On 19 May the UK Competition and Markets Authority (CMA) and the Information Commissioner’s Office (ICO) published a joint policy statement setting out their shared views on the relationship between competition and data protection in the digital economy.
The statement from the UK’s competition and data protection agencies – the first of its kind globally – highlights the commonalities between promoting competition in digital markets and safeguarding people’s data. In presenting the statement, CMA Chief Executive Andrea Coscelli said:
“A well-functioning digital market needs to preserve privacy and offer competitive online services, empowering consumers. This statement clearly shows robust data protection can support vibrant competition in digital markets, and digital firms should not use data protection as an excuse for anticompetitive behaviour.”
Emphasising the importance of data in today’s economy, the statement explains how the business models of some of the world’s largest companies rely on data – including personal data – to optimise their products. It goes on to suggest that the policy objectives of fostering competition and protecting people’s data are “strongly aligned and complementary”, discussing the synergies between competition and data protection under three main headings: ‘user choice and control’; ‘standards and regulations to protect privacy’; and ‘data-related interventions to promote competition’.
The statement recognises that tensions can arise between competition and data protection in some circumstances. It focuses on two main areas:
1. Data access interventions which might help level the playing field between competitors but also risk compromising users’ privacy. The statement notes that where access to personal data falls within the scope of a remedy aimed at promoting competition in a particular market, that remedy must be designed in a way that accords with data protection law. However, the CMA and ICO consider that “any perceived tensions can be resolved” through designing data access interventions “carefully, such that they are limited to what is necessary and proportionate”.
2. Risk of interpreting data protection law in an anti-competitive manner. This risk could arise, for example, where companies interpret data protection law as being more favourable to internal (intra-group) data transfers than to external (extra-group) transfers. The statement suggests that such an interpretation would “clearly be problematic for competition”, as it would provide strong incentives for companies to integrate horizontally and vertically and make it more difficult for new entrants to compete in digital markets.
Whilst acknowledging that there are “significant challenges to be addressed, which will require more detailed consideration”, the CMA and ICO confidently conclude that:
“[…] any areas of perceived tension between competition and data protection can be overcome through careful consideration of the issues on a case-by-case basis, with consistent and appropriate application of competition and data protection law, and through close cooperation between our two organisations.”
This optimistic outlook will be put to the test as the agencies’ enforcement action in the digital sphere gathers pace.
The CMA and ICO emphasise their commitment to working together on projects that will put the joint policy statement into practice. In this context the statement refers to the CMA’s investigation into Google’s ‘Privacy Sandbox’ project (on which we commented here) and the ICO’s investigation into the use of personal data in real-time bidding in the adtech industry (see here). The agencies’ commitment to working together effectively has also been reinforced by an updated Memorandum of Understanding (MoU), signed by the CMA and ICO at the end of April. The MoU sets out a framework for cooperation and information-sharing between the two agencies, with the aim of facilitating closer collaboration.
The joint policy statement and updated MoU fit within a broader programme of work being undertaken by the Digital Regulatory Cooperation Forum (DRCF), which was formed by the CMA, the ICO and Ofcom in July 2020. (The Financial Conduct Authority became a full member of the DRCF in April this year.) Established in order to “increase the scale and scope of cooperation” between the agencies and to “address the unique challenges posed by regulation of online platforms”, the DRCF represents a shift towards a more holistic approach to regulating digital markets in the UK – a shift that is also occurring in the EU and beyond.