Congress is trying to implement long-awaited consumer privacy reforms, but the latest iteration risks endangering competition and deepening power disparities within the market.
Last month, the House Energy and Commerce Committee voted (53-2) to advance the American Data Privacy and Protection Act (ADPPA), a bipartisan bill aimed at how companies handle consumer data and personal information. The proposed legislation will regulate a broad array of industries — any individual or entity subject to the FTC Act, in addition to common carriers and nonprofits. The goal is to create a uniform, comprehensive federal privacy framework that preempts existing state laws and functions similarly to the rules promulgated in the European Union.
Yet, the EU’s General Data Protection Regulation (GDPR) should be a warning, not a model for U.S. data privacy legislation, given its harmful effects on competition and innovation. Legal experts and scholars have noted that the “price of data protection… was much higher than previously recognized.”
There is a clear lesson from the GDPR: Well-meaning privacy laws can have the unintended consequence of penalizing smaller companies within technology markets. The Federal Trade Commission, the agency tasked with enforcing the ADPPA, is well aware of these potential dangers. In 2018, a few months after the GDPR was enacted, the FTC held a hearing to discuss its potential impact on innovation and competition. During the hearing, Professor Renato Nazzini noted there was “no doubt” that “privacy regulation may have a negative impact on competition” by creating an uneven playing field that favors certain companies over others.
In 2020, professors Garrett Johnson and Scott Shriver reiterated this concern after analyzing data on web technology vendors. The week after the law went into effect, “website use of web technology vendors for EU users [fell] by 15%. Websites [were] more likely to drop smaller vendors, which increase[d] the relative concentration of the vendor market by 17%.” The professors concluded that “the GDPR had the unintended consequence of increasing the industry’s relative concentration [and that] relative concentration increases in the top web technology vendor categories that represent most of the industry.”
In other words, privacy legislation inadvertently benefits market incumbents, increasing their power relative to competitors. It makes sense, given that they have more resources to comply with onerous government regulations.
Congressmen, especially the dozens who supported antitrust reform last summer, should be cautious about how bills like the GDPR can dampen competition. Such legislation holds no promise for increased innovation or gains in efficiency. In fact, it actually worsens conditions for innovation and new market entrants.
A recent paper published by the National Bureau of Economic Research found that the GDPR hindered the ability of new companies to enter the market, thereby creating a “lost generation of apps.” Using data collected from the Google Play Store, the study found that “GDPR precipitated the exit of over a third of available apps… and following its enactment, the rate of new entry fell by 47.2 percent.” For consumers, this is unrealized potential, unseen innovation that could have been superior and more affordable than existing offerings. The authors concluded that “whatever the privacy benefits of GDPR, they come at substantial costs in foregone innovation.”
As the conversation surrounding the ADPPA continues, lawmakers should thoughtfully consider the lessons learned from across the pond. Ultimately, the GDPR inadvertently punished smaller firms that lack the resources to comply with the law. The ADDPA, while substantially different in many of its provisions, retains the same risk of creating market distortions and hurting consumers.