Last Wednesday the CMA (the UK’s antitrust authority) released two documents that, taken together, suggest a worrying trend at the interface between data privacy and antitrust, potentially heralding the abolition of the ICO and the end for GDPR in the UK.
Antitrust Barges into Data Privacy
The CMA’s Digital Markets Strategy followed the release of the Furman Report into Unlocking digital competition earlier this year (which recommended antitrust policy direction to HMT for digital markets). As part of its Digital Markets Strategy the CMA announced the Online platforms and digital advertising market study.
It is of note that across the 214 pages of those three documents, all released in the past five months by UK antitrust experts, the concept of data privacy is cited twice.
Central to the CMA’s strategy and study is the investigation of consumer harm that may flow from existing data collection practices. This potential adverse effect on competition (AEC) falls squarely within the data privacy regulatory mandate.
If a likely AEC is established by the study, the CMA has made strong indications that it is minded to recommend far-reaching legislative and institutional reform to data privacy.
A Problematic New Horizon
To be clear here - all bets will be off post-Brexit and the resulting remedy could quite easily see the abolition of the ICO, repeal of the retained GDPR, and the introduction of a wholly new ex-ante data privacy regulatory regime.
As the world of antitrust condescends to data privacy this typically magisterial approach is ill-informed, mis-guided and likely counter-productive.
The second generation of data privacy regulation is immature and vulnerable. The regulator is still powering up. The BA fine aside, enforcement action is scanty. Key issues that must be resolved by caselaw, such as real-time data portability obligations, languish unaddressed. The emergent data privacy culture, so diligently encouraged over the last few years, is still running on training wheels.
To make these pronouncements at this point, announcing months of deep uncertainty over not just data privacy market practice but also the status and existence of the core regulator and supervening legislation seems a bizarre way of encouraging consumer welfare. There must be a better way for these two policy areas to meet on more even ground.
Ohalo builds tools to automate data governance. The Data X-Ray automatically classifies and scans unstructured and structured datasources for personal data, cutting down data mapping times from months to hours and allows organizations to fulfill data subject access and deletion requests in minutes. Simply sign up here or ask for a demo.