The well-known (and somewhat oversimplified) paradox that data protection laws aim to protect personal data while competition law aims to make personal data more freely available is the premise behind the recent collaboration between the two UK regulators. Over the past two years, the UK Data Protection Authority aka Information Commissioner’s Office (ICO) and the Competition and Markets Authority (CMA) have built a close working relationship. The most recent example of this is the Joint Declaration published on May 19, 2021 on the overlap between competition and data protection issues in the digital economy. You can find the full explanation here. The Joint Declaration sets out how the two agencies can work together and develop new strategies to manage the complex relationships in an economy that increasingly relies on data as an economic fuel, as it is an “essential input”.
1. The synergies
While the respective goals of competition law and data protection are often characterized as contradicting each other, the Joint Declaration begins with a focus on their synergies.
1.1 User selection and control
The first common goal is to give customers and users a wide choice when it comes to personal data and which companies they can use or where they can buy from.
The Joint Declaration highlights concerns highlighted by the CMA in its latest market study that social media platforms with significant market power do not allow users to choose whether their personal data is used for personalized advertising. Giving users responsibility for their personal data would help mitigate the competitive damage associated with such power asymmetry. On the data protection side, a high degree of control over a customer’s personal data, how it is handled and whether meaningful decisions can be made with respect to this data is of crucial importance. However, this objective is also vital to foster competition in the UK as increased competition between businesses will also lead to more solid data protection as data protection becomes an area in which businesses compete.
Both regulators strongly support measures to improve users’ ability to control their personal data. The ICO refers to its code of conduct for age-appropriate design, which came into force in September 2020, while the CMA draws parallels with its recommendations to introduce a “fairness by design” on platforms with market power in order to maximize the abilities of the users to make informed decisions about the use to meet your personal data.
1.2 Standards and regulations for the protection of privacy and effective competition
Regulators share the view that well-designed rules and standards that protect individuals’ privacy and give them control over their personal data can promote effective competition and improve data protection. Not surprisingly, the Joint Declaration paves the way for future collaboration on standards and regulations.
1.3 Data-related interventions to promote competition
Finally, the statement explains that the access to and processing of data in the digital market play a crucial role in running a business. If one company has access to significantly more data than another competing company, this can distort competition and even encourage anti-competitive behavior. The CMA is therefore eager to work with the ICO to limit data-related interventions (such as “data silos” on platforms with market power to use their ability to combine data sets), to create fairer conditions for companies to use, while being fair at the same time to compete ability of companies to combine and process personal data.
2. The tensions
Although most of the goals of the CMA and ICO are broadly similar, the declaration highlights two potential areas of conflict.
2.1 Interventions in data access
The key data-driven tool that the CMA has explored over the past few years is to give smaller businesses or potential new entrants access to particularly large data sets owned by Google and Facebook. This was explicitly examined in the CMA’s market study on online platforms and digital advertising. The aim of such proposals is to ensure that smaller players or new entrants can compete on an equal footing with larger incumbents or companies with significant market power because of their extensive access to data. However, this can potentially create tension with data protection objectives if it could lead to broader processing of personal data by a larger number of controllers.
However, the joint declaration points out that data protection law facilitates the exchange of data if it is fair, proportionate and complies with legal requirements.
In fact, the ICO recently published a code of conduct on data exchange that highlights the benefits of data exchange for business and at the same time gives companies the confidence to exchange data in a data protection-compliant manner. The supervisory authorities come to the conclusion that all perceived tensions can be overcome and can be resolved through careful planning, should interference with data access be a suitable legal remedy under competition law. We expect further interventions in data access in the coming years, so that the CMA (perhaps through the newly founded DMU) will undoubtedly have the opportunity to use this test in practice in the near future.
2.2 The anti-competitive interpretation of data protection requirements
The joint declaration points out that there could also be a risk of an interpretation of data protection law by large integrated digital companies with negative effects on competition, e. B. through an impermissible preference for large integrated platforms over smaller, non-integrated providers.
The supervisory authorities point out, for example, the risk that could result from an interpretation of data protection law in which the transfer of personal data between different companies owned by a single legal entity is generally viewed as more acceptable from a data protection point of view than, for example, the transfer of personal data between independent data Companies. Such a view could be problematic; firstly, from a competition law perspective, incentives for companies to integrate horizontally and vertically in order to process more data, which affects the competitiveness of smaller companies in digital markets; and secondly, from a privacy perspective, which leads to data protection damage such as a lack of autonomy and asymmetry of power.
However, regulators conclude that it is important to point out that neither competition nor data protection laws allow a “rule of thumb” approach that allows intra-group transfers of personal data while outside-group transfers are prohibited. In both data protection law and competition law, a careful individual examination is required, regardless of the size of the company, the selected business model or the type of processing activity
In the joint statement, the authorities recognize that their rules make it significantly more difficult for new entrants such as startups to compete in digital markets. Unfortunately, given the existing market structure, solving this problem is not easy. In the meantime, it is expected that access to data will become a critical part of analyzing merger control investigations in the years to come. This alone could maintain the status quo and continue to penalize smaller players who are unable to grow through mergers, especially given the CMA’s tough stance on so-called “killer acquisitions”.
3. What’s next?
The joint statement is a sign that UK regulators and authorities are keen to define a clear approach to addressing the new problems the digital market is posing. Specifically, this cooperation is a first step in a concerted effort to recognize the overlap between data protection and competition and to harmonize the legal framework in order to ensure clarity and effectiveness. The Joint Declaration recognizes the important challenges that need to be addressed. The cooperation between the supervisory authorities is only just beginning …
The content of this article is intended to provide general guidance on the subject. You should seek expert advice regarding your specific circumstances.