The synergies between competition law compliance and data protection compliance are becoming more pronounced, even more so since the UK Information Commissioner's Office (ICO) and the Competition and Markets Authority (CMA) recently set out their blueprint for co-operation in digital markets.
UK CMA and ICO cooperation on digital markets
Overview
Why the need for collaboration?
Personal data has long been said to be the oil that drives the digital economy, and it is this intersection that gives rise to the collaborative statement issued by the ICO and the CMA. For the digital economy to work at its best, digital markets must be competitive, and consumer and data protection rights must be respected so that people can exercise meaningful control over their data and how it is used. A more competitive digital economy will result in stronger protection of privacy rights. It is this concept which sits at the heart of the collaboration between the ICO and the CMA.
How will the collaboration bear out in practice?
The ICO and the CMA have identified three main categories of synergy between competition and data protection objectives, and indicated that many regulatory interventions in digital markets can be designed in a way which supports both objectives:
- User choice and control – meaningful user choice and control is important to both strong data protection and effective competition. If users have a genuine choice over the service or product they prefer (including choice and control over their data, how it is processed and for what purpose) then this will enhance both data protection policy and effective competition.
- Standards and regulations to protect privacy – well designed regulation on privacy and data protection can help to both promote effective competition and enhance privacy. Competitive pressures can be used to drive innovations that protect and support users, such as the development of privacy friendly technologies.
- Data related interventions to promote competition – interventions to provide or restrict access to data can be an important tool in promoting competition in digital markets.
Two examples of collaboration between the CMA and the ICO, and the intersection between data protection and competition, are the CMA's recent investigation into Google's Privacy Sandbox, and the ICO's investigations into real time bidding in the AdTech industry.
GOOGLE PRIVACY SANDBOX
Earlier this year, the CMA opened an investigation into Google's proposals to disable third-party cookies and other functionality on its Chrome browser (known as the "Privacy Sandbox" proposals), and complaints that Google's proposed replacement technology would disadvantage online publishers and, ultimately, consumers. In order to ensure that it addressed legitimate privacy concerns over the move (in Google's view, the replacement technology would protect consumers' privacy to a greater extent) the CMA and ICO have worked closely in reviewing the proposals and in assessing the effectiveness of alternatives to third party cookies.
Google has now offered legally binding commitments which, significantly, will involve both the CMA and the ICO in the development of Google's Privacy Sandbox proposals going forward. This is a significant example of the collaborative partnership between the CMA and the ICO, and of the close relationship between the interests of competition and data protection.
REAL TIME BIDDING IN ADTECH INDUSTRY
The ICO has been conducting a series of audits focussing on the processing of personal data by data management platforms in the real time bidding industry. The ICO will also review the role of data brokers in the system. In conducting its investigations, the ICO intends to maintain a positive dialogue with the CMA in relation to any competition related points which arise.
What will this mean for businesses?
On a day to day basis, not much. However, it does raise the possibility that if as a business you find yourself under investigation for, say, breach of competition law, you may well find that if the CMA has specific concerns on the data protection front, it brings the ICO in, so that what you thought was an investigation into your conduct on the competition front, also becomes an investigation into your data protection compliance. The collaboration is yet another reminder of the need for boards to be on top of their regulatory compliance, across the piece.
The joint statement is supported by a Memorandum of Understanding, which sets out how the CMA and the ICO will practically work together in the future.
