The annual training and networking event, hosted by the International Association of Privacy Professionals (IAPP), carried some added political buzz as regulators in the US and Europe edge closer to passing major regulation to rein in big tech companies.
Apple’s Tim Cook, Microsoft’s Brad Smith, Federal Trade Commission (FTC) chair Lina Khan, and European Commissioner for Justice Didier Reynders each got a turn at the mic, and each seemed to address a wider audience than just the privacy-minded people in the room.
In the US, personal data plays a big role in antitrust regulation—it is the commodity upon which big operators build monopoly power. Platforms, such as Apple, Google, Meta/Facebook, and Amazon, have greater access to mountains of user information, and can use that data dominance as a bulwark against competitive threats from smaller companies.
Congress has so far failed to pass comprehensive legislation to protect Americans from the data-harvesting practices of tech companies, large and small, and the entire ecosystem of data brokers and specialty data shops that trade in personal data of all kinds. But Congress is closer to passing landmark antitrust legislation that would break up the data and marketplace monopolies of big US tech companies. Both the House and the Senate have advanced versions of the Open App Markets Act, which would compel Apple to allow iDevice users to “sideload” apps from marketplaces other than the App Store.
Apple’s Tim Cook used his keynote address Tuesday to rail against the legislation, arguing that antitrust regulation aimed at app stores could endanger the privacy and security of millions of iPhone and iPad users.
“That means data-hungry companies would be able to avoid our privacy rules, and once again track our users against their will,” he said during the keynote Tuesday. “It would also potentially give bad actors a way around the comprehensive security protections we’ve put in place, putting them in direct contact with our users.”
If the Open App Markets Act passes, the experience of installing apps on an iPhone might become more like that of downloading apps on a Mac, which has an App Store but also permits you to install apps outside of it—sometimes with dialog boxes warning of potential security risks. Experts believe that Apple may be able to isolate and scan apps from third-party app stores for security or privacy risks.
Not everybody was convinced that Cook was speaking in good faith. “Apple is arguing that antitrust laws will be bad for privacy and national security,” tweeted Rep. Ken Buck of Colorado, top GOP member of the House Judiciary’s antitrust panel. “Apple clearly doesn’t care about your privacy. . . Apple *only* cares about Apple,” Buck added. Buck is one of the sponsors of the House version of the Open App Markets Act. He made headlines early this month by predicting that Congress will indeed pass antitrust legislation covering app stores this summer.
Khan, who was sworn in as FTC chair last June, made a name for herself by publishing groundbreaking work on tech antitrust while a law student at Harvard in 2017. In short, she energized a school of thought saying that competitiveness in tech markets must be measured not only by low consumer prices, but also by the markets’ capacity to accommodate new entrants with fresh ideas.
During her IAPP keynote, she spoke mainly about the FTC’s efforts to rein in companies that illegally harvest user data. But she made clear that her agency is also looking at privacy through the lens of antitrust.
“Given intersecting ways in which wide-scale data collection and commercial surveillance practices can facilitate the grasp of both consumer protection and antitrust laws, we are keen to marshal our expertise in both areas,” Khan said, “to ensure we areing the full implications of particular business conduct and strategies.”
In late March, the European Parliament and the 27 EU countries agreed on a package of antitrust regulations called the Digital Markets Act, which would rein in the power of big tech “gatekeepers” (including those that control app stores) to prefer their own products over ones from third-party sellers. The parliament and member countries have yet to officially adopt the measure, but EU competition commissioner Margrethe Vestager has said she expects the rules to come into force as soon as October.
Other keynote speakers focused more squarely on the lack of a federal data privacy law in the US. Microsoft president Brad Smith pointed out that Microsoft first called for a federal privacy law back in 2005, 17 years ago. “We have to realize that comprehensive privacy legislation for the United States is not just necessary, it is long overdue,” he said. Smith said 120 countries and jurisdictions around the world have enacted privacy laws, have proposed privacy laws, or are considering updates to existing laws.
“The failure of the United States to legislate doesn’t stop global legislation, it doesn’t even slow it down,” Smith said. “It just makes our country less influential in the world.”
The lack of a federal privacy law has allowed big tech companies, such as Google and Meta, to, in effect, regulate their own privacy practices. It’s also spurred the states to enact their own privacy laws, creating a patchwork of rules that makes life more difficult for everyone. Smith said he keeps a complicated spreadsheet of each state’s rules and the enforcement bodies that Microsoft must engage with.
On the other hand, the fact that the privacy regulatory debate is happening on the state level actually gives the tech giants an advantage, points out Julia Angwin, a journalist who cofounded The Markup, which covers big tech and the data economy. Angwin says the reason local news outlets have been decimated is because much of their advertising revenue was swallowed by social media. “That’s a bad thing for democracy,” she says. “What’s happening is that this policy is being written in places where people aren’t paying attention. . . the companies that have the most to gain from gaming these laws can easily influence [the wording in] them at the state level.”
Reynders spent most of his keynote talking about the Privacy Shield agreement that the US and the EU just agreed upon after an 18-month negotiation process. The agreement establishes new limits on how US law enforcement can access the personal data of EU citizens stored on the servers of US tech companies. “We now need to finalize the terms of this agreement in principle and translate them into legal text,” Reynders said.
Before the new framework can be put into effect, the Biden Administration will have to pass an executive order, and the EU parliament must review and approve the new terms. “We expect that the new framework could be finalized by the end of this year,” Reynders said.