During the 2016 acquisition of LinkedIn by Microsoft, the EU Commission sought assurances from the parties that they would not marginalise the competitors who offered privacy policies that were friendlier to the consumers than LinkedIn’s.
With this, the Commission had conceded that there was need to fit data protection as part of consumer welfare, more so where mergers are to occur in “markets in which privacy is shown to be an important parameter in the eyes of (a significant number of) consumers”.
On May 19, 2021, the UK’s Information Commission Officer’s office (ICO) and the Competition and Markets Authority (CMA) released a joint statement highlighting the need for collaboration between the two regulators in order to promote regulatory coherence”.
The statement highlighted areas of synergies and tensions and ways competition regulation could facilitate effective data protection and vice versa.
In a digital economy where consumers have meaningful choice and control, the ICO and CMA were in agreement that an incentive of competition on privacy will arise as competitors seek to have an edge over one another.
AREAS OF TENSION
In regard to potential areas of tension, the joint ICO and CMA statement found that there was a potential risk of interpreting data protection law in a manner that would limit competition.
Such an instance would arise where large integrated firms are allowed to share data among subsidiaries of a larger company, but at the same time not allowing smaller non-integrated firms to take part in the data sharing.
Both authorities found that this would have an effect of having firms deliberately integrate vertically and horizontally so that they can have access to and process more personal data, which will subsequently lead to undermining both competition and innovation.
To embrace harmony, enhance predictability in decisions by supervisory authorities and promote regulatory coherence, both the Office of the Data Protection Commissioner and Competition Authority of Kenya (CAK) should join forces and pursue synergy.
Just as the CAK signed a memorandum of understanding with local sector regulators such as the Communications Authority of Kenya (CA) and the Central Bank of Kenya, so should it with the Office of the Data Protection Commissioner.
Parliament through both the Competition Act 2010 and the Data Protection Act 2019 left room for the collaboration required.
The CAK is mandated by the Competition Act to negotiate agreements with any regulatory body according to which concurrent jurisdiction is exercised over competition matters within the relevant industry or sector.
The purpose of this express mandate is to identify and establish procedures for management of concurrent jurisdiction; promote cooperation; provide for exchange of information and protection of confidential information; and ensure consistent application of competition principles.
On the other hand, the Data Protection Act empowers the Data Commissioner to enter into association with bodies or organisations within and outside Kenya involved in the regulation of processing of personal data and ensuring that the processing lies within the principles set out in the Act.
Mergers between entities that rely on the processing of personal data, say advertising, financial services firms, fall within the said principles set out in section 25 of the same Act.
When Chrome, a Google browser, announced that it was doing away with third-party cookies by end of 2021, privacy crusaders lauded this move.
However, small firms saw this move as Google trying to use privacy as an excuse to limit competition by strengthening its position in advertising by causing spending to be concentrated in its ecosystem.
Such complaints made the UK CMA to open investigations on Google “Privacy Sandbox” proposal. The ICO, for its part, is assessing whether the proposals are in compliance with data protection laws.
Kenya being among African countries with both data protection and competition regulation authorities can set the tone, especially with the growing digital marketplace. By December 2021, the the Africa Continental Free Trade Agreement (AfCFTA) protocol on e-commerce ought to be in place so as to better place Africa in the global digital marketplace.
With more and more companies exercising data power, Kenya has the chance to demonstrate how competition and data protection regulators can cooperate and enhance both meaningful competition that will uphold the consumers’ right to privacy.
In a nutshell, a collaboration between both regulators will ensure that it will not just be the economic harms brought about by market power that are being scrutinised, but also broader societal harms and in this case, the right to privacy, which is a plus for consumers and small players in the market.
Despite there not being a collaborative framework between the two regulators, any entity intending to acquire a company that processes vast amounts of personal data, should go the extra mile and conduct a data protection impact assessment as part of the due diligence.
Karanja is a data protection compliance & commercial law practitioner