Concurrency between regulators has exponentially increased over recent years. Often, regulators have complimentary aims and have found strength in numbers. Many regulators are wise to companies trying to play one off against the other and have increasingly woken up to the fact that having a joined-up approach (where appropriate), avoiding unnecessary duplication, sharing information, and working collaboratively can enhance output and delivery.
This is a topic we have covered previously when, in the UK, the Information Commissioner’s Office (“ICO”) and the Competition and Markets Authority (“CMA”) released their joint statement on competition and data protection issues in the digital economy.
Since the joint statement, there has been an even greater drive for concurrency between UK and EU authorities, and for regulators to work seamlessly together to achieve their strategic objectives across the UK and EU. This article sets out some of the key collaborative initiatives between various regulators, particularly between competition and privacy regulators, but more importantly, reflects on what this means for businesses. Are there any downsides? Often businesses are unaware of, or agnostic, as to how the competition authorities gather and use the data they glean from consumers and businesses, let alone that it may then be shared with other regulators for different purposes (and vice versa).
Perhaps the more pertinent issue is whether the authorities are cooperating in a way that benefits businesses, and how such cooperation in fact impacts those companies that are compelled to deal with the authorities. Is the relevant information being fed into antitrust assessments, and are there appropriate checks and balances on how information is being shared and used? Are the right voices being heard? These are issues that could gain momentum given the drive for increased cooperation.
Turning first to various cooperation initiatives between different regulators.
As part of the CMA’s launch of the Digital Markets Unit (“DMU”), it gave a clear steer on its intention to work alongside business, the government, other regulators, and academics to compile the necessary evidence, knowledge and expertise so once the new strategic market status regime is in place, it can hit the ground running. As part of this initiative, the DRCF was formed in July 2020, to ensure a greater level of cooperation and coherence between regulators in the UK, given the unique challenges posed by the regulation of online platforms. Initially consisting of the CMA, ICO and OFCOM, the Financial Conduct Authority (“FCA”) joined in April 2021; and other regulators, such as the Payment Systems Regulator (“PSR”) also contribute.
The DRCF set up an overarching regulatory framework which guides each of the member bodies, with the aim of ensuring that they’re not working at odds with each other, duplicating, or coming up with different and conflicting solutions to the same problem. The Forum has already been actively engaged in the CMA’s investigation into Google’s privacy sandbox (see below).
The DRCF published its first workplan in 2021. The four priority areas identified in relation to the workplan were: design frameworks, algorithmic processing, digital advertising technologies and end-to-end encryption. More recently, the DRCF’s 2022/2023 workplan was released, which focuses on:
Following on from the release of the workplan, the DRCF announced a call for views on the benefits and risks of how sites and apps use algorithms. Although the DRCF recognises the utility of algorithms, their concerns relate to Machine Learning (“ML”) or Artificial Intelligence (“AI”), which they believe can pose significant risks to consumers. These risks include introducing or amplifying harmful biases that lead to discriminatory decisions, or unfair outcomes that reinforce inequalities; and could mislead consumers and distort competition. The DCRF considers regulators need take measures to mitigate the nature and severity of these risks.
In a letter to the DCMS Secretary of State on 28 April 2022, the CEO of the DRCF emphasised that the “joined-up approach is important not just between the DRCF member regulators, but also with other UK regulators whose remits may connect with ours on digital issues” and that they “will also look for opportunities to engage with regulators bilaterally and via the UK Regulators Network’s working groups, [on issues] such as their cyber security, data strategy and digital exclusion groups”. This has already been actioned and regulators, such as the Advertising Standards Authority and the PSR, are keen to take part and share their views and learning.
An online repository of all the research papers and reviews that the groups have co-authored was created, and is a useful resource to identify priorities for different sectors. Several papers have already been deposited by a selection of regulators.
The CMA and ICO have long realised the benefits of working “hand in glove” and the input each brings to the table as subject-matter experts in an area that has many close links and intersections. This is encapsulated within their Memorandum of Understanding (“MoU”), which sets out the broad principles of collaboration and the legal framework governing the sharing of relevant information and intelligence between the two organisations. Though much of the collaboration will be undertaken through the DRCF.
The most notable output of their collaboration to date concerns Google’s Privacy Sandbox.
The Privacy Sandbox case is a good example of different regulators working concurrently. The investigation concerned Google’s proposals to remove third party cookies (“TPCs”) on Chrome and replace TPCs functionality with the ‘Privacy Sandbox’ tools, while transferring the key functionality to Chrome.
The CMA and ICO entered into a dialogue with Google, which offered commitments in June 2021 that went out to consultation, with revised commitments subsequently being agreed in November 2021. Commitments include the ongoing involvement of both the CMA and ICO in developing and testing the Privacy Sandbox proposals, recognising the expertise both regulators bring to the table. Notably, other regulators also fed into this process.
In addition to the DRCF’s workplan and reports, the CMA recently published the 2022 concurrency report. The annual concurrency report assesses the operation of concurrency arrangements within the UK. Concurrency involves cooperation between the CMA and regulators across competition enforcement and competition-related activities and tools, with the aim of increasing the effectiveness of enforcement.
The CMA states that “the concurrency arrangements form a key part of the UK’s competition regime and have an important role in enhancing competition and making markets work more effectively in the regulated sectors”. Some highlights of concurrent work include the CMA’s study into electric vehicles and charging, where it worked closely with OFGEM, and the ‘Loyalty Penalty’ super complaint. This was a complaint by the Citizens Advice Bureau that longstanding customers were paying more than new customers (i.e., a loyalty penalty) in five essential markets: cash savings, home insurance and mortgages - regulated by the FCA; and mobile and broadband – regulated by Ofcom. The FCA and OFCOM conducted reviews with the CMA’s support, which resulted in steps taken to address price differentials and improve competition for consumers.
Overall, the CMA will always have an involvement in any competition law investigation led by a concurrent competition authority and will review draft decisions in advance as well as have regular catch ups. Therefore, the sharing of information between them assists in developing legal thinking and applying new approaches to policies and procedures in a coherent way (where appropriate). This is also why playing regulators off against each other is not always a fruitful endeavour given their close cooperation.
MoU’s form the bedrock of much cooperation and sharing of information between the UK regulators. These underpin the networks or forums that the UK regulators regularly attend where they share relevant information on their caseloads and key concerns or issues they are facing.
Authorities may include in their requests for information (“RFI’s”) or consultations that information received (including confidential information) may be disclosed to other regulators in order to facilitate their functions. Few businesses are sufficiently alert to this. Depending on the audience, a business may want to adapt its tone, nuance, or emphasis in respect of the information it provides. Given strict timelines when responding to an RFI or consultation, thinking about how information is provided or presented and who it might be subsequently shared with, is often not a priority. Though not giving those issues due consideration may cause difficulties later. This is explored further below.
The UK has made concerted efforts to ensure close cooperation between its regulators and not just between its concurrent competition authorities. Regulators in the EU have also noted the importance of cooperation.
In a recent address to the International Competition Network (“ICN”) annual conference, Vice-President Vestager noted that “when markets move fast, cooperation across borders becomes more necessary than ever” and highlighted the Commission’s “work with the CMA where we cooperated to jointly open investigations on Facebook's use of advertising data and of the Google-Facebook Open Bidding agreement, Jedi Blue” were important examples of this. Likewise, the Commission and CMA recently opened parallel investigations into the automotive sector with coordinated dawn raids at premises of companies across numerous EU Member States and the UK.
Even though, post Brexit, the CMA is no longer a member of the European Competition Network, it is still a member of the ICN and the Organisation for Economic Co-operation and Development (the “OECD”) where top officials meet on a regular basis. Likewise, the concurrent UK competition authorities will want to keep open communication with the Commission and other EU regulators.
There is, however, no formal competition cooperation agreement between the Commission and CMA post Brexit despite both sides aiming to conclude it by the end of 2020. However, businesses should note this has not deterred both competition authorities from working together.
Given the synergies between data protection and competition law, it is interesting to see how cooperation between competition authorities and privacy regulators has been approached across the EU. Some countries take a more formal approach to cooperation, for example, Spain, the Netherlands and France. These countries have formal cooperation policies in place with their local data protection agency, thereby closely mirroring the UK.
In France, there has been increased cooperation between the French Competition Authority (“FRCA”) and the French data protection agency (“CNIL”). Since 2017, regulators (including the CNIL and the French Competition Authority) have been holding biannual meetings to take joint actions. The CNIL published a white paper on data protection issues in the payment sector which referred to the sector investigation carried out by the FRCA.
In Spain, the National Markets and Competition Commission’s (“CNMC”) president stated that the CNMC aims to work more closely with judges and other regulatory bodies, including the Spanish Data Protection Agency (“AEPD”), Spain’s data protection authority. In addition, there is a general cooperation protocol between the CNMC and the AEPD, which was agreed on 26 July 2018.
Meanwhile in the Netherlands, the Dutch Authority for Consumers and Markets (“ACM”) and the Dutch Data Protection Authority (“AP”) most recently updated their cooperation policy in July 2020. The ACM, the AP, the Dutch Authority for the Financial Markets, and the Dutch Media Authority are working together as part of a wider cooperation platform, which is called the Digital Regulation Cooperation Platform (“SDT”), which was launched in October 2021, similar to the DRCF in the UK.
By contrast, Belgium, Denmark, Poland, Finland and Italy have no formal cooperation policy or protocol in place. This does not mean the competition authorities don’t see the benefit in cooperation with the privacy regulator, or do not cooperate. Certainly, in Finland the Deputy Data Protection Ombudsman acknowledged that competition and privacy matters have converged and closer cooperation between the regulators is needed. Likewise, in Poland, the Polish Competition and Consumer Protection Authority has cooperated in recent years with the Personal Data Protection Office, mainly in consumer protection matters, though tends to ask the data protection office to investigate issues as opposed to working together on investigations. However, in Belgium, the President of the Belgian Competition Authority (“BCA”) stated it could not cooperate closely with the privacy regulator without a specific protocol in place, which the BCA was working on in March 2020, with no developments since.
Germany is slightly different in that it has no formal basis for cooperation between the German competition authority (the Bundeskartellamt) and the data protection authorities, but the Bundeskartellamt has its own competencies in the area of consumer protection, including data privacy, as transferred to it by law in 2017. It can therefore conduct sector enquiries if there are grounds for suspicion of serious violations of consumer law provisions (such as data privacy, unfair competition, or the law governing the use of general terms and conditions). This may be a model that other countries wish to look at more closely given the close links between data protection, privacy and competition law as demonstrated in a number of big tech cases.
Although there is no consistency in cooperation between privacy and competition regulators, many member states have noted the increasing overlap of the regulators and the benefits of working together. In addition, there are other external influences on collaboration, such as by the ICN, which has a Steering Group Project on ‘Competition Law enforcement at the Intersection between competition, consumer protection and privacy’ (2020) and the work the OECD does in this space, not least, the committee meetings held between the various competition agencies where these issues are discussed. Though given the regulators’ own priorities and competing agendas, more effective cooperation is only likely where authorities have a formal arrangement in place in order to help push effective collaboration forward and having a framework for doing so.
In the UK, close cooperation between the regulators is business as usual and closer and more frequent cooperation is clearly here to stay. The EU is largely emulating this and cooperation between the Commission and CMA continues post Brexit. What needs to happen more immediately, is for businesses to understand and think more carefully about what the implications of this is for the information they have provided or need to provide to the authorities. A simple illustration is what happens to information provided to the CMA, which may be shared between its various internal divisions, such as between the mergers and antitrust units: this has led to the opening of antitrust investigations on the back of information provided as part of a merger notification.
Closer cooperation between different types of regulators and agencies of course has many positive aspects as it usually means that market experts are involved who can give their expert opinion and views. However, cooperation alone is not enough: it needs to be effective with the right levels of talent to support it. Competition authorities also need to be more open about the fact that non-competition concerns may form part of their competition law analysis (such as social, environmental, and other influences – even political), hence the need to listen to other types of regulators. Though simply tapping into an authority that understands a particular market is key, which has proved important to the DRCF.
Even though the benefits of cooperation seem clear, what is less clear is the implications for those businesses that share their information with regulators. Often this is done in response to a consultation, or an RFI whether as part of an investigation or merger enquiry. Businesses may be asked to consent to their information being shared with other regulators more widely as part of that process. Though consent may not always be necessary depending on the legislative framework (for example, where a statutory ‘gateway’ is available).
A reciprocal and continuous form of information sharing could be concerning for businesses who cooperate with one regulator, on the basis their information could be shared with other regulators for another purpose and who could then rely on that information. The authorities would argue that they are streamlining their processes and minimizing duplication, but businesses may want to present information differently depending on the audience. Not least, in the UK it could potentially mean more requests made to different regulators holding the information under the Freedom of Information Act (“FOIA”). All FOIA requests need to be specifically dealt with each time by the regulator under its own framework, which raises the prospect of different determinations.
The crux of this is that when replying to authorities, businesses should carefully consider the confidentiality of their submissions and how information may be used by other regulators. Businesses are effectively on notice that their information will likely be shared and used for different purposes.
Regulators actively want to ‘streamline’ information requested so that businesses do not need to answer multiple information requests. Even though it sounds sensible in practice, the reality can be a loss of control over one’s information – especially if it’s passed on to and relied on by others. Therefore, businesses should always think about why it would be appropriate to grant consent to their information being shared and to whom their information is being shared with. Where consent is granted, it is good practice to consider whether any specific parameters or requests for the handling of that information should be made. At the very least, businesses should consider very carefully what is confidential or may be more sensitive in another context. In particular, highlighting to the authorities from the outset why something should not be shared as it is confidential and how the sharing of that information will harm their business interests. Such arguments should be made up front as it can be harder to raise confidentiality at a later stage.
Overall, if a business is given the option to consent to its information being shared, then pausing and thinking of the implications is key. Whereas it may ultimately result in quicker enforcement, a trade off could be this is at the cost of a business’s rights of defence.
Top Tips when sharing information with the regulators Think about:
|
Visit our Competition & EU Law page here.