Daniel Schnurr: CERRE Research Fellow and Data Expert
Each month CERRE introduces a member of its academic team showcasing their background, introducing the ongoing projects they are working on, and addressing topical cross-cutting issues everyone wants to know about.
Daniel, you have a Ph.D in Information Systems, can you give us an overview of your expertise and particular research interests?
In my research I focus on the economic impact of digital technologies on individuals, businesses, and society. I am particularly interested in the rules and institutions that govern businesses’ and consumers’ access to data. Moreover, I am interested in consumer behavior and decision-making in privacy contexts, as well as the interaction between humans and Artificial Intelligence (AI) in digital markets.
All of these topics require a sound understanding of the underlying technologies and how they affect the economic incentives of businesses and transform our society. Conversely, economic forces and regulation shape the design and the implementation of digital technology as more and more markets undergo fundamental transformations. Consequently, this calls for an interdisciplinary research approach – and for this a background in information systems can be really valuable.
You are a newly appointed CERRE Research Fellow, but you have collaborated with the think tank before. What did your previous project look into?
In this CERRE research project, delivered in collaboration with Jan Krämer and Sally Broughton Micova, we focused on the role of data as a central economic resource in the digital economy and its crucial implications for contestability and innovation in digital markets. Most importantly, we wanted to take a deeper look at how data are creating business value in today’s markets, characterise under which conditions there is a potential harm from data agglomeration and which regulatory approaches are available to policy makers in order to mitigate such harm. The project went beyond the conventional wisdom that data are valuable per se and investigated in more depth when and how business value can be derived. As such we were able to ground our policy proposals on the basis of three concrete case studies on online search, e-commerce, and media platforms. You can read more about the project here.
The European Commission will be launching its Data Act very soon. What does this legislation seek to achieve? What are you hoping to see in the proposal?
At the moment, we still need to wait for the official presentation of the proposal to fully understand what the European Commission wants to achieve. However, based on the available information it seems clear that the Commission is willing to take strong measures to empower users as the primary controllers of the data that is created when they use connected products and related digital services in the Internet of Things. By introducing such a fundamental right to access for users, the Commission intends to maximise the availability of created data for re-use – also for businesses and organisations that are not the original producers of a connected product nor the provider of a related service where the data is originally created.
Establishing a right to access data beyond the scope of personal data involves several trade-offs and must strike a difficult balance between different policy objectives. On the one hand, making data widely available for broad re-use promises new avenues for innovation. On the other hand, it is important not to hamper business incentives to offer connected products and data-driven services. In this context, it is noteworthy that the Data Act proposal seems to apply universally to all providers of connected products and services irrespective of size and market share. This is in contrast to rules in the Digital Markets Act (DMA) proposal that are specifically targeted to large digital gatekeepers. Here, my hope is that the Commission will also consider the incentives for businesses to offer such products and services, especially for new and emerging firms.
Moreover, it is vital that individual consumers will be supported by additional measures in their role as the primary data controllers. This is particularly important, as we know from empirical research in information systems and related disciplines that empowering users through control and transparency may sometimes achieve the opposite due to behavioural biases and limited cognitive abilities of human decision makers. Moreover, it is simply too burdensome for most people to manually manage their personal data on a universal and continuous basis – for example, think only of all the cookie banners that we currently face when browsing the world wide web. To this end, technology can play a promising role in assisting and supporting users and I am particularly interested in how the Commission will consider and integrate such approaches into the legal framework.

Why is regulation in this area important?
Data are a unique economic good with very special characteristics. Due to these special characteristics, policy makers currently face two fundamental challenges: firstly, there is significant data concentration in today’s digital markets due to data agglomeration by a few digital superstar firms; secondly, there is also substantial data fragmentation due to highly dispersed data creation and a lack of data sharing. Both these challenges pose the risk that the full collective value of data cannot be achieved without regulatory intervention. However, it is also important to keep in mind that regulation itself does come at a cost. Accordingly, innovative regulatory approaches can balance the involved economic trade-offs, while reducing regulatory costs and minimising the burden on innovative activities. In my opinion, CERRE has done very innovative work on this issue and advanced the debate on what new regulatory tools and approaches are available.
What is the general response so far, is there support or opposition to this regulation?
Naturally, such regulation will prompt very diverging feedback from different stakeholders depending on their market position and business model.
For example, there have been prominent calls in practice and academia that users should be put in a stronger position to control the data that they co-create when they are using electronic devices or digital services. The new right to access for users of connected products and services in the Data Act proposal seems to be very much in line with this idea. On the contrary, it has been reported that the regulation will explicitly prohibit firms that are designated as gatekeepers under the DMA to access the data that are shared based on this right to access. Of course, banning a selected group of firms from accessing such data sources will be very controversial – especially if these firms rely on data-driven business models that benefit from aggregating a wide variety of data sources.
More generally, there is still significant uncertainty about how rules will be implemented and enforced in practice – although this is not unusual for a regulatory proposal at an early stage. For example, one limitation to the proposed users’ right to access seems to state that shared data cannot be used to develop products in competition with the original data holder. It may seem reasonable, in principle, to preserve legitimate business interests of firms providing the original product or service. However, we already know from competition law cases that defining the threshold for competition, i.e., the relevant market, is very difficult in practice especially in digital markets. Therefore, this could entail legal uncertainty and risks for data re-users when they rely on this new right to access, which could possibly undermine the intended goals of the regulation.
There is a lot happening in the realms of digital regulation right now. What other aspects are of interest to you?
There are indeed many interesting developments at the intersection of digital technology and regulation going on at the moment. One major development is certainly the increasing role of AI and its implementation on a larger scale in more and more markets. In this context, I am particularly interested in the interaction between AI and human decision-making as this presents a large range of novel policy and research questions. For example, similar to questions around privacy and personal data, the increasing use of complex automated machines poses fundamental challenges on how much transparency and control should be given to the individual user. Here, I think it is important that regulation draws from the vivid and ongoing empirical research efforts in academia that investigate humans’ preferences, decisions, and biases when interacting with AI. A related topic concerns competition and collaboration in electronic markets where humans and AI meet. Think, for example, of today’s e-commerce markets where algorithmic sellers meet with human decision makers. This introduces many important questions on liability for algorithmic actions, price setting in these hybrid market settings, as well as the use of digital technologies on behalf of regulatory agencies, so-called RegTech. Even more so, algorithmic content moderation on social media platforms and automated algorithmic coordination of platform ecosystems, such as on ride-hailing platforms, have a tremendous impact on our everyday life and pose important policy and research questions.

Looking to the future, what other areas of data regulation should be considered at European level?
One evolving topic that I am particularly interested in is data altruism, i.e., the use and donation of data for the common good. Here regulation could likely play a more active and facilitatory role in unlocking the social value of individual-level and sensitive data. Think, for example, of the health domain where possibly large social gains could be achieved based on access to greater quantities of high quality, fine-granular data. In my opinion, there is a lot of potential for further initiatives that go beyond the initial steps in the Data Governance Act and sector-specific regulation in some Member States. At the same time, there are exciting research opportunities to evaluate which approaches can prove effective.
A second, very fundamental question is whether our data protection and privacy frameworks are fit for a (not-so-distant) future where machine learning applications will make automated decisions based on learning from data on a large-scale basis. For example, how effective is a ‘right to be forgotten’ that allows people to erase personal data if this data is irreversibly learned by algorithms that will continue to consider the information learned from this data? In my opinion, this will be an important policy topic, especially given the current European data protection framework, as more and more data becomes available and AI becomes a general-purpose technology. Here again, technical expertise about the involved digital technologies is important to develop regulation that can effectively achieve the intended policy goals.