Align First Party Sets debate to the position of G7 regulators

[jwrosewell]

On 19th May shortly after the 1st F2F day the UK’s Competition and Markets Authority (CMA) and Information Commissioners Office (ICO) released a joint report title Competition and data protection in digital markets: a joint statement between the CMA and the ICO.

The UK are leading the G7, which also includes Canada, France, Germany, Italy, Japan, the US and EU, on matters related to online harms. The announcement includes the following quote.

In a sign of stronger cooperation to address concerns over the market power of big tech platforms, international regulators and policymakers will meet with the UK’s Competition and Markets Authority in the autumn to discuss long term coordination and enforcement.

The report is not only highly relevant to the G7's approach, but also first party sets as debated with TAG, and also other proposals in PrivacyCG such as so called Bounce tracking.

Some extracts for the time poor include.

22. (Box B) There is no explicit reference to the distinction between first-party and third-party data in data protection law.

32. In circumstances where competitors in a digital market have significantly differential access to data, then competition ‘on the merits’ is likely to be undermined. As a result, consumers will have less choice, and will ultimately lose out through higher prices, lower quality, and reduced innovation.

39. The assessment of privacy and data protection harms that the ICO carries out in line with the UK GDPR is therefore a ‘risk-based’ approach, which considers the type of harm and potential damage caused.

50. Meaningful user choice and control are fundamental both to robust data protection and effective competition. The interests of both policy objectives are best met where users have a genuine choice over the service or product they prefer, providers compete on an equal footing to attract their custom, and where individuals have control over their personal data and can make meaningful choices over whether and for what purposes it is processed.

55. For example, by providing an appropriate level of privacy by default, and options that allow individuals to control the processing of their data (and permit additional data collection if they are comfortable with it), such models will enable individuals to be in control, and digital businesses will in turn benefit from fair, lawful and transparent data processing undertaken in a trustworthy way. Enhanced user control will build user trust and confidence, which in turn will support a flourishing digital economy.

77. For example, such risks could arise from an interpretation of data protection law in which transfers of personal data between different businesses owned by a single corporate entity – such as a large platform company – are in principle viewed as acceptable from a privacy perspective, while transfers of personal data between independently-owned businesses are not, even if these businesses are functionally equivalent to those of the platform and the data is processed on the same basis and according to the same standards.

78. If implemented in practice, such an interpretation would clearly be problematic for competition, as it would provide strong incentives for companies to integrate horizontally and vertically in order to be able to process more personal data. It would also undermine the ability of challenger or new entrant firms that are not vertically integrated, including small start-ups, to compete in digital markets.

I believe we will make more meaningful progress if we align the work of Privacy CG and the W3C more widely to this report.