November 23, 2020

Impact of Competition Law on Privacy Compliance in the Data Economy

Organisations can be forgiven if they feel caught in the middle of a perfect storm created by regulatory change, the pandemic-induced economic downturn and the prospect of a pincer-movement by Data Protection and Competition Authorities driven by the marked increase in data-driven activities.

It is becoming increasingly clear that the actions of competition authorities will have an impact on Privacy and Data Protection (PDP) compliance for businesses across different markets. Organisations may find themselves in a situation of being in compliance with data protection laws but still fall foul of competition laws, and vice versa. In this article, we consider notable recent developments and examples of how competition law requirements could drive changes in how organisations interpret data protection compliance, and how competition law could also potentially influence the development of enhanced compliance standards for certain sectors.

The intersection of data protection and competition

Data protection and competition regulations have different, but not necessarily opposing, policy and social objectives which sometimes also converge. This convergence is becoming increasingly prevalent as organisations place greater reliance on connected devices, massive datasets and large-scale analytics to monitor the effectiveness of their operations, understand more about their customers, improve products and grow market share. To understand this growing intersection, we take a brief look at some of the recent developments in this area focusing on the United Kingdom, Germany, Italy and the United States.

Recent Developments

United Kingdom

The Competition and Markets Authority (CMA) recently published its report on competition in online platforms and digital advertising, focusing on the position of large online platforms. The CMA dealt directly with one of the causes of dominance of platforms, namely their exclusive access to vast quantities of personal data, and recommended ways to enhance consumer control over data, such as mandating interoperability, requiring platforms to grant third-party access to data in certain circumstances and mandating data separation. Privacy and data protection rules govern sharing and secondary usage of customer personal data, and have often been cited by platform providers as a reason why they are unwilling to publish or share their data with competitors.

It is promising that the CMA and Information Commissioner's Office (ICO) are cooperating to address circumstances where competition and data protection law intersect and to anticipate the privacy and data protection issues of any proposed interventions or remedies. Although initially focusing on platforms and digital advertising markets, the CMA will work with the ICO, under the umbrella of the Digital Markets Taskforce (DMT), to look at remedies in the data space and how they relate to the data economy and digital markets.

Earlier this year, the Financial Conduct Authority (FCA) opened a Call for Input to better understand how data and advanced analytics are being accessed and used, the value offered to market participants and whether the associated pricing and selling is competitive. This reflects the widespread use of data analysis in numerous industry sectors as a means of gaining greater insights into consumer and market activities; however, it also highlights the juxtaposition between monetising data and managing risk that many organisations find themselves in.

Germany

The Bundeskartellamt (“Federal Cartel Office” or “FCO”) recently used European data protection law in its investigation of a large social media company as a standard to analyse conduct in situations where a dominant company, through its terms and conditions, gives users no choice as to how their data will be used, which, when combined with personalisation, can result in potentially abusive conduct and a violation of competition law. The outcome of the investigation was an order prohibiting the combination of personal data from various company-owned and third-party sources without user consent.

The FCO also recently published its report into the German smart TV sector, where it explicitly referenced violations of the General Data Protection Regulation (GDPR), particularly around transparency, and recommended the provision of more transparent information to consumers, for example by providing concise up-front information and using pictograms to inform consumers about data protection standards when purchasing a smart TV.

Italy

The Competition and Markets Authority (AGCM) announced investigations into alleged unfair practices of cloud computing services, in particular the alleged failure by some service providers to provide transparent information to users of the possibility of their personal data being collected and used for commercial purposes, and consumers being unable to give consent to the use of their data for this purpose.

United States

In the United States, Congress, the Department of Justice, the Federal Trade Commission and various State Attorneys General have been looking into markets in the digital economy with a focus on large online platforms. For example, the House Antitrust Subcommittee, in its recent report into the state of competition in the digital economy, proposes ‘structural separation’ in some instances and mandates compatibility of services through interoperability and data portability, solutions that undoubtedly would impact how organisations use personal data in the future.

Examples of the potential impact on data protection compliance

It is clear from these developments that the actions of competition authorities will impact how organisations in each country can collect and use personal data. Below we consider how these actions, whether direct interventions or policy recommendations, could impact key areas of privacy and data compliance.

Transparency and privacy notices: With competition authorities also looking at how businesses inform consumers about how their personal data is used, especially in the context of abuse of dominance, organisations need to look beyond pronouncements of national data protection authorities to the decisions and guidance of competition authorities when developing privacy notices and embed transparency mechanisms at data collection points. This could lead to diverging requirements that are difficult to reconcile in practice, or requirements that are limited to specific sectors, potentially inhibiting innovation and creating an unlevel playing field.

Data sharing and consent: Requirements concerning third-party access to personal data would provide obvious commercial benefits to organisations, but would come with additional risks and organisations would have to implement adequate controls for sharing, receiving and processing personal data in this scenario. Furthermore, they would need to ensure that the appropriate legal basis is in place and use of consent is appropriate and compliant with data protection regulations, particularly where children are concerned. Guidance and decisions from both data protection and competition authorities could lead to uncertainty if they are not joined-up and consistent.

Contracts and vendors: Supply chain risks may arise as a result of data sharing and third-party access requirements and could be impacted in circumstances where data processors do not have the appropriate technical and organisational controls to process personal data in a compliant manner. Contracts may need to be renegotiated or, at the very least, reviews of key vendors would need to be performed.

Mergers and Acquisitions (M&A): There is closer regulatory scrutiny of corporate transaction activity to address concerns that arise when organisations make acquisitions of companies which include ingesting large datasets, or initiate ‘data carve-outs’, particularly where the acquiring organisation already occupies a major or dominant position in the market. Organisations should consider these concerns not only in their M&A strategies but also in their integration plans post-transaction, especially where there is a plan to alter terms and conditions and privacy policies to facilitate increased data usage activities for different purposes (e.g. marketing or profiling), across a range of applications and services. The key point organisations should keep in mind is that regulatory scrutiny could negate some of the benefits of any transaction or require time-consuming or costly remediation work.

PIA, DPIA & RoPA: Changes to how data is collected and processed should be subject to a Privacy Impact Assessment (PIA) as a matter of good practice to ensure data protection risks are identified and properly managed. There may also be circumstances where the changes would likely pose a high risk to the rights and freedoms of individuals, meaning that a Data Protection Impact Assessment (DPIA) would have to be performed (for organisations subject to the GDPR). Furthermore, new data processing or changes to existing data processing, such as new data categories, changes in usage, vendors or systems, must be added to the record of processing activities (RoPA).

Security & data breach management: More data processing and data sharing inevitably poses questions about data security and the potential for data breaches. Existing security policies and controls may not be appropriate to safeguard data in a way that satisfies the requirements of competition authorities and obligations under data protection law. Organisations should ensure data minimisation and consider whether business objectives can reasonably be met through anonymisation or privacy-enhancing technologies such as pseudonymisation.

Privacy by Design: Less scope to use and share personal data or, conversely, more data available to use for commercial purposes reinforces privacy by design as an essential part of product and process design. Decisions by competition authorities on the use of defaults, unfair terms and conditions and issues around user choice must also be considered in the context of data protection law before being implemented. In this regard, the CMA’s proposed fairness by design concept could shed some light on the intersection of data protection and competition in product design.

Codes of Conduct: More involvement by competition authorities and policymakers could serve as impetus for the development of codes of conduct under Article 40 of the GDPR, especially in cases where competition regulators mandate data sharing between industry competitors. Such a code of conduct could include measures that must be in place to safeguard privacy and data protection interests of individuals prior to sharing of data. Data protection regulators and competition authorities should collaborate to ensure that industry-wide codes of conduct do not stifle competition for data protection, by leading to alignment in companies’ privacy and data handling policies. Organisations should work with industry bodies to monitor developments and be prepared to provide feedback on proposals for new codes of conduct that are designed primarily to resolve competition issues but would impact the collection and processing of personal data.

What can organisations do to prepare?

While any organisation could be affected by the intersection of data protection and competition regulation, organisations in the digital economy and sectors that undertake large-scale data processing, such as telecommunications, healthcare and consumer-facing financial services, should pay close attention to developments in this space and act accordingly. Senior leaders who steer their organisation’s approach to data and digital matters, such as Data Protection Officers, Chief Information Security Officers, Chief Data Officers and Chief Technology Officers, should do the following:

  • Engage with in-house legal and technology functions regarding the potential relevance and impact of competition policy matters and to share knowledge, discuss developments and give input on data protection matters arising from competition investigations or responses to competition authority fact-finding questionnaires;
  • Establish a Privacy, Data & Technology committee to ensure there is appropriate visibility and scrutiny of major initiatives, products and projects involving the large-scale use of personal data;
  • Consider the impact of privacy and data protection compliance obligations on M&A strategy and significant business changes (e.g. divestments), in particular where access to data is an integral element of a proposed transaction;
  • Modify legal change monitoring processes to include competition law as a component of Regulatory Affairs-driven activities;
  • Monitor and track investigations, market studies and publications from competition authorities that focus on personal data;
  • Engage with industry associations to understand views of organisational peers and to contribute to industry position papers or feedback to regulators.

How A&M can help

A&M’s privacy and data compliance and economics consulting practices have the combined expertise and experience to help you navigate the changing landscape at the intersection of data protection and competition.

  • Advise on competition and data protection issues that arise from business change, strategic transformation/restructuring, and prospective transactions;
  • Advise on privacy issues arising in the context of agreements and abuse of dominance investigations, including proposing remedies, to ensure compliance with privacy regulation;
  • Support responses to requests for information and fact-finding questionnaires from competition authorities;
  • Execute a strategic competition law management strategy including governance, market analysis and senior management reporting;
  • Strategy and planning support to anticipate the impact of potential interventions or legislative changes on business processes;
  • Industry research and insights to keep abreast of developments and to formulate organisational policy.

To learn more about our expertise and to understand the full scope of our data compliance work, contact one of our experts.
