26 May 2023

Data portability and interoperability: A primer on two policy tools for regulation of digitized industries

Sukhi Gulati-Gilbert and Robert Seamans 

Scholars and policymakers are excited by the prospect that digitization—the growing use of software across industries—can help boost economic growth in the U.S. and other countries (Furman and Seamans, 2019). However, some have expressed concern that increasing dominance by a few large companies in each sector of the economy means the gains from economic growth will not be equitably distributed. Competition policy—a set of regulations, laws, and other policies designed to lower barriers to entry, leading more firms to enter and compete in a market—may help to address the issue of increasing market dominance. The resulting competition between entrants and incumbent firms could potentially lead to lower prices and more innovative products and services, all of which benefits consumers.

There are a variety of competition policy tools available to policymakers, including sector-specific regulations (some of these are highlighted in President Biden’s “Promoting Competition in the American Economy” executive order) and the use of the Justice Department and the Federal Trade Commission (FTC) to block mergers and revisit past mergers (as the FTC is doing in its case against Facebook’s acquisition of Instagram and WhatsApp).

In this article we describe two other tools, data portability and interoperability, that may be particularly useful in technology-enabled sectors. Data portability allows users to move data from one company to another, helping to reduce switching costs and providing rival firms with access to valuable customer data. Interoperability allows two or more technical systems to exchange data interactively. Due to its interactive nature, interoperability can help prevent lock-in to a specific platform by allowing users to connect across platforms. Data portability and interoperability share some similarities; in addition to potential pro-competitive benefits, the tools promote values of openness, transparency, and consumer choice.

After providing an overview of these topics, we describe the tradeoffs involved with implementing data portability and interoperability. While these policy tools offer lots of promise, in practice there can be many challenges involved when determining how to fund and design an implementation that is secure and intuitive and accomplishes the intended result. These challenges require that policymakers think carefully about the initial implementation of data portability and interoperability. Finally, to better show how data portability and interoperability can increase competition in an industry, we discuss how they could be applied in the banking and social media sectors. These are just two examples of how data portability and interoperability policy could be applied to many different industries facing increased digitization. Our definitions and examples should be helpful to those interested in understanding the tradeoffs involved in using these tools to promote competition and innovation in the U.S. economy.

INTEROPERABILITY

Interoperability is a general design solution that can be applied to all kinds of systems, digital and physical. The lightbulb threading in ceiling lights, for example, is interoperable with many different manufacturers’ lightbulb threading. When choosing a replacement, you generally aren’t restricted to one lightbulb manufacturer as a result of interoperable design. As another example, Legos of different shapes are interoperable with one another because their connection mechanisms are standardized across shapes.

When it comes to digital systems, interoperability refers to the ability of technical systems to exchange data seamlessly and interactively. Email is a canonical example. When sending an email, users can interactively exchange data with someone using a different email provider. Gmail and Hotmail are interoperable because someone using Gmail can interactively exchange data (send and receive emails) with someone using Hotmail. Interoperability can be enabled through varied technical architectures. One possibility is formal protocols that multiple parties agree to adhere to, as in the case of email which uses the Simple Mail Transfer Protocol (SMTP). Another example is an application programming interface (API) which one company might define for other organizations to use. Both architectures can enable interoperability, but how the architecture is defined and by who impacts efficacy and governance.

Interoperability is almost always partial and doesn’t have to be between two systems of the same kind. For example, a photo editing application may be given access to the photos stored on your phone. By accessing your stored photos, the photo editing application is interoperating with the phone operating system although they are two different pieces of software. The interoperability is also partial—the photo editing application does not exchange all pieces of data with your phone.

Seamless data integration across software applications has benefits which vary from domain to domain. Interoperable cybersecurity tools, for example, can help quickly disseminate threat detection information and increase the chances that a threat will be effectively detected and mitigated across organizations. In other cases, interoperability can make it possible for new entrants to innovate upon existing technologies. For example, thanks to protocols which enable interoperability, the ability to build a browser is not confined to laptop or operating system manufacturers. This has led to greater diversity in the web browsers available to internet users.

At the market level, interoperability has the potential to address lock-in due to network effects. Network effects describe a scenario in which the more users there are on a platform, the more others want to join the platform (and do not want to join a competing platform). This can shift the nature of competition from “competition for the market” to “competition in the market” (Scott Morton et al., 2021). While many digital platforms benefit from network effects, they can lead markets to tip to a single firm. Later entrants have a hard time breaking into the market, even if they offer higher quality services, because customers are effectively locked into their current platform choices. Interoperability between platforms helps to reduce this lock-in by allowing new platforms to enter the market and compete for customers with higher quality and more innovative products.

Examples of the role played by network effects abound in the case of digital communications competition. Closed network messaging systems are one example. Messaging services benefit from network effects: I more people one can reach from their current messaging app, the less likely they are to switch to a rival messaging app. For example, it may be tough for a new messaging app to convince a WhatsApp user to switch over because an existing WhatsApp user has a network already using WhatsApp. If WhatsApp were interoperable with the new player, the user could still message their WhatsApp network from the new app. This gives the new messaging application a better chance at attracting new users.

DATA PORTABILITY

Data portability is a model in which customers—which could be individuals or organizations—maintain possession of some core data about themselves that they can port from one company to another. A customer might choose to do this if they find a rival that offers lower prices or higher quality. Under a data portability model, a customer could move their data from one social media provider, search platform, bank, video streaming platform, or any other service provider that uses their data to a competitor.

Data portability helps reduce switching costs. Consider a customer who has an account with a video streaming platform. Over time, there is a large amount of useful data generated: movies watched, the number of episodes of various series watched, themes searched for, etc. All of this history is potentially useful when searching for new content to watch. If the customer can’t “bring” this information with them to a competing video streaming platform, they need to re-create it on the competing platform, and this is costly in terms of time and effort. If this cost is too high, the customer may decide not to switch to the competitor, even if the competitor offers lower fees or higher quality content. If instead the customer can bring this information with them, via data portability, then the switching cost is lower (and perhaps low enough to induce the customer to switch). Moreover, the original provider may lower prices to entice the customer to stay. Either way, the customer benefits.

A good analogy for data portability is telephone number portability, which was mandated in the U.S. through the Telecommunications Act of 1996. Telephone number portability allows customers—which again could be an individual or organization—to take their phone numbers from one provider to another. Studies of the U.S. telephone number portability policy suggest that it led to lower prices. For example, Park (2011) estimates phone plan prices dropped between 1-7%, depending on the customer’s plan because customers could more freely shift their business from one company to another without losing their phone number. The estimated range in Park’s study highlights the differential effect of the policy on customers.

Data portability has been touted as a particularly useful competition policy tool in highly digitized industries. Firms in these industries rely heavily on consumer data for a variety of digital activities including targeted advertising, pricing, and various business analytics. Artificial Intelligence (AI)-enabled firms use such data to train their algorithms (Bessen et al., 2022). Thus, data portability would not only allow customers to leave for “better” rivals but also would potentially allow those rivals the ability to make their own products better over time, via the use of data from a customer who switches to them.

Common implementations of data portability are similar to interoperability but differ in a few key ways. First, data portability does not necessitate a continuous, interactive exchange. Users download their data once and from there choose if and how they’d like to share it. As they generate new data, that data is not automatically forwarded or exchanged somewhere. Second, interoperability inherently concerns two systems whereas data portability does not. To become interoperable, two systems must consent to use the same protocols and exchange data. To make data portable, one system can set up export abilities. Often, this export capability is opened up not just between corporations but to the user, which has the potential to enable greater personal control over data for individuals.
CHALLENGES

While data portability and interoperability can be beneficial to consumers and businesses, they can also be challenging to implement. Here are a few considerations which impact both data portability and interoperability to varying degrees:

Data Scope

For both data portability and interoperability it is important to consider what data is exchanged. For example, consider a customer who is a member of an online shopping site and then decides to switch to a rival service. Would the data include only basic information about the customer, or would it also include information about sales that have been made to the customer or information about offers to the customer (of which a subset resulted in sales)? In a digital setting, the data is often co-created by the firm and its customer. For example, the data about which offers the customer selected from a set of offers presented by the firm to the customer is co-created by the customer (i.e., what the customer selects) and the firm (i.e., what the firm chooses to show the customer). There are no current U.S. laws defining which party has rights over this data. Other considerations include the age of the data. Should a customer have the right to port all of their data from the start of their history with the firm or only for a certain period of time (e.g., the most recent week or month)? Older customer data may not be useful to the firm, but the firm would nevertheless need to store it if mandated by law.

Security

Moving data across organizations comes with important security considerations. Data sharing increases the number of places where sensitive data is stored which, in turn, increases the risk of a confidentiality breach. Even when the risk of a breach does not increase, the impact of a breach might be more significant. If an organization aggregates data from multiple data providers, a breach can expose data well beyond their own user base.

In addition to risk of privacy breaches, companies and industries have differing security practices. One company may encrypt data while another does not. One organization may have much longer data retention periods than another. One organization may be bound by state legislation (such as the California Consumer Privacy Act), while another may not. Sharing data across different sets of practices and obligations presents a challenge to maintaining best practices across company lines. While implementing any data sharing mechanism, special care should be given to minimize the security risks of sharing data across different actors by adhering to the maximal security practices between the sharing entities.
Intuitive Design

Data sharing mechanisms are not always intuitive to users, and it is a design challenge to ensure that users understand the consequences of interoperability on their data. If two messaging services are made interoperable, for example, the user interface should make clear to users when they are communicating across services with different privacy and security policies. One may be encrypted, while the other is not. Users who are expecting default encryption should be clearly informed of the change without an unreasonably disrupted user experience.

In addition to designing an intuitive implementation of interoperability, the prior question of which features to make interoperable can be complicated to answer. If two social media sites are made interoperable, what does that include? Is it simply the text content of one’s feed? Does it also include the order of a feed, powered by proprietary ranking algorithms, or site-specific features like Snapchat’s signature disappearing messages? Which features are included—or not included—determines which application provides a more compelling experience and defines the ground on which applications can compete with each other.
Governance

The way a data sharing mechanism is implemented codifies a governance structure over said data. Consider a hypothetical travel deals website, we’ll call it Rainforest, which elects to make their data portable and a hypothetical new startup called Desert which consumes Rainforest’s data. Existing Rainforest consumers may download their data from Rainforest and upload it to Desert. However, Rainforest is unilaterally in control of the data format. If one week they change the format without letting anyone know, Desert’s new consumer onboarding flow will break.

There are implementations of data sharing mechanisms which promote a multilateral governance structure. Let’s say our hypothetical website Rainforest decides to adopt a common protocol defined by a standards body for transaction information which will allow them to interoperate with any other service using the protocol. In this case, Rainforest will lose the ability to quickly iterate on the protocol, but Desert and other players will not be subject to arbitrary or unpredictable changes. In fact, this is not an uncommon scenario; there exist multiple standards bodies which define common protocols. The World Wide Web Consortium (W3C) is an example of a standards body that maintains specifications for core web technologies such as HTML.

One difference between interoperability and portability is that interoperability is inherently bilateral. All systems that interoperate must continuously adhere to interoperable system designs—whether that means sticking to a common protocol or calling and maintaining functions provided by one system to another (application programming interfaces). Data portability can be unilateral: one party making data available for download makes that data portable.

Cost

Who pays to make data portable or interoperable? In some cases, the technical investment required to implement portability or interoperability is high and could vary depending on the party implementing the portability or interoperability solution. For example, given that firms have a better understanding than customers about how the data is stored and accessed, it probably makes sense for firms rather than customers to bear the cost. In addition, given that portability and interoperability solutions likely involve relatively high upfront fixed costs and relatively low variable costs to implement, these solutions are likely lower cost (per customer) for a large firm to implement compared to a small firm. Because there are likely differential effects for small versus large firms, regulators may want to create carve-outs or other protections for small firms. For example, the EU’s Digital Markets Act (DMA) is directed at the largest tech platforms (at least 45 million monthly active users), thereby implicitly exempting smaller ones.

The example of telephone number portability provides a history lesson in costs. The issue in this case was that telephone networks needed to be upgraded in order to allow telephone number portability, and these upgrades were expensive (apparently costing U.S. carriers $3 billion). A paper by Gans, King and Woodbridge (2001) highlights some of the tradeoffs involved for a regulator determining who should bear the costs of number portability. They argue that the originating carrier should bear the cost, not the customer or the competing carrier. Such a solution incentivizes the originating carrier to invest in new technology to allow easy and low cost portability of the number, preserves incentives for competitors to enter, and allows the customer to benefit from the increase in competition.

However, part of the reason telephone number portability was costly was the need to upgrade physical capital. Software should be much easier to update and adjust to allow for data portability and interoperability, and so costs should be relatively lower compared to telephone number portability. While estimates of the cost of data portability are difficult to assess, the Information Technology & Innovation Foundation (ITIF) estimates data portability costs associated with all industries in the U.S. (ranging from banking to email to entertainment) to be approximately $500 million, annually.
Firm Responses

Firms can change their behavior in response to new policies in unanticipated ways. In principle data portability reduces switching costs, making it easier for a customer to leave an incumbent provider for a competitor. Policymakers anticipate that the incumbent provider will respond by lowering the price or improving quality. But what if the incumbent provider undertakes other actions to hold on to the customer? Again, an example from telephone number portability is instructive. Apparently, after Hong Kong implemented wireless number portability in 1999, firms changed their fee structure such that calls within the network were lower priced than calls outside the network. While customers did benefit from these lower prices, the new fee structure dampened incentives for competitor firms to enter the market and compete for customers because any customer that switched would then bear higher prices when calling their old friends still in the original network.

APPLICATIONS

There are many potential applications for data portability and interoperability. Here we’ll do a deeper exploration into two: banking and social media. Banking is relevant because “open banking” has been implemented in Europe and serves as an interesting model. Social media is an interesting space where implementations are more theoretical but have garnered widespread interest among regulators and industry players.
Banking

There are a number of countries that mandate some form of “open banking” which is typically a mandate or regulation for banks to provide information about accounts and transaction data via APIs. In 2017, following orders and rulemaking from the Competition Market Authority (CMA), the body responsible for regulating market competition in the UK, the nine largest UK banks were required to make current account transaction data available via APIs for third parties to build software applications. The CMA’s explicit intent was to benefit consumers and small businesses via increased competition in banking and increased opportunities for digital innovation. CMA required that the nine banks fund the Open Banking Implementation Entity (OBIE) which was tasked with developing the APIs and overseeing implementation of the APIs. Apparently the initial rollout of APIs was difficult, with most banks missing the deadline for API release (Jones and Ozcan, 2021). A study by Babina et al. (2022) provides evidence that open banking regulations lead to increased venture capital backing for new entrants and innovators in the banking industry.

It is notable that that UK’s Open Banking relies on interoperability rather than data portability. Arguably, data portability would also help to increase competition—an explicit intent of the CMA. However, payments are a real time service and so require real time data exchange. Data portability would be clunky in this case, with a business needing to download data from one provider before uploading to another. Interoperability allows for this interaction to more or less be seamless. Additionally, in banking there is less need for rival firms to access customer data to use in training and updating algorithms in order to provide consumer value; hence, there is less of a need for data portability to mitigate switching costs.

A final point to highlight is that many of the challenges we describe in the section above have been to varying degrees anticipated by regulators. For example, the OBIE was intended to address governance issues and is paid for by the UK’s nine largest banks (not the banking customers or other parties that may benefit from interoperability). In addition, regulators anticipated differential costs on banks, and so the UK’s Open Banking rules are specifically targeted at these nine banks; all others are exempt. U.S. regulators have also long recognized the need for differential regulation based on the size of the banking institution. For example, larger banks face a different set of regulations than smaller banks, including stricter auditing requirements and more frequent reporting. Thus, it is reasonable to assume that differential regulation would be applied in the case of any open banking laws passed in the U.S.

The U.S. does not currently have any open banking regulation as in the UK. However, President Biden’s executive order “Promoting Competition in the American Economy” specifically encourages the Consumer Financial Protection Bureau (CFPB) to consider “commencing or continuing a rulemaking under section 1033 of the Dodd-Frank Act to facilitate the portability of consumer financial transaction data so consumers can more easily switch financial institutions and use new, innovative financial products.” To this end, the CFPB started a rulemaking process in October 2022 and is soliciting input on implementation, including scope of data covered, whether certain firms should be exempt, how to mitigate risks to consumers, and a variety of other areas.
Social Media & Digital Messaging

Interoperability and data portability have gained increased interest as antitrust concerns emerge in the social media and digital messaging spaces. To some extent, social media providers have implemented forms of data portability to comply with the EU’s General Data Protection Regulation and California’s Consumer Privacy Act, both of which introduce restrictions on the collection and use of personal user data. Facebook offers the Download Your Information tool, allowing users to download their data. However, these efforts haven’t been sufficient to introduce competition into the space. Facebook is unilaterally in control of the download format—which means they can change it at any time—and it’s not necessarily designed to facilitate easily importing data into a new social network. Offering the data also doesn’t resolve complicated consent dynamics where data is co-created by customers on the site. It would be difficult to port connections from one social media site to another without the consent of friends and connections.

Interoperability might be more promising when it comes to introducing competition, since competitors would have access to some portion of Facebook’s content in real time. The proposed ACCESS Act, a bipartisan bill introduced by Democratic Sens. Mark Warner (VA) and Richard Blumenthal (CT) and Republican Sen. Josh Hawley (MO) in 2019, would directly mandate social media providers render their services interoperable with other providers. However, it’s still unclear what this would look like. What features would be made interoperable? How can we ensure all parties consent to the proliferation of their information across other sites? None of these challenges are insurmountable, but each design choice can influence the efficacy of interoperability and the types of social media sites we see emerge.

There are some existing efforts to determine what interoperable social media could look like. The ActivityPub protocol, defined by the World Wide Web Consortium W3C, is a protocol meant to enable decentralized social media. ActivityPub defines an API for creating and maintaining content across federated servers. ActivityPub is in use by a group of social networks called “The Fediverse” which have implemented various forms of decentralized social media. One of these social networks, Mastodon, has recently seen a large increase in users in response to recent changes in leadership at Twitter. Unlike Twitter, Mastodon is built on decentralized architecture. Instead of one, central governing body, users choose a server which aligns with their individual views but are able to communicate with users on different servers.

Regulators may mandate or otherwise incentivize companies of a certain size to interoperate with others. In fact, the Digital Messaging Act (DMA) which entered into force in Europe in November of 2022 mandated that large messaging platforms implement interoperability. The legislation has great potential to open the market up to competitors, as explained above, but mandating any technical implementation brings security and design risks along with it. This is especially true in the case of digital encrypted messaging, where we don’t have consensus on the best and most secure method to enable interoperability. Companies will be implementing complex frameworks on a short timeline. When the DMA takes effect in May of this year its impact on the market and consumer experience will provide valuable insights to inform whether and how the U.S. will follow suit.

CONCLUSION

Regulators around the world have been considering and implementing interoperability and data portability policies to address competition policy and other issues related to digital platforms. In this article we define interoperability and data portability, lay out challenges associated with each, and describe how these policies have been used or are considered being used in banking and social media.

In addition to these two industries, data portability and interoperability have been discussed as potential policy solutions in other industries as well. For example, the 21st Century Cures Act requires exchange of health data by the end of 2022, with testing taking place throughout 2023. As another example, some local governments are encouraging interoperability of student data across educational institutions.

We’ve discussed interoperability and data portability, two important tools which can be useful to regulators when thinking of avenues to promote competition and empower users. We’ve also analyzed some of the challenges in using such tools. To ensure these tools are successful in introducing meaningful competition, the implementation must be secure and easy to use, specify funding and governance mechanisms, and anticipate responses by firms and consumers alike. We urge regulators to not dismiss these as mere implementation challenges that technical bodies can easily figure out. The contours of an industry and complexity of implementation directly impact the efficacy of either interoperability or data portability as a solution. Rather than silver bullets, enforcing interoperability and data portability is one important technical regulatory tool in an increasingly digitized society.

No comments: