TACD Annual Forum 2019: Consumer Protection in the Digital Sphere

The 19th TACD Annual Forum took place on Tuesday, 4 June 2019 in Washington D.C. The conference   examined, through panel discussions, the impact that technology has on consumer protection through the lens of trade, food, competition and financial services. The need for effective privacy protections in the U.S. was also a major subject for discussion. The Forum brought together over 120 participants from civil society, policymakers, business and academia.

The Forum was designed to engage the audience as much as possible in the discussion. All plenary discussions were followed by Q&A sessions, offering participants a chance to contribute actively to the debates.

The Twitter hashtag (#TACDFORUM2019) was used over 200 times on the day. The main tweets have been compiled into a Twitter moment which can be found here.

 

Opening session: showcasing 20 years of the TACD network, challenges and achievements by its EU and U.S. Chairs

The public forum kicked off with a session led by the TACD Chairs Monique Goyens (The European Consumer Organisation (BEUC) and EU TACD Co-Chair) and Ed Mierzwinski (U.S. Public Interest Research Group and U.S. TACD Co-Chair).

Mr Mierzwinski outlined the challenges consumers face in the digital world, and the unprecedented intrusion on people’s private lives in the U.S. He concluded that currently civil rights laws do not extend to buying and selling, so we need to expand them because digital rights are civil rights.

Ms Goyens discussed fighting deregulation and the effects of deregulation in Europe. She explained how consumer vulnerabilities are increasing in the digital sphere, which now covers all important sectors of life. Consumer policy should address this expansion, but this is not what is happening. We are witnessing a strong push by tech companies to stay away from regulation, which is something that is not acceptable from a consumer perspective.

Tech giants have managed to build a reputation of being indispensable, but their business models and actions are not transparent, open or inclusive. This business model is flawed and its legitimacy should be brought into question. Policy makers need to create new rules and consumer organisations have a strong role to play.

 

 The case for privacy/data protection laws in the U.S.

In the first plenary session of the day, our panellists discussed the need for data protection laws in the U.S. The EU implemented the General Data Protection Regulation (GDPR) in May 2018, which defines standardised data protection laws throughout the European Union, increases privacy and data rights of EU residents and gives regulatory authorities greater powers to take action against organisations that breach the regulation. The U.S. does not have a similar law in place. Given the major recent privacy and security problems such as the Facebook Cambridge Analytica scandal, there has been an increased interest in creating a federal data protection law. During this session moderated by Natasha Singer from the New York Times, panellists focused on what a U.S. federal data protection law might look like and how it might be enforced.

Johnny Ryan, Brave, gave a (privacy-respecting) business perspective and spoke about where the burden of responsibility should be placed. Different models were considered, but Mr Ryan argued that putting the burden on the individual via an opt-in system was not the way to go because it required the individual to be fully informed and companies to be transparent and accountable, which was not always the case. Mr Ryan also spoke about common standards, which could encourage the free flow of data between markets.

Nicole Ozer, American Civil Liberties Union of California, spoke about California’s Consumer Privacy Act (CCPA), which protects the privacy rights of consumers in the State of California. California’s new law would give consumers control over their lives, the information about them and balance the power between companies and consumers. Despite it being a good start, Ms Ozer thought that it needed to be stronger, particularly in terms of its enforcement provisions. She argued that there is nothing like regulation to spur innovation.

According to Laura Moy, Georgetown Law Center on Privacy and Technology, privacy is no longer about individual control over personal data. Nowadays it is also about the harms the use of personal data can do to society as a whole. She argued that U.S. legislation should therefore include meaningful use restrictions to prevent harmful uses of personal data, as well as specific anti-discrimination provisions.

Jaryd Malbin, representing the search engine DuckDuckGo, stressed that there is a risk of digital manipulation by platforms. According to him, it is often the case that despite consumer requests not to be tracked, consumers are still tracked. He argued that passing a narrow privacy law on tracking could force compliance and ensure that consumers are protected.

Consent was touched upon several times, and the argument moved towards it not being a one-time assertion. If a user had consented at one point, they should also be able to retract that consent at a later stage. Building an accountability system to assess how information is being used was considered important.

All panellists came to the conclusion that there are two essential components that go hand in hand: regulation and enforcement. Without regulation there would be no rules in place and the responsibility would be upon each individual, but without a proper enforcement mechanism, the worst actors would be able to get away with not following the rules.

 

Part 2 of this session was a conversation with The Honorable Rohit Chopra, Commissioner, U.S. Federal Trade Commission and moderated by Natasha Singer from the New York Times

After the first panel, New York Times journalist, Natasha Singer, sat down for a Q&A with the U.S. Federal Trade Commission’s (FTC) Commissioner Rohit Chopra. During this session, Commissioner Chopra spoke of the growing consensus that dominant technology firms pose real concerns when it comes to our civil rights, national rights, homeland security and competition. He reiterated the importance of cracking down on repeat offenders. The FTC is aggressive in naming individuals who break the law.

Enforcement was again considered to be important, with monetary penalties, bans on bad practices and individual accountability being ways to ensure enforcement. He said that the FTC should think about prohibiting certain business practices and use individual liability to ensure large tech firms comply with privacy and other laws.

When it comes to the GDPR and a similar legislation being implemented in the U.S., Commissioner Chopra thought it necessary for the U.S. to go beyond some of the elements of the GDPR.

Privacy for all:  consumers take action

In the second panel discussion, moderated by Klaus Mueller, VZBV – The German Consumer Federation, TACD members Consumer Reports, Euroconsumers, Privacy International and the Norwegian Consumer Council showcased their achievements on bringing companies to account for privacy violations.

The Norwegian Consumer Council’s Finn Myrstad presented recent research on so-called Dark Patterns, explaining how users are manipulated and deceived into certain behaviours online, for example how Facebook uses online formats and design to encourage users to agree to certain anti-privacy terms and practices, such as facial recognition. This research lead to a European wide coordinated action against Google for breaching the GDPR[1]

Euroconsumers, represented by Els Bruggeman, presented their class action against Facebook. The Facebook Cambridge Analytica scandal revealed that data of millions of Facebook users had been shared with third parties without their consent. Following this, Euroconsumers launched a campaign “My Data is Mine” that aimed to highlight the need for consumers to be able to take informed decisions about when and with whom their data is shared. The campaign helped to explain the need to lay foundations for the development of a data economy which should become more responsible, sustainable and respectful of consumer rights. It also identified a set of three principles: i) that the privacy and security of every consumer is respected; ii) consumers must have full control over their data; and iii) consumers should get a fair part of the value created by the companies using their data. Ms Bruggeman argued that personal data belongs to the individual, who should get a fair part of the value it creates and be compensated if their data is misused.

Justin Brookman presented U.S. Consumer Reports’ work on privacy standards and testing of software for privacy/security issues. The goal was to provide the marketplace with more information, providing accountability for poor practices and push companies toward better privacy and security. Through the testing, certain apps and products were found to be vulnerable to hacking. The result of this would be that a huge amount of personal information is exposed to hackers. Mr Brookman concluded by speaking about the need for policy to complement testing – i.e. the need for adequate legal baseline requirements.

Finally, Ailidh Callander presented Privacy International’s investigation of data brokers and their campaign to empower people to access and delete their data. In November 2018, months after implementation of the EU’s GDPR, Privacy International filed complaints against seven data brokers (Acxiom, Oracle), ad-tech companies (Criteo, Quantcast, Tapad), and credit referencing agencies (Equifax, Experian) with data protection authorities in France, Ireland, and the UK, asking them to investigate these companies’ practices. Privacy International’s complaint showed that many companies fail to comply with the basic data protection principles of transparency, fairness, lawfulness (is there a legitimate interest or consent?), purpose limitation, data minimisation and accuracy. The complaint was accompanied by step by step guidelines showing how an individual can prevent their data from being exploited. Ms Callander touched upon the legal argument against profiling, i.e. that it does not comply with the data protection principles

The European based organisations were all in agreement that the GDPR had empowered organisations in Europe to help with enforcement and aid authorities in taking appropriate actions.

Digital trade: are consumers at risk?

The breakout session on digital trade, moderated by Doug Palmer from Politico, looked at how consumers’ interests on digital issues would be impacted by upcoming trade negotiations.

Maryant Fernández Pérez, Senior Digital Policy Officer at BEUC, explained BEUC’s position on the WTO e-commerce negotiations, explaining the opportunities that we need to seize  (e.g. on consumer protection) and sensitive issues that should not be part of the negotiations (e.g. data flows and data protection, net neutrality, Artificial Intelligence or cybersecurity). Regarding data flows, she talked about the need for stronger safeguards for privacy and data protection and welcomed the EU position as a compromise. She clarified that “interoperability” or “comparability” of data protection rules should not be the way forward as it does matter what level of protection other countries provide. In this sense, neither the USMCA nor the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) are a model to follow. If global data protection rules are sought, countries and companies should look at the Council of Europe’s Convention 108+, the only international binding treaty on data flows and data protection. Trade is not the place to put human rights like privacy at risk.

Both EU and U.S. consumers groups BEUC and Public Citizen, represented by Burcu Kilic, stressed that they considered the EU approach of rejecting localisation while supporting the countries’ right to legislate to protect privacy as a good compromise for trade agreements. The development of e-commerce has the potential to boost the competitiveness of the economy and improve consumer choice and welfare, but this is only possible if consumer trust and confidence are strengthened. Essential requirements of such trade negotiations were considered to be transparency and putting consumers at the centre of negotiations. Ms Kilic also spoke about digital rights being human rights, whilst data protection is a social protection.

The EU Delegation to Washington D.C.’s Tomas Baert explained that a good trade policy starts at home and that we need to be realistic when developing digital trade policy. The more we trade, the bigger the need for regulation. What is essential is the need for a policy space that will protect personal data and privacy.

Providing an industry perspective, was David Snead, i2coalition, who spoke of the importance of understanding the internet infrastructure, how it works and why data flows are important. One of the i2Coalition’s demands was to ask for the interoperability of privacy rules to ensure more legal certainty. For example, by having a definition of personal data.

Benefits and risks of open banking

 Open banking has opened the door to easier financial transactions and a more convenient way of online purchasing; however, through this recent technological development, consumers provide their financial data to third parties, who analyse their spending patterns in order to offer tailor made products to them. This breakout session, moderated by Ira Rheingold, National Association of Consumer Advocates, discussed the benefits and risks of such developments in banking.

On the EU side, Farid Aliyev, BEUC, focused on the UK as a leading example in this area, where the Competition and Markets Authority (CMA) has developed mandatory specifications for payment initiation and customer account information. Regulations have spurred innovation in the FinTech industry and have helped make progress towards building consumers’ trust.

The U.S. is somewhat lagging behind certain EU countries and has not addressed the concerns as well as the EU has. David Friedman, Federal Deposit Insurance Corporation (FDIC), talked about the U.S regulatory regime, which limits consumers’ liability for fraudulent transactions. However, the liability on Fintechs after a consumer has given their credentials, has not yet been tested in court, so its enforceability is still unclear.

Betterment, an online financial advisor, obtains affirmative consent from customers. The approach, which involves users being made fully aware of what they are consenting to was greeted with enthusiasm by the audience.

According to Linda Jun, Americans for Financial Reform, the public has become hyper-aware that data is being abused and misused. She emphasised the importance of people clearly and unequivocally understanding what they are consenting to, who precisely their data is being shared with and what it is being used for.

Finally, the use of Sandboxes was touched upon. This provides developers with a testing environment to test and monitor their software under laxer rules. Whilst this was considered an effective tool for innovation, the downside is that here are no reporting requirements.

Who has the safest food?

The EU and U.S. were pitted against each other in this breakout session, which took the format of a TV game show, whereby the contestants were split into two teams and asked a series of questions related to the effectiveness in each of the two jurisdictions’ food safety regulations. Consumer Reports’ Jean Halloran acted as game show host and asked contestants a set of questions on topics ranging from Genetically Modified Organisms (GMOs) and antibiotics in food to bacterial contamination.

The EU team was made up of Monique Goyens, BEUC, and Sue Davies, Which?, whilst the U.S. team included Thomas Gremillion, Consumer Federation of America and Sarah Sorscher, Center for Science in the Public Interest. Answers revealed a set of important differences between the two. For example  that the EU prohibits hormones in beef, whilst the U.S. allows them; that the EU requires pre-market safety approvals for GMOs, whilst the U.S. does not; and that the EU does not require cheese to be pasteurised to prevent listeria, while the U.S. does. The winning team was the EU, who was found by the audience vote to have safer food than the U.S.

The game show concluded with statements from Lorenzo Terzi, Delegation of the European Union to the United States (as EU respondent) and Brian Ronholm, Wilson Sonsini Goodrich & Rosati (as U.S. respondent) who discussed the implications for EU-U.S. trade. Both respondents remarked on the possibility of getting the best of both (regulatory) worlds in terms of food safety adopting the highest standards through trade agreements or other mechanisms.

Competition and access to medicines

The session on competition and access to medicines was moderated by Public Citizen’s Peter Maybarduk.  Jamie Love, Knowledge Ecology International, set the scene by talking about the situation in the U.S.:  high prices mean many people struggle to pay for medicine they need, leading to people either not taking the drugs because they cannot afford it, or not taking the recommended amount. Without competition from generic drugs, which are cheaper, pharmaceutical companies can set high prices and increase them at will. He explained how competition policy can prevent such market abuses and help balance the possible negative effects of intellectual property protections, as well as ensure that competition is not disrupted in a way that can harm consumers as a result of price increases, less choice or hampering the ability of firms to compete based on the effectiveness of their product.

John Rother, National Coalition on Health Care, talked about binding arbitration in Medicare (the U.S. national health insurance programme) price negotiations and enforcing compliance. He explained the steps in the arbitration process and the cases where arbitration works well. For example, a positive example of a binding arbitration process is in the state of New York, where a law prevents surprise medical bills when patients are seen by out-of-network doctors at in-network hospitals. The law lead to a decline, by 34%, of out-of-network bills, as well as emergency room doctors dropping their prices by 9%. He concluded by explaining how binding arbitration helps Congress, taxpayers and national security.

Els Bruggeman, Euroconsumers, explained the Belgian perspective on how they tackle excessive pricing. Belgium has a good public health insurance system that keeps health care affordable and accessible to everyone, but due to high prices of medicines, the health service continuously comes under pressure. Pharmaceutical companies are charging excessive prices for new products, which has a huge impact on the health system. The main reason for this is the lack of competition. Over the last few years, Euroconsumers has launched several cases against pharmaceutical cases. The most recent case was filed against Leadiant for abusing its dominant position to raise prices for a drug by up to 300 times – from 39 euros per month in 2004 to 14,000 euros per month in 2019. The reasoning provided by Leadiant was questioned by Euroconsumers in this case. Ms Bruggeman finished by explaining why there is a need for more transparency: costs of R&D and clinic trials are kept hidden, as are the contracts that are negotiated between pharmaceutical companies and individual companies, which leads to different prices in different countries

Afton Cissell, Staff to Congressman Lloyd Doggett, focused on the policy side of the pharma industry and the challenges in creating and enforcing policies in this area. She said that lower drug prices and Medicare negotiations is something that Congressman Lloyd Doggett’s office has fought for. Focusing on the low-hanging fruit was considered a good option, e.g. stopping the anti-competitive behaviour used by drug companies, requiring access to samples to promote cheaper generic drugs and requiring price transparency.

 Platforms power – competition and data

The Forum ended with a lively final session moderated by Robert Weissman, Public Citizen, that focused on technology corporations and their powers through accumulation of vast amounts of people’s personal data. The trend towards corporate concentration in the digital economy and its potential for harmful impacts on consumer choice and access to information were discussed. The exclusionary principle, where competitors are not able to enter the market given the huge concentration from larger corporations, was highlighted by Agustin Reyna, BEUC. He explained the EU’s competition enforcement components that focus on the impact of: i) price, ii) choice; and iii) quality, but he asked whether privacy and accumulation of data should also be a parameter when applying competition laws, for example in merger investigations.

Rainer Wessely, Delegation of the European Union to the United States, explained that finding the right balance to deal with these challenges is crucial. As an example, users of an online search engine may not be necessarily aware that they are not presented with choices best suited to their preferences. Maria Coppola, FTC reiterated this point, saying that consumers were not getting the best search results as the search engines were providing only a select list of results rather than everything available. In terms of current U.S. laws, she stated that current legislation has worked well, but that there is more to be done.

Charlotte Slaiman, Public Knowledge, spoke of the many competition laws in the U.S. that are not antitrust laws, and how the U.S. does not have an expert regulator tasked with digital platforms.

The panel concluded by saying that the need for intense antitrust scrutiny for online data-accumulating corporations was imperative, as well as collaboration between the agencies.

 

References

[1] “Seven GDPR complaints filed against Google over user location tracking”