Privacy Regulation and Innovation Policy.

• Author: Lev-Aretz, Yafit

Table of Contents I. Introduction II. Framing the Analysis of Privacy Regulation and Innovation A. Information Privacy Regulation as Regulation of Personal Information Flow B. How Businesses Collect Personal Information C. Market Innovation in Personal Information-Based Products and Services D. Regulation, Innovation and Market Incentives E. Prior Literature III. Personal Information & Misaligned Market Demand Signals A. Collective Action Problems in Responding to Externalities B. Distortions of Individual Preferences C. Aggregation Failures in Personal Information Markets IV. Failures of appropriability in Personal Information-Based Markets A. Intellectual Property-Related Failures of Appropriability in Personal Information-Based Markets B. High Entry Barriers in Personal Information-Based Markets C. Data Aggregation and Market Value D. Implications for Follow-on Innovation V. Designing Privacy Regulation with Innovation in Mind A. Information Privacy Regulation: Is the Game Worth the Candle? B. Privacy Regulation and Failures of Appropriability: Regulatory Design Considerations VI. Conclusion I. Introduction

The amount of personal information accumulated by companies has mushroomed in recent years, giving rise to calls for more stringent information privacy regulation. (1) In the EU, such calls led to the enactment of the General Data Protection Regulation (GDPR), which came into effect last year. (2) US lawmakers have tended to be more skeptical about regulation than their European counterparts, at least at the federal level. As a result, the question of whether and how to regulate the commercial collection and use of personal information continues to be hotly debated. (3) Nonetheless, while federal proposals remain stalled, some states and even cities are moving ahead with privacy regulation. (4)

Proposals for heightened privacy protections are routinely countered with general claims that privacy regulation will stifle socially valuable innovation. (5) This rhetoric is powerful and superficially convincing. It goes something like this:

The information economy is the lifeblood of US economic growth. Increasingly, it runs on personal information collected and aggregated by companies as they provide us with services. The use of this information has brought us many benefits and conveniences and is the mainstay of our most successful companies. Sure, each of us might, in principle, prefer not to have our own activities tracked, but do we really want to risk stalling out the engine of our innovative economy by imposing privacy regulations?

Sweeping claims about the dire ramifications of regulation for innovation, jobs, and economic competitiveness are certainly not new. (6) Ideological and political battles over regulation continue to play out, most notably over climate change. In most regulatory arenas, however, a substantial and nuanced discussion about precisely what and how to regulate competes for the floor and influences, even though it does not control, regulatory policy and design. (7) The debate about information privacy regulation, however, seems mostly stuck at the shouting match stage, despite the growing influence of personal data collection, aggregation and use in society and despite growing exposures of misuse such as the infamous Cambridge Analytica debacle. (8) The information privacy regulations now on the books worldwide, including the GDPR, are nearly all based primarily on a set of Fair Information Practices (FIPs) drafted in the late 1970s and early 1980s, (9) despite the introduction of new concepts such as "privacy by design." (10) With some notable exceptions, (11) the academic discourse on privacy also has not focused on regulatory specifics.

There are many possible reasons for this state of affairs, including the fact that the extent and nature of present-day information privacy issues are novel and evolving, and that various and competing values are in play. We believe, however, that at least part of the problem is that the threat of innovation stifling seems to hold particularly strong sway in the debate about information privacy regulation, casting a spell even over constituencies otherwise inclined to a pro-regulatory stance. This Article thus analyzes whether there is any basis to expect that privacy regulations pose a uniquely serious threat to innovation that justifies blanket opposition or requires special treatment.

We ground our analysis in previous work where we developed a framework for understanding the interplay between regulation and innovation. (12) We take as our starting point the classic economic view that regulation should be adopted when it can be reasonably expected to ameliorate market failures at sufficiently low cost, thereby improving social welfare. We combine that view with the standard economic incentive theory of innovation from intellectual property theory, a perspective that has been surprisingly absent from the debate about regulation and innovation.

Our framework is based on the observation that suppliers' incentives to pursue innovations in particular goods and services vary not only based on anticipated market demand for particular innovations, but also in the extent to which suppliers expect to be able to appropriate returns on investment in light of market competition. Thus, market demand and anticipated appropriability jointly influence the market's portfolio of innovative activities. Failures of market demand, such as externalities, collective action problems and information asymmetries, are classic justifications for regulation, which aims to re-align supplier incentives so that the market will produce a more socially desirable portfolio of goods and services. Environmental, consumer protection and health and safety regulations are justified by failures of market demand.

Market failures, however, are also endemic to the supply side, particularly where incentives for innovation are concerned. Goods and services vary in the extent to which suppliers can maintain market exclusivity and thus appropriate supracompetitive returns on investment. Suppliers have incentives to distort the market's portfolio of goods and services away from what the market would otherwise demand by shifting production toward those goods and services that allow them to appropriate higher market returns. These "appropriability failures" can materialize even in the face of demand signals that are perfectly aligned with social preferences. The well-known "free rider problem," which classically justifies intellectual property, is one sort of appropriability failure. Where it occurs, competitor "free riding" precludes innovators from recouping their innovation costs and thus tends to dampen incentives for innovation. Intellectual property law attempts to address this appropriability failure by using market exclusivity to provide innovators with a period of supra-competitive market returns. Competition law addresses different sorts of "appropriability failures" that favor early suppliers of particular goods and services.

The important point here is that, overall, the market's portfolio of goods, services, and innovative activities, is jointly elicited by suppliers' perceptions of market demand, which may be shaped by regulation, and their expectations about appropriability, which may be shaped by intellectual property and competition law. While the regulatory policy literature has addressed market demand failures and the intellectual property and competition law literatures have addressed failures of appropriability, the interplay between market demand failures and appropriability failures has been under-appreciated. As we have argued elsewhere, neglecting these interactions is of little consequence in the many innovation contexts where demand failures and appropriability failures are uncorrelated. In those contexts, designers of substantive regulation need not concern themselves with appropriability failures, which can be addressed independently by IP and competition law. (13) In general, well-designed regulation is likely to shift innovative activity into more socially desirable directions, rather than to reduce innovation overall. (14)

Notably, however, in some innovation contexts regulations designed to address demand failures can interact with appropriability failures to jointly affect suppliers' incentives to pursue particular innovative paths. Even in those contexts, however, there is no general stifling effect; depending on regulatory design, the interplay can either enhance or discourage innovation. (15)

This Article applies these insights to information privacy regulation, which is one important arena in which calls for regulation are often met with sweeping assertions that regulation will stifle innovation. We conclude that certain characteristics of personal information-based products and services suggest that some sorts of privacy regulation may interact with appropriability failures to affect innovation. Nonetheless, we find no reason to assume that any such effects on innovation must be "stifling." To the contrary, our analysis suggests that some privacy regulation designs might mitigate failures of appropriability, thereby enhancing innovation. We thus conclude that across-the-board assertions about the stifling effects of information privacy regulation on innovation are simply wrong. Worse, they distract from difficult and important questions of regulatory design. While information privacy regulation can affect the appropriability of innovative activity, those effects can be either dampening or salutary. In other words, well-designed privacy regulation has the potential to improve the extent to which the market produces a socially desirable portfolio of innovations.

In Part II, we define what we mean by information privacy regulation, distinguishing it from broader possible uses of the term. We next provide a similar discussion of our usage of the...