When competition law and data protection overlap - Joint statement from the UK CMA and ICO

The well-known (and somewhat over simplistic) paradox that data protection laws aim to keep personal data contained whilst competition law wants personal data to be more freely available is the premise behind the two UK regulators’ latest collaboration. In the last two years, the UK Data Protection Authority aka Information Commissioner’s Office (ICO) and the Competition and Markets Authority (CMA) have developed a close working relationship. The latest example of which is the Joint Statement on how competition and data protection issues overlap in the digital economy published on 19 May 2021. The full statement is available here. The Joint Statement sets out how the two authorities can work together and develop new strategies to tackle the complex relationship in an economy increasingly relying on data as economic fuel, it being an ‘essential input’.

1. The synergies

Whilst the respective objectives of competition law and data protection are often characterized as being in opposition, the Joint Statement begins with a focus on their synergies.

1.1 User choice and control

The first common objective is the importance of customers and users having a high level of choice when it comes to both personal data and which companies they can use or purchase from.

The Joint Statement points to concerns highlighted by the CMA in its recent market study where social medial platforms with significant market power offered users no choice over whether their personal data is used for personalized advertising. Putting users in charge of their personal data would go some way in mitigating competitive harm relating to such power asymmetry. On the data protection side, a high level of control is vital in relation to a customer’s personal data, how it is handled, and whether meaningful choices can be made in relation to such data. This aim, however, is also vital for promoting competition in the UK as stronger competition between companies will also lead to sturdier privacy protections as privacy becomes an area in which businesses compete.

Both regulators are strongly supportive of measures enhancing users’ ability to control their personal data. The ICO refers to its code of practice on age-appropriate design which came into force in September 2020, whilst the CMA draws parallels with its recommendations that a ‘Fairness by Design’ be put in place on platforms with market power, to maximize user’s ability to make informed choices about the use of their personal data.

1.2 Standards and regulations to protect privacy and effective competition

The regulators share the view that well-designed regulation and standards that preserve individuals’ privacy and place them in control of their personal data can promote effective competition and enhance privacy. Unsurprisingly, the Joint Statement paves the way for future collaboration in the design of standards and regulations.

1.3 Data-related interventions to promote competition

Finally, the statement explains that in the digital market, access to and processing of data plays a crucial part in running a business. If one company therefore has access to significantly more data than another competing company this can distort competition and even encourage anticompetitive behavior. The CMA is therefore eager to work with the ICO to use data-related interventions (such as ‘data silos’ on platforms with market power to restrict their ability to combine datasets) to create a more level playing field for businesses to compete fairly whilst restricting businesses’ ability to combine and process personal data.

2. The tensions

Although most of the CMA and ICO’s objectives are largely similar, the statement highlights two areas of potential tension.

2.1 Data access interventions

The key data related remedy explored by the CMA in recent years is to grant smaller businesses or potential new entrants access to particularly extensive data sets owned by the likes of Google and Facebook. This was explicitly explored in the CMA’s market study into online platforms and digital advertising. The goal behind such proposals is to ensure smaller players or new entrants can compete on a level footing with larger incumbents or business with significant market power on account of their substantial access to data. This may however be seen as having the potential to create tensions with data protection objectives if this could lead to more widespread processing of personal data by a larger number of controllers.

However, the joint statement points out that data protection law facilitates data sharing where it is both fair and proportionate and complies with legal requirements.

In fact, the ICO has recently published a code of practice on data sharing which outlines the benefits that data sharing can bring to the economy whilst giving businesses the confidence to share data in a way that complies with data protection rules. The regulators conclude that should data access interventions be an appropriate competition law remedy ,any perceived tensions are surmountable and can be resolved through careful design. We anticipate more data access interventions in the coming years so the CMA (perhaps through the newly established DMU) will no doubt have the opportunity to apply this test in practice in the near future.

2.2 The interpretation of data protection requirements in an anti-competitive manner

The joint statement suggests that there could also be a risk of data protection law being interpreted by large integrated digital businesses in a way that leads to negative outcomes in respect of competition, e.g. by unduly favouring large, integrated platforms over smaller, non-integrated suppliers.

For instance, the regulators flag the risk that could arise from an interpretation of data protection law in which transfers of personal data between different business owned by a single corporate entity are in principle viewed as more acceptable from a privacy perspective than for example transfers of personal data between independently owned business. Such a view could be problematic; firstly from a competition point of view, incentivizing companies to integrate horizontally and vertically in order to be able to process more data thereby prejudicing the ability of smaller companies from competing in digital markets; and secondly from a privacy perspective, leading to data protection harms such as a lack of autonomy and power asymmetry.

However, the regulators conclude that it is important to note that neither competition nor data protection regulation allows for a 'rule of thumb' approach, where intra-group transfers of personal data are permitted while extra-group transfers are not. Under both data protection law and competition law, a careful case-by-case assessment is needed, regardless of the size of a company, the business model adopted, or the nature of any processing activity

In the joint statement, the authorities recognize that their rules make it significantly harder for new entrants, such as startups, to compete in digital markets. Unfortunately, the solution to this problem is not straight forward when looking at the existing structure of market. In the meantime, we can expect that access to data will become a crucial part of merger investigations analysis in the coming years. This in itself could maintain the status quo and continue to disadvantage smaller players who are unable to grow through mergers, particularly given the CMA’s tough stance to so-called ‘killer acquisitions’.

3. What next?

The joint statement is a sign that regulators and authorities in the UK are eager to set out a clear approach to tackling the new issues that the digital market raises. Specifically, this collaboration is a first step in a concerted effort to recognise the overlap in data protection and competition and harmonise the regulatory framework to ensure clarity and efficacy. The Joint Statement recognizes the significant challenges to be addressed. The collaboration of the regulators is only just beginning…

Latest insights

More Insights
featured image

Guiding through ‘the maze of food labelling’ – The most recent European Court of Auditors’ special report

6 minutes Dec 20 2024

Read More
featured image

EDPB weighs in on key questions on personal data in AI models

1 minute Dec 20 2024

Read More
featured image

Update on recent UK data protection guidance in the financial services space

3 minutes Dec 19 2024

Read More