicz joined the Warsaw Enterprise Institute to discuss cyber-security threats arising from the Russia-Ukraine conflict. The full video (in Polish) is embedded below.

Data Security & Privacy

GDPR threatens to split the EU and US internet

Popular Media In their zeal to intervene, regulators have lost all sense of proportion and context. They are willing to sacrifice the immense economic and social benefits . . .

In their zeal to intervene, regulators have lost all sense of proportion and context. They are willing to sacrifice the immense economic and social benefits from technological exchange on the altar of privacy absolutism, potentially denying Europeans access to online services offered by US businesses. However, there is still hope that the courts and public officials will act responsibly and undo the impending damage.

Read the full piece here.

Data Security & Privacy