It is often thought that data protection policymakers want your personal data to be held within big firms’ walled gardens and shared with no-one, while competition policymakers want big firms to be broken up and your personal data to be freely distributed among firms. Is that right, and if so, what are we going to do about this conflict?
The UK’s data protection and competition regulators – the Information Commissioner’s Office (ICO) and the Competition and Markets Authority (CMA) – do not claim to have all the answers yet, but they are at least working together and trying to solve the issue. Digital markets will not work well until they do.
On 19 May, the ICO and the CMA published a joint statement laying down their views. The statement discusses the importance of data in the modern economy, explaining how the business models of some of the most valuable firms in the world rely on data – and often personal data – to optimise their products and sell advertising.
The regulators say that there are strong synergies between data protection and competition law, and that any tensions between them are surmountable. The synergies come under three headings:
- User choice and control. Both data protection and competition objectives are better met if users can control what happens to their data and “privacy” becomes an area in which firms compete.
- Standards and regulations to protect privacy. Both data protection and competition policymakers help to establish clear rules and widely accepted standards to help achieve efficient market outcomes.
- Data-related interventions to promote competition. Regulatory interventions to provide or restrict access to data (e.g., data silos) can be an important tool in promoting competition in digital markets. Data silos could in principle deliver strong synergies between the interests of competition and data processing. (I have argued the same in an article on Google’s Privacy Sandbox, forthcoming in European Competition Journal).
These points all seem sensible to me, but it is the discussion of the potential tensions between the two policy areas that is more interesting. These tensions come under two headings:
- Data-access interventions – i.e., where forcing firms to share data would help level the playing field for competitors but risk compromising users’ privacy.
The regulators’ view is that these issues can be solved by carefully designing interventions in a data-protection compliant way. I would say that this is fine in theory, but in a real-life case it might be difficult to achieve the full competition benefit of the intervention without risking users’ privacy, or to do so could be disproportionately expensive. The theory will be fully tested when the regulators write the Codes of Conduct and the Pro-Competitive Interventions in the new regulatory regime for Big Tech.
- Interpreting data protection law in an anti-competitive manner – i.e., where firms (especially dominant firms) interpret their data protection obligations in a way that distorts competition, often by favouring the business models of large, integrated platforms over smaller, non-integrated suppliers. An example is where firms interpret data protection legislation as being more favourable to internal (intra-group) data transfers compared to external (extra-group) transfers.
It is tempting to see this section of the document as a shot across the bows of Google and Facebook, which have a business model of combining personal data across (often disparate) services for advertising purposes. The document reiterates the competition concerns that the CMA has previously stated in its seminal report on online platforms and digital advertising, but also includes a very interesting brief discussion on the data protection concerns regarding unfettered transfers of data within business units of the same platform. It gives an example of a legitimate interest that falls a very long way short of what Google and Facebook do. It therefore seems to heavily hint that they do not have a legitimate interest in combining users’ personal data across their various services in order to build an incredibly detailed profile to be packaged up for a high price to advertisers. (As an aside, I would add that those same users then have the privilege of paying indirectly for that high price when the goods and services they purchase are slightly more expensive.) The document also chooses not even to mention the possibility that users have properly consented to the use of their data, suggesting that the ICO does not even think that this is arguable. I look forward to seeing what comes next.
The two policymakers note they will continue working together to promote regulatory coherence in the digital economy, especially within the context of the Digital Regulation Cooperation Forum established last year by the CMA, the ICO, and Ofcom (the FCA joined last month). Their commitment to achieving regulatory coherence is demonstrated in the approach the CMA and the ICO have adopted in two high-profile projects on digital advertising. The first is the CMA’s antitrust investigation into Google’s Privacy Sandbox browser changes, where the two regulators are working collaboratively to ensure that both privacy and competition concerns can be addressed as the Privacy Sandbox proposals are developed (interesting fact: the ICO is assessing the proposals for compliance with data protection and ePrivacy law). The second is the ICO’s continued investigation into RTB and ad tech (originally launched in 2019 but then paused due to the pandemic), where the ICO will maintain a positive dialogue with the CMA on competition-related points.
Overall, I applaud the co-operation between these two regulators. I would have liked to see more specificity in the discussion of the two areas of potential tension between data protection and competition law, and the pros and cons of data silo remedies in particular, but I recognise that both regulators have ongoing and upcoming cases in the area and will not want to tie their own hands by setting out a detailed position in advance.
These issues are complex ones, which will be slowly worked out over the next few years as the Big Tech cases grind through the regulators and courts.