Firewalls: separation short of a breakup

Pallavi Guniganti

12 July 2019

Firewalls: separation short of a breakup

Credit: iStock/Nastco

“Break up Big Tech” has become a rallying cry on both ends of the political spectrum, as people around the world worry about dominant technology companies’ ability to buy up potential rivals and extend their reach into other areas of business. Pallavi Guniganti considers whether firewalls – separating business units operationally while keeping them under the same corporate umbrella – could address some of these competition concerns.

Andreas Mundt doesn’t seem to be afraid of much. As president of Germany’s Federal Cartel Office for nearly a decade, he has taken enforcement decisions that were opposed by his own government and by other competition authorities. He has led the way in antitrust investigations of Amazon’s most-favoured-nation clauses for third-party sellers on its Marketplace retail platform, and of Facebook’s tracking users across the web. Mundt also does not fear nuance in his policy positions; he has both criticised proposals for a general regulation for platforms, and called for regulation to level the playing field between online and offline markets.

But even Andreas Mundt has hesitated to break up big tech. Speaking in Colombia in May, he said: “Policymakers are very good at debating about divesting companies. I’m not so confident that it would be an option for a small competition agency in Europe to break up one of these tech giants. I think that would be a political issue. And that is nothing that is feasible for the time being.”

For example, in the Federal Cartel Office’s big case against Facebook, the agency did not demand the divestiture of every business beyond the core social network – the “Mark Zuckerberg Production” that began in 2004. Instead, the Federal Cartel Office prohibited Facebook from conditioning the use of that social network on consent to the collection and combination of data from WhatsApp, Oculus, Masquerade, Instagram and any other sites or apps where Facebook might track them.

The decision does not limit data collection on Facebook itself. “It is taken into account that an advertising-funded social network generally needs to process a large amount of personal data,” the authority said. “However, the Bundeskartellamt holds that the efficiencies in a business model based on personalised advertising do not outweigh the interests of the users when it comes to processing data from sources outside of the social network.” 

The Federal Cartel Office thus aims to wall off the data collected on Facebook from data that can be collected elsewhere. It ordered Facebook to present a road map for how it would implement these changes within four months of the February 2019 decision, but the time limit was suspended by the company’s emergency appeal to the Düsseldorf Higher Regional Court.

In Colombia, Mundt described the kind of remedy he had ordered for Facebook as not exactly structural, but going in a “structural direction” that might work for other cases as well. Keeping the data apart is a way to “break up this market power” without literally breaking up the corporation, and is the first step to an “internal divestiture”, he said. 

Mundt claimed that this kind of remedy gets to “the core of the problem”: big internet companies being able to out-compete new entrants, because the former can obtain and process data even beyond what they collected on a single service that has attracted a large number of users.

He used terms like “silo” rather than “firewall”, but the essential idea is to protect competition by preventing the dissemination of certain information. Antitrust authorities worldwide have considered firewalls, particularly in vertical merger remedies, as a way to prevent the anticompetitive movement of data while still allowing for some efficiencies of business units being under the same corporate umbrella. 

Notwithstanding Mundt’s reference to a “structural direction”, competition authorities including his own have traditionally classified firewalls as a behavioural or conduct remedy. They purport to solve a specific problem: the movement of information. 

Beyond mergers, they also could apply to existing conglomerates such as Amazon, its Alexa Fund investment arm and its Marketplace for third-party sellers. The European Commission and Austria’s Federal Competition Authority are investigating Amazon over its use of Marketplace sellers’ data. US senator Elizabeth Warren has said that one reason to require “large tech platforms to be designated as ‘Platform Utilities’ and broken apart from any participant on that platform” is to prevent them from using data they obtain from third parties on the platform to benefit their own participation on the platform. 

Amazon tweeted in response to Warren: “We don’t use individual sellers’ data to launch private label products.” However, an Amazon spokeswoman would not answer questions about whether it uses aggregated non-public data about sellers, or data from buyers; and whether any formal firewall prevents Amazon’s retail operation from accessing Marketplace data.

If the problem is solely that Amazon’s own retail operation can access data from the Marketplace, structurally breaking up the company and forbidding it and other platforms from participating on those platforms may be a far more extensive response than is needed. A targeted response such as a firewall could remedy the specific competitive harm.

Other aspects of big companies that can give them an advantage – such as the use of profits from one part of a company to invest in another part, perhaps to undercut rivals on prices – would not be addressed by firewalls. They would more likely require dividing up a company at the corporate level. 

Still, if Andreas Mundt is right that data is the central concern, then the way forward might be found in firewalls.

Crumbling down

Or “Chinese walls”, as the English-language version of the Federal Cartel Office’s May 2017 guidance on merger remedies calls them. The guidance disfavours them, stating that such obligations are “not suitable to remedy competitive harm” because they require continuous oversight. Employees of a corporation in almost any sector will commonly exchange information on a daily basis, making it “extremely difficult to identify, stop and prevent non-compliance with the firewall obligations”, the guidance states. In a footnote, it acknowledges that other, unspecified jurisdictions have regarded firewalls “as an effective remedy to remove competition concerns”.

For example, the UK’s Competition and Markets Authority takes a more optimistic view of the ability to keep a firewall in place, at least in the context of a vertical integration to prevent the use of “privileged information generated by competitors’ use of the merged company’s facilities or products”. In addition to setting up the company to restrict information flows, staff interactions and the sharing of services, physical premises and management, the CMA also requires the commitment of “significant resources to educating staff about the requirements of the measures and supporting the measures with disciplinary procedures and independent monitoring”.

The European Commission’s merger remedies notice is quite short. It does not mention firewalls or Chinese walls by name, simply noting that any non-structural remedy is problematic “due to the absence of effective monitoring of its implementation” by the commission or even other market participants. A 2011 European Commission submission to the Organisation for Economic Co-operation and Development was gloomier: “We have also found that firewalls are virtually impossible to monitor.”

The US antitrust agencies have been inconsistent in their views, and not on a consistent partisan basis. Under Republican president George W Bush, the Department of Justice’s antitrust division’s 2004 merger guidance said “a properly designed and enforced firewall” could prevent certain competition harms. But it also would require the DOJ and courts to expend “considerable time and effort” on monitoring, and “may frequently destroy the very efficiency that the merger was designed to generate. For these reasons, the use of firewalls in division decrees is the exception and not the rule.” 

Under Democratic president Barack Obama, the Antitrust Division revised its guidance in 2011 to omit the most sceptical language about firewalls, replacing it with a single sentence about the need for effective monitoring. Under Republican president Donald Trump, the Antitrust Division has withdrawn the 2011 guidance, and the 2004 guidance is operative.

Deputy assistant attorney general Barry Nigro said in March that the Antitrust Division is “sceptical” of firewalls, “because we would worry that there would be cheating. We would worry that it would be difficult to enforce.” He might accept a firewall depending on how competitively sensitive the information is and the degree of separation between parts of a company, he explained. If the business units that are supposed to be walled off from each other actually interact on a daily basis, are housed in the same building and have friendships between their workers, “I’m going to be like, ‘I don’t know, I know how people are’,” Nigro said.

At the Federal Trade Commission, on the other hand, firewalls had long been relatively uncontroversial among both Republicans and Democrats. For example, the commissioners unanimously agreed to a firewall remedy for PepsiCo’s and Coca-Cola’s separate 2010 acquisitions of bottlers and distributors that also dealt with a rival beverage maker, the Dr Pepper Snapple Group. (The FTC later emphasised the importance in those cases of obtaining industry expert monitors, who “have provided commission staff with invaluable insight and evaluation regarding each company’s compliance with the commission’s orders”.) 

In 2017, the two commissioners who remained from the Obama administration both signed off on the Broadcom/Brocade merger based on a firewall – as did the European Commission, which also mandated interoperability commitments. And the Democratic commissioners appointed by President Trump voted with their Republican colleagues in 2018 to clear the Northrop Grumman/Orbital ATK deal subject to a behavioural remedy that included supply commitments and firewalls.

Several months later, however, those Democrats dissented from the FTC’s approval of Staples/Essendant, which the agency conditioned solely on a firewall between Essendant’s wholesale business and the Staples unit that handles corporate sales. While a firewall to prevent Staples from exploiting Essendant’s commercially sensitive data about Staples’ rivals “will reduce the chance of misuse of data, it does not eliminate it,” Commissioner Rohit Chopra said. He emphasised the difficulty of policing oral communications, and said the FTC instead could have required Essendant to return its customers’ data. Commissioner Rebecca Kelly Slaughter said she shared Chopra’s “concerns about the efficacy of the firewall to remedy the information sharing harm”.

The majority defended firewalls’ effectiveness, noting that it had used them solve competition concerns in past vertical mergers, “and the integrity of those firewalls was robust.” The Republican commissioners cited the FTC’s review of the merger remedies it had imposed from 2006 to 2012, which concluded: “All vertical merger orders were judged successful.”

Republican commissioner Christine Wilson wrote separately about the importance of choosing “a remedy that is narrowly tailored to address the likely competitive harms without doing collateral damage”. Certain behavioural remedies for past vertical mergers had gone too far and even resulted in less competition, she said. “I have substantially fewer qualms about long-standing and less invasive tools, such as the ‘firewalls, fair dealing, and transparency provisions’ the Antitrust Division endorsed in the 2004 edition of its Policy Guide.”

You can’t trust ’em

Firewalls are designed to prevent the anticompetitive harm of information exchange, but whether they work depends on whether the companies and their employees behave themselves – and if they do not, on whether antitrust enforcers can know it and prove it. Nigro at the Antitrust Division questioned the effectiveness of firewalls as a remedy for deals where the relevant business units are operationally close. The same problem may arise outside the merger context.

For example, Amazon’s investment fund for products to complement its Alexa virtual assistant could be seen as having the kind of firewall that is undercut by the practicalities of how a business operates. CNBC reported in September 2017 that “Alexa Fund representatives called a handful of its portfolio companies to say a clear ‘firewall’ exists between the Alexa Fund and Amazon’s product development teams.” The chief executive from Nucleus, one of those portfolio companies, had complained that Amazon’s Echo Show was a copycat of Nucleus’s product. While Amazon claimed that the Alexa Fund has “measures” to ensure “appropriate treatment” of confidential information, the companies said the process of obtaining the fund’s investment required them to work closely with Amazon’s product teams. 

CNBC contrasted that example with Intel Capital – a division of the technology company that manages venture capital and investment – where a former managing director said he and his colleagues “tried to be extra careful not to let trade secrets flow across the firewall into its parent company”. 

Firewalls are commonplace to corporate lawyers, who instil temporary blocks to prevent transmission of information in a variety of situations, such as during due diligence on a deal. This experience may lead such attorneys to put more faith in firewalls than enforcement advocates do.

Diana Moss, the president of the American Antitrust Institute, says that like other behavioural remedies, firewalls “don’t change any incentive to exercise market power”. In contrast, structural remedies eliminate that incentive by removing the part of the business that would make the exercise of market power profitable. 

“Firewalls are some of the easiest things to work around, because it’s just a promise by the firm not to share information between affiliates. There’s no amount of policing, monitoring or compliance that completely assures the firm abides by that after a merger or conduct violation,” Moss says. Indeed, leaving in place the incentive structure and market power gives the company “every incentive to develop workarounds to a firewall”. 

No internal monitoring or compliance ensures the firewall is respected, Moss says, unless a government consent order installs a monitor in a company to make sure the business units aren’t sharing information. This would be unlikely to occur, she says.

“Given how valuable data is to the platform business model, if you start limiting the ability to share data internally, there will be very strong incentives to violate a firewall requirement. Data is critical to the value proposition. Then you’ll have an ineffective remedy and you’re back to square one,” Moss says.

Yet Moss sees market power, not the ability of a platform owner to compete on that platform, as what enforcers should guard against. “How do you incent companies to continue to invest in a standalone, regulated platform?” she asks. “It could be OK for a platform owner to compete on its own platform, so long as it doesn’t have enough market power to have the ability and incentive to exclude rivals.”

Moss’s 2011 white paper on behavioural merger remedies, co-authored with John Kwoka, reviews how well such remedies have worked. It notes that “information firewalls in Google-ITA and Comcast-NBCU clearly impede the joint operation and coordination of business divisions that would otherwise naturally occur.” 

Lina Khan’s 2019 Columbia Law Review article, “The Separation of Platforms and Commerce,” repeatedly cites Moss and Kwoka in the course of arguing that non-separation solutions such as firewalls do not work.  

Khan concedes that information firewalls “in theory could help prevent information appropriation by dominant integrated firms.” But regulating the dissemination of information is especially difficult “in multibillion dollar markets built around the intricate collection, combination, and sale of data”, as companies in those markets “will have an even greater incentive to combine different sets of information”, she said.

Don't confuse the problem with the issue

Yet neither Khan nor Moss points to an example of a firewall that clearly did not work. Khan writes: “Whether the [Google-ITA] information firewall was successful in preventing Google from accessing rivals’ business information is not publicly known. A year after the remedy expired, Google shut down” the application programming interface, through which ITA had provided its customisable flight search engine.

Even as enforcement advocates throw doubt on firewalls, enforcers keep requiring them. China’s Ministry of Commerce even used them to remedy a horizontal merger, in two stages of its conditions on Western Digital’s acquisition of Hitachi’s hard disk drive. In 2012, Mofcom imposed both structural and behavioural remedies on the deal. These included requiring Western Digital to hold Hitachi’s HDD business separate, and to establish firewalls to prevent the exchange of competitively sensitive information between that business and Western Digital. Three years later, Mofcom allowed some integration between the merged companies, but still mandated: “Western Digital will build a firewall between the two sales teams to ensure that they do not exchange competitive information.”

If German courts allow Andreas Mundt’s remedy for Facebook to go into effect, it will provide an example of just how effective a firewall can be on a platform. The decision requires Facebook to detail its technical plan to implement the obligation not to share data on users from its subsidiaries and its tracking on independent websites and apps. 

A section of the “frequently asked questions” about the Federal Cartel Office’s Facebook case includes: “How can the Bundeskartellamt enforce the implementation of its decision?” The authority can impose fines for known non-compliance, but that assumes it could detect violations of its order. Somewhat tentatively, the agency says it could carry out random monitoring, which is “possible in principle… as the actual flow of data – eg, from websites to Facebook – can be monitored by analysing websites and their components or by recording signals.”

As perhaps befits the digital difference between Staples and Facebook, the German authority posits monitoring that would not be able to catch the kind of “oral communications” that Commissioner Chopra worried about when the US FTC cleared Staples’ acquisition of Essendant. But the use of such high-tech monitors could make firewalls even more appropriate as a remedy for platforms – which look to large data flows for a competitive advantage – than for old economy sales teams that could harm competition with just a few minutes of conversation.

Rather than a human monitor installed in a company to guard against firewall breaches, which Moss called “expensive and ridiculous”, software installed on employee computers and email systems might detect data flows between business units that should be walled off from each other. Breakups and firewalls are both longstanding remedies, but the latter may be more amenable to the kind of solutions that “big tech” itself has provided.

Comments Add your comment

Add Your Comment