CMA’s proposed regime to ‘take on’ tech giants – a privacy perspective
14 July 2020
The UK's Competition and Markets Authority ("CMA") published its final report on its market study into online platforms and digital advertising, calling for "a new pro-competition regulatory regime to govern the behaviour of major platforms funded by digital advertising, like Google and Facebook". It is proposed that the new regime would be overseen by a ‘Digital Markets Unit’ which would be given powers of intervention.
You can read our general thoughts on this here but in this article we consider the CMA’s data protection considerations which, according to the CMA, arise as a result of Google and Facebook’s dominance.
Lack of control
The CMA’s view is that a lack of competition means consumers are left with a ‘take it or leave it’ offer resulting in the consumer providing more personal data to platforms that they would like to do so.
In this regard the CMA notes that Facebook does not allow users to turn off personalised advertising and, even where some platforms (including Google) allow choice in principle, the choice is not “provided in a way that users can realistically be expected to engage with” because exercising choice is time-consuming and complicated. The CMA goes on to note that “platforms’ choice architecture… nudges consumers into making choices that are in the best interest of the platforms”.
Consequently, the CMA are proposing a requirement for platforms to provide a service that does not include personal advertising and imposing a duty on platforms to ensure they are maximising users’ ability to make informed choices.
The General Data Protection Regulation obliges organisations to provide individuals with certain information about (amongst other things) how and why their data is used. This transparency requirement is at the heart of ensuring that processing is fair, and key to achieving compliance is ensuring that the information is presented in a user-friendly way and is easy to read.
However, the CMA is of the view that many online platforms are failing in this regard, with complex terms that stretch thousands of words, and, to demonstrate that users are not reviewing the terms (and that transparency has not been achieved) they measured visits to Google’s privacy page, finding that users spend an average of just 47 seconds on the page, with 85% of visits lasting less than 10 seconds.
Mark Zuckerberg, in his testimony before the US Senate, was (incredulously) asked “how do you sustain a business model in which users do not pay for your service”. The somewhat dumbfounded response was “Senator, we run ads”.
While many users may understand that Facebook monetises its services through ads, many may not appreciate the extent to which their data, and not just the advertising space, that contributes to Facebook’s advertising revenue (according to the CMA, publishers earn around 70% less revenue when they are unable to sell personalised advertising).
The CMA note that it is the vast amount of data collected by Facebook and Google that give a competitive advantage and creates a significant barrier to entry. Accordingly, platforms are incentivised to interpret data protection regulation in a way that maintains this dominance, by acting in a “quasi regulatory capacity” and denying smaller third parties access to data (which could be provided in a compliant manner).
On a similar note, the CMA has remarked that the user is not adequately compensated for the use of their data. In a well-functioning market, say the CMA, users might be rewarded (i.e. paid) for using online services. While an interesting concept, it remains to be seen how this would sit with the ICO and other European regulators which are typically reluctant to accept that users can trade their privacy rights for services (hence ‘cookie walls’ currently being largely prohibited by some European Regulators).
It will be interesting to see how the CMA’s recommendations will be adopted by the Government and what the interplay will be between competition law and data protection regulation. Many online platforms – not just the dominant players – will be concerned that overlapping regulation will harm business and will feel that consistent interpretation and enforcement of existing privacy regulation amongst European regulators is required before adding an additional layer.
If consistency is to be achieved, the CMA will need to work with the UK Information Commissioner’s Office. It’s therefore interesting to note that, together with Ofcom, the CMA and the ICO launched (on the same day as the CMA’s report) a ‘Digital Regulation Cooperation Forum’ which will aim to ensure that “online services work well for people and businesses in the UK”.
If you’d like to discuss any of the issues set out in the CMA’s report, please get in touch.