On May 19, 2021, the United Kingdom’s Competition and Markets Authority (“CMA”) and the Information Commissioner’s Office (“ICO”) published a joint statement setting out their shared views on the relationship between competition and data protection in the digital economy.
Both authorities recognize that the digital economy has the potential to have a hugely positive impact on people’s lives, from improvements to public services to companies driving innovations that can make. However, they have made clear that their collective position is that this can best be achieved where digital markets are competitive, consumer and data protection rights are respected, and citizens are empowered to exercise meaningful control over their own data. In their view, there are strong synergies between the interests of data protection and competition, as demonstrated by the close working relationship which has developed between the CMA and ICO in recent years.
Summary of Key Findings
The joint statement sets outs the CMA and ICO’s shared views on the relationship between competition and data protection, particularly in relation to:
-
the important role that data – including personal data – plays within the digital economy
-
the strong synergies that exist between the aims of competition and data protection
-
the ways that the CMA and ICO will work collaboratively together to overcome any perceived tensions between their objectives, and
-
practical examples of how the CMA and ICO are already working together to deliver positive outcomes for consumers
The proposed workplan sets out in concrete terms how the authorities are adopting a joined up approach to regulation across the digital regulatory landscape in the UK, with practical steps to reinforce their respective ability to cooperate along with ambitious plans to support capability sharing, including secondment programs, colocation of teams and the development of a shared center of excellence. Both authorities make clear that they are committed to developing and fostering a culture of cooperation and collaboration with each other, and note they are already working together on some of their most high-profile investigations. According to the joint statement, this demonstrates how UK consumers will benefit from a collaborative approach between the two authorities.
By way of example, the joint statement describes the CMA’s Competition Act investigation into Google’s proposals to phase out support for third-party cookies on its Chrome browser and replace them with a ‘Privacy Sandbox’ approach. In addition to considering the impact of the proposals on competition in digital advertising markets and on user experience, the investigation will also build in consideration of data protection aspects by the ICO. Similarly, the ICO’s investigation into the use of personal data in real time bidding in digital advertising is another example described in the joint statement. In this investigation, the ICO’s focus is on the data protection aspects of a system that processes the personal data of millions of people every day, with a series of audits underway, and the investigation will now also include consideration of the impact on competition by the CMA.
The joint statement makes clear that the CMA and ICO will continue to engage proactively on these issues impacting the digital economy, including through the work of the UK’s Digital Regulation Cooperation Forum.
Ultimately, the joint statement acknowledges that the CMA and ICO will continue to ensure their overlapping objectives relating to competition and data protection in the context of the UK digital economy are strongly aligned and complementary. According to the CMA and ICO, more competitive markets will deliver the outcomes that consumers care about most, which increasingly includes enhanced privacy and greater control over personal data. In addition, both the CMA and ICO have concluded that their relationship is mutually reinforcing: they consider that well-designed regulation and standards that preserve individuals’ privacy and place individuals in control of their personal data can promote positive competitive outcomes. In turn, with appropriate and targeted regulation, competitive pressures can be harnessed to incentivize responsible innovations that protect and support users. Further, they each consider that the creation of a so-called level playing field is fundamental for enabling effective competition to thrive. In this respect, according to them, data protection laws help to achieve a level playing field with regards to data access, by ensuring that processing of personal data by all parties is fair and lawful and individual rights are upheld.
Practical Implications of Collaboration between CMA and ICO
Notwithstanding their commitment to working collaboratively, the joint statement itself highlights existing tensions between competition law and data protection law, including the use of data-related interventions as a remedy to an identified competition law problem. The joint statement contains examples from the CMA’s market study into online platforms and digital advertising in which the CMA found that certain market participants, especially so-called digital gate-keepers, have significant data advantages through access to search ‘click and query’ data, user profiling data, and advertising analytics data. Many of the proposed interventions or remedies suggested by the CMA related to data, including broadening access to digital gate-keepers’ data sets to smaller competitors or to new entrants to the market. However, such a per se access intervention to third parties gives rise to a conflict with existing data sharing and privacy obligations incumbent upon so-called “controllers” of personal data. However, the CMA and ICO insist that any “perceived tensions” can be avoided or otherwise remedied through designing the relevant data access interventions “carefully, such that they are limited to what is necessary and proportionate”.
The joint statement concludes with an acknowledgement that a case-by-case analysis is likely to be required to resolve tensions between competition and data protection law. As a result, whilst the authorities clearly intend to work constructively with each other, they are not committing to a one-size-fits-all approach when undertaking their respective reviews and assessments of businesses’ obligations under applicable competition and data protection laws.
Conclusion
The joint statement makes clear that the CMA and ICO are committed to working together both in respect of regulatory and legal developments on the one hand, and in relation to collective or otherwise complementary investigations and other enforcement actions on the other. Whilst the joint statement sets out the authorities’ commitment to working together, it contains very little in the way of actual or practical guidance for businesses who handle large amounts of personal data (particularly those businesses active in data-related activities within the UK digital economy). However, in terms of key takeaways, it is clear that any business which handles personal data in the UK will need to be mindful of the close relationship between the CMA and ICO, including potential joint investigations or at the very least sharing of information between the authorities to ensure they are aligned when dealing with any alleged breaches of competition and/or data protection laws. Likewise, it is expected that the regulatory landscape in the UK will continue to develop especially with respect to the use of data-driven remedies and outcomes when addressing perceived competition law infringements by businesses involved in or otherwise handling large amounts of personal data in the UK.