Tech Regulatory Overhaul Series: The Excess of ACCESS
This article is part of Project DisCo’s Tech Regulatory Overhaul Series on the package of House Judiciary bills targeted at the most successful U.S. tech companies. Previous installments in this series have covered the Ending Platform Monopolies Act and the introduction of these antitrust-related proposals.
This post assesses H.R. 3849, the “Augmenting Compatibility and Competition by Enabling Service Switching (ACCESS) Act of 2021” introduced by Representatives Scanlon (D-PA) and Owens (R-UT). The bill would impose sweeping requirements on specific covered platforms to build new technical interfaces to transfer data to competitors and potential competitors and to enable interoperability between their services.
First, the good news: while the majority of the House Judiciary bills appear to have been drafted with little regard for consumer welfare, data portability and interoperability are concepts that can have user benefits if carefully implemented. Enabling consumers to take data with them between services may lower switching costs, support multi-homing, and promote competition. Recent beneficial developments in this space include a Supreme Court ruling that prevents the use of copyright to hinder software interoperability and the emergence of the open source Data Transfer Project that has produced new user-directed business-to-business portability tools that are already securely in operation.
Unfortunately, though the ACCESS Act is pointed towards these potential benefits, it fumbles in nearly every aspect of its approach to establishing requirements for the development and implementation of portability and interoperability systems.
A Failure to Meaningfully Engage on Substance
Mandating that businesses build new technical interfaces to enable direct transfers of data and the synchronization of their product features implicates serious issues that extend far beyond competition policy. For example, requiring the automated transfer of sensitive personal data to third-parties raises a host of obvious privacy and security concerns that threaten to undermine user autonomy without appropriate safeguards. Furthermore, requiring that competitors intermingle their services to enable interoperability risks locking in dominant technologies while limiting competition on product differentiation and restricting both the ability and incentives for companies to innovate. Unfortunately, the sponsors of the ACCESS Act do not appear to have grappled with these complicated technical challenges or the need to balance inherent policy trade-offs in a meaningful way.
Despite a 16-month investigation and 8 more months of legislative drafting, the ACCESS Act copies large swaths of text (as well as its backronym) from S. 2658, the ACCESS Act of 2019 sponsored by Senator Warner. However, while Senator Warner’s bill targeted discrete services such as online messaging and multimedia sharing, the 2021 copycat takes a blunderbuss approach by imposing undefined interoperability requirements broadly upon the diverse online services of “covered platforms.” The unclear scope of “interoperability” as used in the Act is sure to leave targeted businesses, consumers, and potential competitor beneficiaries scratching their heads as to what changes to industry practice are actually being sought through this legislation.
One reason for the ongoing limitations and shortcomings in this debate may be that Judiciary members appear to be approaching their plans for imposing data portability and interoperability requirements on technology companies as if they can simply replicate the FCC’s Rules implementing phone number portability from the early 2000s. However, as is often the case, the road to impracticable tech policy is paved with reductive analogies. As academics Peter Swire and Gus Hurwitz have explained, public-facing phone numbers are a far simpler portability use case than the complex, fast evolving, and differentiated data processing operations that are necessary for providing high tech products and services in the modern economy.
Punting the Hard Questions
Lawmakers are aware of the risks at stake in mandating data portability and interoperability requirements. At a February hearing, Representative Owens asked what “guardrails” might be needed to protect data subject to portability and interoperability requirements – to which witness John Thorne replied “that’s going to be a hard engineering question for you to address.” Unfortunately, the ACCESS Act shows that lawmakers have chosen not to do the work of answering these hard questions.
In requiring the design and implementation of new portability and interoperability systems, the ACCESS Act leaves fundamental definitional issues, policy trade-offs, and technical specifications to various Federal Trade Commission (FTC) rulemaking processes. The FTC is a sophisticated regulatory agency and rulemaking can serve an important function for implementing statutory requirements and keeping laws fit-for-purpose in light of changes in technology. However, grants of sweeping rulemaking authority that lack grounding in clear baseline terms and directions are an invitation for drawn out, combative processes where substantive rules oscillate as the balance of political power in Washington cycles.
Perhaps the most disappointing feature of the ACCESS Act is the lack of recognition that compliance would be an onerous technical undertaking. Even the European rules governing data portability recognize that direct transfers between separate entities can only be required where “technically feasible,” but the ACCESS Act adopts a ‘nerd harder’ stance in assuming away any issues of practicability. The Act imagines that sophisticated technical standards and requirements for new interfaces can be set through a mere 180-day rulemaking process following the designation of a covered platform, with an even shorter timeframe for implementation. Additionally, in practice building and maintaining these transfer systems would require frequent adjustments, but the Act would prevent companies from undertaking most improvements without first seeking prior FTC approval.
Examples of hard questions that must be resolved as part of any successful data portability or interoperability framework that the ACCESS Act implicates but fails to meaningfully address include:
- What does “interoperability” actually mean and under what circumstances would building “interoperability interfaces” be required?
- What user data would be subject to data portability requirements?
- How should organizations secure data in-transit?
- How should organizations verify the identity of a requesting user and a third-party recipient?
- How can or should organizations obtain consent when data subject to transfer relates to multiple individuals?
- Who are “potential competing businesses” that will presumptively be granted access to new interfaces?
- What liability rules apply and how does liability follow transferred data?
As drafted, elements of the ACCESS Act are likely to cut against high priority issues for key stakeholders that may raise significant friction as the bill advances. For example, digital services are engaged in important efforts to develop and expand best practices in online trust & safety in order to limit the spread of unlawful and dangerous content such as anti-American propaganda, health disinformation, and harassment. The ACCESS Act’s interoperability requirements could handcuff the ability of digital services to police such harmful materials by requiring that they permit the transmission and display of posts, messages, and advertisements from bad actors operating from separate services, even after that actor has already been blocked by the covered platform or another user.
Separately, the ACCESS Act raises tensions with the Administration’s recognition of the national security risks of foreign adversaries accessing large repositories of Americans’ data. The Act takes a presumptively pro-data sharing stance, including to foreign firms (and potential competing firms) that are subject to government access rules that lack the robust evidentiary and process protections that exist under American law. The Act also places the bulk of the responsibility for monitoring competitors’ usage of data on covered platforms themselves, without considering how a covered platform can prevent harmful secondary uses of information after it leaves their systems. Finally, the Act would put successful American businesses at a disadvantage vis-à-vis their foreign competitors by lacking requirements that foreign firms provide reciprocal portability and interoperability.
Industry-led efforts have shown the promise and benefits of deliberative, carefully scoped approaches to enabling user-directed data transfers that have moved ahead of the regulatory curve. Unfortunately, the ACCESS Act disregards lessons and best practices from this history and instead seeks to leapfrog to a hypothetical end-state of open access without due consideration of outstanding technical and policy questions. Should Congressional leaders seek to meaningfully promote data portability and interoperability, it will be necessary to engage with technical and policy challenges upfront while supporting legal conditions that will promote continued pro-consumer innovation in this space.