ENHANCED PRIVACY DUTIES FOR DOMINANT TECHNOLOGY COMPANIES.

• Author: MacCarthy, Mark

I. INTRODUCTION

In March 2019 Mark Zuckerberg called for the U.S. to adopt a national privacy statue "in line with the European Union's General Data Protection Regulation." (1) Some commentators immediately attacked this move as a cynical attempt to avoid "competition interventions." (2)

This article takes the Facebook CEO at his word. It explores the possibility that strong privacy rules might be one policy response to the lack of competitive alternatives in markets controlled by the dominant technology companies. This article does not try to make the case for universal applicability of these rules, nor does it make the opposite argument that these rules should not be applied to other companies. Rather, this article argues merely that these strong privacy rules should apply at least to the dominant tech companies in order to remedy the special limitations on consumer choice present in the markets they dominate.

Two recent privacy interventions from government agencies inspired this approach. The first is the Federal Communications Commission's adoption in 2016 of strong privacy rules for broadband providers. (3) The second is the decision in 2018 by the German Federal Competition Office ruling that Facebook's extraction of certain information from its users was an infringement on their privacy rights. (4) Both made the special marketplace position of the companies involved central to their justification for these privacy actions.

These examples invite reflections on how to formulate a general approach to improving privacy for dominant technology companies in the United States. The course advocated in this article is for Congress to pass a new national privacy law with enhanced privacy duties for technology companies that also are dominant in their line of business.

To formulate the enhanced privacy duties this article draws on several strands of privacy law and scholarship. This article examines the way the European Union's General Data Protection Regulation requires companies to have a legal basis for data processing. (5) A new approach to privacy in the U.S. would require a dominant technology company in the U.S. to demonstrate that its data practices have the freely given consent of its users, are necessary to provide the services that its customers want, or are in its overriding legitimate interests.

These requirements to demonstrate a legal basis for data use are well-suited to protecting the privacy interests of customers of dominant technology companies. One way to limit the power of dominant technology companies to extract information from captive customers would be by making them show that they have consent, contractual necessity or legitimate interests as a basis for their use of consumer data, and to ban those practices absent such a showing.

This article also draws on recent work by Woodrow Hartzog (6) to argue that dominant technology companies should be prohibited from using technology designs that are unreasonably deceptive, abusive or dangerous. From Jack Balkin's work on information fiduciaries, (7) it draws the requirement that dominant technology companies should have special duties of care, loyalty and confidentiality toward their customers.

These measures are especially appropriate to apply to a dominant company because its marketplace position gives it unusual power to abuse its customers. If a dominant technology company is not bound by special duties of care, loyalty and confidentiality, it can exploit its customers' vulnerabilities without fear that they will flee to viable alternative providers. If a dominant technology company attempts to manipulate its customers through deceptive, abusive or dangerous technology designs, there is nowhere for these customers to go, even if they see through these harmful nudges and want to avoid them.

The article calls for a new national privacy law to enshrine these enhanced obligations for dominant technology companies in statute. Administrative agencies or courts could interpret current law to impose enhanced privacy obligations on dominant technology companies. The FCC tried to do this under its existing authority, but a subsequent Commission would have overturned its broadband privacy rules if Congress had not repealed them. The FCO in Germany attempted to apply GDPR and German antitrust law in prohibiting some of Facebook's data practices, but the decision is under lengthy court review. The initial court review by the Diisseldorf Higher Regional Court suspended the FCO's ruling. In a later ruling, fifteen months after the original decision, the Federal Court of Justice in Karlsruhe ruled that Facebook must comply with the order during the appeal. (10)

Attempting to establish these duties though novel interpretations of current U.S. law would be stretching their boundaries and would generate protracted litigation from challengers. It is better to avoid the uncertainties of current law. A new national privacy bill would clearly establish enhanced privacy duties that protect consumers in the context of the market dominance by technology companies.

The article also proposes rules limiting data sharing with thirdparty service providers and affdiates. The rules draw a lesson from some privacy statutes that prohibit certain data uses entirely such as the sale of student data (11) and the prohibition on the disclosure of financial account information for marketing purposes. (12) The proposed new privacy law would provide for the possibility that dominant technology companies would not be permitted to use data for certain purposes.

This article calls for the new privacy law to provide for an industry-specialist regulator to ensure effective implementation and enforcement. In calling for a specialist regulator, this article engages with the very different scholarship seeking to update competition law and policy to deal with the unique problems posed by digital platforms. Jason Furman's report for the government of the United Kingdom argued for a new digital markets unit in the UK government empowered to create special pro-competitive rules for platforms with strategic market position. (13) Harold Feld's report for Public Knowledge argues for a dedicated agency to regulate dominant digital platforms with authority to establish and enforce pro-competitive and information diversity rules. (14) Fiona Scott Morton authored a report for the Stigler Center urging the creation of a Digital Authority, a specialist regulator with authority over digital platforms with bottleneck power, and able to prescribe a variety of pro-competitive rules for these companies. (15)

One task of this specialist regulator would be to determine when technology companies are dominant in their field and so covered by the new statutory privacy. The notion of a company holding a dominant position is familiar from the provision in European competition law prohibiting the abuse of a dominant position. ' The article draws on the development of this notion in European competition law, the antitrust law in the U.S. and the recent procompetition scholarship from Furman, Feld and Scott Morton to identify conditions that indicate when competition might have failed in a market. These factors include firm size, market share, strategic market status, cost of exclusion, bargaining power, essential facility status, barriers to entry, significant market power, data power, and unavoidability. The new privacy law would authorize the regulatory agency to consider these factors in determining when a company is dominant for purposes of the enhanced privacy rules.

This article draws inspiration from Furman, Feld and Scott Morton for the idea of a specialist regulator with authority over technology companies with market power. But focuses on authorizing this regulatory agency to promulgate and enforce regulations to implement and interpret the new statutory privacy duties. The agency should have authority to write implementing privacy regulations for dominant technology companies, enforce them through fines, penalties and injunctions, and update them for changes in technology and business practices.

A specialist privacy regulator with authority over technology companies would be best positioned to make the difficult decisions in interpreting, applying and enforcing the new privacy duties. In principle, the privacy duties envisioned in the new privacy law could be formulated in a general fashion to be applicable in principle to all companies. Indeed, the models for these proposals for dominant companies were all constructed to be universally applicable. But interpretation and enforcement require a specialist regulator with detailed knowledge of the technology industry.

The article also examines recent attempts by Furman, Feld and Scott Morton to define "digital platforms" to see if these concepts provide a way to focus the legislation on the technology sector. These definitions all rely on general economic conditions such two-sided platforms with strong network effects and high switching costs that limit the normal forces of competition. Such definitions are entirely appropriate as a way to delineate when additional efforts are needed to promote competition. But platforms with strong network effects are everywhere in the economy. As a result, these definitions are overly broad attempts to define a business sector.

The article does not attempt to define the technology sector, since technology is not a specific line of business. Instead of trying to define the coverage of the new law as the technology sector or as digital platforms, the proposed new law would specify the lines of business covered by the enhanced privacy requirements. The article suggests social media, search, video platforms, and electronic marketplaces as business sectors to be covered, given the centrality of these services to contemporary life and the persistent failure of competition in their markets. In the article the...