Competition and data protection – CMA and ICO publish joint policy statement

June 25th, 2021 Posted in Data Protection, News & Resources

On 19th May, the Information Commissioner’s Office (“ICO”) and the Competition and Markets Authority (“CMA”) released a joint statement, setting out their views on the relationship between competition and data protection in the digital economy. The statement is thought to be the first of its kind globally. It highlights a strong commitment between the two bodies to collaboratively reach regulatory solutions that balance competition with data protection.

The statement comes at a timely point within the development of the digital economy and recognises the links between competition, consumer protection, data protection and privacy. These links increasingly exist because of the central role personal data plays in the business model of online businesses.  

In addition to synergy, there is recognition of potential tensions between the objectives of competition and data protection laws. Both parties recognise that such tensions are surmountable, however, and the focus is on a relationship that reinforces the protection of consumer data, while also giving rise to a healthy, competitive market.

Here’s everything that you need to know.  

Complementary, overlapping objectives

In their statement and signed Memorandum of Understanding (“MOU”), the ICO and CMA underscored that their objectives are complementary and mostly overlap. They both wish to ensure consumer data protection and / or privacy, while creating a “level playing field” that promotes healthy competition for the benefit of consumers.  

The announcement is a letter of intent, rather than an establishment of policies, so not much has been given away on how the two bodies will work together in practice.  

However, at a headline level, the statement discusses collaboration in terms of:  

  • Ensuring genuine user choice: Both parties wish to ensure consumers have a legitimate choice over the services or products they choose to interact with, reinforced with a clear understanding of how their data will be used to inform that decision. In line with this, both bodies want businesses to be transparent about how they process data and offer consumers clear choices. To put this into practice, the statement advocates that digital providers design choice architecture that favours the consumer’s best interest in their default settings.
  • Data-related interventions to promote competition: The ICO and CMA are both acutely aware of the potential for an unlevel competitive playing field, whereby some organisations have more access to consumer data than others. This can distort competition and also raises concerns about data protection – particularly in the AdTech field. The statement notes potential solutions to these problems in brief, such as “restricting access to data, or limiting the ability to combine and integrate datasets, for platforms with market power, in order to create a level playing field with other market participants.”  
  • The upholding of regulations and standards to protect privacy and ensure effective competition: Both bodies believe that well-designed regulations, which reinforce consumer privacy, will ultimately positively promote effective competition. They explain that businesses who follow data protection law are more likely to invoke trust from their customers, which in turn is “a driver of innovation, competition, economic growth and greater choice for consumers and citizens.” 

Recognised tensions

As well as finding common ground between them, the ICO and CMA recognise potential policy tensions between the two disciplines. For example, when it comes to data-related interventions, the CMA would advocate sharing certain types of data with smaller businesses or new market entrants, in order to create level footing against larger incumbents in a respective field. This approach could conflict with data protection objectives, if the data subject is perceived to have lost control over their data, or it is shared in a way that is deemed beyond what is necessary.

As an example of this in practice, the statement references the ICO’s work in the real-time bidding (“RTB”) space, which found multiple regulatory issues with the widespread sharing of personal data in the digital advertising sector.   

On the flip side of this argument, large organisations could potentially perceive data protection law in a way that unfairly allows them to have a monopoly over personal data, leading to unfair market dominance. The CMA references Google’s Privacy Sandbox as a prime example of this. As background, Google is planning to abolish third-party cookies by 2022, and replace them with a new advertising tool that does not directly share personal data. 

Google has stated that the new system will improve end user privacy, but the CMA is currently investigating the move, after cries from organisations that the new system would create an uneven playing field, in favour of Google.   

To remedy these potential conflicts, the statement advocates a case-by-case analysis, rather than a universal, one-size-fits-all approach. To that end, the statement does not include details on how perceived tensions will be resolved, as it appears this will depend on the specifics of each issue that arises.  

Next steps and takeaways

The joint statement highlights the merging, yet sometimes contradictory, worlds of competition and data protection in the digital economy. While the statement leads to more questions about exactly how the two bodies will work together, their intent is clear: moving forward, we can expect to see increased collaboration between these regulators.  

Because the statement is a letter of intent, rather than legislation, it gives very little advice to digital-led businesses about how to correctly utilise personal data – other than what is already established within the UK General Data Protection Regulation (“GDPR”). Regardless of this, businesses that process the personal data of individuals in the UK must now be aware of the strengthening relationship between the CMA and ICO, and the implications this could have in terms of joint investigations. 

It’s also worth noting that the Government recently established the Digital Markets Unit (“DMU”) in the UK, to promote greater competition and innovation in the digital market, while protecting consumers and businesses from unfair practices. As a result, it’s likely that we will see new frameworks and guidance published as this merging space continues to develop. In particular, and especially in light of the Google and RTB cases, we can expect to see more guidance that addresses the conflict between data sharing and unfair competition in the future.

Need help?

If you regularly share data with other organisations or are embarking on a project which will involve data sharing, you will need to consider data protection law. If you would like to discuss the content of this blog or want to discuss what your business needs in order to become data protection compliant, we can help. Contact us for a no-obligation chat.

Written by Evalian®