Marshall Van Alstyne
Professor, Boston University
Digital Fellow, Stanford Digital Economy Lab
Professor, Dartmouth College
Digital Fellow, Stanford Digital Economy Lab
Research Fellow, MIT
Research Fellow, Bruegel
Digital Fellow, Stanford Digital Economy Lab
Originally published in Communications of the ACM
If we are to hold platforms accountable for our digital welfare, what data rights should individuals and firms exercise? Platforms’ central power stems from their use of our data so what would we want to know about what they know about us? Perhaps a reallocation of rights will rebalance the right allocation. To date, the General Data Privacy Regulation (GDPR in the E.U.) and California Consumer Protection Act (CCPA in the U.S.) grant privacy rights to individuals, including the right to know what others know about them and to control data gathering, deletion, and third-party use. Legislation also includes data portability rights, an individual right to download copies from and upload copies to destinations of one’s choosing as protections for individuals. Neither yet covers businesses. The proposed Digital Markets Act (DMA) takes a step in that direction. The theory is that privacy empowers individuals to control what is gathered and who sees it; portability permits analysis and creates competition. By moving our data to portals that would share more value in return, we might capture more of our data value. After all, that data concerns us.
Data portability sounds good in theory—number portability improved telephony1—but this theory has its flaws.
Context: The value of data depends on context. Removing data from that context removes value. A portability exercise by experts at the ProgrammableWeb succeeded in downloading basic Facebook data but failed on a re-upload.2 Individual posts shed the prompts that preceded them and the replies that followed them. After all, that data concerns others.
Stagnation: Without a flow of updates, a captured stock depreciates. Data must be refreshed to stay current, and potential users must see those data updates to stay informed.
Impotence: Facts removed from their place of residence become less actionable. We cannot use them to make a purchase when removed from their markets or reach a friend when they are removed from their social networks. Data must be reconnected to be reanimated.
Market Failure: Innovation is slowed. Consider how markets for business analytics and B2B services develop. Lacking complete context, third parties can only offer incomplete benchmarking and analysis. Platforms that do offer market overview services can charge monopoly prices because they have context that partners and competitors do not.
Moral Hazard: Proposed laws seek to give merchants data portability rights but these entail a problem that competition authorities have not anticipated. Regulators seek to help merchants “multihome,” to affiliate with more than one platform. Merchants can take their earned ratings from one platform to another and foster competition. But, when a merchant gains control over its ratings data, magically, low reviews can disappear! Consumers fraudulently edited their personal records under early U.K. open banking rules.3 With data editing capability, either side can increase fraud, surely not the goal of data portability.
Evidence suggests that following GDPR, E.U. ad effectiveness fell,4 E.U. Web revenues fell,5 investment in E.U. startups fell,6 the stock and flow of apps available in the E.U. fell,7 while Google and Facebook, who already had user data, gained rather than lost market share8 as small firms faced new hurdles the incumbents managed to avoid. To date, the results are far from regulators’ intentions.
We propose a new in situ data right for individuals and firms, and a new theory of benefits. Rather than take data from the platform, or ex situ as portability implies, let us grant users the right to use their data in the location where it resides. Bring the algorithms to the data instead of bringing the data to the algorithms. Users determine when and under what conditions third parties access their in situ data in exchange for new kinds of benefits. Users can revoke access at any time and third parties must respect that. This patches and repairs the portability problems.
First, all data retains context. Prompts and replies provided by friends and family, sellers and strangers, remain intact. Yet, privacy could even improve relative to portability if data never leaves the system. Third parties need not receive anyone’s personal data. By moving the algorithm to the data, not the data to the algorithm, analysis can proceed on masked data that shields identities and details. Encryption can capture context benefits without incurring privacy costs. Second, data retains freshness. All data—all stocks and all flows—is present and current. Third, data retains potency. We can use in situ data to make a purchase, place a post, or receive a benefit. We do not need to reconnect to reanimate. Fourth, merchants can pool their in situ data and context as they wish, facilitating benchmarking and analytics. Context sharing reduces monopoly hold up of business services. Fifth, merchants and consumers cannot selectively edit unflattering facts and raise the risk for others.
Three Stanford Digital Fellows discuss the EU Digital Markets Act, legislation that seeks to reign in power of big tech companies like Amazon, Apple, and Google.
In situ data rights empower users to invite competition on top of the infrastructures where they already have relationships. Amazon might compete on top of Facebook to recommend books based on one’s friends. Facebook might compete on top of Amazon to recommend friend groups based on one’s readings. A startup could offer new apps and services of benefit to users without the threat of monopoly hold up by the platform itself. Competition to create value follows in a manner that other data rights have yet to enable. Open banking legislation has implemented one small step toward an in situ data right. Laws such as the E.U. Payment Services Directive II (PSD2) and the U.K.’s Open Banking Implementation Entity (OBIE) oblige banks to open access to their competitors for payment initiation services. Rather than an obligation of firms in only one sector, this should be a right of persons and firms across all sectors. This seems to work. Innovation and entry rose while fees fell in the financial sector in the E.U. and U.K. after open banking.9 With in situ rights, gains could happen in other sectors too.
A startup’s ability to offer new apps and services not approved by the platform opens critical benefits like rebalancing oversight. In situ rights would enable price and quality comparisons, and foster competition that platforms have tried to prevent.10 Why should platforms know everything about us, but refuse us basic knowledge about them? Have they influenced elections?11 Reduced vaccinations?12 Aided insurrection? Abetted balkanization?13 Research teams received user permission to track exposure to ads, misinformation and inducements to share photos with more skin.14 Facebook shut down access, claiming this exposed advertisers’ data. Facebook persisted in denying users insights from third party access the users had themselves invited, despite a scolding from the Federal Trade Commission. Social media platforms disseminate false statements of politicians on the basis that “users should decide,” yet refuse to share the context within which those decisions are to be made. Third party certification services could now identify fake news the platforms continue to spread. Should we not have the right to analyze data platforms push upon us? In situ data rights would give us that capability.
The authors express their gratitude for useful feedback provided by Guntram Wolff and the Communications Viewpoints editorial board.
1 Shin, D. H. (2007). A study of mobile number portability effects in the United States. Telematics and Informatics, 24(1), 1-14.
2 Berlind, D. (2017), “How Facebook Makes it Nearly Impossible for You to Quit”. See: https://www.programmableweb.com/api-university/how-facebook-makes-it-nearly-impossible-you-to-quit
3 Zachariadis, M. (2020) “Data-sharing Frameworks in Financial Services” Global Risk Institute; August.
4 Lefrere, V., Warberg, L., Cheyre, C., Marotta, V., & Acquisti, A. (2020, December). The impact of the GDPR on content providers. In The 2020 Workshop on the Economics of Information Security.
5 Goldberg, S., Johnson, G., & Shriver, S. (2019). Regulating privacy online: The early impact of the GDPR on European web traffic & e-commerce outcomes. Available at SSRN 3421731.
6 Jia, J., Jin, G. Z., & Wagman, L. (2021). The Short-Run Effects of the General Data Protection Regulation on Technology Venture Investment. Marketing Science.
7 Janssen, R., Kesler, R., Kummer, M., & Waldfogel, J. (2021). GDPR and the Lost Generation of Innovative Apps. NBER Conference on the Economics of Digitization https://conference.nber.org/conf_papers/f146409/f146409.pdf
8 Prasad, A., & Perez, D. R. (2020). The Effects of GDPR on the Digital Economy: Evidence from the Literature. Informatization Policy, 27(3), 3-18.
9 Zachariadis, M., & Ozcan, P. (2017). The API economy and digital transformation in financial services: The case of open banking. SWIFT Institute Working Paper 2016-001. https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2975199
11 Ward, Alex (December 17, 2018). “4 main takeaways from new reports on Russia’s 2016 election interference“; Vox.
12 Ghaffary, S. & Heilweil, R. (July 22, 2021) “A new bill would hold Facebook responsible for Covid-19 vaccine misinformation,” Vox. https://www.vox.com/recode/2021/7/22/22588829/amy-klobuchar-health-misinformation-act-section-230-covid-19-facebook-twitter-youtube-social-media
13 Van Alstyne, M., & Brynjolfsson, E. (1996). Electronic Communities: Global Village or Cyberbalkans?. In Proc. International Conference on Information Systems (pp. 80-98).
14 Dwoskin, E., C. Zakrzewski & T. Pager “Only Facebook knows the extent of its misinformation problem. And it’s not sharing, even with the White House,” Washington Post, Aug 19, 2021. https://www.washingtonpost.com/technology/2021/08/19/facebook-data-sharing-struggle/