The UK’s Information Commissioner’s Office (ICO) and Competition Market’s Authority (CMA) have published a joint statement setting out a blueprint for their cooperation in regulating the digital economy.
The ICO and CMA affirmed there are “strong synergies” between their respective data protection and competition policy agendas, and have committed to working together to achieve positive outcomes in both areas.
“Data plays a vital role in the digital economy – from suggesting new music or films that we may enjoy, to helping us find relevant information when searching online. A well-functioning digital market needs to preserve privacy and offer competitive online services, empowering consumers,” said CMA chief executive Andrea Coscelli.
“This statement clearly shows robust data protection can support vibrant competition in digital markets, and digital firms should not use data protection as an excuse for anticompetitive behaviour. We look forward to continuing to work with the Information Commissioner’s Office to support the development of innovative digital markets that put consumers in control of their data.”
Information Commissioner Elizabeth Denham added that modern data protection regulation is vital to building a vibrant digital economy: “In our increasingly digital world, the links between data protection, competition and consumer rights regulation make our joint work timely and important.
“We look forward to continuing our cooperation with the CMA to ensure people’s data is safeguarded and digital innovation and competition is supported,” she said.
The statement said the synergies between the two regulators can be broken down into three main categories: user choice and control, standards and regulations to protect privacy, and data-related interventions to promote competition.
In the context of user choice and control, for example, the regulators said it was fundamental to both policy agendas, with effective competition enabling stronger privacy protections, and weak competition undermining them.
“In its recent market study, the CMA identified a significant concern where social media platforms offered users no choice over whether to have their personal data used for personalised advertising,” said the statement.
“It concluded that concerns around such ‘take it or leave it’ terms regarding the use of personal data were particularly acute where the platform has market power, such that the user has no meaningful choice but to accept the terms.
“Effective data protection can also support competition as rival companies seek to build consumer trust and confidence in the way that their personal data is used, and by helping to ensure that competitive pressures help drive innovations that genuinely benefit users.”
It further added, in the context of data-related interventions, that differential access to data can distort competition, meaning the regulators will work together to assess what actions will be necessary and appropriate.
Highlighting examples of potential intervention, the statement said it could take the form of, for example, restricting access to data for companies with market power by limiting their ability to combine and integrate datasets.
“One example of such an intervention that was considered in the CMA’s market study is the potential for imposing data silos on platforms with market power to restrict their ability to combine datasets for the purposes of targeting and measuring digital advertising,” it said.
Areas of tension and updated memorandum of understanding
The statement also sets out two potential tensions between the work of the regulators.
One of these again relates to data access interventions, which on the one hand could be used to create a more level playing field, but on the other could lead to more widespread processing of personal data by a greater number of data controllers.
“Should data access interventions be an appropriate remedy, we therefore think any perceived tensions can be resolved through designing them carefully, such that they are limited to what is necessary and proportionate, are designed and implemented in a data protection-compliant way… and they do not result in a facilitation of unlawful or harmful practices,” it said.
The second area of tension highlighted is the risk of data protection law being interpreted by large integrated digital businesses in an anti-competitive manner, “e.g. by unduly favouring large, integrated platforms over smaller, non-integrated suppliers”.
“As we both jointly consider the right way forward in relation to these issues, we recognise that there are significant challenges to be addressed, which will require more detailed consideration,” he statement said.
“However, we believe that competition and data protection law are strongly synergistic, and any areas of perceived tension can be reconciled through careful consideration of the issues on a case-by-case basis.”
An updated memorandum of understanding (MOU) has also signed by both regulators to reinforce their commitments, replacing a previous version from 2015 and setting out an information sharing framework for future collaboration.
“The purpose of the MOU is to enable the parties to share relevant information which enhances their ability to exercise their respective functions,” it said.
“This MOU should not be interpreted as imposing a requirement on either party to disclose information in circumstance where doing so would breach their statutory responsibilities. In particular, each party must ensure that any disclosure of personal data pursuant to these arrangements fully complies with both the UK GDPR and the DPA 2018.”
It added while the MOU sets out the potential legal basis of the information sharing, it is for each regulator to determine for themselves that any proposed disclosures are legal.
Wider regulatory cooperation
The ICO and CMA’s statement and MOU follows the Digital Regulation Cooperation Forum’s (DRCF) publication of a workplan in March 2021, which outlined how UK regulators with remits over different aspects of the digital economy can increase the scope and scale of their cooperation.
As well as the ICO and CMA, this also includes the Office of Communications (Ofcom) – which the UK government has officially confirmed will oversee and enforce a duty of care for internet companies and technology platform under the upcoming Online Safety Bill – and the Financial Conduct Authority (FCA), which joined the forum officially in April 2021.
This workplan is comprised of three priority areas: responding strategically to industry and technological developments, developing joined-up regulatory approaches, and building shared skills and capabilities.
“The nature of digital services means that different regulatory regimes will interlink and overlap,” said the DRCF at the time. “Where this occurs, we will develop approaches for ensuring a coherent regulatory approach.
“Areas of focus this year will be on the inter-relation between data protection and competition regulation, and the age-appropriate design code and the regulation of video-sharing platforms and online harms.”
It added that the regulators would also work together to build their collective technical and analytical capabilities, which will include exploring new operational models to support more efficient skills and expertise sharing going forward.
