More. . .

Wolfgang Kerber, "Governance of Data in IoT Contexts"

Presented at the Legal Challenges of the Data Economy conference, March 22, 2019.

Transcript

WOLFGANG KERBER: Many thanks for having me here. This was a great day and I am sure you are already a bit tired. I think this was a great presentation also for preparing for my presentation. You will see there are many links to my presentation. So do we have our slides?

So in this panel, there was, or in the last presentation about Internet of Things, and a huge really increase in data through Internet of Things. And I would like to talk really about governance of data, and so this will be very close to certain questions that has been discussed right now. Internet of Things you all know it's connected smart devices or producing data and processing data, and we have a lot of examples here.

A smart home, smart TVs, also in smart manufacturing, where you have a lot of firms with integrated information systems, smart agriculture, where agriculture machines are in the meantime collecting a lot of data. And the question is, who get access to these data? Only the manufacturers, or also the farmers? Smart retailing is a very important new development, smart cities, and I think it's very important to understand, I think we haven't really been very aware about the consequences is that IoT will be everywhere.

So everywhere where we want the offline worlds there will be also smart devices who are collecting data from you. So it's not more of the worlds that you are lock in and lock out, but offline world will be increasingly integrated in this online world, and this has huge consequences.

Now, what kind of regulatory challenges now to IoT? And one is really certainly about here security liability. So we have a lot of problems with even minimum standards of security with many devices that are sold, and this is a huge problem in regard to the cyber security is the connection reliable questions.

The also important problem is interoperability. This idea that all these devices are connected, but then you need standards and you need interoperability, and this often does not work very well because many manufacturers have their own proprietary systems, so that's also an important aspect of regulatory questions. The other is privacy data protection. We have talked a lot about that already, and what I have focused on mostly is not really data ownership, and I've already have said a lot about data ownership already, which I entirely agree, data access, and what I like to call it, data governance because this is a very general term, and this is what I would like to focus on.

Now, only some basic facts about-- so data governance you can see is a whole set of rights, so if you think of a property right perspective, a bundle of rights, but also all kind of legal rules, which are dealing really with data. And you ask, what is an optimal set of these the rights and rules, and nobody acts that way. And we have in Europe personal data, non personal data, and GDPR defined set of rights, and this is exactly what already has been presented, so it will be brief.

Important is, I think, also to emphasize that my impression is that there are many open questions in the EU data protection rules, what this really means. And also we have also legislated exemptions to the content principle, so we have a balancing interests, Article 6 (1) (f) the question of anonymization and what are the requirements for anonymization and all these things are not clearly defined so far. And so we think we have too many problems here about defining exactly these set of rights.

Important also, as an economist, you have privacy is a fundamental right. And so there might be, from accounting perspective, a trade off with economic efficiency. And so this is what we have to take into account if we think about from economic perspective on this. In the personal data, that it is a discussion we already had. So far we have, for many data, especially census data from IoT. We have no property in a formal legal sense.

So ideas, and we have to perhaps [INAUDIBLE] right about this and this is something-- this exactly is a question where lawyers have drawn me in a debate two years ago about the question, do we need a new IP, right? IP-like right on data, and I think from an economic perspective, it's not necessary and it makes more problems than solves problems.

And the interesting thing is, and then the discussion shifted very fast from the idea of exclusive right to access right in the discussion because many data are de facto exclusive data. That's exactly what [INAUDIBLE] already has explained. And therefore, there is a de facto ownership, which is not a legal ownership, but it's very important in coming facts.

Now, in regard to Internet of Things, context, the [INAUDIBLE] situation. So we have what I call a multi-stakeholder problem. So we have an ecosystem of an IoT, and there might be a number of firms in this ecosystem, which would like to use the same data. And in this context, it might not be optimal also from an economic perspective, so to one firm in this ecosystem is exclusive data holder and so we might need more complex data governance solutions for resolving this.

And this is-- what I would like to show you now is a very specific example. And this is data in connected cars. And this is what it's mostly my presentations will be about. About this current discussion about how the data governance should look like in regard to what's called in-vehicle data. So if you look at data connected cars, and you see that we, as a connected car, it's also in-vehicle data, and it's data about driving behavior, this data is technical data about the car itself, it's also data about road conditions, weather conditions, traffic conditions, and so it's a huge amount of data generated.

And there are many as a of now firms, which are interested and would like to offer services to the car users, but they need access to these data. This might be aftermarket services, this might also be as a complementary services, as navigation services, or something like that, but also insurance companies, public authorities, and the question is now how is this organized this data?

Now, there are three different models discussed. There's also discussion we had in Europe and I only show it to you. And what is now used in Europe and also really promoted by is the European car manufacturers, especially the German ones. It's extended vehicle concept. And extend vehicle concept is a very specific concept, and this means that all data are transmitted directly to an external appropriate area server [INAUDIBLE]. And they have set for exclusive, de facto control of these data.

And this is what we already have. And they also have an exclusive control about the access to the connected car itself so this is the IT systems. The second problem, yeah? And this leads to the following situation. What we have. This is the vehicle manufacturers and they have absolute control about this proprietary external server with all these data, and also controls the access to the car itself, yeah.

And all our stakeholders want is they want to get Exadatas, they have to go to the vehicle manufacturers and without their consent, they don't get any access. Those are a another solution would be you have still an external server, where all these in-vehicle data are really transmitted. But since external server is not under the control of the vehicle manufacturer, but as a control of a neutral entity, whatever this is, yeah? And then this new entity could give nondiscriminatory access to the second model that we just discussed.

The same technical solution still transmitting to an external server, but external server is as a governance of a neutral entity instead of the vehicle manufacturers. It's very clear, since now it solves a lot of problems in regard to access to in-vehicle data, but not the problem of access to the car itself. It's still a closed system, technically.

Now, the third possibility is, and this isn't a the so-called on-board application platform, and this as a technological solution. So it's a data directly stored in the car, so the car itself, it's a platform. And also, and this would mean that the car owners or car drivers would have control about the access to their own car, both in regard as the access of the car itself, from a technical perspective, but also control about the data in the car, yeah?

And this is also called on-board application platform. And you can also call it interoperable telematics system. And these are the three models that are discussed in Europe the last three years perhaps. And what we have is the extended vehicle concept.

Now, from this situation, we got a really important and controversial policy discussion. On one hand, it's very interesting. I was in a conference in Brussels about us. On one hand, it's a vehicle manufacturers, and on the other side are all other stakeholders. There were clear situation, and as independent service providers, they complain about disparate access, about this monopolization of these specific data, and they would like to-- and this has consequences into the aftermarket-- I'll come back to this-- and this might have negative effect from competition, innovation, and consumer choice in regards to this aftermarkets, and the local legislative action by the commission.

On the other hand, the vehicle manufacturers say, this is a very similar problem. This exclusive access and control is necessary because of safety and cyber security reasons. Yeah, we have no choice. We have to do it in that way. And no regulatory action needed, yeah? The US done a lot with these co-operative intelligence transport system initiative, where they really brought all the stakeholders together and had some consensus on some principles.

And then they commissioned especially a study. This TRL study, which is a very comprehensive study about this whole problem. And this study came to the result that we have considerable problems in regard to competition, and they really think that the principle fair, undistorted competition is really here violated, and they suggest, at least in the long term, transition to such an on-board application platform.

Now the European Commission they have acknowledged that they have a problem, yeah? But so far, they have not really taken action really doing something, they would like to do. But a recommendation and voluntary measures, but in the end it's an unsolved policy question in the European Union.

Now, what I have done. So I have written a bit about it and one article is in JIPITEC, end of last year. And I have thought a bit about, how can I structure this from an economic perspective, this problem? Yeah, and I asked about-- and the most important question of economist is, can you rely on market competition really finding the best solution for the governance of this in-vehicle data? Or do we have some kind of market fails? That's exactly my question.

Now, what's very important, and I think, generalizable also as a kind of IoT context is it's very important is technological decisions because the technology and decision for this extended vehicle concepts through the car manufacturers, leads to exclusive monopolistic control about in-vehicle data. And de facto, to a kind of appropriation of these in-vehicle data.

And it leads also to a closed system. So what you also have is the same what you have with your iPhone, yeah? You cannot upload another app, which is not from thee say, Apple App store. This is that for a closed technical system. This is the same-- it would also be in this extended legal concept. So in that respect, what European car manufacturers try to build up a closed ecosystems of connected driving.

This is what they want and they also think about monetizing this data. And if it would have an on-board application platform as a different technological solution, then we would have a different kind of consequence because then the car owners would have the control. The exclusive control about the access to data in the car, and therefore the car owners would be the de facto owners. So in that respect, I think it's from economic perspective very interesting that the choice of technology decides about the initial allocation of de facto control rights of data. This is first point.

The second is now the safety and security argument. I don't want to go into details, only briefly. So the car manufacturers it's, in fact, the only argument that it's necessary because of safety and security reasons. Now, the technical experts discuss this very controversially, and many think that perhaps an open interoperable telematics platform with a multi-layered safety and security system, they use those certifications, might even have little more safety and security instead of a proprietary systems. Also this is an open technical question.

But what's more important, from my perspective, and said, if you think that an exclusive technical control is necessary because of safety, then this does not justify at the same time why is there also appropriating this data because this is something very different, a very different problem. And therefore, so technical and commercial control of data can be unbundled. This is something it's very different kind of problems, and therefore, I think safety and security reason do not justify this exclusive control of in-vehicle data.

What I'm doing then is looking at possible market failure problems. And so the first one is exactly what independent service providers have complained all the time. That exclusive control has a lot of problems because it leads to foreclosure effects and foreclosure strategies on after markets, and also on other markets for complementary services in this ecosystem of connected driving. So they can monopolize aftermarketing complementary services or sell the excess to this markets to other firms. And this would be to high monopolistic prices. So I think that the concerns about foreclosure of independent service providers is justified.

From economic perspective, however, you have to ask one important question. Always of aftermarkets. What about competition between vehicle manufacturers? Yeah? And this is about the question of whether systems competition might work, so you can think about did you still have the choice of buying him a [INAUDIBLE] with all these aftermarkets and the whole ecosystem or buying a BMW with that, yeah? And there's competition between them, so the question is, how well does this system competition work?

And I don't want to get into this, but this is from an economic perspective an important question. I think it is very doubtful that this system competition would work very well because the consumers cannot assess what involves wants his entire bundle, especially those of future services also. I think that is a problem.

So second potential market failure in this ecosystem is now a topic we also have discussed over your day a bit. And this is a question it's the relationship between the vehicle manufacturers and the consumer because what you have-- if you are buying a connected car, you do not buy anymore a car only. You are buying a complex bundle of car itself, but also a contract about services updates because you need software updates also in the future for your connected car. And therefore, you are much more locked in when you buy a car, than in a traditional car.

And in one part of this contract relationship, is also is the consent to the vehicle manufacturers to use the personal data. So this privacy aspect is also part of this contracts. And then you can ask the question, which we ask also in regard here to Google and Facebook, can these consumers make rational, informed decisions about this? The problem of salience of the price of the data.

What we heard this is exactly also here important, do car users have a real choice about this and do vehicle manufacturers offer enough granular privacy options for different privacy preferences, or is this a 0, 1 decision? And very important from a legal perspective, do notice and consent solutions really work? And I think there is a huge problem in regards to this, I think also in regard to connected cost.

And then I think might be a third market failure. And that's about technological choice. Because we can say, OK, if he sees that the market has all these extended vehicles and this is surviving somehow into market. Isn't this the most efficient solution because it surviving in the market as a technology solution? The question is now, can there be market failures? And we all know that in regard here to interoperability and also the standardization, which is here are very important, there might be market failures. And the markets might not really find the best solutions for that.

So this is the one problem that's really-- that you might end up with too close proprietary systems if not enough in a interoperability with lock-in effects for users that impede on competition innovation on these secondary markets, is the one problem, and we have a lot of economic analysis about this. And the other problem is that additional standardization problem, and you have to see if you look now in the long term, what we want is an integrated mobility system in the sense of autonomous cars. And in this system, we need, in any case, in the interoperable interfaces and standards because we also need communication between vehicles and vehicle infrastructure. So if all these safety security problems about interoperable telematics system have to be solved anyway.

So I think these proprietary systems might not be a good idea in the long term in any case for some mobility systems. In that respect, open interoperable telematic platforms might be superior to proprietary closed systems, and it might be said the market has problems really in coming to solution alone only to some competition. Usually, therefore, we have collectives with a standard setting for solving these kind of problems.

Now, my result isn't this is a very preliminary aside, so it's necessary to go much deeper investigating this. But as I said, I am cautious and say, this is a potential market failure problems. But I think there's a good hint that this is really a problem. So one is the competition problems on the aftermarket and complementary services, the other is information privacy problems, and the third one, the problems with optimal technological change, choice.

My conclusion is that I think this extended vehicle concept as it is propagated and really used in Europe, might not be the best solution, that we should look for better solutions. Now, what I do not present is what is now the best as a solution. Because the governance of data is a very complex issue, also because they are very different kinds of data. I have not talked about this, yeah. We are talking about very different kind of data, and therefore, it is not easy to say what is now a good solution.

It's also investing-- in all the discussion, there has never been developed a really good alternative solution so far, so this is really an open question. But the basic idea is really searching for data governance solutions that is superior to this idea that only one stakeholder has this exclusive control, and then you are exactly about discussion about access to data as one of the solutions that you can think about, how do this?

Now, in my last slide, we have, I think, three. I only discuss now a bit what might be possible options to do that, yeah? And so this accessorizes very much what you also have told us. So no one is really about data rights and data portability so data portability is as ideas are perhaps if the car owners could use this data portability right for getting data back from the vehicle manufacturers or giving it to us as service providers, this might be a solution solving this data access problems, but in fact, it is very hard it is unclear the extent of this right, although legally, and also the practicability of the solution. So it's not clear whether this is working or what we have to do to make it work.

Then you can think directly about introducing some legislation data access rights. So the ones that, this is what you also mentioned, as its new kind of exclusive rights. Does the data produce a right, for the European Commission, which has been discarded in the meantime as a solution? The other would be defining directly data access rights in these situations, but it is very hard to do in a general way, so I think this is not, yeah, it's too hard to do in a general way and solves the problems.

Now, what I find very interesting is competition law solutions. So my main field is really competition policy. I come from that perspective, and you all know you can see the refusal to grant access to in-vehicle data is an abusive behavior, and thinking from that perspective on that, Yeah? And I was last year involved in a study for the German ministry of economic affairs about modernization of the law and abusive behaviors of firms of market power. This was preparation for the upcoming 10th Amendment of the German competition law, and we had in this study, we have a larger, certain part was about access to data exactly as these questions on a general way, not about car data, but in a general way. But also be focused directly on IoT and aftermarket problems.

Now you can think about Article 1 or 2, yeah? Always the jurisprudence, McGill and others. And usually, we know that the requirements really for applying essential facility-doctrine is very high. So it's not easy to apply this. But from an economic perspective, you can make a good argument that essential facility-doctrine can be applied much more flexible, in regard to data, because data is not protected by an IP right. But also, the costs of producing data might be very different.

And if the costs of producing data are very low, then the balancing between the benefits of sharing the data as essential facility-doctrine and as a problem of incentives or producing data, will lead more that you really make more data accessible. So in that respect, essential facility-doctrine can be used more flexible.

And then be discussed another solution and also made proposals for amending the German competition law, and this is using a very specific German provision, that's paragraph 20 of the German competition law about relative market power, where firms are bilaterally dependent from each other. I think it has a similar provision in French competition law, and the idea is that we can also use this, and we have some ideas that might be-- that we develop new case groups, and also in this paragraph 20, also amending the paragraph 20 for facilitator. I don't want to go into details.

So I think competition law can facilitate this, but practically, it's difficult because it's always exposed and it's hard really to do that. So I think that the best solution might be really looking for a sector specific solution really for the ecosystem of economic growth of connected driving, which can really also drive you to tailor governance structure to the complexity of the system, yeah. The point is we already have a sector specific regulation about access to technical information for repair and maintenance services, this already exists, but it's not adapted to a new connected conservation, and we could build on that.

And the sector specific regulation could consist of an upfront, like exit rights of protecting competition, perhaps specific rules on protecting privacy from a consent in this ecosystem of connected driving. And perhaps also technological regulation, especially also the security standards. So I think this might be the most suitable option.

My last remark is IoT context are very, very different, and therefore, what we really have to think about-- in each IoT context, you have to make a different analysis and-- especially economic analysis-- about the benefits and the costs of different governance options, and this was only an example here was in-vehicle data, how to deal with that, but this could be applied also to other kind of IoT contexts. Thank you very much.

PRESENTER: Thank you, Wolfgang.

[APPLAUSE]

Big data