Two heads are better than one? UK CMA and ICO put their heads together about big data

What should UK regulators do about big tech tracking? The UK Competition and Markets Authority and the UK Information Commissioner’s Office recently published a remarkable document on 19 May 2021 taking strong positions in this debate.[1] The regulators have agreed:

  1. Competition between providers is needed to drive strong consumer outcomes: competition and privacy are seen to be “fully aligned” (para 2).
  2. The stronger the market position of the platform, the less meaningful the consent (para 50: meaningful choice only results from meaningful competition).
  3. Much current compliance has a tick-box quality in consumer-facing services, such as personalized experiences (or lack of) across publishers and consistent experiences (or lack of) across devices. The regulators call this out as a consumer-unfriendly practice(“take it or leave it terms,” para 51).
  4. There is an acute need for data access to enable competition, and sometimes this interoperability-based competition will help promote more targeted and less invasive information collection (para 32).
  5. There may be categories of low-risk data which do not require as much regulation on a “risk-based approach” (para 39). This signals willingness from the ICO to develop targeted approaches to only those practices raising concerns with consumers, enhancing access to data and competition in other cases where concerns do not arise.

The statement signals major changes in how competition over data will be approached by the regulators, towards a more consumer-centric approach to “privacy by design” (para 55).

The timing of the statement is also remarkable. It comes after Google proposed significant changes to data handling practices in its Privacy Sandbox proposals, which have been investigated by the UK CMA. The statement differs significantly from Google’s public position on data use:

  • Google has asserted that integrated solutions involving large data processing by the biggest platforms are the way forward.[2]
  • Legacy concepts considering first- and third-party data handling, rather than the consumer impact or risk of handling, are employed by Google to advocate limited data flow to rivals.
  • On this approach, it would be big tech and not competition that determines the balance between competition and privacy.

The regulators could not have been clearer in their rejection of this position:

 “..fair and effective competition does not rely on companies processing and/or sharing ever increasing amounts of personal data. Instead, the most important factor from a competition standpoint is that market participants compete with one another on a level playing field.”  (para 32)

This is consistent with the positions advocated by Marketers for an Open Web before the UK CMA and ICO during the Privacy Sandbox investigation. The following table summarises several the most important arguments.

Interested parties are encouraged to contact MOW’s legal representative, Tim Cowen, at [email protected] for further details, especially as the UK CMA is currently consulting on the remedies to be applied in the Privacy Sandbox case.

MOW ArgumentsCMA/ICO joint statement quotes
One cannot look at privacy and competition separately. Competition and privacy are not opposed where competition drives good consumer outcomes.   Differential access to data is at the heart of several of the barriers to entry and expansion identified;Data is an important route by which market power in one market can be leveraged into adjacent markets.Paragraph 2: “previously separate policy areas become interlinked, and different regulatory authorities are increasingly required to consider a given set of issues from the perspective of contrasting policy aims and objectives. A prime example of this is the intersection that has developed in the digital economy between the policy aims of promoting and protecting competition in digital markets and protecting the personal data of the users of digital products and services. There are many circumstances in which these two objectives are fully aligned, but we also benefit from recognising that this may not always be the case.”
Market power undermines meaningful consent.   The dominant positions of certain online players enable them to compel consumers to grant them access to vast swathes of data by preventing use of their services otherwise.Paragraph 50: “Meaningful user choice and control are fundamental both to robust data protection and effective competition. The interests of both policy objectives are best met where users have a genuine choice over the service or product they prefer, providers compete on an equal footing to attract their custom, and where individuals have control over their personal data and can make meaningful choices over whether and for what purposes it is processed.”
If privacy becomes a meaningless tick-box exercise, the consequence is a discriminatory effect on the market, resulting in non-compliance with competition law.   Monopoly terms imposed on consumers in circumstances of no choice are unlikely to reflect the terms that could apply in a competitive market.A “one size fits all” approach is insufficiently specified in factual circumstances where there are limited alternatives and is therefore exploiting consumers. Consumers need to have choice over the services they receive and over the use to which their data is subject.Paragraph 51: “effective competition can enable stronger privacy protections, and weak competition can undermine those protections. In its recent market study, the CMA identified a significant concern where social media platforms offered users no choice over whether to have their personal data used for personalised advertising. It concluded that concerns around such ‘take it or leave it’ terms regarding the use of personal data were particularly acute where the platform has market power, such that the user has no meaningful choice but to accept the terms.”
Privacy Regulations do not recognize the relevance of first and third party labels which are now legacy concepts under GDPR.   The attempt to differentiate first and third party cookies is a “privacy fixing” behaviour that does not necessarily provide the consumer with any privacy benefit, as focusing on organisational ownership ignores the sensitivity of the data transfer involved and its consumer impact.Paragraph 9: “Whether information is personal data depends on whether it relates to an identified or identifiable individual. There is no explicit reference to the distinction between first-party and third-party data in data protection law.”
Economies of Scope and Scale undermine competitive constraint on dominant platforms for privacy as well.   It is doubtful that there is any meaningful competitive constraint over large platforms because of significant network effects in data collection. Interoperation in data sets should be a priority in ensuring competitive constraint.Paragraph 28: These characteristics mean that there is a value in aggregating data, either to make use of directly or to sell on to others, and a tendency to concentration, leading to problems of market power. Differential access to data can be a barrier to competition.”  
Sharing of non-sensitive personal data is important for societal benefits from competition, because there is no consumer concern in the use of non-sensitive data.   Online advertisers need to measure and optimise the effectiveness of ads and can only do so by obtaining data.Restrictions on data flows harm the ad-funded web, and thus consumers, without any clear evidence that consumers are harmed by the collection of the innocuous data typically used for marketing (e.g. car purchase -> likely to need car insurance too).Paragraph 32: “While access to data is important to the dynamics of digital markets, it is important to note that fair and effective competition does not rely on companies processing and/or sharing ever increasing amounts of personal data. Instead, the most important factor from a competition standpoint is that market participants compete with one another on a level playing field. In circumstances where competitors in a digital market have significantly differential access to data, then competition ‘on the merits’ is likely to be undermined. As a result, consumers will have less choice, and will ultimately lose out through higher prices, lower quality, and reduced innovation.”
There should be attention to market reality and consumer impact from proposals. Appropriate policies should be based on likelihood, scale and degree of harm. Any reduction in effective competition online or disruption to competing services is likely to cause significant consumer and vulnerable consumer detriment.Paragraph 39: “The assessment of privacy and data protection harms that the ICO carries out in line with the UK GDPR is therefore a ‘risk-based’ approach, which considers the type of harm and potential damage caused.”
A non-exhaustive lists of harms related to processing personal data include societal and consumer harms where evidenced, and not just individual ones.   By distorting the Open Web and diminishing the revenue available for alternative advertising channel competitors, Google is making changes that affect not just a few competitors but the entire structure of the market without evidence that this aligns with consumer interests. Indeed, CMA analysis shows that large platforms may well collect more information than consumers want.The harm comes from the big platforms, yet it is the competitors who would constrain this activity who are undermined.Footnote 16: “These harms can be wide-ranging and include individual tangible harms such as financial or bodily harm, or the cost of avoiding or mitigating harm; individual intangible harms such as discrimination, unwarranted intrusion, misuse of personal information, or loss of control of personal data; and societal harms such as loss of trust, damage to the rule of law or democracy.”   
Regulators should push to implement pro-consumer choice solutions promoting competition over privacy where this benefits consumers.   If end consumers can be given control over their personal identity and the ID used for such purposes, then the competitive impact of the existing competitive fringe can be amplified.User-controlled identifiers can be thought of like a revolving number plate on James Bond’s Aston Martin: the consumer can be identified and can use ad-funded services, but at the touch of a button, can reset this identifier and reassert privacy.Paragraph 55: “For example, by providing an appropriate level of privacy by default, and options that allow individuals to control the processing of their data (and permit additional data collection if they are comfortable with it), such models will enable individuals to be in control, and digital businesses will in turn benefit from fair, lawful and transparent data processing undertaken in a trustworthy way. Enhanced user control will build user trust and confidence, which in turn will support a flourishing digital economy.” 

[1] CMA-ICO joint statement on competition and data protection law https://www.gov.uk/government/publications/cma-ico-joint-statement-on-competition-and-data-protection-law

[2] Michael Kleber, introducing Privacy Sandbox, https://web.dev/digging-into-the-privacy-sandbox/ at 19’ 40”.