The UK Competition and Markets Authority (CMA) and Information Commissioner’s Office (ICO) have published a joint statement setting out the terms of their future cooperation to regulate digital markets (Joint Statement) – touted by the CMA and ICO as the “first of its kind globally”. This signals a step-change in antitrust, data privacy and consumer protection law cooperation between the authorities, which is reinforced by the accompanying memorandum of understanding covering information sharing and joint projects. The Joint Statement follows on from the formation of the Digital Regulation Cooperation Forum (DRCF) in April 2021 to facilitate cooperation and coordination between the CMA, ICO, Ofcom and Financial Conduct Authority. Along with other significant regulatory developments, such as the establishment of the UK Digital Markets Unit (DMU) in April 2021, digital (and “digitalising”) businesses should continue to expect to be subject to greater – and more coordinated – regulatory scrutiny in the coming years.
We set out our initial thoughts – combining our cross-sectoral antitrust, data privacy and consumer protection law expertise – below.
***
The complex interplay between competition, data protection and consumer protection is emerging as a key dynamic in the digital economy, with all areas offering important tools to enhance consumer welfare. However, alongside the opportunities for achieving greater synergies from the CMA and ICO’s future cooperation, the complex interplay between these disciplines also gives rise to a growing recognition of the potential for conflicting aims and outcomes between these disciplines and, therefore, a growing number of important – and open – questions.
Clear statement of intent from the CMA and ICO on a complementary approach
The Joint Statement makes clear that the CMA and ICO view their policy aims and functions as complementary, consisting primarily of “overlapping objectives” that deliver pro-consumer outcomes around enhanced privacy and control over personal data, with a “mutually reinforcing” relationship that will contribute to creating a pro-competitive “level playing field” with regards to data access. The exact terms of such collaboration remains unclear, but the Joint Statement indicates a strong belief in alignment, in particular in relation to:
- User choice and control: collaboration will focus on ensuring “genuine user choice” over consumers’ decisions to engage with digital products and services, as well as the collection of and control over the processing of personal data. The Joint Statement highlights shared competition, consumer and privacy concerns over “take it or leave it” terms regarding the use of personal data. Their proposed solution involves imposing a duty on businesses to design choice architecture to “allow users to choose freely” and to “deploy default settings that are in the user’s best interest” (as defined by the agencies). While this is intended to drive competition (by purporting to “reset the balance” between businesses and users) and pro-consumer effects (by giving users greater control over and benefit from their personal data), there is little consideration in the Joint Statement around, for example, the substantial benefits for UK consumers, other businesses and innovation that have resulted from the growth of digital businesses and which may be undermined by such an approach, or the delicate balance struck by the recently enacted landmark European General Data Protection Regulation.
- Data-related interventions: these are seen by the CMA and ICO as important tools to overcome “significant disparities in access to data” and promote competition. Interestingly, the Joint Statement considers a range of solutions, including imposing “data silos” to restrict the ability to combine datasets to deliver, for example, targeted advertising or advertising measurement services – this focus on datasets has similarly been raised in the European Commission’s proposed Digital Markets Act (DMA). The Joint Statement reiterates the potential for “strong synergies” in this space, with regulatory activity likely to “involve restricting the ability to combine and process personal data” in order to “creat[e] a more level playing field”. However, as also noted by the UK Government in relation to the DMU proposals, these types of intervention are complex and require considerable further thought given the likely unintended consequences and the potential for very significant policy and implementation risks.
- Consumers’ interests: the CMA and ICO assume that enhanced privacy and greater control over personal data are “outcomes that consumers care about most”. However, there is a lack of clear, persuasive evidence that this is the case. Indeed, survey evidence cited by the CMA in its Final Report on Online Platforms and Digital Advertising indicates that a majority of consumers surveyed preferred personalised advertising to non-personalised advertising. Given how fundamental this assumption is to the CMA and ICO’s proposals on user control, further robust evidence gathering is needed on this area – particularly to avoid a situation in which, for example, there is no demand for businesses to compete to engage with users in the way that the CMA and ICO imagine, even after any imposed “reset”. Such a situation could risk consumers ending up with less choice and innovation – and deriving less benefit from their personal data – relative not only to that which is available today but also that which could be developed in the future. This would seem particularly unfair to those consumers who are content with the status quo and do not share the CMA and ICO’s view of what they should be concerned about.
Inherent tensions and the need for a balanced approach
As acknowledged by the Joint Statement, the policy tensions which exist amongst these important disciplines underlines the need for a balanced approach, taking into account the nuances and principles which have been deliberately enshrined in the applicable legal frameworks and avoiding “one size fits all” solutions.
The Joint Statement suggests there should be a greater focus on the lawful basis that companies rely on for intra-group transfers of personal data, to ensure that intra-group transfers are not benefiting from an unlawful competitive advantage, as compared to unconnected companies. The ICO seems to imply that, if an intra-group transfer is relying on the legitimate interest lawful basis, the “interest” in sharing with an intra-group company will only be considered “legitimate” if there is not an adverse effect from a competition or consumer law perspective. The challenge for companies, and indeed regulators, will be how to identify when intra-group transfers could have an adverse effect from a competition or consumer law perspective (particularly given the lack of decisional precedent on this issue). This is an area that is going to require cross-specialist expertise to resolve.
Further, while the Joint Statement acknowledges the need for a case-by-case consideration of issues where there is “perceived tension between competition and data protection”, how these tensions (including around navigating the applicable legal frameworks) will be resolved remains unclear. These questions are all the more important in light of the ongoing regulatory dialogue in relation to the proposed scope of the UK DMU and, indeed, the data access, data portability and interoperability proposals in the proposed EU DMA.
Looking ahead: open questions and key takeaways
Given the fast-moving and dynamic nature of the UK’s digital economy and the collective desire to avoid unintended outcomes which risk deteriorating the current bargain for consumers, businesses, data protection and competition, undertaking the further work necessary to answer these questions will be crucial to ensuring a coherent approach. This approach should be carefully targeted to combat clearly identified and properly evidenced consumer, data protection and competition harms in digital markets. In particular, there are key open questions around the assessment of consumer benefit (i.e. the assumption that consumers’ choosing to provide personal data in exchange for services necessarily equates to an ill-informed choice, a bad bargain or harm to competition).
Going forward, digital businesses should expect:
- Increased regulatory co-operation between competition and data protection authorities, with a greater likelihood of parallel investigations.
- More focus on choice architecture and the use of “dark patterns”, the use of defaults and consumer controls – this is a key area of the DRCF’s workplan and further guidance is expected from this body.
- Future regulatory proposals centred around privacy-friendly technologies, data mobility, data portability and the use of algorithmic systems.
- Greater scrutiny over intra-group data sharing and further consideration around the use of data silos.