Out-Law / Your Daily Need-To-Know

CMA and ICO strengthen ties on UK digital markets regulation

Out-Law News | 27 May 2021 | 1:49 pm | 3 min. read

The UK’s primary competition regulator and data protection authority have signed a new agreement pledging to work more closely together in the way they regulate digital markets in the UK.

The revised memorandum of understanding (MoU) signed by the Competition and Markets Authority (CMA) and Information Commissioner’s Office (ICO) will underpin information sharing arrangements which provide, among other things, for the CMA to notify the ICO if it identifies any potential breaches of data protection law when undertaking its regulatory activities. The MoU also gives scope for the ICO to provide data protection advice to the CMA to help the CMA carry out its functions and duties.

In a joint statement issued alongside the MoU, the CMA and ICO said that, in the digital economy, the CMA’s policy aims of promoting and protecting competition in digital markets and the ICO’s role in protecting the personal data of the users of digital products and services can be “interlinked”. However, while they identified scope for “synergies” in performing their regulatory activities, they also highlighted “tensions” which they believe “are surmountable”.

Competition law expert Alan Davis of Pinsent Masons, the law firm behind Out-Law, said the enhanced cooperation arrangements agreed by the CMA and ICO build on the establishment of the Digital Regulation Cooperation Forum (DRCF) within the framework of which both regulators work with Ofcom and the Financial Conduct Authority (FCA) to ensure a greater level of cooperation over the regulation of online platforms.

“The joint statement highlights the importance of personal data in the digital economy from the perspectives of both competition and data protection, and provides insights into the regulators’ current thinking and likely focus in future cases,” Davis said. “It also lists a range of ‘pro-privacy and pro-competition outcomes’ which the agencies believe can emerge from competitive digital markets with well-targeted data protection regulation. Those outcomes, it said, include digital service providers seeking to compete with each other on the basis of the level of privacy protection their services afford consumers.”

“While the agencies acknowledge that ‘competition efficiencies associated with data sharing may in some cases be in potential tension with data protection objectives’ they believe that ‘appropriately targeted regulatory approaches can help produce competitive and well-functioning yet privacy-preserving digital markets’.”

In their statement, the CMA and ICO said that the “strong synergies” between competition and data protection objectives fall under three main categories: user choice and control; standards and regulations to protect privacy; and data-related interventions to promote competition.

On user choice and control, they said they are “strongly supportive in principle of measures that enhance users’ ability to control their personal data, decide for what purposes and how it should be processed, and exercise their rights” and said that “requiring providers of digital services to design choice architecture in a way that allows users to choose freely, and to deploy default settings that are in the user’s interest rather than those of the service provider, can be highly valuable in supporting both competition and data protection goals”.

The regulators also said that “appropriate” data protection regulation can lead to greater competition in the market and in turn “drive innovations that protect and support users”. It cited “the development of privacy-friendly technologies, clear, user-friendly controls, and the creation of tools that support increased user-led data mobility” as examples of such innovation. “The incentives to deliver these forms of innovation are greater in the presence of targeted regulation than without,” they said.

Among the data-related interventions which the regulators said could be used to promote competition, they highlighted the CMA’s powers to provide or restrict access to data, including personal data.

Data access interventions and the risk of interpreting data protection law in an anti-competitive manner were two of the areas which the regulators highlighted as presenting a risk of tension between competition and data protection laws. However, they said those tensions can be overcome through a careful, joined-up approach in their work. For example, they said pro-competitive data access remedies must be carefully designed to ensure “they are limited to what is necessary and proportionate, are designed and implemented in a data protection-compliant way, that related processing operations are developed in line with the principles of data protection by design and by default, and they do not result in a facilitation of unlawful or harmful practices”.

Davis said: “The CMA and ICO already collaborate on certain projects, and the adoption of the new MoU and joint statement is likely to spur further and more coordinated enforcement. Businesses active in the digital sector may face increasingly sophisticated and wide-ranging regulatory scrutiny as the two agencies join forces, and as the DRCF work plan for 2021-22 is implemented.”