CMA and ICO publish joint policy statement on competition and data protection law

The Competition and Markets Authority and the Information Commissioner’s Office yesterday released a joint policy statement on competition and data protection law, setting out their shared views on the relationship between competition and data protection in the digital economy. There is a clear intention from the agencies to work together, whether in the context of regulatory design, enforcement, or investigations.

For businesses who trade in personal data (in particular, large platforms whose revenue comes from data-driven advertising), the statement contains little in the way of new, practical guidance. Rather, it outlines at a high level the commonalities between the aims and objectives driving the agencies’ policies. 

The tensions between competition law and data protection law have been well-articulated elsewhere, but are identified in the statement to include:

• Where a data-related intervention is proposed as a remedy to a competition problem. The document cites examples from the CMA’s market study into online platforms and digital advertising, where the CMA found that Google and Facebook do enjoy significant data advantages through access to search ‘click and query’ data, user profiling data, and advertising analytics data. Many of the interventions suggested by the CMA as an outcome of that study related to data, including broadening access to Google/Facebook’s extensive data sets to smaller competitors or new entrants to the market. Such an access intervention gives rise to a natural conflict with existing data sharing and privacy obligations incumbent upon “controllers” of personal data. However, the CMA and ICO insist that “any perceived tensions can be resolved” through designing the data access interventions “carefully, such that they are limited to what is necessary and proportionate”. Presumably, this design work will be in the remit of the recently established Digital Markets Unit, although the new regulatory regime is yet to be introduced.
• Where data protection requirements may be interpreted by an industry in a way that risks distorting competition. This tension is not hypothetical; it has already arisen in relation to the GDPR, where entities with large troves of personal data (again, such as Google and Facebook) and direct access to the consumer enjoy a structural advantage and are able to self-regulate in a way that creates a moat around their existing services. While the joint statement does recognise this tension at a policy level, including in respect of the incentives that data protection obligations create towards horizontal and vertical integration, it does not proffer a solution. Instead, the agencies acknowledge the significant challenges and their intention to “jointly consider the right way forward.”

Despite these tensions, the joint statement is determinedly focused on what the agencies and their policy aims have in common, not what distinguishes them. 

The statement concludes that case-by-case analyses are likely to be required to resolve tensions between competition and data protection law, “regardless of the size of a company, the business model adopted, or the nature of any [data] processing activity". In other words, the agencies intend to work constructively with one another but they are not committing to any universally applicable approaches when it comes to their respective assessments of businesses’ obligations under data protection and competition law.