What the Biden Executive Order Means for Data Protection
Last week, President Biden signed an Executive Order on “Promoting Competition in the American Economy” (“the Order” or “the EO”), published together with an explanatory Fact Sheet. The Order outlines a sweeping agenda for a “whole of government” approach to enforcement of antitrust laws in nearly every sector of the economy. Although there is a focus on particular markets, such as agriculture and healthcare, the Order includes a number of provisions with clear implications for data protection and privacy.
In our view, the overarching theme of the Order is a concern with large platforms and the accumulation of data as an aspect of market dominance. This is an approach that aligns with growing developments in the European Union, and will have continued consequences for all sectors of the economy. In addition, the Order has implications for upcoming enforcement and privacy rulemaking at the Federal Trade Commission (FTC). Finally, we note a number of other federal agencies that are tasked with, or encouraged, to pursue particular goals that impact privacy or data protection. These include: drone privacy (DOT/FAA); studying the mobile app ecosystem (Dept. of Commerce); the right to repair (FTC, DoD); Net Neutrality (FCC); and financial data portability (CFPB).
Most of the Executive Order provisions do not have immediate effect for the collection of consumer data, but instead, call for federal agencies to study, take future action, incorporate the administration’s policy in procurement and enforcement decisions, or consider engaging in rulemaking to the extent of their statutory authority. Independent commissions, which do not report directly to the President, are “encouraged” to consider rulemaking and other actions.
(1) An Overall Focus on Accumulation of Data as Relevant to Market Dominance
Although the intersection of privacy and competition law has been discussed for many years, this Order represents an important development insofar as it explicitly frames data collection as a key aspect of market dominance. The Order specifically highlights the impact of serial mergers in the technology sector on user privacy, identifying privacy and competition among “free” products as factors that should be considered as part of the enhanced scrutiny of mergers. The Fact Sheet explains that this is particularly relevant in the case of “dominant internet platforms” and acquisition of nascent competitors.
The EO states in Section 1 the policy of the administration, which all federal agencies are required to follow, and independent commissions are encouraged to pursue:
“[It is] the policy of my Administration to enforce the antitrust laws to meet the challenges posed by new industries and technologies, including the rise of the dominant Internet platforms, especially as they stem from serial mergers, the acquisition of nascent competitors, the aggregation of data, unfair competition in attention markets, the surveillance of users, and the presence of network effects.”
This framing of privacy and data protection as core elements of competition aligns not only with growing movement in the United States, but also with clear trends in the European Union. In the United States, both the FTC and state Attorneys General have brought lawsuits in recent years against Facebook, as well as state Attorneys General against Google, for alleged violations of antitrust laws. Two such claims were recently dismissed, although they could be followed by further actions from the FTC.
In the EU, the European Data Protection Supervisor (EDPS) began pushing for EU competition policy to take into account accumulation of personal data and other privacy risks as early as March 2014, in his Preliminary Opinion on privacy and competitiveness in the age of big data. Since then, antitrust regulators in Europe have started to pay increased attention not only to the role of personal data in digital markets and anticompetitive behavior, but also to the role that personal data protection and privacy safeguards might play in sanctioning that behavior, or, on the contrary, in being a barrier to competition. Significantly, the German antitrust regulator, in 2019, relied on General Data Protection Regulation (GDPR) provisions to find an abuse of dominant position in a case against Facebook, prohibiting the company to combine user data from different sources. Those findings have been challenged in Court by Facebook and proceedings are ongoing.
A key development in Brussels is the legislative proposal for a Digital Markets Act – a draft regulation published by the European Commission last year that targets “gatekeepers”, or online intermediaries providing a “core platform service”. The DMA proposes a series of ex ante rules, including a prohibition to combine personal data from different sources in the absence of valid GDPR consent.
(2) Enforcement and Rulemaking Ahead for the Federal Trade Commission (FTC)
The Executive Order “encourages” the Chair of the FTC, as well as other agencies with authority to enforce the Clayton Act, to “enforce the antitrust laws fairly and vigorously,” including in oversight of mergers, but also in areas such as protecting workers from wage collusion or unfair non-compete clauses. In addition, the Chair of the FTC is “encouraged” to exercise the Commission’s statutory rulemaking authority in a number of specific areas to promote competition, including to address “unfair data collection and surveillance practices that may damage competition, consumer autonomy, and consumer privacy” and “unfair competition in major Internet marketplaces.” Sec. 5(h).
With respect to ongoing enforcement of antitrust laws, this language aligns with recent developments in the FTC, most significantly the appointment of antitrust expert Lina Khan as the Chair, who has already indicated that the FTC will take a greater role in antitrust cases. The FTC’s Bureau of Competition, working with the Bureau of Economics, enforces antitrust laws in the United States, including the Sherman Act (15 U.S.C. 1 et seq) and the Clayton Act (15 U.S.C. 12 et seq).
Earlier statements from the previous Acting Chair Rebecca Kelly-Slaughter have also indicated that the Commission would be focused on bringing more cases under the “unfairness” prong of Section 5 of the FTC Act, followed by the announcement of a new Rulemaking Group. This rulemaking, which is set to commence under “Magnuson-Moss Procedures,” is far slower than typical agency rulemaking, but could be used to promulgate federal rules on what types of data collection and use are “unfair” under the FTC Act. For example, the agency recently noted in an FTC staff blog that the sale or use of “racially biased algorithms” is unfair under Section 5 of FTC Act. Rulemaking could codify or further elaborate on this and other data collection issues.
(3) Other Agencies to Watch: Drones, Mobile Apps, Right to Repair, Net Neutrality, and Financial Data Portability
Consistent with the EO’s “whole-of-government” approach, the order outlines tasks and recommendations for a long list of other federal agencies, noting that each agency has the ability to influence market competition through both the procurement process and through rulemaking. Agencies that are under the direct control of the President (such as the Departments of Transportation or Defense) are expressly required to engage in particular tasks, such as conducting studies or commencing rulemaking. In contrast, independent federal agencies (such as the FTC, FCC, and CFPB) are “encouraged to consider” particular courses of action.
In order to help direct and coordinate the efforts of all agencies, the Order establishes a White House Competition Council in the Executive Office of the President, to monitor the implementation of the Order and to coordinate the government agencies’ response to “the rising power of large corporations in the economy.”
- Drone Privacy (DoT/FAA). The Department of Transportation “shall . . . ensure that the Department of Transportation takes action” with respect to “the emergence of new aerospace-based transportation technologies, such as low-altitude unmanned aircraft system deliveries, advanced air mobility, and high-altitude long endurance operations . . .”. Specifically, the action taken by the Department of Transportation should “facilitate innovation . . . while also ensuring safety, providing security and privacy, protecting the environment, and promoting equity.” Sec. 5(m).
- Mobile App Ecosystem Study (DoC). The Department of Commerce “shall” conduct a “study, including by conducting an open and transparent stakeholder consultation process, of the mobile app ecosystem.” The study, which must be conducted within 1 year in consultation with the Attorney General and the Chair of the FTC, and will conclude with a report submitted to the White House Competition Council on findings and recommendations for “improving competition, reducing barriers to entry, and maximizing user benefit with respect to the mobile app ecosystem.” Sec. 5(r).
- Right to Repair (FTC, DoD). In addition to the privacy issues described above, the FTC is encouraged to address in its rulemaking “unfair anticompetitive restrictions on third-party repair or self-repair of items, such as the restrictions . . . that prevent farmers from repairing their own equipment.” Sec. 5(h). A consumer protection issue that often runs parallel to many privacy and data protection debates, the “right to repair” has already been codified (twice) in Massachusetts, and was the subject of a recent FTC Report to Congress on Repair Restrictions. Similarly, the Department of Defense is tasked with submitting a plan to avoid procurement practices that “make it challenging or impossible . . . for service members to repair their own equipment, particularly in the field.” Sec. 5(s).
- Net Neutrality (FCC). The Federal Communications Commission (FCC) is “encouraged . . . to consider” reviving through rulemaking “Net Neutrality” rules similar to those previously adopted under Title II of the Communications Act of 1934. Sec. 5(l).
- Financial Data Portability (CFPB). The Director of the Consumer Financial Protection Bureau (CFPB) is “encouraged to consider” rulemaking under the Section 1033 of the Dodd-Frank Act to “facilitate the portability of consumer financial transaction data so consumers can more easily switch financial institutions and use new, innovative financial products.” Sec. 5(t). The CFPB has been engaged since at least 2020 in rulemaking under Section 1033 with respect to consumer access to financial records. Similar approaches to Open Banking and the role of data portability are currently advancing also in the EU, with the PSD2 Directive, and in India. Of note, the FTC has already been exploring the benefits and challenges of data portability more broadly for consumers and competition.
Overall, the Executive Order represents a leveraging of the enormous power of the US executive branch towards the promotion of competition in every sector, including taking into account privacy and data protection. The Order frames this approach as a return to the policies reflected in the Sherman Act, the Clayton Act, and other laws passed in the 19th and early 20th centuries. Among other things, this ensures that competition law in the United States must now incorporate notions of power and fairness that arise from data collection, use, and privacy.
Finally, the Administration’s argument that privacy should be a factor for competition policy would be far stronger if the United States, like other countries, had a comprehensive federal legislative standard for privacy. Proliferating state privacy laws are particularly unhelpful as a point of reference, as many of the larger or more dominant platforms can point to the fact that they do not “share or sell” data as defined by the recent state laws, while smaller companies do. We hope the administration will lend its weight to efforts to break the Capitol Hill logjam on data protection legislation.