Competition Law and Privacy Protection –
A Regulatory Match Made in Heaven for Online Data Issues?
There have been recent headlines touting privacy as the new competition law, with one US commentator opining that “the role that antitrust played in the wake of the Industrial Revolution is being captured by privacy in the Digital Age”. Much can be written about this area, but suffice to say that we need look no further than investigations into Google’s search results raising both privacy and competition law concerns (see, for example, this 2012 complaint to the US Federal Trade Commission) to fire up this debate.
Back in the UK this week, the new Competition Market Authority (CMA) has provided fuel to the fire to support arguments for further wedding these two regulatory areas by issuing a call for information in relation to the commercial use of data from, and about, UK consumers. These are data that is collected both inside and outside the UK widely but primarily of concern in the context of the Web. They include:
- traditional forms of online personal data, but also ‘metadata’ collected about online consumers (defined, in this context, as the analysis of data patterns from consumers’ web searches that enable groups of users to be targeted according to some common characteristics, even if their offline, individual identities are unknown to the data controller),
- data where the consumer knows that the collection is going but also where they do not,
- data on specific transactions for goods and services (including paid for and free-at-use services), as well as data not specific to such transactions, and
- data used by businesses dealing directly with consumers (e.g. to target groups and individuals with offers), in addition to data processed by third party firms that they source from firms dealing directly with consumers who subsequently analyse this data to provide commercial services to other organisations.
The CMA wants to gather information to clarify its understanding of the benefits resulting from the collection and use of such data (e.g. increased efficiency, better quality products targeted to meet consumer needs, better targeting of advertising, and more tailored suggestions and purchasing advice for consumers), but also the risks to consumers from which they may need added protection. The latter revolves around concerns about potential impediments to market innovation that could significantly impede competition, but also consumer understanding about how data that is gathered is used.
To these ends, the CMA is seeking evidence specifically on the following topics:
- the extent to which consumer benefits from the use of consumer data arise in practice and the types of data that can generate them,
- how firms generate value from and use consumer data,
- how consumer data is collected, the level of consumer understanding about this and whether this is being done fairly (including the impact of consumer protection legislation),
- how consumer data is aggregated, bought and sold (including licensing, commercial use and re-use),
- how the collection and use of consumer data can generate value for the wider economy (such as adding value to existing sectors and creating new markets in the UK),
- whether access to data is limited such that it constrains entry or growth by potentially innovative new market entrants,
- whether low levels of awareness or understanding among consumers of the data collected and its uses, together with limited tools for them to control what data they provide, could mean that it is hard for them to have sufficient control of how their information is used.
In this context, the CMA asks questions about:
- the types of information collected, acquired and sold, to what extent data is sold or licensed to third parties (and under what contractual arrangements), and how long consumer information retains value for firms,
- how firms use consumer data, what restrictions are experiences in acquiring data and analysis (and the impact of these),
- the evidence that consumers understand and consent to the information firms collect and how it will be used, and what information or control is provided to consumers,
- how consumers benefit from firms using consumer data and whether they are aware of these benefits,
- the risks to both consumers and firms from the collection and commercial use of consumer data,
- the measures that firms are taking to raise consumer awareness, while ensuring benefits,
- what potential competition, policy, legal or regulatory changes might help to ensure or enhance the benefits for consumers and firms from the commercial use of consumer data, and
- the main developments expected in the next three years in the collection and use of consumer data for commercial purposes and the likely implications of these.
The deadline for responses to the CMA is 6 March. On the back of the information received, as well as further evidence gathering and analysis to be simultaneously carried out by the CMA, the watchdog will ultimately decide what further work may be required and publish its conclusions this summer. Recommendations for future action might include the launch of a formal market study or enforcement work.
To note, the CMA’s predecessor, the Office of Fair Trading (OFT), previously carried out an investigation into the usage of consumer data, which led to the publication of a market study on online targeted advertising in 2010. In 2013, the OFT also published a report on the economics of personalised pricing, which found that transparency and awareness about the collection and use of consumers’ information is low.
While the CMA states that it will not be examining concerns relating to individuals’ privacy and data protection in its current review (as they fall within the remit of the ICO), privacy/data protection professionals – such as myself – will be following the results of its investigation with keen interest. Opportunities for safeguarding consumer welfare (the ultimate goal of EU, and UK, competition law), and privacy protection, are surely two sides of the same ‘consumer-empowerment’ coin when it comes to the processing of personal data?