As Congress and other relevant stakeholders debate how to protect Americans’ privacy, a key concern is making sure that new legislation doesn’t entrench the power of big tech incumbents. In this post, we argue that incorporating data interoperability into privacy legislation is essential to empowering consumers’ data rights and fostering a competitive marketplace.
With genuine interoperability, you could potentially chat with your Apple iMessage friends from your Facebook-owned WhatsApp using Android. If you are an Uber customer, interoperability could allow you to authorize a challenger startup like Via to use some of the data Uber has collected about you to optimize their routes in your town. With interoperability, you could potentially see your friends’ Instagram stories without ever leaving Snapchat. More and better products and services is what you could expect from interoperability.
In a nutshell, interoperability means enabling different systems and organizations to communicate with each other and work together. Interoperability achieves several interrelated benefits for consumers and the economy. First, interoperability gives consumers practical control over their personal data. Consumers should not feel stuck with a bad service because it has all of their data and their friends’ data. Interoperability is the logical consequence of empowering consumers with rights to access, correct, and delete their personal data: It’s a translation of those rights into a dynamic and actually useful form.
Second, interoperability encourages innovation in both incumbents, who have to improve their services to keep users in the original platform, and challengers, who have a fighting chance to develop successful new products and services. Network effects can create a lock-in effect for users. Even when users are frustrated by a platform and would like to leave, they can be locked in by the difficulties of switching to another platform and/or the network benefits of transacting with other users on the dominant service.
And third, interoperability could allow new players to start developing their own data banks, in order to develop their own machine learning and artificial intelligence (AI). As the Sloan MIT review puts it, “the availability of greater volumes and sources of data is, for the first time, enabling capabilities in AI and machine learning that remained dormant for decades due to lack of data availability, limited sample sizes, and an inability to analyze massive amounts of data in milliseconds.” Today, due to lack of competition and network lock-in effects, there is a serious risk that only a handful of companies could compete in an AI world: Those who have been amassing your personal information. Genuine interoperability would give a fighting chance to new products and services to, with your consent and subject to their success in the marketplace, start building their own independent databases, eventually allowing them to stand on their own two feet in the economy of the future where AI will be widely used.
Following, we outline a policy approach for interoperability built on the lessons of the Cable Act, the Telecommunications Act, and the United Kingdom’s Open Banking initiative.
Portability gives users control
Most internet services get a lot of data from their users. Whether it’s for personalizing the user experience, targeting ads, or more often both, internet companies collect so much of our personal information that they know a lot about what we want, who we are, what we do, who are our friends, what we like, and where we move. As a result, it is often hard for consumers to stop using a platform or start using a competing service. If leaving a platform equals leaving memories, artistic works, or friends behind, or abandoning a digital-self that represents us in ways that we can´t offline, then very few people are going to do it.
In response to this problem, and the demands of data rights advocates, European policymakers included in the General Data Protection Regulation (GDPR, Europe’s privacy law) a right to data portability, giving consumers the “right to receive the personal data concerning him or her, which he or she has provided to [an organization] in a structured, commonly used and machine-readable format and have the right to transmit those data to another [organization].” Data portability is also recognized in a limited fashion in California’s Consumer Privacy Act (CCPA).
Some companies, such as Google, have offered some degree of data portability since 2007. However, taking full note of the GDPR, in 2017 Facebook, Google, Microsoft, and Twitter, launched the Data Transfer Project. The goal of the Data Transfer Project is to “create an open-source, service-to-service data portability platform so that all individuals across the web could easily move their data between online service providers whenever they want”. As a result, it’s now relatively easy to get some of the data that these companies have collected from you, which might help you move to a different service, and also give you a better understanding of what information they have from you.
Data portability can also help new entrants build up a store of data they can use to improve their services, because when they gain a new user, that user can also bring their data from the old service. This can increase the power of users “voting with their feet” by leaving one service to switch to another. If they can port their data the new service they’ve chosen can doubly benefit: They get a new user and also a new cache of data. This is a slow way to build up the kinds of massive data stores that big tech companies will use to hone their AI systems, so this is not a silver bullet. We will still need other pro-competition reforms to achieve dynamic competition in this space. In particular, it does not address the network effects that often keep users locked in to one service, such as only being able to communicate with other users on the same network.
Interoperability of services promotes competition
Interoperability can address some of the challenges posed by network effects and walled gardens that cannot be solved by data portability alone. For example, why isn’t there a competing social network that allows you to still keep in touch with your grandparents who only use Facebook? What services could a new dynamic startup provide to you if you give it real-time access to some of the data Amazon collects from you? The answer is that one-time data portability is not enough. With just data portability, you could take your data from Facebook to a new social network, but not use it to connect with your friends there. With just data portability you could bring a snapshot of your Amazon data to a third party, but you would not be able to use the data you create on Amazon in real time. That’s why we need to move beyond portability towards truly interoperable systems where users can communicate across networks and certain continuing data flows are shared.
In many of the services that we use the most, we’ve come to take interoperability for granted, and often don’t even realize how essential it is. For telephone networks, the 1996 Telecom Act included interoperability requirements, which it referred to as “interconnection,” between competing carriers. The Act built upon Federal Communications Commission regulation, setting forth a regulatory regime of duties to connect, of parity in quality between connections offered to the incumbent’s own affiliates and competitors, and of rates and contract terms that were just, reasonable, and nondiscriminatory. This duty to deal in a non-discriminatory way created the possibility of more competition between cable, electric, and local telephone.
In some cases, interoperability is part of the design from the beginning. Email is a good example. With email, thanks to standard protocols developed by technical groups, you can send messages from one service to another (e.g., from Gmail to Yahoo Mail), and can use different client applications (e.g., Mozilla Thunderbird and Apple Mail) with a single service. Sometimes, interoperability is imposed later on, as in the telephone network, where calls can easily be placed from one carrier to another, and one country to another, thanks to the involvement of national governments and international treaty organizations. Government intervention was also necessary on other levels — for example, to ensure that users could choose from competitive handsets, instead of just using telephones rented from the phone company.
Today, much of the interoperability on the internet happens through application programming interfaces (APIs). For example, Uber and Lyft each connect with Google Maps using APIs. In essence, APIs are controlled gates that developers can use to read, modify, and/or delete data hosted by another party. In the digital economy, standard and open APIs can be used to put consumers in control of their personal data, enable innovators to find new uses for the data subject to interoperability requirements, and allow competitors to enter more easily and circumvent the network effects protecting dominant firms. They can also help companies across the economy build their own machine learning and AI, instead of being dependent on automated systems built by companies who hold the most training data.
Creating open interoperability regimes for the digital economy seems like a daunting task. There’s a lot of personal data involved, with many complexities and implementation details to decide. There’s also the question of how far interoperability should extend. In the telephone networks example, the essential nature of the network and the Telecom Act’s mandate to promote affordable access to all Americans drove the need for network equipment and infrastructure to work seamlessly. In order to simply promote competition and consumer choice in the diverse digital platform market, that exacting level of interoperability may not be necessary. Policymakers should take on this issue, and decide, with the help of experts and relevant stakeholders, which types of data should be part of an interoperability mandate, what extent of interoperability should be required, and under which conditions. Fortunately, the United Kingdom is running a quietly successful interoperability experiment with big banks and financial data, which can inform other efforts.
Another blueprint: The UK’s Open Banking initiative
After concluding that older, larger banks do not have to compete hard enough for customers’ business, while smaller and newer banks find it difficult to grow, the Competition and Markets Authority (CMA) ordered the United Kingdom’s nine biggest banks to open up their data to third parties. According to the Financial Times, just one year after its implementation, Open Banking has been a “quiet digital revolution,” creating a “world in which, with a few swipes on a smartphone, you could find a better mortgage, compare household bills, cancel unwanted subscriptions, control direct debits and track payments across each of your accounts.”
Thanks to Open Banking, UK consumers can see all their bank accounts in one single app and set a “guilty pleasure tax” that automatically transfers money into their savings account when they buy something they think they shouldn’t have. They can compare deals on all of their household bills, learn how to cancel any unwanted subscriptions, and track their payments across every account, all from within one single app dashboard. Consumers can also use Open Banking to round up their everyday purchases to the nearest pound and invest the spare change.
But how was Open Banking implemented, and how does it work? In 2016, the CMA created the Open Banking Implementation Entity (OBIE), which is funded by the UK’s nine largest banks. The OBIE acts as a consortium of the largest banks as well as challenger banks, financial technology companies, third-party providers, and consumer groups. The OBIE has critical responsibilities to make open banking a reality in the UK:
- It sets the specifications for the APIs that banks use to provide open banking.
- It establishes security standards.
- It manages the Open Banking Directory which allows participants approved by the Financial Conduct Authority (FCA) like third-party providers to enroll in Open Banking, whitelisting approved participants to ensure the security and privacy of the system.
- It produces guidelines for participants in the Open Banking ecosystem.
- It sets out the process for managing disputes and complaints.
The Open Banking initiative offers some interesting lessons for the implementation of interoperability regimes in the digital economy in the United States. If Congress were to follow the Open Banking model for the U.S., it would start by giving guidance and authority to a regulatory agency such as the Federal Trade Commission to identify which organizations should be obliged to open their data to third parties. Second, a multistakeholder entity or agency would be tasked with establishing and maintaining the technical, security, and privacy standards and guidelines that third parties and relevant organizations abide by in order to make their systems interoperable. Third, because they are dealing with personal data, third parties that want to interoperate would be required to follow a clear and transparent open model for user privacy, including potential requirements for pre-approval or certification by an independent entity. Fourth, there would be a fair process to handle disputes.
Interoperability is consistent with privacy and security
A common argument against interoperability is that there’s an inherent and negative trade-off with user privacy. According to this perspective, third parties will surely use interoperability to exploit and abuse the information closely guarded by big platforms. Of course, this could be the case without sufficient privacy and security requirements for interoperability, and effective oversight of who gets to access what data.
Fortunately, we have historical precedents to learn from in both the Communications Act and the Open Banking initiative for how to require interoperability without compromising privacy or security. For example, Section 222(b) of the Communications Act provides that, when a telecommunications carrier receives or obtains proprietary information from another carrier to provide a telecommunications service, it shall use the information only for that purpose, not for its own marketing efforts. This was a much narrower example of interoperability, although it still had a big impact. Translating this rule to internet platforms would mean that a platform interoperating through an API would be limited in how it can use the data it gets about the customers of its third party apps, retailers, or other business users of the platform. The platform could only use that data for the purpose of providing the service and information that its own user explicitly requested, and not for advertising or any other purpose. PK’s own Harold Feld has written more extensively on this subject, here.
For example, imagine that third party apps are suddenly able to interoperate with Facebook’s newsfeed. After obtaining your consent, and in order to show you information from your newsfeed, the third party app will sometimes have to access to personal data (posts, pictures, links) created or uploaded by your friends. That third party app should not have the right to use your friends’ personal data for any other purpose than providing you the service you requested in that specific moment. In other words, the third party should not be able to process and store the data of your Facebook contacts for any other purpose than providing you the requested service, unless they obtain true informed consent from those users as well.
Open Banking gives us several other elements to consider in safeguarding privacy and security. First, as already mentioned, Open Banking obliges third parties to certify their compliance with security and privacy rules to a centralized authority, the FCA, in order to participate in the system. Translated to the broader internet ecosystem, this would mean that new entrants could certify compliance with a set of privacy and security rules to some authority, be it governmental or multistakeholder. This could boost consumer confidence in choosing third-party providers, and would enable companies to file complaints or even initiate legal actions against third parties who violate the terms of the interoperability agreement.
The Open Banking system only works because the UK and all of the European Union have a strong baseline privacy protection like the General Data Protection Regulation (GDPR). Here, the GDPR’s Article 5 offers broader principles that the United States may want to incorporate into future privacy legislation that enables interoperability. According to Article 5 of the GDPR, personal data shall be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes” and “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.”
Conclusion: Making interoperability work
As we can see from the examples above, making the big online services interoperable is not only desirable but entirely doable. Far beyond what would be achieved through static portability alone, interoperability could put consumers truly in control of their personal data. And it could spark more intense competition and innovation by both incumbents, which could not rely as much on network effects and lock-in to preserve their dominance, and challengers, which would have more of a fighting chance to develop new products and services.
Policymakers should consider interoperability as one of the major tools to address these concerns. Congress, or a specialized agency, will ultimately need to decide on exactly how to best achieve interoperability, when it is necessary, and how to keep it consistent with privacy for different types of products and for different types of data. As Congress is looking at comprehensive federal privacy legislation, this is a great time to begin the discussion of how interoperability can promote competition in digital platforms.