The Global Antitrust Economics Conference

THE GLOBAL ANTITRUST ECONOMICS CONFERENCE

Panel 2: Consumer Protection & Antitrust Tuesday, 8 December 2020

Nicolas Charbit: Hello, everyone. This webinar is now live and I see our first attendees are joining in. All panelists can see the names of all attendees by clicking on Participants. You are welcome to use the chat to say hello to our speakers. We also use the chat to share references, documents, and articles. Gio and Carolina, who are assisting me today with Ariel, will share these references in the chat. This is the second webinar of the Global Antitrust Economics Conference in partnership with NYU Stern and Concurrences. I am Nicolas Charbit. I am the Chief Editor of Concurrences Review. I am very happy that it is possible to have this conference in spite of the health crisis. Last year we were more than 100 in New York at NYU Stern and this today we have 100 attendees registered from forty-five countries. Today’s panel will focus on consumer protection and antitrust. We had a great panel yesterday on global class action, and we will have the last panel on AI in antitrust tomorrow. This conference is made possible free for all thanks to the sponsorship of Analysis Group, Axinn, Bates White, The Brattle Group, Charles River Associates, Cornerstone Research, Cravath, Labaton Sucharow, Orrick, White & Case, and Winston & Strawn. It is now time to start and I will give the floor to my colleague Ariel. Ariel Salvaro: Thank you very much, Nicolas. Hello, everybody. Good afternoon/good evening/good morning, wherever you might be calling us from. My name is Ariel Salvaro. I am Associate Law & Economics Editor at Concurrences. We are happy to welcome you to the second webinar of the 2020 Global Antitrust Economics Conference. Thank you all for joining, thank you to our speakers for being with us, and thank you to our sponsors of today’s webinar, Winston & Strawn, Bates White, and Cornerstone Research, for making it possible to offer today’s webinar free for all. While we are waiting for more participants to join, please don’t hesitate to say “hi” in the chat, as people are already doing. We will share some article suggestions that you can access with your Concurrences+ subscription, and feel free to share via the chat your own article suggestions on the topic of today, which is consumer protection and antitrust. After the webinar we will be releasing the video and the podcast of today’s proceedings, and then later on we will also be making available the transcript and the synthesis of

1 The Global Antitrust Economics Conference 8 December 2020 Verbatim transcript of oral presentations provided by Concurrences without prior vetting by the speakers.

today’s discussion. You will be able to access all of those as well online with your Concurrences+ subscription. For further reading about today’s topic you will be able to find popping up shortly in the chat a few suggestions from the Concurrences team. As you can see, the first article is from the U.S. Department of Justice Antitrust Division, and a few more articles are going to be coming up shortly. With that being said, I give the floor back to Nicolas. Nicolas Charbit: Thank you, Ariel. Our keynote speaker today is Andrew Smith, Director of the Bureau of Consumer Protection at the U.S. Federal Trade Commission in Washington, D.C. The panelists are Jeffrey Amato, Partner at Winston & Strawn in New York; Joseph Farrell, a Partner at Bates White and a Professor at the University of California at Berkeley; Kinshuk Jerath, Professor of Marketing at Columbia Business School in New York; Thomas Philippon, Professor at NYU Stern in New York; and the moderator is Scott Hemphill, Professor at NYU School of Law in New York. The program today is, as usual, after this very short welcome by myself and Ariel, we will have the keynote speech by Andrew for about ten to fifteen minutes maximum, followed by a panel discussion of a bit less than one hour, in order to have thirty minutes of Q&A. As you know, the Q&A is the most exiting part of this webinar. Usually we have more questions online than live. We will see if that is the case today. You will be able to ask your questions in the Q&A. Ariel is going to explain how the Q&A is going to work. Ariel Salvaro: If you are joining this webinar on Zoom for the first time, you can ask questions by using the Q&A box, which you will find in bottom right corner of your screen. You can submit questions for speakers throughout the presentation and you can also vote on questions that were submitted by other guests. At the end of the panel discussion when we start the Q&A, we will start with the most-highly-voted question first and move down the list one by one. As far as the mics, all participants’ mics and videos are turned off for the duration of the webinar. However, we will turn your mic on if your question has been selected so that you can ask it live. There is also a chat box that you will see at the bottom of your screen, which is separate from the Q&A box. You can use the chat box to liaise with the Concurrences team regarding any connection issues you might be having or any practical questions about the webinar. Please make sure your questions are asked in the Q&A box so they can be voted on and we can see them and make sure they are answered. In the chat you will find at the end of the webinar a certificate of attendance. A link to download the certificate of attendance will be sent only in the chat. You will not be able to get it later through email. The download link will be accessible for one hour only. We encourage you to print it out and add your name at the dotted line. Finally, as I mentioned before, documentation is going to be available for Concurrences+ subscribers a couple of hours later and in the days following the webinar on Concurrences.com. 2 The Global Antitrust Economics Conference 8 December 2020 Verbatim transcript of oral presentations provided by Concurrences without prior vetting by the speakers.

With that being said, over back to you, Nicolas. Nicolas Charbit: It’s over to Andrew, our keynote speaker. Andrew, the floor is yours.

KEYNOTE SPEECH: Andrew Smith | Director, Bureau of Consumer ​ Protection, U.S. Federal Trade Commission, Washington, DC Andrew Smith: Thank you, Nicolas and Ariel, for having me to speak at this with my distinguished colleagues. Fortunately, I will have ten to fifteen minutes maximum because the discussion will be more interesting, but hopefully I will be able to tee up a couple of ​ issues that we can talk about. Today’s topic is consumer protection and antitrust. I have to offer my standard disclaimer, which is that I speak only for myself and not for the Commission or for any individual Commissioner. But I will also offer a particularly tailored disclaimer for this discussion, in that I know about this much [indicating] about antitrust, but hopefully I know a lot about consumer protection, so that will be the focus of my remarks and then we can have the antitrust scholars react. The FTC obviously has two missions: consumer protection and competition. For as long as I have been associated with the Commission, which is about twenty years at this point, the confluence of consumer protection and competition have been sort of a Holy Grail. The Commissioners themselves frequently have experience with both missions and they are always interested in the intersection between these two, and occasionally we even have Commissioners or Chairmen who have experience at the Commission with both missions. For example, our former Chairman Tim Muris was the Head of the Bureau of Consumer Protection and then the Head of the Bureau of Competition. Another Commissioner, Tom Rosch, was the Head of the Bureau of Consumer Protection in the 1970s and then went on to a distinguished career as an antitrust lawyer at Latham & Watkins. So you do find this, but more often than not the twain never meet. There is, though, one issue that I see now at the Federal Trade Commission where there is cross-pollination between the two Bureaus, and that’s data protection. First, I want to define a little bit what I mean by data protection. Data protection has two complementary threads. One is what I will call intentional disclosures and uses of data, which is really privacy: what a company intends to collect, how it intends to use it, how it intends to disclose it to others. And then there is unintentional or unauthorized access to data, which is more in the nature of data security, information security, cybersecurity, so hacking and things like that. Sometimes it is hard to distinguish between those two, but I think when we are thinking about how best to protect consumers that has been a useful distinction to me between privacy/intentional disclosures and uses and unintentional/information security. So how does this interaction happen? We have had over the last two-and-a-half years actually a great deal of interaction, both publicly and privately, with our counterparts in the Bureau of Competition, more so now that the Bureau of Competition has created the not-so-new Technology Enforcement Division where they really do focus a lot on issues relating to consumer data. We have been having regular meetings with our counterparts in the Bureau of Competition to spot issues, to identify trends, and to share our knowledge of the markets that are affected here. 3 The Global Antitrust Economics Conference 8 December 2020 Verbatim transcript of oral presentations provided by Concurrences without prior vetting by the speakers.

We also have regular meetings not just at the level of the leadership of the Bureau of Competition and the Bureau of Consumer Protection, but meetings and interaction between the divisions of the Bureau of Consumer Protection and the Bureau of Competition. These are our Privacy Division, for example, or our Advertising Practices Division or our Division of Litigation and Technology Analysis, where many of our technologists live in the Bureau of Consumer Protection. For the past two years we have had Hearings on Consumer Protection and Competition in the 21st Century. This was an initiative from our Chairman early on in his tenure to have public hearings talking about new issues and new trends in consumer protection and competition. These hearings also demonstrate the close cooperation. We have had hearings on privacy, on data security, on big data, and on algorithms, and I will talk a little bit about what we learned from those. We also had what was a first for me, a joint workshop between the Bureau of Competition and the Bureau of Consumer Protection on data portability. I will talk a little bit about data portability issues as well. For a long time I think we have thought of competition and data protection as being complementary of one another. My predecessors in this job and also earlier directors of the Bureau of Competition have talked about, for example, data protection issues relating to mergers and acquisitions and how data privacy should be considered in mergers as a nonprice dimension of competition. A prior director of the Bureau of Competition in fact said that the FTC might in the future challenge a merger based on reduced competition over privacy protections, and I can see that continuing to be an issue for our Commissioners now. In addition, the aggressive privacy practices of an acquiring company might diminish consumer welfare. We have always said that acquirors need to honor the privacy promises made by the predecessor company. That trend goes back more than ten or fifteen years. I and my predecessors have said that acquirors need to honor the promises of the companies that they are purchasing. Data could be used by an acquirer to enhance its competitive position, such as by targeted marketing to the acquired’s customer list or using acquired data to enhance marketing models or other predictive algorithms, again issues that have been highlighted by current and prior management at the FTC. Acquisition of unique or hard-to-replicate data sets also might diminish competition. This is what we saw in the 2014 case with respect to CoreLogic. There was a requirement that was imposed by the FTC that CoreLogic license to its competitors bulk data from real estate assessments and real estate recording offices’ bulk data following its acquisition of DataQuick Information Systems. That was a specific requirement imposed because of the potential competitive power of this unique data set. Again, this is sort of tried and true. I think that current and former management of the FTC has seen that there could be these competition effects of data in mergers and acquisitions. With respect to market conduct, data portability was again the topic of a workshop of the Bureau of Competition and Bureau of Consumer Protection. Companies might erect obstacles to easy portability of data, which could contribute to the capture of customers, making it more difficult for them to move to more efficient providers of services, which is something that we would be concerned with on both the consumer protection and the

4 The Global Antitrust Economics Conference 8 December 2020 Verbatim transcript of oral presentations provided by Concurrences without prior vetting by the speakers.

competition side of the house; as well as network effects caused by the use or collection of data, so dominant platforms using their advantage in data about buyers and sellers to exclude new competitors and develop new products and services. Again these have been the subjects of blog posts by Bureau Directors current and past. We know about the complementary aspects of data protection and competition. There also might be some tension there. For example, I just talked about data portability. Data portability can provide a powerful tool for consumers to unstick themselves from a service provider that they are unhappy with and plug their data into another service provider and in so doing enhance their welfare and competition. Data portability, though, because it allows for the removal of data in an easy-to-remove format and an easy-to-read format and an easy-to-translate-to-a-new-platform format, might also present data security concerns. So if the data can be removed by me, what safeguards are in place to ensure that it cannot be removed by somebody else or somebody pretending to be me? We see that also in other contexts, for example, advertising technology and the adtech stack. From a competition viewpoint, a disaggregated adtech stack of a lot of different players, people competing to offer different services at lower prices and better levels of service, might be something that would be laudable from a competition standpoint but might create risks to consumers if there are a lot of different hands touching data, just in terms of the data leakage that might occur in the adtech stack and ensuring that every participant who touches that consumer data would have adequate data security protocols in place to ensure that data is protected. Another potential for friction between data protection and competition is just the protection of data generally. The sale of consumers’ names and information for marketing might be the kind of thing that would be laudable from a consumer protection standpoint, if the legislative goal is to prevent the sale of data about consumers for marketing purposes, but then the prohibition of that type of sale could limit the ability of a new entrant into a market to gain traction. This is an issue that was raised in our 21st Century Hearings. The example that was used was an outdoor equipment company that is just starting up and wants to try to buy a list of individuals who are interested in fishing and hiking so that it can market to them and get its initial customers. If those lists are not available because of privacy restrictions, it might be difficult for that start-up to enter a new market. Another issue that was highlighted in our 21st Century Hearings was the effect of privacy regulation generally. There was some talk about the General Data Protection Regulation (GDPR) in those hearings. The first idea is that regulation can entrench incumbents. For example, detailed regulation might be more efficiently handled by large incumbents because they can spread the cost of regulation over more units sold. Bank of America might have a lower cost of regulation per unit sold than a little community bank in the middle of Kansas. In doing that, that regulation then can advantage that large incumbent. Large incumbents also might have less need to obtain data about prospective customers from third parties. There are some companies that might have — because of the services they offer, the ubiquity of the services that they offer, or the fact that they are collecting data in connection with my mobile device where I conduct all of my business — all of the data that they need about consumers and do not need to obtain data from third parties, and they certainly have no interest in providing data to third parties. So restrictions on 5 The Global Antitrust Economics Conference 8 December 2020 Verbatim transcript of oral presentations provided by Concurrences without prior vetting by the speakers.

the sale or purchase of personal data might have the effect of entrenching that incumbent. Finally, large incumbents might have more touchpoints with consumers, making it easier for them to obtain consumer consent for the use or sharing of data. This again was an issue that was raised in our 21st Century Hearings in connection with GDPR. The hypothesis is that GDPR may have enhanced the competitive position of some players in the EU online advertising market because they have these multiple touchpoints and they are more able to obtain consent from consumers and thereby use and share data in ways that other companies cannot. I am intrigued by the idea of the cross-pollination between the Bureau of Competition and the Bureau of Consumer Protection. For one reason, I think it is another factor in why the FTC can be such an effective privacy regulator, because we do understand not only consumer protection and unfair and deceptive practices in the marketplace, but we also have this whole other side of our brain that addresses competition issues and understands those and is very interested in markets and efficiency and consumer welfare from a competition standpoint. I like the idea that we have both missions, I like the idea that we have been able to find this intersection between data protection and competition, and I am intrigued to hear more about both what you all have to say about the complementary aspects of data protection and competition as well as those aspects of data protection and competition that may be in tension with one another. I am going to stop there and turn it over to you, Scott. Scott Hemphill: Terrific. Thanks Andrew. That was super-helpful. A lot for us to think about here. A robust set of synergies between the two roles and, of course, a set of tensions to manage — for somebody to manage — maybe the FTC, maybe a regulatory modality promulgated in Europe.

Panel: Jeffrey Amato | Partner, Winston & Strawn, New York ​ Joseph Farrell | Partner, Bates White | Professor, University of California, ​ Berkeley Kinshuk Jerath | Professor of Marketing, Columbia Business School at ​ Columbia University, New York Thomas Philippon | Professor, NYU Stern School of Business, New York ​ Andrew Smith | Director, Bureau of Consumer Protection, U.S. Federal ​ Trade Commission, Washington, DC ​ ​ Moderator: Scott Hemphill | Assistant Professor, NYU Stern School of ​ ​ Business, New York

Scott Hemphill: I want to start with one of the very last things that Andrew raised. I am going to turn to Thomas first on this. Andrew made the comment, and I think it is a generalizable point, about the extent to which GDPR might help entrench incumbents. I think we have known 6 The Global Antitrust Economics Conference 8 December 2020 Verbatim transcript of oral presentations provided by Concurrences without prior vetting by the speakers.

for a while — whether you want to think of it as a matter of regulatory economics or a question of industrial organization — that regulation can be the friend of incumbents. AT&T is a famous example. Maybe we are seeing some version of that today. ​ Thomas, help us think about this. Are there useful analogies that we can think about here? How do we make improvements? GDPR puts us in one spot in Europe, which may or may not apply in a “Brussels effect/California effect” sort of way to other jurisdictions. How do we improve on the current state of play? What are your reactions to this? Thomas Philippon: Thank you very much, Scott, and thank you, Andrew, for that really great introduction. To set the stage, what comes to mind are two metaphors. One metaphor is finance and Basel and the other metaphor is the World Trade Organization (WTO). In finance I think we have learned for sure over time that there is a tradeoff between protecting consumers and having competition in the banking system. Many of the regulations we impose in finance are so detailed and burdensome that for the best part of the past fifty years we did not really have much competition in banking. That is changing slowly thanks to fintech. But if you think about it, it is very clear in my mind that by the 2000s we were way past the point on the curve where we had too many regulations; however, in fact we were not protecting consumers in any meaningful sense but were entrenching the incumbents, keeping their margins high, and not offering cheap products to people the way it should have. Thankfully, it is getting better today, mostly thanks to changing technology brought about by fintech, and we see salaries are going down in asset management and in banking services, at least in some places, a lot actually in emerging markets where the effect is the most remarkable. One thing is clear to me: How do we avoid that in the case of the digital market? I completely agree with Andrew’s point about we have to strike the right balance. The GDPR is one good starting point because it is clear that something was needed. It is also clear that this is so complicated and burdensome that it will definitely have the side effect of entrenching the incumbents. Now, the difference with finance is there is no Basel group working to have uniform rules around the world — I think that train has left the station — so we will not have uniform worldwide regulation in any of the things we care about in that market. At best, we will have coordination, but the rules of the game are going to be different in China, the rest of Asia, Europe, and the United States. We are not in a game where we can hope to all meet in Basel like we did in the 1980s during banking crisis. We understand the race to the bottom is too big, so let’s put some floor on the capital requirements is not the game here. I think the game should be more let’s try to learn from each other. The main reason I am very eager, even as a European, to hear and see what is going on in the United States is precisely because I know how imperfect the GDPR is and I know that the only way we are going to improve that is if the American regulators try to come up with their own version, hopefully fixing some of the issues and improving the tradeoff between competition and regulation. I think that is the first analogy that to me is clear, and I agree with Andrew on that — but just with one caveat, which is we are not in a world that is going to coordinate fully; we are in a world where we are going to 7 The Global Antitrust Economics Conference 8 December 2020 Verbatim transcript of oral presentations provided by Concurrences without prior vetting by the speakers.

learn from each other and perhaps there is going to be some competition between jurisdictions and countries. The other big analogy in my mind is the WTO and trade in general. This one actually is more particular to the fact that this market is dominated by U.S. firms. The thing about regulation is I do not think that is a first-order issue — people want to protect their regulations in any case — but the fact that this market is dominated by U.S. firms adds a layer to it. I think there the key issue is: How do we make sure that we can have free market competition and free trade in digital services? I think the useful analogy here is regulations on manufactured goods, say cars for instance. Given how many hours we spend in cars on average each year, given the impact that the safety of cars broadly speaking has on our lives, it is very clear that the game is such that local regulators can choose mileage standards and pollution standards. It is very well accepted that any given society has the right to say, “These are the rules of the game. You need to comply with these regulations. Once you comply, free competition, you can enter and compete with everybody.” The question is: How do we get there in digital services? We are very far from there because we are nowhere near the point where we can say, “This is the set of rules and this is how you should comply.” But if we want to have free trade in digital services, then this has to be the end game because what is for sure not going to happen is that we will have sovereign nations or societies that would like to have their own rules of the game and are prevented from designing their own set of rules because of various issues, some technical and some having to do with the behavior of the large firms, because that would be the same as saying, “You cannot impose safety regulations on cars.” If that had been the case forty years ago, we would have no trade in cars today. That’s obvious. The solution is to find a way to have rules, compliance, verification, and then after that free trade and competition. I think that is where we need to go. Scott Hemphill: Jeff, let me turn to you and pick up on a piece of what Thomas said in his first two remarks. We are doomed to a patchwork, right? We are not going to have uniform data protection regulations. This patchwork is something that we live with in the United States, or have for a while as it is. You live in this world. What do you make of it? How do we make headway? Jeffrey Amato: First, thank you for being on this esteemed panel of great antitrust practitioners and Director Smith. In the United States there is a patchwork of regulations that needs to be accounted for if we are to solve the problem about regulation and privacy incurring costs on and entrenching incumbents. Companies must deal with the DOJ, the FTC, and varying state law regulations, many of which also vary depending on the industry that one is operating in. And compounding that we have companies with any sort of global presence needing to comply with the GDPR. Another development here that needs to be accounted for is the California Consumer Privacy Act (CCPA), which recently went into effect and imposed sweeping new requirements regarding the disclosure of how businesses collect and use personal information. It has a broad scope and application similar to the GDPR. Navigating all this is very expensive and burdensome. 8 The Global Antitrust Economics Conference 8 December 2020 Verbatim transcript of oral presentations provided by Concurrences without prior vetting by the speakers.

On top of all those regulatory costs, one thing that needs to be considered is in the United States there is still the unique world where there is a thriving plaintiff’s bar that seeks to enforce consumer protection policy, including in the privacy and antitrust realms, through class action litigation wherever there are laws enacted by state, local, or federal governments, and the consumers there are going to continue to seek redress in an uncertain world and push the boundaries of those laws potentially beyond what was intended by the government. We have seen this with the Illinois Biometric Data Privacy Act spurring class action litigation, and most recently with the CCPA that has seen a flurry of class action litigation this year against Zoom, TikTok, Marriott, and Ring. These are things that, if government really wants to lessen the burden of regulation on companies and allow for entrants to enter the market, have to be considered. Take for example in antitrust, where even though there is no federal law allowing for indirect purchaser settlements, the effect of indirect purchaser actions on companies has been very burdensome. I think the cumulative total of antitrust class settlements in 2013–2018 was almost $19.3 billion. So on top of legal compliance, companies must ​ ​ always be vigilant to the potential for civil liability that extends beyond the contour of the regulations imposed and I think it is incumbent upon the regulators and policymakers to understand the challenges facing companies in this realm. Scott Hemphill: Joe, let me turn to you. In managing some of these tensions that Andrew laid out, the FTC obviously in the United States has a central institutional role. I think among the points of interaction between these two roles, competition and consumer protection, there is one touchpoint, a point of interaction, beyond the ones that Andrew mentioned, which is the Bureau of Economics, which sits alongside the Bureau of Competition and the Bureau of Consumer Protection and helps out on both sides, and perhaps sometimes is in a position to think about the interaction. That is the bureau that, as probably most on the call know, Joe has led. I wonder if you have any reactions about how well that works in trying to marry the two, or at least adjudicate between them, and how you go about trying to get the balance right. Joseph Farrell: Thank you, Scott, and thank you, Andrew, for focusing on the interaction and the potential for complementarities and the risk of conflicts because I think it is really important. When I went to the FTC’s Bureau of Economics in 2009, one of the things that I was prospectively most excited about was being part of an organization that really took advantage and took account of these complementarities. In my time there I would say yes that happened, but it was a little more difficult and problematic and lower bandwidth than I would have hoped. Perhaps it is worth pausing a moment to talk a little bit about the institutional structure. You made some points about this, Andrew, but let me make some others. The bulk of the professional staff at the FTC is in one of two bureaus, the Bureau of Consumer Protection that Andrew heads and the Bureau of Competition which he mentioned. Those professional staff are almost exclusively lawyers by training and practice. Then there is a third bureau, as Scott mentioned, the Bureau of Economics, 9 The Global Antitrust Economics Conference 8 December 2020 Verbatim transcript of oral presentations provided by Concurrences without prior vetting by the speakers.

which straddles the two and historically has been thought to be, along with the Commissioners and their offices, a bridge between the two lawyer-intensive bureaus, the Bureau of Competition and the Bureau of Consumer Protection. One thing internally at the Bureau of Economics that undermines, I’m afraid, that ability to act as a bridge is that within Bureau of Economics there are two divisions, the Division of Consumer Protection and the Antitrust Division. Nevertheless, within the Bureau of Economics we had multiple meetings every week between myself and the deputies and staff for the two missions. My predecessor, Michael Salinger, even put up a poster, which I displayed in my office subsequently, showing an economist lifting two dumbbells to correspond to the two missions. So all that is good. In my experience, without getting into any confidential specifics, I thought that when problems or disagreements or conflicts arose between Bureau of Competition and the Bureau of Consumer Protection or between the consumer protection and competition missions, it was fairly easy to identify them and address them. There weren’t turf wars or anything like that that I remember or saw. What I think was less effectively done was just the day-to-day and more positive sharing of minds and search for complementarity. So I am delighted to hear from Andrew that you have put in place regular meetings both at the bureau director level and at the divisional level. We will talk maybe about some of the substantive issues in a little while. Thank you. Scott Hemphill: Great. Let me move on to a second topic. We have talked a little bit already about some of the tensions that Andrew laid out, so I would like to turn to some of what Andrew described as synergies between the two missions. I think it is a standard and much-thought-about idea among competition afficionados these days that firms, digital platforms in particular, might compete on privacy protection and on data protection, that it would be essentially a form of quality competition, so you could just basically take the 2010 Horizontal Merger Guidelines and plug in “data protection” wherever you see “quality competition.” Of course there are some prerequisites to making that work, among them that consumers have some idea of what the quality is of the offering and that they care, that they actually view that as a salient attribute of quality for them. I would like to spend some time exploring that idea. Joe, let me have you lead this one off. You have done some writing on related issues. To what degree is it feasible to think of this as just another form of quality competition? Joseph Farrell: Thank you, Scott. I think that is a really central question. For the most part, when we think about competition mostly working pretty well in most of the economies markets, one of the things that relies on is that when firm A makes a better offer to customers ​ than firm B, firm A will attract customers away from firm B — in other words, demand ​ ​ ​ ​ ​ follows value. There was an article published in the 1970s with the glorious and very insightful title “On the folly of rewarding A while hoping for B.” Once you have heard the title I think you’ve got most of what is in that article honestly, but it is a glorious title and I think it really captures things. 10 The Global Antitrust Economics Conference 8 December 2020 Verbatim transcript of oral presentations provided by Concurrences without prior vetting by the speakers.

If consumers do not respond to privacy because privacy is not one of their top concerns, that is very consistent with demand following overall true value. If we are worried about privacy and consumers are not, we should probably let them follow their own instincts. On the other hand, if consumers are very concerned about privacy but for whatever reason — perhaps information, perhaps something else — demand does not follow that aspect of value, then we’ve got a problem because we are rewarding other aspects of value over privacy while hoping for privacy to be given its proper weight in firms’ decisions. This is a familiar idea in antitrust — basically, the issue of how a firm organizes or manipulates related markets, and in particular complementary markets. The Chicago School of antitrust has the principle called the “one monopoly rent theorem.” I think that is a terrible name. A better name, which Bill Wizer and I tried to push, but I’m not sure how far we got, is “internalization of complementary efficiencies.” If you have a firm selling printers, they have an incentive to organize the supply of replacement ink cartridges efficiently to the extent that consumers will push back in their demand for printers on anything anti-consumer in the way the printer manufacturer organizes the structure of replacement cartridges. That applies to monopolizing it, licensing it, having it be total chaos — whatever. That only works if a variety of conditions hold, one of them being that when you are in the market for buying a printer you see and can respond to what the aftermarket policies are going to be. That is the foundation of the aftermarket area of antitrust. We see similar things arising in drip pricing — in fact, you can view that as analytically the same — and in the exploitation of standard-essential patents. Those are just a couple of areas. To me at least, it is very helpful. I like to say that the Chicago School view of antitrust economics broadly, and perhaps particularly the “one monopoly rent theorem,” is not something that you would necessarily regard as true, but it is helpful in organizing your thoughts. Understanding why it is not true when it is not true is in my experience very helpful for rigorous and clarifying thinking, so that to me is an important part of where we can take advantage of the intersection between competition and consumer protection. Scott Hemphill: Great. Andrew Smith: Scott, I have a quick question for Joe on the “one monopoly rent theorem.” The idea is the printer and the toner, and if I knew that they were going to kill me on the toner, that it would only print five pages and it would cost me $40 for every new cartridge, then I would not get that printer. But that is difficult for me to evaluate, right? So it is sort of like a credence good. People use the terms credence good and credence attribute in different ways. It would be difficult for me upon purchase of the printer to understand, unless I was an educated consumer, the effect of the toner. The same issue with privacy. It is difficult for me to understand and appreciate when a company says, “This is what we collect, this is how we use it, this is how we disclose it” — and let’s assume that is all truthful and they keep those promises — it is hard for me to evaluate what the risks are to me. But if I knew that they would then be selling it to someone to try to sell me payday loans, I might say, “I’m not crazy about that. I would rather do business with somebody else.” 11 The Global Antitrust Economics Conference 8 December 2020 Verbatim transcript of oral presentations provided by Concurrences without prior vetting by the speakers.

We could address this through substantive regulation and say “no sale of personal information for payday loans” and that would address the problem neatly. But how do we respect consumer sovereignty but also address the consumers’ inability to evaluate the risks in connection with that transaction? Joseph Farrell: Just to be clear, I am not saying the “one monopoly rent theorem” view is correct in this context. I think it is not for basically the reasons that you described. In terms of enforcement or the issues that you raised, it pushes you to look not only for where there is an important issue but for where there is an important issue plus an information gap. Important issue means not just that it matters, but that it matters in a way that sets consumer interests against the narrow or immediate interest of the firm plus the information gap. With that conflict but without the information gap, you have the internalization of the “one monopoly rent theorem,” and without the conflict you do not have a problem. So I think you need both of those things, and I think where you see both of those things there is very apt to be a problem. And then, as you pointed out, there is a huge further question of what you do about it. But at least this gives us a screen. If you think about it, the economy is completely full of transactions that have implications for something — if it is privacy, data sharing, complementary purchases, or what happens down the road — and we need some principles to guide us, whether they are conscious/formal or informal/unconscious, in where you look most closely for problems. I think looking for where there is an important issue, conflict of incentives, and an informational problem or something that prevents the internalization is a pretty good start on that. Scott Hemphill: Yes, sure. Thomas Philippon: One thing on this example. I think it is a great example because it also shows the constative part of the issue. I think, Andrew, your issue with printers is mostly solved actually. I got a printer last week from Amazon. I can tell you if you buy a printer online half of the reviews are about the cartridges. The first thing you learn if you look at consumer reviews is whether people who bought it before are happy with the way you can buy cartridges. That’s interesting because technology has solved that problem via additional customer feedback. The problem we have with privacy is that the complexity is such that nobody can give feedback. Even if I have the experience of using Twitter or Facebook or WhatsApp, there is no way for me to give feedback to the next user about whether I am happy about the quality of the goods and the dimension of privacy because I don’t even know there is an added lay-off issue here. Scott Hemphill: One of the nice things in the printer context is if there are enough people like you who read the reviews and the price is identical to everybody else, your diligence on my behalf may rescue me from laziness because I can just hope that enough people like you are 12 The Global Antitrust Economics Conference 8 December 2020 Verbatim transcript of oral presentations provided by Concurrences without prior vetting by the speakers.

disciplining the price. In a service like Facebook, I think that is far from clear. Even if somebody could be diligent, what they see is going to be what everybody else sees. Thomas Philippon: We need a critical mass of people who have the information. Peter Diamond wrote that many years ago. Scott Hemphill: And an absence of discrimination among the customers is the other piece. Kinshuk, do you want to jump in here? Kinshuk Jerath: Yes, sure. First of all, thank you. It’s great to be on this panel and thanks for all the thought-provoking discussion here. I will talk about the aspect of people’s preferences on privacy and also whether people understand privacy policy. I am a marketing professor, so how consumers view things is one of the very big things that we study. Indeed, there is a lot of confusion that people have about privacy policies, and it is not clear to people how to understand them, it is difficult for firms to compete on them, and people do not understand what the downstream implications are of all of that. One of the many interesting efforts here relatively recently has been how can we help consumers best understand what these privacy policies entail. We have all gone to websites where they ask you “please sign our privacy policy notice,” and you agree, and then at least what I do is scroll down all the way, look for the “I agree” button, and I agree, often not fully realizing what I agree to, just hoping that it is all good. This is the experience of many consumers. Recent efforts have been made to find technical solutions to this which can then hopefully be implemented by industry. One such effort is the Usable Privacy Project, which is housed in Carnegie Mellon University, and back when I was there I was part of it also. The effort there is to use new techniques — like natural language processing and crowd sourcing — for some of the aspects of these policies, in the sense that you take some policies and you farm them out to real consumers and pay them to annotate what these policies entail. Once you have this kind of a learning set, you can use machine-learning and text-mining techniques to then say, “This is what these policies imply.” The effort here is to distill down these very difficult privacy policy notices and their implications into something simpler that consumers can understand. It is not just about consumers. It is also about how websites should communicate their privacy policy. So it helps on both sides to maybe come up with what you could call a “privacy nutrition label” sort of thing. It is not clear that it can be distilled into something that simple, but the effort is there. A second part of this whole effort is they are motivated by things like the “privacy paradox,” an inconsistency between the concerns of people regarding privacy and their actual behavior. If you ask consumers “Do you want to share data?” they will say “No,” but then they go to a website and there is an offer, like three days of free access, and suddenly they sign on to everything. This is the privacy paradox and this happens repeatedly.

13 The Global Antitrust Economics Conference 8 December 2020 Verbatim transcript of oral presentations provided by Concurrences without prior vetting by the speakers.

The second part of the effort in this stream of work is: What behavioral nudges can we give to consumers to make them think a bit more carefully? Again going back to some of the points I have been raising, we do not really know if consumers care about privacy. There are some who do, but they may be behaving in a way that ex post they might ​ regret. How can you prevent that? There are efforts on that front. Scott Hemphill: Great. That’s helpful Jeff, building on that a little bit, how optimistic or pessimistic are you about the prospect of consumers coming to know privacy policies, whether it is from some analogy to reading Amazon reviews or picking something up from the kinds of nutrition labels that Kinshuk is thinking about? How important is it that they be able to do so? Jeffrey Amato: We are certainly seeing more transparency. Just today Apple unveiled a new privacy policy that included nutrition labels for apps. I think with transparency consumers will start to become more knowledgeable about what data they are providing and what is happening with it. For companies with ever-changing regulations it is important to be transparent about data practices and potentially start competing on these things. More than ever the companies that collect or share data must be clear to consumers and customers about their data practices and explain what information is collected and what is done with the data. Consumers do not necessarily have a uniform view of data privacy. Some may think that term is limited to sensitive Personally Identifiable Information (PII), such as Social Security numbers, health care, or financial information. Others take a broader view, such as consumer preferences, Internet search history, browser trends, and location data. As technology evolves, that definition of what is “private data” will also evolve. For example, are consumers tuned in to data such as facial recognition information being used by companies? That may be one of the next evolutions here. Companies need to be clear with their customers and they need to live up to their promises. From a competition perspective, we are seeing how privacy policies can be parameters of competition and potentially their own relevant product market, depending on the materiality and the use of the data at issue. The question can arise whether privacy policies themselves could amount to strategic information the exchange of which could give rise to an impact on competition. For mergers and acquisition deals we may see increasing scrutiny of privacy policies and potentially the need for behavioral remedies prohibiting the degradation of privacy policies post-merger. One notable example of this was the Facebook/WhatsApp merger ​ and its aftermath that has been the subject of much commentary and study. Now that these things are in play, companies need to be cognizant that there are competition risks with respect to privacy policies and it is more likely that it could come into focus as part of future competition investigations or civil lawsuits.

Scott Hemphill: 14 The Global Antitrust Economics Conference 8 December 2020 Verbatim transcript of oral presentations provided by Concurrences without prior vetting by the speakers.

Let me stay with you, Jeff, for just a minute. You mentioned Apple and nutrition labels. I just can’t resist. When we think about the implications of competition (or its lack) for privacy, we naturally gravitate toward the business-to-consumer (B2C) rather than the business-to-business (B2B) space and we think about B2C and the effect on consumers. But of course these strategic interactions and the effects of competition are also felt in B2B spaces. Here I am thinking especially about app developers. There is a big suit that was filed recently by Epic, the makers of the Fortnite game, against Google and Apple. ​ ​ I wonder if you would reflect a little bit on the possibility that from a data extraction standpoint you could have an interaction between an app developer, let’s say, and the mothership platform, as opposed to the consumer business interactions that we have been talking about so far. Jeffrey Amato: That is a really good point, Scott. We are seeing the tensions between privacy and competition play out in the Northern District of California Federal District Court in the lawsuit between Epic and Apple, where Epic contends that Apple’s requirement that developers use the Apple App Store’s in-app payment system is a monopoly preventing competition in that market. Apple has responded that it requires the developers to use it because it is necessary for privacy and security safeguards. What is interesting is that we have seen the litigation battle spin into the streets so to say, where Epic has taken to a PR battle against Apple, selling anti-Apple merchandise and branding itself as the “anti-monopolist,” and you have Apple responding with its new privacy features. So they are not just battling in the courthouse but they are battling for downstream customers in their PR campaigns at the same time. But you are right about the privacy nutrition labels. If you peel away the label, behind it you have Apple collecting a vast amount of information about which apps are successful, monitoring how users spend time in them, and then developing its own apps to compete with those developers and pushing them out of the market, get in their market space. That is something that needs to be monitored. Scott Hemphill: Kinshuk, I think you have something else you want to add before I move to the next topic. Kinshuk Jerath: I just want to add a brief thought. I recently came across a study that I found really interesting. It was done in Portugal by a telecom company. They found that post-GDPR when consumers were defaulted to opting out of sharing data, after a few weeks more people opted in to sharing their data than pre-GDPR. The reason was that, even if consumers still did not understand the privacy policy, the consumers felt that with GDPR in place firms are going to be more serious about implementing whatever their privacy policy is. This connects to a previous discussion that we were having, about whether consumers understand privacy policies but also whatever they infer about what firms are going to with their privacy policy in terms of implementing it. That might be something interesting for our listeners.

Scott Hemphill: 15 The Global Antitrust Economics Conference 8 December 2020 Verbatim transcript of oral presentations provided by Concurrences without prior vetting by the speakers.

Great. Thomas Philippon: It is very efficient. This is exactly like, in a good way, when you fly in a plane you put your life at risk in this plane — there’s no question about it, it is a zero-one outcome — and you have complete confidence precisely because of all the regulations in the background. So the fact that good regulation makes people more willing to take risks. to trust the business, is a good outcome, not a bad outcome. Let’s be very clear on that. Kinshuk Jerath: Yes, indeed. The firm then reported that they actually had better data on consumers, which led to better outcomes, overall higher revenue, happier consumers, etc. It is a short-term study, so we will see what happens in the long run, but definitely that is the direction now. Andrew Smith: Two quick things. First, I want to echo what Thomas said about trust. Trust is everything. I am increasingly now of the view, after twenty years of practicing consumer protection law and two-and-a-half years as the Director of the Bureau of Consumer Protection, that our whole job is trust, building trust, so that consumers can participate. If they think that the game is rigged, if they think that their data is going to be unsafe, or they think that their data is going to be shared with people with whom they don’t want it to be shared, that is inconsistent with their expectations, then they don’t play. If the game is rigged, they don’t play, and that is a disaster. What we want is for people — like Thomas was saying about flying in planes — to engage in Internet commerce, to buy things online, and to interact with apps on their mobile devices because all of those things improve consumer welfare and create economic activity and everybody wins. That’s point one. I was really gratified that you used the word “trust” because I have kept coming back to that frequently over the last several years — like “What is it that we’re doing here? What’s the point of this?” — and the point I think now is trust. The second thing is on privacy policies there is a sort of backlash against privacy policies and privacy notices. In the legislative debates about regulation, I can’t tell you how many times I have heard people say, “Notice and choice is a failed paradigm; notice and choice does not work.” It may not work, but I hope that is not the case for a couple of reasons. One is I don’t know that we have really given notice a fair shake. Wouldn’t what Kinshuk is talking about with the nutrition label be great? We actually have something like that in the financial world, the notices that you get in your credit card statement every year that are uniform and that you can compare from bank to bank. Privacy is complicated, unfortunately, so it is hard to reflect everything in that little notice. And I think people probably still do not opt-out when given the choice. I don’t know what that means. Does that mean they are not reading it? Does that mean they do not care? I am not sure. But here is my pitch for notices. Jeff talked about it being so important for companies to keep the promises they make. I bet we have probably brought 150 privacy and data security cases that are premised on our general authority to prohibit unfair and 16 The Global Antitrust Economics Conference 8 December 2020 Verbatim transcript of oral presentations provided by Concurrences without prior vetting by the speakers.

deceptive practices. I’d bet that you can count on your fingers the number of those cases that do not allege deception somewhere in that complaint. This is a key factor in our ability to redress consumers and to combat privacy violations because companies say clearly, “This is what we do” and when they break that promise we are able to take legal action. If someone were to ever ask me — and they haven’t — what kind of a privacy law I would advocate, I would say there are a lot of bells and whistles, but a requirement to have a notice would be very important because that would buttress a lot of law enforcement. Joe, did you want to raise something? Scott Hemphill: I will recognize Joe briefly because I do want to give us a chance to talk about our last topic and we are going to lose that opportunity depending on how long Joe talks. Pressure. Joseph Farrell: I will be brief. Can I suggest, Andrew, that you modify the slogan to say “warranted trust” or “justified trust” because trust that is unwarranted can be even more harmful than a lack of trust? Having said that, I also want to echo the distinction between trust and lack of deception. If you have a market in which consumers have become justifiably cynical, that is apt not to be an environment where you can have competition flourishing — you can make a better offer, but nobody believes it. A completely trivial point, but I don’t know if it will matter, is: By using the word “trust” are you setting yourself up for completely illusory disagreements with the antitrust side of the agency? Scott Hemphill: Don’t go there. I don’t want to get into that semantics fight. Let me instead take as our segue the joint notion here of Andrew and Joe, this idea that warranted trust is an effective facilitator of trade, and let’s dwell for a little while in what that trade might look like. I want to think now about privacy, or information flows as an inverse, not in terms of the intrinsic value of privacy but instrumental value — its effects in, for example, more effective targeting of ads, improved matches between users and advertisers or between users and products. The umbrella notion here is that when access to consumer data by a merchant or by an advertiser is mediated by a platform, what are the effects of that information sharing for consumer welfare, for platform profits, and for merchants? The effects on merchant profits have been a big focus of a lot of people right now who have been thinking about Amazon or other product platforms. This is a constellation of issues that Kinshuk and Thomas have both thought a lot about. Kinshuk, let me start with you, and then let’s turn to Thomas, to give us a perspective on how we should think about how that move now from information back to competition might work.

17 The Global Antitrust Economics Conference 8 December 2020 Verbatim transcript of oral presentations provided by Concurrences without prior vetting by the speakers.

Kinshuk Jerath: You mentioned the intrinsic value of privacy versus the instrumental value of privacy. Intrinsic value is “I just do want to give up my privacy; I don’t feel good about that.” Instrumental is “If I give up my data, what will happen downstream?” The instrumental aspect has turned out to be pretty important and I have done some work on that. A nice paradigm that I think can be used to think about this is to think of two-layered markets. One is you can think about the advertising market and what happens in the advertising market that affects the retail market. Often the advertising market subsidizes or makes our consumption of content completely free and so we give up our data. Firms get this data or platforms get this data and then what can happen next is that this better data leads to better consumer targeting. Let’s say there is a competitive situation where there are different firms: The firms can now better identify their consumers, the ones who they think will be more likely to buy from them. Once that happens, firms can actually start splitting the market or divide the market better or price discriminate better. This can sometimes actually lead to reduced consumer surplus — “Yes the consumption of digital content is free, but now I am being shown ads for products that I want to buy”— and the product prices are higher because the firms can split markets better. That is what research has shown. I think when we realize that, a policy like GDPR then makes a lot of sense because if consumers can think through that, then when consumers realize that “this is actually coming back to hurt me,” they might want to opt out of sharing data, and therefore GDPR in that sense will help improve consumer outcomes once again. Just to be mindful of time, that is the basic idea. I think the main point here is to think of advertising markets and then their impact on retailing markets or product markets. Scott Hemphill: Great. Thomas, let me turn to you. Thomas Philippon: I tend to think about the instrumental value of information in the context of what we call today the “gatekeeper effect.” On December 15th the European Union is going to come ​ out with its new rules for digital services. One of those is going to deal with the obligations or requirements for gatekeeper platforms. They are going to include, for instance, restrictions on the use of data by merchants to create their own product and things like that. When I think about the instrumental value of information, it is more in that context. What I find in my research is the idea that in a world in which part of what makes you a gatekeeper is the fact that you have good information about one side of the market, this is the best way to enhance your market power with respect to the other side of the market. The main issue there is not privacy per se — in other words, if you give customers the choice, they would share all of their information; they don’t mind. The thing that they don’t internalize is that if they share their information with only one platform, that platform then is going to have more monopoly power vis-à-vis the

18 The Global Antitrust Economics Conference 8 December 2020 Verbatim transcript of oral presentations provided by Concurrences without prior vetting by the speakers.

merchants, and that is going to result at the end of day in either higher prices for the consumers or fewer choices by restricting entry of merchants. I think what is interesting there is if you go through the logic of these models, broadly speaking they are always ambiguous. Data sharing could be inefficiently low. In fact, in many of these models consumers are less willing to share information than they should be because they do not take into account the fact that by sharing more they encourage entry, which is good for everybody. So these models are from the get-go ambiguous, which I think reflects the state of where we are. But they also point to two forces that perhaps distinguish traditional retailers from very large Internet platforms. The risk of excessive data gathering by the platform is increasing the quality of their search-and-matching technology and the quality of their information-gathering technology. There it is hard to make sense because the model tells you that the fundamental economic issue existed for 150 years, but the quantitative part and the likelihood that you end up in an environmental space where there is such a thing as too much information gathering by the platform is more likely today precisely because of technological changes that make the search engines and the information gathering more efficient. Scott Hemphill: So, Thomas, your response to “Isn’t this just like Walmart and aren’t Amazon store brands just like CVS store brands?” would be the nature and density and real-timeness of the information that is being collected? Thomas Philippon: Correct. If you think about welfare as a function of information, it is typically an inverse U shape. You want people to share information because otherwise nobody could enter — “If I don’t know what people like, I would never want to try a new product.” The inflection point comes from the excessive market power of the platforms. The fact that Amazon is so efficient at both the matching technology on the platform and gathering information creates the concern. But of course, the flip side of that is that anything like GDPR is going to have no impact on that. That has nothing to do with privacy at the individual level. Scott Hemphill: So if only I could have some kind of user review that could tell me in an intelligent and intelligible way where the “sweet spot” was in terms of how much information I should be sharing with the platform to get optimal matching without too much exploitation — that’s a lot to ask. Kinshuk, I think you have something you want to add here, and then I am going to open it up to questions. Kinshuk Jerath: I just want to add on to Thomas’s remarks. Thomas, you were focusing on the consumer information that can be learned and that impacts the merchants side. I have done some work on information flow the other way, where there is merchant information that impacts the consumer side. What is happening quite a bit at Amazon — there is recent legislation about this in the European Union — is that Amazon is arm-twisting third-party sellers, not treating them 19 The Global Antitrust Economics Conference 8 December 2020 Verbatim transcript of oral presentations provided by Concurrences without prior vetting by the speakers.

well. Something that happens here is that Amazon tracks them all the time, cherry picks the best ones once it identifies them, and then that leads to some of these good sellers or product sellers that sell good products counter-signaling themselves as bad sellers or sellers of not-such-good products just to hide under the radar from Amazon. Because Amazon is cherry picking and these guys are counter-signaling, this of course then hurts the consumers because consumers do not get as much access to these good products just because these sellers are trying to hide. So the information can flow the other way also, and in this sense it is actually under-sharing of information by the sellers which then ends up hurting the consumers. Scott Hemphill: Let me hand it over to Ariel for questions. Ariel Salvaro: Thank you, everybody, for a very interesting discussion so far. We have three questions. The first one comes from Fawaz Alshahwan. Fawaz, if you are here, Carolina from the Concurrences team is going to unmute your mic so that you can ask your question to the panel directly. Question [Fawaz Alshahwan]: First, thank you for the conference. It is very informative. Regarding the conditions that the websites ask us to agree to before signing up, some of these conditions have some privacy aspects that I usually would not accept but I have to accept because I need the information in that website or I need to participate. I like what you said about educating the consumers about their privacy, or education in general, but sometimes consumers do not have the option; they have to accept. Because the website or the company providing the service is so big, I have to accept, so I jeopardize my information in exchange for that. Is there anything that competition authorities can do about that, at least from the advocacy perspective? Scott Hemphill: That is a tough one. Who wants to take this in the first instance? I was going to try to put Andrew on the spot as an enforcer, but he may resist that. Andrew Smith: For “take it or leave it” terms and conditions, if they are keeping their promise, I think it would be hard. We generally have the ability to address deceptive or unfair practices in commerce, and it would be hard for me to construct an argument that this is either. As long as they are being upfront about it and tell you, “This is what you get and you must agree to it in order to continue on this website,” it is hard to come up with a deception theory. As for unfairness, unfair conduct is conduct that causes substantial injury, that is not avoidable by consumers, and has no offsetting benefits. I think each one of those prongs might be difficult to satisfy in “take it or leave it” terms and conditions. But it is always going to depend on the facts. Joe has thought as much or more about deception and unfairness as I have, so maybe he has a theory for how that might be actionable. I don’t want to put him on the spot, but I guess I am. 20 The Global Antitrust Economics Conference 8 December 2020 Verbatim transcript of oral presentations provided by Concurrences without prior vetting by the speakers.

Joseph Farrell: I would echo Andrew to say it depends on the facts. By and large, if somebody is providing something that is so valuable that effectively you must have it, then in the classical price-only world of conventional market analysis they would charge a heck of a lot, and mostly we would not think of that as a competition or a consumer protection problem. It is not clear to me how that becomes different if the charge is in the form of data use or privacy provisions. That is perhaps intuitively troubling. I would agree with Andrew that it is not entirely clear what might turn that into a legitimate case. Andrew Smith: I would say one qualification on that might be if there is anticompetitive conduct. So it could be a competition issue. If, let’s say, you think about raising the price of a pharmaceutical, that could be a competition problem to the extent that you are suppressing other sources of supply and things like that. Joseph Farrell: Yes. But I think then the case is you are suppressing other sources of supply, not you are charging a lot for this pharmaceutical, although obviously that is part of the effects. I think a competition case would start from: “What are you doing to these other sources of supply? Have you signed pay-for-delay deals? Are you bringing sham patent litigation? Are you doing exclusive dealing in an exclusionary way?” That would be the focus I think. Scott Hemphill: Great. Perhaps we can take another one. Ariel Salvaro: The next question comes from Nathan Hipsman from Cornerstone Research. Nathan, if you are online, Carolina is going to let you unmute your mic so you can ask your question. As a reminder, focus just on the question so we can get to as many as possible. Question [Nathan Hipsman]: I am interested in the distinction between privacy as potentially an intermediate good versus a final good and whether the opacity of the relationship between privacy polices and the end outcomes — perhaps something like price discrimination — might be part of the reason that consumers appear not to care, and whether there is any policy approach that we might take to that problem. Scott Hemphill: This is an important issue. Who is willing to take a crack at this? Kinshuk, why don’t you start? Kinshuk Jerath: Nathan, thank you for hitting the nail on the head. Another name for intrinsic value of privacy is think of it as final good versus an intermediate good, which is the instrumental value of privacy. 21 The Global Antitrust Economics Conference 8 December 2020 Verbatim transcript of oral presentations provided by Concurrences without prior vetting by the speakers.

I think you are quite right that consumers do not quite understand what all the downstream effects are of sharing their data. I do think that partly explains why they are more willing to share their data than might be optimal for them. I can’t speak much on policy, frankly. I am a marketing professor, so I don’t think I am the best person to speak on policy. But again, based on some of the examples that I mentioned, it does seem that regulations like GDPR and the discussion about it bring these things more to light. I think we will see that consumers will make more careful decisions. But again, some of these decisions might go in a counterintuitive direction, like the study I cited earlier that showed with the GDPR in place and consumers were opted out by default, at least in that one study, more consumers opted in. If we think of instrumental value of privacy or data as an intermediate good, that is not necessarily always bad for consumers. It actually could be good for consumers to be sharing their data, and we have already seen some effects of that. I think education around overall about the impact of sharing data would be a very good thing in general for consumers. Scott Hemphill: Thomas, do you want to jump in here? Thomas Philippon: The issue is also that what is salient and visible is very different for the consumers than the merchants in these things. I think the striking fact in the data is how little price discrimination there is on the consumer side. These guys could price-discriminate a lot more than what they actually do, but I think the reason they do not do it is because they understand it is not a one-shot game, and in fact if they were known to price-discriminate, then we would start to withdraw our information from them. If we knew they would use our information to price-discriminate against us, we would be more likely to not share. In fact, the equilibrium is more likely not to price-discriminate and, therefore, in exchange we share all of our information. From what we see, the problem is more on the other side, on the B2B side; that is where more of the price discrimination takes place, and that market is very opaque. You can scrape Amazon’s prices for everything that is consumer-facing and nothing for anything that is not consumer-facing. That is the issue. Scott Hemphill: I have something I want to pose to the panelists, but you can go ahead and ask a question. Ariel Salvaro: The final question that we have from the audience is from Cristian Santesteban from Red Creek Economics Consulting. Cristian, if you are online, Carolina is going to let you unmute your mic so you can ask your question. Question [Cristian Santesteban]: I am curious about something that came up in the panel about the “nutritional label” aspect of privacy. In more concrete form, what dimensions are you envisioning or are you considering it would include, given the complexity of privacy as something that is hard to define? Given that you have thought about it, perhaps you could shed more light on that. 22 The Global Antitrust Economics Conference 8 December 2020 Verbatim transcript of oral presentations provided by Concurrences without prior vetting by the speakers.

Scott Hemphill: Kinshuk, do you to kick that off? Kinshuk Jerath: Sure. It is not a simple problem. Developing the label will never be simple if the problem is not simple. This is not my personal work so I don’t know too much about it, but part of the work being done is about understanding what is it that consumers care about in these privacy policies. Going back to Nathan’s question, I think one important aspect of these labels, which seems to be missing now from the thought process, would be: What is the instrumental downstream impact of sharing my data with this firm? Definitely one of the dimensions that is being considered in the research is how far and wide is the data shared and what kind of data is shared with whom, which obviously then impacts the downstream impact. If I had to argue for one thing to certainly be added, it would be some estimate of the downstream impact — just like a nutrition label gives me a way to think about how it will affect my health, this is how it will affect my experience in ways that I cannot directly imagine. It is not just a textual summary of that big notice, but it should be maybe some sort of estimate of the implication of sharing data on this website at this point. That can be very different for different kinds of services in that case. For example, for financial services it could be different versus if I am just buying a mattress or something. I may want to share the same data in one case and not in the other case. Scott Hemphill: Let me pose one question to the panelists. We have talked about a bunch of different relationships between antitrust and data protection or between antitrust and privacy, some complementarities, some tensions, a couple of different causal relationships. One that we haven’t really talked about is the extent to which in response to an antitrust violation one might propose and implement remedies that have a data protection or privacy implementation or implication. The concrete example I want to play with, if people are willing to, is Facebook. There have been reports that Facebook is under investigation from both federal and state antitrust enforcers on antitrust grounds, not data protection grounds directly, in particular with respect to acquisitions of nascent rivals like Instagram. By way of disclosure, I have been an advocate in favor of those investigations. I don’t mean to talk about the merits of the antitrust case; I am only interested in the remedies for present purposes. Let’s imagine state and/or federal enforcers bring an antitrust case that is successful, that they establish that the acquisition of a nascent competitor is an antitrust violation, and that the harms that flowed from that included some kind of privacy harm — that is, that Facebook’s level of privacy protection was lower than it would have been had there been an independent Instagram, or a WhatsApp if you prefer that example. And if you don’t like my specific example, pick some other specific example. The question is: What, if anything, can one do in response with respect to privacy? That is, what are the prospects for implementing if you think there was a privacy harm? To what degree can we think about privacy-protecting remedies after the fact, once we have established an antitrust harm? If we think really fully rewinding to the previous 23 The Global Antitrust Economics Conference 8 December 2020 Verbatim transcript of oral presentations provided by Concurrences without prior vetting by the speakers.

status quo isn’t available and that simply undoing the transaction is not going to put the genie back into the bottle, what is the prospect for implementation of a kind of privacy conduct remedy in the antitrust space as a way to protect privacy or to protect data? And just to add one little thing here, one might have a competing agenda of encouraging interoperability. To come back to the tension that we were talking about before, one could imagine people on the competition side saying, “What we really need is interoperability to stand up new competition to Facebook,” and then people on the privacy side saying, “I think what we need is really strong privacy protections to remedy the harm to privacy that perhaps we think occurred in the past.” Any reactions? Joseph Farrell: Well, Scott, you have suggested many different strands and I think I have about twelve seconds to comment. Let me just say there is a sense in which an antitrust remedy is analytically similar to regulation — it’s regulation enforced by a consent decree or court order, as opposed to a regulatory body — and so it is going to inherit whatever advantages and difficulties there are to the regulatory solution, which makes me wonder how closely it is going to be tailored to whatever this hypothetical antitrust harm is. But obviously it is going to depend on the details. Scott Hemphill: Thanks for that reaction. Thomas Philippon: Part of the tension is to some extent the issue with privacy is that once the harm is done it is very hard to do anything, like once the milk has been spilt. So the question then is: Even if the harm is in the privacy space, should the remedy be in the privacy space? That is another question. Andrew Smith: Remedies in privacy cases have been a little bit of a challenge for us. One of the things that we have been doing for many, many, many years is requiring third-party assessors to come in and evaluate originally data security programs and now privacy programs. In our order against Facebook from a year or two ago, we also required the company to do privacy assessments whenever there is any major change. You have these procedural remedies. In some other recent cases we have had other remedies too. I’m not sure if these have showed up in publicly reported cases yet, but they will eventually. For example, if you use data to model and build an algorithm or train an algorithm that is ill-gotten data, then the requirement is to destroy the algorithm. So there are those types of remedies. Scott Hemphill: Wow, that’s a big one. Andrew Smith: Right, it is a big one. And we have gotten these in settlements and I think we could probably get these in litigation. It is sort of an injunctive type of relief.

24 The Global Antitrust Economics Conference 8 December 2020 Verbatim transcript of oral presentations provided by Concurrences without prior vetting by the speakers.

But you are right, the genie is out of the bottle. So what do you do? You maybe go to those third parties to whom you disclosed data and you require that you ask for it back; we have done that in some cases. You give a notice to consumers saying, “We disclosed your data without your consent to these people,” so consumers might be able to protect themselves. But you are right that the remedies are tricky. I am not talking about antitrust remedies. These are just remedies in our cases where companies have broken their privacy promises. But remedies is an issue where our Commissioners are very, very interested and have been very vocal in their statements in connection with our cases. Thanks. Scott Hemphill: Understood. From my standpoint, thanks to everybody for an extremely stimulating discussion. I really appreciate everyone’s candor and liveliness. It has been a lot of fun. Ariel Salvaro: I would also like to say thank you to Andrew, Jeffrey, Joe, Kinshuk, Thomas, and Scott for a very interesting discussion. I want to give all the attendees a few final important details. If you check in the chat, you should see a download link for the certificate of attendance. As I mentioned at the beginning, the certificate of attendance is only going to be available via that download link, so before the Zoom finishes you want to make sure that you click on the download link. Once you click on it, it is going to be available for the next hour. Wherever you save it, download the PDF and then you can add your name to the attendance certificate. As all previous Concurrences workshop attendees know, we always send an online survey after the webinar to get your feedback and try to be better every time. The materials will be available for all Concurrences+ subscribers. Tomorrow you will be able to get the PowerPoint presentations, the panel video, and the podcast, and in a few days you are going to be able to get the transcript and the synthesis. Tomorrow is the third and last webinar that is part of the Global Antitrust Economics Conference. The topic will be “AI in Antitrust.” The keynote speech will be by Hal Varian from Google, followed by a panel composed of Katherine Forrest from Cravath, Swaine & Moore, Michal Gal from the University of Haifa, John Harkrider from Axinn, Amy Ray from Orrick, moderated by Chris Conlon from NYU Stern School of Business. Thank you again very much everybody for a great, interesting discussion. I am happy to give my data to any of you anytime. This is now the end of the Webinar. Be safe, keep going, and we will see you on the next one.

25 The Global Antitrust Economics Conference 8 December 2020 Verbatim transcript of oral presentations provided by Concurrences without prior vetting by the speakers.