Speaking at the Internet Governance Forum in Washington, D.C., a new member of the Federal Trade Commission (FTC) discussed his concerns about expanding privacy regulations.
Commissioner Noah Phillips, who joined the FTC earlier this year, shared his problems regarding new laws and regulations, including the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act.
“I want today to register my concern that laws and regulations intended to promote privacy may build protective moats around large companies (some of which already possess significant amounts of data about people) by making it more difficult for smaller companies to grow, for new companies to enter the market and for innovation to occur—and insist that competition be part of our conversation about privacy,” Phillips told attendees.
The new regulations are moving away from the current scheme of regulation in the United States, he argued, which is “not an accident of history,” but based on “a principled, risk-based approach that focuses privacy and security rules on the sectors of the economy where Congress has determined such rules are most needed.”
This compartmentalized approach to privacy regulation recognizes that not all entities are the same, Phillips explained, with different types of protections based on the data being protected and the size of the entities involved.
“The United States’ risk-based approach imposes the greatest costs on businesses at the points where our democratic process has determined the greatest privacy need exists, limiting such costs where the need is less,” he said. “So, while we may argue about whether the risks are being appropriately evaluated, whether ‘leveling the playing field’ among firms doing different things with different kinds of data makes sense, or whether the quantity and quality of data being collected today ought to change our approach, we should not be confused about whether the American approach to privacy is deliberate or sensible.”
Phillips used his remarks as a cautionary tale, as the “one size fits all” European approach found in the GDPR appears to be spreading across the pond with California’s new law, set to take effect in 2020.
“While we may want to protect privacy in new ways, we do not want the regulatory burden to be so onerous that it excludes potential market entrants or inhibits innovation; at the very least, we need an honest discussion about the costs and benefits,” the commissioner said.
Early signs in the implementation of the GDPR appear to be pointing to the effects on competition that Phillips fears, he said, with large technology companies able to spend the money necessary to achieve compliance and smaller companies pushed out, unable to afford the effort. In addition to these economies of scale, Phillips said the “brand effect”—under which consumers are more likely to trust the companies they know—will also skew benefits in favor of large incumbents over small startups, or as he put it, “the big guys win again.”
“The upshot is that, as we consider the potential benefits of new privacy protection, we must consider the costs, too: on competition and innovation. [The] GDPR provides us with a great opportunity to see how a large-scale privacy regime works in practice, and for us in the United States to learn from Europe’s experience,” Phillips concluded. “We don’t yet know the answer. About the American risk-based approach, however, we can say one thing for certain already: It has both targeted the areas of greatest privacy need and still permitted a tremendous amount of innovation.”
To read the prepared remarks, click here.
Why it matters: When considering new privacy regulations, Phillips advocated that proponents ask: “Are we willing to allow a reduction in competition or innovation? What competitive price are we willing to pay for great[er] privacy protection? Are we willing, for instance, to allow the biggest technology companies—lately the focal points of discussion about both privacy and competition—to entrench further?” He also noted that the upcoming FTC hearings offer a good opportunity to discuss the intersection of privacy protections with competition and innovation.