Bits of advice: how to regulate data access
Recent policy reports point towards differential access to data as a source of market power and a barrier to competition, especially (but not exclusively) in markets for digital services. One controversial policy solution currently being debated is mandated data-sharing. If this is the way forward, how should the regulation be designed? In this first article of a new series, we explore the merits and pitfalls of two classic regulatory approaches—rules-based and goals-based regulation—and what the best of both worlds might look like in the case of digital markets.
Governments and policymakers around the world are debating new regulatory proposals for the digital sector. One of the points of contention is whether the largest firms should provide access to their data, and if so, how. For instance, the EU’s Digital Markets Act (DMA) proposals include provisions that mandate large digital gatekeepers to give business users access to data about end-users. This is part of a wider regulatory trend towards opening up access to data, which started in banking and is spreading to other sectors.1 Implicit in the proposals is the conviction that, at present, there is an insufficient amount of data-sharing between businesses, undermining competition and competitiveness.
In this article, we consider: how should data access be regulated in light of traditional regulatory guiding principles and best practice? What are the merits and pitfalls of enforced data-sharing? And what policy recommendations can we draw from this?
Fundamentally, the policy objective of more data-sharing could be achieved through either rules-based or goals-based regulation. Generally, goals-based regulation mandates firms to meet certain objectives, but without detailing the exact process that must be followed. This gives firms much more flexibility in determining how to achieve the goals, taking into account the firms’ specific circumstances and opportunities. This contrasts with rules-based regulation, which specifies the procedures that must be followed in order for firms to comply with the regulation.
We explore whether and how a mix of these two approaches may provide the best of both worlds—for instance, by combining goals-based regulation with appropriate rules-based ‘safe harbours’—and consider in particular the market conditions of digital services markets.
There is an ongoing debate around digital platforms and their market power, which may originate from (among other things) the concentration of data that these platforms possess.2 Several prominent proposals have been put forward in an attempt to remedy such concerns.3
One such legislative proposal is the European Commission’s DMA.4 It intends to prevent large digital platforms from abusing their market power and to facilitate the entry of new competitors into the market. In essence, the DMA constitutes a list of obligations and prohibitions for firms that are designated as ‘gatekeepers’, with non-compliance resulting in fines of up to 10% of worldwide revenue. Many of these obligations relate to appropriate access being given to data.5 However, there is an ongoing debate as to the proportionality and effectiveness of these remedies,6 and the terms of access largely remain to be determined (as discussed in the box below).
The terms of data access
The DMA proposes that for firms designated as gatekeepers, access to data should be either on fair, reasonable and non-discriminatory (FRAND) terms, or on fair and non-discriminatory (FAND) terms, depending on the market.1
These terms are normally applied to products that are an important input for a downstream market, such as standard essential patents (SEPs) or wholesale access to the networks of telecoms firms with significant market power.2
However, providing access on FRAND terms can also limit the extent to which owners of the critical input are able to reap the rewards of their investment in acquiring or building the input, and also reduce the incentive for other firms in the market to invest in their own inputs.
Determining what ‘FRAND’ and ‘FAND’ mean in practice is the subject of extensive debate. In the case of SEPs, this often requires a comparable transaction to have taken place on market terms—something that may not fully exist in terms of access to data. In the case of wholesale access to a telecoms network, this would be based on a measure of costs (including the cost of capital), plus an allowance to compensate investors for the risks taken.3
Note: 1 European Commission (2020), ‘Proposal for a Regulation of the European Parliament and of the Council on contestable and fair markets in the digital sector (Digital Markets Act)’, December, Article 6.1(j). The DMA noticeably speaks specifically of ‘FAND’, rather than the much more conventional ‘FRAND’. However, the omission of ‘reasonable’ is likely to be semantic: in essence, both ‘fair’ and ‘reasonable’ capture the same principle of balancing potentially competing objectives or reference points. Indeed, in the USA, the same condition used to be referred to as ‘RAND’, omitting ‘fair’ rather than ‘reasonable’. See also Niels, G., Jenkins, H. and Kavanagh, J. (2016), Economics for Competition Lawyers, 2nd edition, Oxford University Press, para. 8.52. 2 An SEP is a patent that claims an invention that is required to comply with a technical standard. See: Shapiro, C. (2000), ‘Navigating the patent thicket: Cross licenses, patent pools, and standard setting’, in J. Lerner and S. Stern (eds.), Innovation Policy and the Economy, Volume 1, pp. 119–50. 3 See also Oxera (2021), ‘If data is so valuable, how much should you pay to access it?’, 26 February.
In the recent and widespread policy debate regarding the digital sector, one of the main points of contention is how best to improve competition by mandating some form of data-sharing.
The core argument is that because using consumer data for one purpose in most cases does not diminish its use for another purpose (i.e. it is non-rivalrous), sharing access to data may enable more firms to develop competitive products and services by removing bottlenecks, improving outcomes for consumers.
This is not only relevant in data-intensive sectors such as digital services or financial services (see the box below for a case study in the context of payments)—with the increasing adoption of artificial intelligence and the Internet of Things, both the supply of and demand for data are likely to grow even in sectors that were traditionally less data-intensive.7
Case study: the EU Revised Payment Services Directive (PSD2)
PSD2 came into force in the EU in January 2018. Its basic objective is to increase competition in the payments industry, including entry from non-banks, and to provide for a level playing field. This is pursued by harmonising consumer protection and the rights and obligations for payment providers and users.
Next to requiring strong customer authentication,1 one of the key provisions of PSD2 is to open access to bank account data to third-party banks and non-banks, removing the role of the customer’s bank as gatekeeper.2 In essence, PSD2 sets the standard for banks to release their data in a secure and standardised form—which would then become available to financial technology (‘fintech’) start-ups and larger technology players that could then offer innovative services around payments.3
PSD2 does this by requiring banks to allow third parties (which have been authorised by the relevant consumer) to access the consumer’s data and provide services to the consumer at no additional cost relative to what the bank would charge the consumer directly. In other words, where banks provide consumers their data for free, a third party acting on behalf of the consumer also receives the data for free.
Note: 1 ‘Strong customer authentication’ means an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data. See: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32015L2366. 2 McKinsey (2017), ‘Data sharing and open banking’, 5 September. 3 Support Centre for Data Sharing, ‘Intro to open banking and data sharing’, 22 April.
A lack of sufficient data access can also have direct implications for competition, and a shared concern of the recent regulatory proposals is that such data-sharing is not yet sufficiently widespread. For instance, data collection can exhibit economies of scope in cases where a dataset has multiple applications. In such cases, data gathered in one digital services market can be a valuable asset for entering other digital services markets, especially if there are overlapping consumers.8 A lack of sufficient data access can therefore maintain a degree of market power in the business that collects the data.
On the other hand, the benefits from access to data can only be reaped if there are sufficient incentives to collect the data in the first place, implying that the terms under which data access is regulated are of crucial importance. For instance, research by Andrei Hagiu (Associate Professor of Information Systems at Boston University) and Julian Wright (Oxera Associate and Professor of Economics at the National University of Singapore) shows how mandated data-sharing policies risk reducing the incentives of both incumbents and new entrants to collect data. In particular, incumbents will have a reduced ability to appropriate the gains from their investment in data collection, and challengers have a reduced incentive to compete to attract customers and collect data in the first place—as they anticipate the possibility of obtaining data via mandated data-sharing instead.9
In light of the pros and cons of data-sharing, we assess below what form regulation intended to ensure data access could or should take.
The case for goals-based regulation
The key characteristic of goals-based regulation is that unlike rules-based regulation, it focuses on meeting objectives without detailing the process that must be followed by firms.
For instance, rather than imposing a particular speed limit, a goals-based regulation would require drivers to drive in a manner that is ‘reasonable and prudent’.10
Goals-based regulation can force a regulated firm to consider the consequences of compliance decisions more carefully, rather than simply following a prescribed course of action. This has two key positive effects. First, it can prevent attempts to circumvent the regulation through technical loopholes (especially in more complex settings). Even where exploiting such loopholes is legally compliant, it risks rendering the regulation ineffective.
The risk of technical loopholes being left open is likely to be especially high in digital markets, where any rules-based regulation is bound to be complex in order to account for the fast-moving nature of data-intensive sectors and a multitude of risks having to be prevented.11
As for the second key positive effect, the flexibility afforded to firms under goals-based regulation to set out how best to satisfy a regulatory objective incentivises firms to innovate in how the regulatory objective is achieved. If firms and their management are better placed than regulators to determine what modifications are required to their business to achieve a given regulatory objective, goals-based regulation is more efficient than direct access regulation.12
One example of such a goals-based approach (although with significant rules-based elements) is UK regulation of financial services providers. The goal is to treat customers fairly, with the burden being on firms to show how they intend to do so.13 The approach is supported, however, by rules in particular high-risk environments.
Although goals-based regulation can be desirable, there are some aspects of rules-based regulation that are preferable. We outline these in the next section.
The case for rules-based regulation
Whereas the main advantage of goals-based regulation is its flexibility, the main advantage of rules-based regulation is its predictability.14 This can have a number of positive effects.
First, rules-based regulation can prevent harm from arising, as the regulator can immediately assess whether firms are compliant, providing legal certainty to firms. Conversely, goals-based regulation can mean that the regulator only intervenes after the goal was not achieved, and harm may have already arisen.
Second, rules-based regulation creates a more equal playing field by imposing uniformity in how firms comply. A benefit of goals-based regulation is that competing firms may come to different and innovative conclusions on how to best meet the objective. However, this ‘competition on compliance’ may actually involve a cost that is (relatively) larger for smaller firms than for larger firms. Moreover, this cost difference may even be larger than under a much simpler rules-based approach. As such, small businesses in particular often do not welcome goals-based regulations.15
This raises the question: which principle should be pursued in the case of regulation for increased access to data? Should we set goals and let firms decide for themselves how to meet those, or should we impose rules to ensure certainty and consistency?
Getting the best of both worlds
Overall, firms and consumers are likely to benefit from data access regulation that takes the best of both regulatory frameworks. One way in which both types can be combined is through accompanying binding outcomes with non-binding guidelines and ‘safe harbours’—allowing those who wish to be innovative in compliance to do so, whereas those who consider this too costly or uncertain can follow the rules set out in the guidelines. This can prevent the risk of unintended consequences as a result of indiscriminately putting many obligations on digital services providers.16
In essence, safe harbours are a tool for the regulator to allow firms to self-select the appropriate type of regulation (more goals-based, or more rules-based) while ensuring that policy objectives are achieved. An example of a safe harbour in the context of dark patterns is provided in the box below.
Safe harbour: dark patterns and the Deceptive Experiences to Online Users Reduction (DETOUR) Act
There appears to be a growing concern that online interface designs are used to steer users in ways that benefit the online service, but may be unintended or even harmful to the users themselves—for instance, by pre-selecting choices, or highlighting or hiding certain options. Such deceptive online interface designs are called ‘dark patterns’.1
With the aim of reducing dark patterns, the DETOUR Act was introduced in the USA in 2019.2 The Act intends to make it unlawful for online services with more than 100m monthly users to design a user interface with the intention or effect of impairing user autonomy or decision-making.
In light of potential difficulties in identifying such user interfaces, a safe harbour was included for firms engaging in conduct that establishes ‘default settings that provide enhanced privacy protections to users or otherwise enhance their autonomy and decision-making ability’. Such a safe harbour is essentially rules-based: changing the default setting to the most privacy-friendly option provided is clearly defined, and compliance does not depend on the outcome (i.e. whether users actually decide for the privacy-friendly option).
We further examine the issues regarding dark patterns in the next article in this series.
Note: 1 Stigler Center (2019), ‘Stigler Committee on Digital Platforms: Final Report’, September; OECD (2021), ‘Roundtable on Dark Commercial Patterns Online’, 19 February; FTC (2021), ‘Bringing Dark Patterns to Light: An FTC Workshop’, 29 April. For more on dark patterns, see also https://www.darkpatterns.org. 2 DETOUR Act, S. 1084, 116th Congress, (2019).
Below, we identify two main considerations that determine whether—in digital services markets—goals-based or rules-based regulation is preferable to achieve the regulatory objective of increased data access being granted to firms, taking as given that some form of data access regulation will be implemented.
The first key consideration is that digital services markets are fast-moving and inherently complex. For instance, the EU’s Digital Services Act (DSA) considers that the ‘rapid and widespread development of digital services has been at the heart of the digital changes that impact our lives’,17 while the DMA considers that at least part of the opacity of online advertising services markets is linked to ‘the sheer complexity of modern day programmatic advertising’.18 An implication of these factors is that it can be hard for regulators to keep up, with rules-based regulation running the risk of quickly becoming outdated.
The second key consideration is that the regulation appears to be aimed at a small number of large firms that have overlapping but generally different business models, as competition in digital services markets is mainly characterised by a small number of firms that provide tightly integrated ‘ecosystems’ of services. Because each of these firms is active in some—but not all—of the separate services, rules-based regulation is at risk of failing to take these complexities into account.
The two main traditional approaches to regulation in the context of data access regulation—rules-based or goals-based—have advantages and disadvantages, with a mix of the two often being preferable. Overall, the market conditions in digital services markets imply that goals-based regulation is likely to be better suited to achieving the stated goal of increased competition in digital services markets through more data-sharing, among other things, due to the sector’s fast-moving nature and complexity.
However, this is not to say that the advantages of rules-based regulation should be disregarded in designing data access regulation—rules-based safe harbours and non-binding guidelines remain useful tools to ensure that those who consider innovative approaches to compliance too costly or uncertain are not deterred from participating in the market.
2 See, for instance, European Commission (2019), ‘Competition policy for the digital era: Final report’; HM Treasury (2019), ‘Unlocking digital competition: Report of the Digital Competition Expert Panel’, March; Stigler Center (2019), ‘Stigler Committee on Digital Platforms: Final Report’, September.
3 In addition to the DMA, the European Commission has put forward other legislative proposals relating to how data is used by firms, such as the Digital Services Act (DSA) and the Data Governance Act (DGA).
5 See articles 6(g), 6(h), 6(i), and 6(j) of the DMA.
9 Hagiu, A. and Wright, J. (2020), ‘Data-enabled learning, network effects and competitive advantage’, working paper; Hagiu, A. and Wright, J. (2020), ‘When data creates competitive advantage’, Harvard Business Review, 98:1, pp. 94–101. See also Oxera (2021), ‘Data-enabled learning: policy implications’, Agenda, 13 April.
10 This approach has been used in the US State of Montana in 1995, where the regulator implemented a ‘basic rule’ of ‘reasonable and prudent’ daytime driving in place of the speed limit. This rule was in place until 1998, after which a rules-based speed limit was reintroduced. The reintroduction was in part because the Montana Supreme Court invalidated the ‘basic rule’.
Dr Timo Klein, Senior Consultant