FTC Hearings on Competition and Consumer Protection in the 21st Century

Submission to Federal Trade Commission

August 13, 2018

Competition and Consumer Protection in the 21^st Century Hearings, Project Number P181201
Federal Trade Commission, Office of the Secretary
600 Pennsylvania Avenue, NW
Suite CC-5610 (Annex C)
Washington, DC
20580

Re: Submission on Hearings on Competition and Consumer Protection in the 21^st Century

The Office of the Privacy Commissioner of Canada (“OPC”) welcomes the opportunity to provide a submission to the Federal Trade Commission (“FTC”) in relation to its Hearings on Competition and Consumer Protection in the 21^st Century and specifically on the intersection between privacy, big data and competition.

The FTC announcement identifies a number of issues and questions that are of direct interest to our Office, and we appreciate the opportunity to share our views on these matters.

The intersection between privacy, big data, and competition

The scale and pace of technological advances and their application to consumer products and services are placing significant strain on the ability of individuals to protect their privacy. Innovation in the areas of data analytics, artificial intelligence, Big Data and the Internet of Things raises novel and highly complex privacy risks realized through expanded data uses and the creation of new business models.

Recognizing these technologies are necessary for economic growth and to improve consumer services, they must be used in a manner that respects the privacy of individuals. People want both – consumer value and privacy protection.

While privacy and competition law analyses are distinct from a regulatory perspective, they do share common challenges for how technologies such as Big Data factor into their respective applications. This has already led to greater collaboration and/or awareness among regulators. For example, “Freemium” business models and companies that use personal information are challenging how businesses address both privacy and consumer protection obligations. This new environment has implications for a number of different regulators across disciplines.

Global Efforts to Understand the Intersection of Privacy, Consumer Protection and Competition

Our Office has taken note of the increasing global interest with respect to discussions about the intersections between privacy, consumer protection and competition. This global interest is evidenced by collaborative efforts within international regulator forums that have arisen organically to better understand and map out these intersections.

We believe these are worthwhile endevaours. As personal information becomes an often necessary input in digital economy business models, privacy and data protection are increasingly material factors of consideration for consumers when making purchasing decisions. As a result, there is a growing focus on the intersection of consumer protection and privacy issues to support innovation, consumer protection, privacy rights, and trust in the digital economy.

For example, the International Conference of Data Protection and Privacy Commissioners (“ICDPPC”) passed a resolution in 2017 on the Collaboration between Data Protection Authorities and Consumer Protection Authorities for Better Protection of Citizens and Consumers in the Digital Economy.^{Footnote 1} As part of this resolution, an international working group of regulators (including the FTC and the OPC) was established to explore international collaboration between Data Protection Authorities and Consumer Protection Authorities with the aim of securing better data protection outcomes for citizens and consumers by identifyng areas of opportunity for effective cooperation.

Preceding the above, with its first meeting in May 2017, the Digital Clearing House network (“DCH”) spans regulatory spheres in bringing together agencies from the areas of competition, consumer and data protection with the goal of sharing information and exploring how best to enforce rules in the interests of the individual.^{Footnote 2}

Finally, limited to the realms of consumer protection and privacy, a linkage has been leveraged between the International Consumer Protection and Enforcement Network (ICPEN)^{Footnote 3} and the Global Privacy Enforcement Network (GPEN).^{Footnote 4} To this end, GPEN has been granted observer status with ICPEN and the two networks have established a formal cross-network link. This has led to collaborative activities including a presentation by a GPEN representative at the 2016 Munich ICPEN meeting on the subject of “the practicalities of working together as enforcement authorities and networks, on matters spanning privacy and consumer protection.” This presentation included a case study of the Ashley Madison Breach investigation which revealed both privacy and consumer protection contraventions (carried out jointly by the OPC, Australian OAIC and the FTC).

The implications associated with the use of algorithmic decision tools, artificial intelligence, and predictive analytics

Consumer choice, as driven by disruptive innovation, can be a positive thing in respect to driving competition through the emergence of new and competitive markets.

The Financial Technology (“FinTech”) sector is an excellent example of an emergent market which is attracting regulatory interest in such a context.

The scale, importance and complexity of this arena cannot be underestimated. Emergent technologies are by their very nature complex and dynamic, and whilst the end product delivered to the user may appear simple in both its application and ease of use – the supporting algorithms and associated proliferation of data sitting behind many popular web-based applications are unlikely to be fully understood by the majority of consumers.

From a privacy perspective, these issues are relevant as they play a central role when contemplating valid consent and how informed individuals are concerned about what is happening to their personal information. The Internet of Things, for example, already involves the seemingly invisible sharing of information amongst interconnected devices. Advances in artificial intelligence and predictive analytics push business practices such as algorithmic transparency further to the background, which raises questions of how informed and aware individuals are about these practices and whether they have the information and ability to meaningfully exert their desired control choices.

It is the opacity of data usage in innovations such as those noted above that have contributed to the OPC’s adjustment in balance towards more proactive compliance and promotion efforts. This includes the launch of a Business Advisory Directorate, whose activities include engaging with organizations to address privacy issues with new programs and initiatives before they are launched.

Tools to deter unfair and deceptive conduct related to privacy and data security

Our Office recently worked collaboratively with both the FTC and the Australian Privacy Commissioner on the joint investigation into Ashley Madison.^{Footnote 5} While the Ashley Madison case was initially identified as a breach of security safeguards matter (which is a privacy issue), our investigation also uncovered that the company was marketing privacy and security in a deceptive manner. Fabricated trustmarks of the type used on the Ashley Madison website (in the form of bogus “Security Awards”) are not uncommon in online misleading advertising cases, and this issue (misleading trustmarks) has been recognized by many consumer protection or competition authorities. To the extent that it has transcended into the privacy realm, it is illustrative of how organizations are increasingly aware that ‘privacy’ and ‘security’ considerations have become material to consumers’ purchasing decisions and can be marketed as such. In short, privacy matters more than ever to consumers, and businesses are taking note.

A feature of consumer protection, the concept of ‘deception’ is also being increasingly referenced in the OPC’s investigative outcomes. To that end, the Personal Information Protection and Electronic Documents Act (PIPEDA) specifically references ‘deception’ under the principles of ‘Consent’ and ‘Limiting Collection’, stating that consent shall not be obtained through deception. For Privacy authorities, the inclusion of deception provisions represents a potential tool that in certain circumstances may allow a regulator to address a traditional consumer protection issue where it also represents a privacy issue. Contraventions under PIPEDA based on deception have been found in the Ashley Madison (2016) and Aaron’s Spyware (2013) investigations, both of which, benefited from the assistance of the FTC.

The above also illustrates a second important tool – collaboration. As stated by Commissioner Therrien: “In the digital age, privacy issues can impact millions of people around the world. It’s imperative that regulators work together across borders to ensure that the privacy rights of individuals are respected no matter where they live”.

To the extent that privacy authorities have the ability to collaborate and share information with regulators that have a consumer protection mandate, it advances the ability to address matters spanning both consumer protection and privacy issues. Our joint investigation with the FTC on Ashley Madison was made possible through the APEC Cross-Border Enforcement Arrangement. That said, the OPC does not have similar information sharing arrangements with other purely consumer protection authorities, including the Competition Bureau of Canada (aside for sharing pursuant to the Canada’s Anti-Spam Legislation).

Information sharing instruments between privacy authorities and consumer protection authorities would represent a key tool to address matters where privacy and consumer protection intersect. For example, the Norwegian data protection authority and Norwegian consumer protection authority have worked collaboratively to address issues arising in ‘smart watch’ cases.^{Footnote 6} Furthermore, in 2016, the Dutch data protection authority and Dutch consumer protection and competition authority concluded a collaboration agreement to address matters within their respective competencies that may intersect.^{Footnote 7}

In short, being able to develop and identify further collaborative tools amongst data protection and consumer protection authorities is an important first step towards deterrence. This is also in line with the commitments outlined in the ICDPPC Resolution on the Collaboration between Data Protection Authorities and Consumer Protection Authorities for Better Protection of Citizens and Consumers in the Digital Economy.

We also note that consumers need to be protected from bad actors as well as illegal conduct by organizations that are generally responsible but sometimes cross the line. Stronger enforcement can serve as an incentive for corporate executives to focus the mind and invest in privacy. Our Office has heard from stakeholders that companies will put their compliance resources where the biggest risk lies. To this end, companies are more likely to listen to authorities that have strong enforcement powers – including those to impose sanctions or fines. The fact that the FTC regularly imposes financial sanctions in the millions of dollars in support of deterring unfair and deceptive conduct does not seem to have dampened innovation in the United States.

The state of antitrust and consumer protection law and enforcement

Authorities’ minds have also recently turned to the question of a growing intersection between privacy and antitrust matters.

As suggested by Giovanni Buttarelli, the European Data Protection Supervisor, we may soon face what he called “a perfect storm of excessive market power, informational asymmetry and unaccountable algorithms. If a person has in effect only one choice of service provider in a digital market, then they are inevitably in a weak position to negotiate better quality of freedom of expression and privacy.”^{Footnote 8}

As companies with large amounts of personal data consolidate, privacy issues may intersect with competition issues considered in merger reviews. Additionally, as online companies grow in influence due to their vast stores of valuable consumer information, privacy issues are intersecting with the traditional competition issue of “abuse of a dominant position.”

While the policy goals behind antitrust and privacy laws may be different, they are both areas where privacy and personal information are increasingly being explored as part of the enforcement and oversight activities. Along with consumer protection laws, the state of enforcement of all of these three (3) areas are being explored to review how the laws – or the enforcement actions – may need to adapt or evolve in the face of changing technologies influencing business models.

In this context, we again reference the development of the Digital Clearing House, an informal network of regulators in the areas of privacy, consumer protection and antitrust. The first task of authorities in this forum is to better understand the dynamics of these intersections, in order to chart a course on how best to address these issues to the benefit of consumers.

The growing interest in antitrust and privacy is a worthwhile and timely discussion, especially given the changes in how emerging technologies are influencing business models in the digital economy. The more competition and privacy enforcement authorities can collaborate and discuss issues of mutual interest, the stronger consumer protection frameworks can be developed to support innovation, consumer protection, and privacy rights.

Closing

While much of the discussion about the relationship between privacy and competition oversight is indeed nascent, it is an important first step in fostering a dialogue on the core challenges for enforcement authorities across the spectrum of consumer issues. The common challenge is to create an open, dynamic and innovative economy while at the same time building the foundational elements to foster trust and transparency.

We appreciate the FTC providing us the opportunity to provide these comments.

Best regards,