Author: Ryan Brewer, J.D Candidate, Class of 2014, Benjamin N. Cardozo School of Law
The Cardozo IP & Information Law Program kicked off its fall 2012 IP Speaker Series with a presentation by Professor Peter Swire. Professor Swire teaches at the Moritz College of Law at Ohio State University and is a national and global leader on privacy, cybersecurity, and related technology issues. In his third appearance at the Benjamin N. Cardozo School of Law, Professor Swire discussed his upcoming article: The Right to Data Portability: Is This New Privacy Right Contrary to Antitrust Law?
Professor Swire focuses his discussion on the January 2012 draft of proposed reforms to the European Union (EU) Data Protection Directive that was put in place seventeen years ago. The proposal places the Right to Data Portability (RDP) amongst other fundamental human rights recognized within the EU and creates RDP for all EU citizens. More specifically, RDP creates a right in every user to obtain, in a “widely–used format,” a copy of his or her own electronic data that is “undergoing processing.” The regulation also creates a right to manipulate this data and export it “without hindrance.”
Professor Swire contends that this regulation was created with major Internet companies in mind—such as Facebook—and without consideration of the unintended and highly detrimental effects it would have on small businesses and consumers. Professor Swire provided the example of Facebook, which received criticism for many years over its control of users’ information. Previously, Facebook did not offer an export–import module (EIM) that would allow users to remove or export user material (e.g. photos, posts, contact lists) from the site. Furthermore, it was unclear which information a Facebook user had a right to—comments, liked pages, and photos in which the user was tagged were not necessarily considered the user’s own data. Prior to the passage of this regulation, Facebook responded to the criticism by creating its own EIM that allows a user to control his or her data in a manner that generally complies with the new right.
Although the treatment of user data by major companies is a valid concern, Professor Swire addressed concerns on three major areas affected by RDP: antitrust, privacy, and inter–operability. First, Professor Swire asserted that a major consideration of the regulation is to promote consumer welfare by preventing monopolistic practices or “lock–ins.” “Lock–in” practices refer to the tendencies of major Internet companies to create high switching costs and refuse to supply or deal with other competitors in order to build a user base of loyal customers. Lock–in becomes a concern when companies achieve large market dominance or become an essential facility (e.g. Facebook) and then stymie competition. Requiring that data be made available to all users in a widely–used format would allow users to take their information to whichever sites they found most appealing, thus undermining monopolistic practices. In the case of a small business with a new application, however, the initial phase of building a name and user base requires lock–in practices. Moreover, the costs of designing and administering an EIM may prove prohibitive. In this sense, argues Professor Swire, the impact of RDP was not properly investigated, and the regulation likely will result in reduced competition and diminished consumer welfare.
Second, Professor Swire questioned the rationale of creating a human right in data portability. Although the right to privacy is widely accepted as a fundamental human right, the extension to data portability is less clear. Furthermore, Professor Swire states that RDP actually creates a significant privacy concern. Because it requires all companies to provide EIM to all users, there is a very real threat that an individual or entity falsely claiming to be a user could export large amounts of another user’s sensitive information. Most security systems are incapable of withstanding this intrusion. Factoring in this consideration, in addition to the fact that comprehensive user information is packaged and ready for the taking, the value of a security attack increases for criminals. RDP may in fact create or exacerbate a large security threat.
Third, the effects on inter–operability are difficult to predict. Although it would seem that requiring the transferability of data in a widely–used format would increase inter–operability and promote openness, Professor Swire argues the regulation might actually result in minimal gains with significant losses. Case law already exists that prohibits first–party creators from blocking second parties from providing transfer services. By requiring that all first parties make their own EIMs, second parties are cut out of their business without benefitting the consumer in any way. Even more troubling, the language in the preamble points to users and competitors, indicating that another social networking site, such as Google+, would be able to compel other sites, such as Facebook, to supply users’ data for transfer to its own site. This could be carried out on behalf of the user, provided the user consented.
Professor Swire warns that the unprecedented magnitude of the RDP mandate is overly broad and creates numerous foreseeable and avoidable problems. To avoid the substantial damage to consumer welfare and innovation that this draft regulation poses, he asserts that the regulation should be scrapped. Although Professor Swire does not offer a comprehensive solution, he proposes that a concept such as RDP should be treated as a per se rule that would prohibit anti–innovation practices such as software bundling and designing software that is incompatible with that of other companies.
The views expressed here are exclusively of the author and do not represent agreement or endorsement by the Cardozo Arts & Entertainment Law Journal, Benjamin N. Cardozo School of Law, or Yeshiva University.