2019 Financial Markets Conference: Mapping the Financial Frontier

Interview with Robert Ledig

Robert Ledig, professor of law at the Antonin Scalia Law School at George Mason University, discussed the Economics and Regulation of Data sessions of the 2019 Financial Markets Conference. Larry Wall, executive director of the Atlanta Fed's Center for Financial Innovation and Stability, conducted the interview.

Transcript

Larry Wall: Good afternoon. My name is Larry Wall, and I'm the executive director of the Center for Financial Innovation and Stability at the Federal Reserve Bank of Atlanta. We are at the Financial Markets Conference with Robert Ledig, who is a professor of law at the Antonin Scalia Law School at George Mason University.

We have been listening to some interesting sessions on data and data privacy and data use. Bob, what were some of your main takeaways?

Robert Ledig: Larry, I think the big change here is that more and more people realize that third-party data brokers are changing the entire focus—that your behavior online is somehow now going to turn into a score that could affect your financial products and the cost of them, and whether you even get them or not. I think that is a totally different situation than when we started with Gramm-Leach-Bliley, where it was, if you were a customer of bank X, what could they do with your data with third parties?

I think that with the GDPR [Europe's General Data Protection Regulation] and with the California law, we are now going to be wrestling with whether legislation can really appropriately handle this issue, and whether there will be industry efforts to make people comfortable, and just how much do people understand about this, and certainly, how much do people in Congress understand it?

So, Larry, I think we are about to head into a whole turbulent set of waters here in this area.

Wall: You referenced GDPR and the California law. Could you say a little bit about those, and what they require?

Ledig: The idea is, a lot of information about people who are collecting your data, in relationships that you're in with them—which is different than just following you around on the web, generally, or in your social media, generally—and the idea that they have to account to you for those. That's not been part of our law, Larry. It is part of HIPAA [the Health Insurance Portability and Accountability Act of 1996].

Then [there's] the idea that you could delete, or have some of that deleted at your request—which, in the context, for example, of blockchain, which we've talked about a lot here today (since as we know, Larry, it's immutable)—how do you then call up the blockchain and say, "I want my personal data out of there"? Of course, as these things move forward, in different ways in different locations, the immutability problem is, I think, pretty significant.

The other piece is the GDPR, which... Who knows exactly how that will be interpreted? Every day there's another article about Bulgaria revoking a ruling, or Romania coming up with one. But some people believe it prohibits the use of artificial intelligence, in a significant degree. So that whole question, if that's prohibited, we've got a lot of people in the fintech industry who I don't think would be too thrilled about that.

These are the kinds of issues... I think as Congress moves forward, potentially, in addressing this—Congress has spent basically 20 years trying to do a data breach rule—and data breach, I think everyone agrees, is a relatively confined issue—how Congress would get it together to do a holistic "let's preempt California" law in the next five months, Larry—I think that would be equivalent to raising a pyramid [laughs].

Wall: Very good. You raise the issue of different rules in different jurisdictions, regarding data privacy. How do you see that playing out over time?

Ledig: Well, I think this question about data portability and movement of data into different locations and so forth raises a whole lot of jurisdictional issues. We keep seeing, in this area, if Vermont has a very tough law and also Oklahoma has a very tough law—in two different areas—that essentially sets a federal standard across the board. And then, who knows? Maybe West Virginia's legislature will come up with something.

I think that a lot of people have said that, fundamentally, the internet is interstate commerce, and therefore you really have to regulate it at the interstate commerce level, because otherwise everybody will just, you know, lose their minds. But on the other hand, the question is, some people say, "Well, a low federal standard is not going to be acceptable, and a particular state should be allowed to do more." So, like everything, it's a lot of trade-offs.

One thing I'd say, Larry, is when this whole area began in the late '90s and the early 2000s, we had a lot of questions that seemed to be legally impenetrable, and industry just moved forward, [and] ignored, largely, those questions. Now everybody signs documents online, but they don't actually have a personal electronic signature, which is what the law contemplated. So I'm very much...that we have a very creative community, and we've got a lot of smart people working on it, and I think that we can do a lot of stuff. I will put in a pitch, though, for the idea that since companies are going to make trillions of dollars off of individuals' data, perhaps there should be some sort of economic pooling arrangement that allows some of that money to come back to the consumers.

Wall: During the sessions, a recurrent theme was that context matters a lot, and that in some contexts, privacy is better. In some contexts, privacy might actually result in worse outcomes. Did that come as a surprise to you, or was that what you were expecting?

Ledig: No, I would say it's not a surprise at all. You know, there are enormous benefits to being able to walk into a car dealer at 6 p.m. on Sunday night, and walk out with a car at 7 p.m., which, in the old days, you could not have done, right? So cost, convenience—these are factors that work against each other. What I'm a little concerned about is, if you put it in a legislative process, you are making hard and fast rules that don't really shift through these things. And that's why I'm a little concerned about a midnight conference bill that says, "You may not do X," or "You may not do Y," when consumers benefit from a lot.

But the thing I'm most concerned about right now are non-FCRA [Fair Credit Reporting Act] databases that have unknown algorithms that are making determinations based on god knows what as to whether you are writing in uppercase or lowercase letters, and attributing some sort of moral failure to that.

Wall: So FCRA is...?

Ledig: I'm sorry, the Fair Credit Reporting Act—so what the credit reporting agencies do, based upon creditworthiness factors. Now, these other factors of what websites you look at, and where you shop online, and then how you attribute numbers—percentages and values—to that, I don't know how people are really going to be doing that. And I wonder how transparent they'll be, because they're likely to say it's proprietary.

Wall: Very much so. So another issue, kind of related to this, is that what's optimal privacy in one context—say, financial—might be quite different from what's optimal privacy in another area. Do you see much potential for privacy rules being sufficiently context-sensitive, or are we going to have "one size fits all"?

Ledig: Well, it's interesting that you mention that because that's been a big distinction between the U.S. and the European system, where Europe goes across the board and we have 19 sectoral rules—including for video rental, which is really irrelevant now, driver's license privacy, HIPAA, and all these kinds of things.

Your point about context, though—the other thing is, there's a generational context. When my daughter told me that all her friends use Venmo and watch each other's transactions, and I had spent six years helping people get Gramm-Leach-Bliley [GLB] put into place on the principle that these were sacrosanct and sacred transactions. Why would you want anyone to know what transactions, and what your bank statement would look like? And she looked at me like, "What's wrong with you?"

I think that it's important that we recognize—and I think some of that was in the panels today—we recognize there's so many different ways to look at that, and that's why I just think one-size-fits-all legislation, although there are reasons for it, it can have a lot of downsides as well.

Wall: Do you see much prospect that the financial services industry will be able to gather together behind a single approach and say, "Whatever works for other areas, financial services, given our needs, should be structured in the following way"?

Ledig: Well, the interesting part about all this is that the California law has a pretty significant exemption for GLB privacy-covered people. At some level, financial institutions can say, "Hey, we'll just stay out of this." I think that's like standing on a train track on the Long Island Rail Road and saying, "We hope no trains will come by in the near future."

I would caution on that. I think that, for example, the chamber of commerce has come out with pretty robust privacy principles—people may or may not agree with them, but there's something to be said, I think, for industries saying, "We hear you. We want to do it a particular way." But of course, it's very hard to get an entire industry together because everyone's always got their own particular perspective.

Wall: Okay. Bob, you made several references to GDPR, which is the European Union's General Data Protection Regulation that imposes all sorts of constraints on what you can do with E.U. citizens. And there is this problem that firms of all types face, which is, how do we make sure that we're complying with the rules in all the different jurisdictions that we have to live in?

Quite often, the easiest solution is, "Well, let's just follow the toughest of the rules, and then we don't need to worry"—which, as you mentioned for the States, creates the potential for Vermont and Oklahoma—or California, say—to impose rules on other areas.

So how should we be thinking about this extraterritoriality, and are there things that we can do to make it a little easier, and to allow different jurisdictions to have different rules?

Ledig: Well, extraterritoriality seems to be in the eye of the beholder. When the United States pushed out Volcker [the Volcker Rule] to the whole world, I'm sure a lot of countries around the world said, "Why did this happen to us?" So maybe turnabout is fair play.

I think that one of the big questions is, both in California and in Europe, how will this actually come into play? If you are running a small business in the United States, do you really have to hire high-price people from Microsoft to help you put in place a GDPR regime? Because that may cost a lot of money, and it may not really be relevant. So I've heard various interpretations about what is the threshold at which you need to start paying attention to it.

I think a lot of the devil is in the details. Once we have more clarity as to where California kicks in and where Europe kicks in, there are obviously a lot of large companies that will get caught, either because they have U.S. people in the E.U., or Europeans coming here, or whatever. And, well, it's a nightmare, Larry.

With that thought...

Wall: Thank you very much for your time and your thoughts, Bob.