The UK’s Information Commissioner’s Office (ICO) and Competition Market’s Authority (CMA) have published a joint statement setting out a blueprint for their cooperation in regulating the digital economy.
The ICO and CMA affirmed there are “strong synergies” between their respective data protection and competition policy agendas and have committed to working together to achieve positive outcomes in both areas.
“Data plays a vital role in the digital economy – from suggesting new music or films that we may enjoy to helping us find relevant information when searching online. A well-functioning digital market needs to preserve privacy and offer competitive online services, empowering consumers,” said CMA chief executive Andrea Coscelli.
“This statement clearly shows robust data protection can support vigorous competition in digital markets, and digital firms should not use data protection as an excuse for anticompetitive behavior. We look forward to continuing to work with the Information Commissioner’s Office to support the development of innovative digital markets that put consumers in control of their data.”
Information Commissioner Elizabeth Denham added that current data protection regulation is vital to building a vibrant digital economy: “In our increasingly digital world, the links between data protection, competition, and consumer rights regulation make our joint work timely and essential.
“We look forward to continuing our cooperation with the CMA to ensure people’s data is safeguarded, and digital innovation and competition is supported,” she said.
The statement said the synergies between the two regulators can be broken down into three main categories: user choice and control, standards and regulations to protect privacy, and data-related interventions to promote competition.
For example, in the context of user choice and control, the regulators said it was fundamental to both policy agendas, with effective competition enabling stronger privacy protections and weak competition undermining them.
“In its recent market study, the CMA identified a significant concern where social media platforms offered users no choice over whether to have their personal data used for personalized advertising,” said the statement.
“It concluded that concerns around such ‘take it or leave it’ terms regarding the use of personal data were particularly acute where the platform has market power, such that the user has no meaningful choice but to accept the terms.
“Effective data protection can also support competition as rival companies seek to build consumer trust and confidence in the way that their personal data is used, and by helping to ensure that competitive pressures help drive innovations that genuinely benefit users.”
In the context of data-related interventions, it further added that differential access to data can distort competition, meaning the regulators will work together to assess what actions will be necessary and appropriate.
Highlighting examples of potential intervention, the statement said it could take the form of, for example, restricting access to data for companies with market power by limiting their ability to combine and integrate datasets.
“One example of such an intervention that was considered in the CMA’s market study is the potential for imposing data silos on platforms with market power to restrict their ability to combine datasets to target and measure digital advertising,” it said.
Areas of tension and updated memorandum of understanding
The statement also sets out two potential tensions between the work of the regulators. One of these again relates to data access interventions, which on the one hand, could be used to create a more level playing field, but on the other, could lead to more widespread processing of personal data by a more significant number of data controllers.
“Should data access interventions be an appropriate remedy, we, therefore, think any perceived tensions can be resolved through designing them carefully, such that they are limited to what is necessary and proportionate, are designed and implemented in a data protection-compliant way…, and they do not result in a facilitation of unlawful or harmful practices,” it said.
The second area of tension highlighted is the risk of data protection law being interpreted by large integrated digital businesses in an anti-competitive manner, “e.g., by unduly favoring large, integrated platforms over smaller, non-integrated suppliers”.
“As we both jointly consider the right way forward about these issues, we recognize that there are significant challenges to be addressed, which will require more detailed consideration,” he statement said.
“However, we believe that competition and data protection law are strongly synergistic, and any areas of perceived tension can be reconciled through careful consideration of the issues on a case-by-case basis.”
An updated memorandum of understanding (MOU) has also been signed by both regulators to reinforce their commitments, replacing a previous version from 2015 and setting out an information-sharing framework for future collaboration.
“The purpose of the MOU is to enable the parties to share relevant information which enhances their ability to exercise their respective functions,” it said.
“This MOU should not be interpreted as imposing a requirement on either party to disclose information in circumstances where doing so would breach their statutory responsibilities. In particular, each party must ensure that any disclosure of personal data under these arrangements fully complies with both the UK GDPR and the DPA 2018.”
It added that while the MOU sets out the potential legal basis of information sharing, each regulator must determine that any proposed disclosures are legal.
Wider regulatory cooperation
The ICO and CMA’s statement and MOU follow the Digital Regulation Cooperation Forum’s (DRCF) publication of a work plan in March 2021, which outlined how UK regulators with remits over different aspects of the digital economy can increase the scope and scale of their cooperation.
As well as the ICO and CMA, this also includes the Office of Communications (Ofcom) – which the UK government has officially confirmed will oversee and enforce a duty of care for internet companies and technology platforms under the upcoming Online Safety Bill – and the Financial Conduct Authority (FCA), which joined the forum officially in April 2021.
This work plan comprises three priority areas: responding strategically to industry and technological developments, developing joined-up regulatory approaches, and building shared skills and capabilities.
“The nature of digital services means that different regulatory regimes will interlink and overlap,” said the DRCF at the time. “Where this occurs, we will develop approaches for ensuring a coherent regulatory system.
“Areas of focus this year will be on the inter-relation between data protection and competition regulation, and the age-appropriate design code and the regulation of video-sharing platforms and online harms.”
The regulators would also work together to build their collective technical and analytical capabilities, including exploring new operational models to support more efficient skills and expertise sharing going forward.