CMA and ICO publish joint policy statement on competition and data protection law


The Competition and Market Authority and the Information Commissioner’s Office yesterday published a joint declaration of principles on competition and data protection law, in which they set out their shared views on the relationship between competition and data protection in the digital economy. The agencies clearly have an intention to work together, whether on regulation drafting, enforcement or research.

For companies that trade in personal data (especially large platforms whose revenue comes from data-driven advertising), the statement contains few new practical guidelines. Rather, it outlines, at a high level, the commonalities between the goals and targets that determine the agencies’ policies.

The tensions between competition law and data protection law have been well articulated elsewhere but are listed in the statement as follows:

  • When proposing a data-related intervention to address a competition problem. The document cites examples from the CMA’s market study on online platforms and digital advertising, in which the CMA found that Google and Facebook enjoy significant data advantages through access to search and query data, user profile data and advertising analytics data. Many of the interventions proposed by the CMA as a result of this study were data-related, including expanding access to Google / Facebook’s large dataset to include smaller competitors or new entrants. Such an access measure leads to a natural conflict with the existing data exchange and data protection obligations that are incumbent on the “controllers” of personal data. However, the CMA and ICO insist that “perceived tensions can be resolved” by carefully designing data access measures to be limited to what is necessary and proportionate. It is expected that this design work will fall within the remit of the recently established Digital Markets Unit, although the new regulatory system has not yet been implemented.
  • When data protection requirements can be interpreted by an industry in such a way that there is a risk that competition is distorted. This tension is not hypothetical; It has already arisen in relation to GDPR, where companies with large amounts of personal data (again like Google and Facebook) and direct consumer access can enjoy a structural advantage and self-regulate in ways that moat around their existing services . The joint declaration, while recognizing this tension at a political level, including in relation to the incentives that data protection obligations create for horizontal and vertical integration, does not offer a solution. Instead, the agencies recognize the significant challenges and their intention to “think together about the right way forward”.

Despite these tensions, the joint declaration focuses firmly on what the agencies and their policy objectives have in common, not what sets them apart.

The statement concludes that case-by-case analysis is likely to be necessary to resolve tensions between competition and data protection law, “regardless of the size of a company, the business model used or the type of company [data] Processing activity “. In other words, the agencies intend to work constructively with each other, but do not commit to universally applicable approaches when it comes to their respective assessments of companies’ data protection and competition obligations.

{There are strong synergies between the interests of competition and data protection. We can resolve the potential for tension by carefully examining issues on a case-by-case basis and by working closely between our two organizations.