The tension between tech competition and regulating privacy

Commentary


Regulators targeting big tech may face an even thornier problem as sweeping new regulations start to undermine each other.

Governments on both sides of the Atlantic have left little doubt of their intent to regulate large technology firms. European and U.S. authorities have multiple ongoing antitrust suits and other regulatory actions against a now-familiar list of corporations featuring Amazon, Google, Meta, Apple, and Microsoft.

High on the list of regulators’ stated goals in many of these actions is a level playing field for smaller firms and new entrants to compete with those now labeled ‘giants.’ Many of the direct means to achieve that goal employed in both the U.S. and Europe, such as recent antitrust actions, are dubious and hotly debated. 

But regulators targeting big tech may face an even thornier problem. With ambitious plans aimed at reducing market power, promoting entry, protecting children, safeguarding user privacy, and curbing misinformation–to name only a partial list–sweeping new regulations may undermine each other.

An example of consumer protection regulation potentially at odds with regulators’ competition-policy goals noted above comes in the debate over user privacy. Europe’s 2018 General Data Protection Regulation (GDPR) was primarily focused on rules governing privacy and control over data. But reflecting the distrust of big tech and the goal of regulators to facilitate smaller competitors, advocates of GDPR at the European Commission found ways to argue that “new Regulation will remove barriers to market entry – a factor of particular importance to small and medium-sized enterprises.”

The commission argued that GDPR would enhance Europe’s attractiveness as a business location. They believed that consent-based privacy regulation (where individuals have to give explicit consent before their data can be used elsewhere) would encourage firms to offer a more extensive array of services and reduce restrictions on data flows between companies. 

The reality is much more complex. While regulatory uncertainty on privacy remains an issue in other jurisdictions, GDPR may have favored large, established companies rather than the “small and medium” firms to which early advocates gave lip service.

Early research into this question suggested the one-time consent approach employed by GDPR might disproportionately benefit large companies offering a more extensive scope of services and therefore visited by users more frequently. The reason lies in the transaction costs imposed by privacy consent requirements. Such one-time transaction costs fall disproportionately on smaller firms that provide fewer products and services. 

The empirical evidence of this consequence has become more pronounced since the GDPR’s implementation. A recent study published in the Journal of Economics and Management found that market concentration among ISPs (Internet Service Providers) increased by 17% in aggregate just a week after the GDPR was introduced. The research showed that large firms like Google and Facebook, whose web technology offerings drive increased concentration, have been further entrenched in the market. This is because websites are likely to drop smaller vendors that are less likely to be robustly compliant with regulations in the short term. 

In a different research effort, a group of international scholars found that Google’s market share increased slightly after the GDPR was introduced. The authors consider it likely that although GDPR was costly for Google, those costs were lower in relative terms than they were for smaller competitors, meaning that, “some firms—and most strikingly Google—lose relatively less such that their market shares increase after the GDPR.”

The above research supports our previous analysis, which showed that smaller firms are having a harder time dealing with the burdensome requirements of GDPR, making competition in the industry even more difficult for startups.

Expect this tension, between regulatory goals on privacy and data on the one hand and competition authorities’ fervor to strike back at big tech on the other, to play out more directly in the U.S. soon. The California Consumer Privacy Act (CCPA), following on the heels of GDPR, likely finds many supporters in common with current FTC and DOJ antitrust battles with Amazon and Google, respectively.

Those reflexively favoring most or all current efforts against big tech should consider what their top priorities truly are. This tension between privacy rules and barriers to entry is likely the tip of the iceberg when it comes to unintended conflicting outcomes of ambitious tech regulations. As multiple agencies, from the U.S. and its states to Brussels and its member nations, fight onward with a list of goals that continues to grow, the regulatory-compliance outlook for tech companies continues to become more complicated and expensive.

Lawmakers and officials in the U.S. should carefully watch the impact of GDPR in Europe in order to critically evaluate the real-world implications of privacy laws and their potential to undermine other stated goals such as competition. A reevaluation of the current approach is essential to prevent further imbalances and ensure that regulations serve their intended purpose.