Clash of the regulators: is a coherent approach to tech regulation just a pipe dream?, Verity Egerton-Doyle, Olivia Hagyard, Ben Packer

Knowledge

Welcome to the Knowledge Portal. You can browse, search or filter our publications, seminars and webinars, multimedia and collections of curated content from across our global network. Create an account and set your email alert preferences to receive the content relevant to you and your business, at your chosen frequency.

How to regulate the sprawling digital economy is amongst the key policy questions of our age.

Many UK regulators have a claim on at least part of the answer, leading to a complex regulatory patchwork that presents significant challenges for businesses – not least as the different branches of regulation do not always point in the same direction. This can make compliance a key challenge for tech companies: in the absence of a coherent and holistic regulatory framework, the burden of navigating the various areas of regulation sits squarely with businesses.

The regulatory matrix

The current regulatory framework for a digital business in the UK includes interacting with, at a minimum:

the Competition and Markets Authority (CMA) on antitrust issues;
the Information Commissioner’s Office (ICO) in relation to privacy; and
(soon) the Office of Communications (OfCom), about the forthcoming online safety regime.

Telcos are regulated by Ofcom already, businesses in the financial sector must add the Financial Conduct Authority (FCA) and possibly the Payment Systems Regulator (PSR) and Bank of England to the list, and other sectors have their own regulators. Large tech companies that are considered to have “Strategic Market Status” will soon have to answer to a regulator-within-a-regulator at the CMA: the Digital Markets Unit (DMU).

And that’s just in the UK – most large digital businesses operate internationally and face similar patchworks of regulation around the world.

Clashes between regulatory objectives

As the current debate over Google’s Privacy Sandbox and the demise of the third party cookie shows, measures taken apparently to further one regulatory objective (e.g. protecting privacy and ensuring customers have more transparency and choice around how their data is used) can draw criticism under another branch of regulation (e.g. antitrust policy seeking to ensure more open access to data for smaller businesses).

There is clear potential for similar tensions to arise between privacy and the proposed online safety regime. The latter will impose obligations on platform operators to detect and deal with harmful content, but in so doing those operators will be required to process significant quantities of user data (including more sensitive, “special category” personal data). Though a regulator focusing on online safety may well feel this is justified to protect users online, a regulator wearing a privacy hat may be aghast at the level of intrusion required to achieve this goal.

And ironically, the costs of complying with new regulations alone can undermine antitrust objectives by creating barriers to entry. The oft-quoted example is that YouTube’s content moderation system cost $100m to build. Another is the GDPR – in the run-up to it becoming effective, the IAPP and EY estimated that Fortune’s Global 500 companies would spend c. $7.8bn on compliance efforts. In the financial sector, many of the neo-banks seeking to challenge their more established rivals have long bemoaned how the sheer volume and complexity of financial services regulation hinders their ability to compete.

The regulatory balancing act in an evolving market

Each branch of regulation has a slightly different ethos, but all are fundamentally driving at the same thing – protecting the public and enhancing consumer welfare. Ultimately, the question to be answered by politicians and regulators is how to balance the differing objectives, consumer benefits and consumer harms in achieving those objectives.

The question is particularly difficult to answer in dynamic digital markets which are constantly innovating and evolving – but it is critical that regulators and policy makers provide businesses with a clear direction.

Joining up the dots…but missing financial services

In March 2019, the House of Lords Select Committee on Communications put it bluntly: “Policy-makers across different sectors have not responded adequately to changes in the digital world.” The Select Committee’s recommendation was to create a new “Digital Authority”, made up of the Chief Executives of various regulators, with powers to instruct regulators to take certain actions. While no steps have been taken to implement these recommendations, the FT reports that the idea is now gaining traction.

In July 2020, a slightly less ambitious but nonetheless important Digital Cooperation Forum was launched, which brings together the CMA, the ICO and Ofcom. These three regulators worked together on the CMA’s Digital Taskforce and are said to be cooperating on the Google Privacy Sandbox investigation. Each regulator’s existing toolkit may limit them when operating alone, so this dialogue and cooperation is to be commended.

However, neither the Digital Cooperation Forum nor the Digital Taskforce include the FCA or the PSR. This is a missed opportunity. Not only because these regulators have been grappling with issues around tech disruption in the financial sector, but also because balancing potentially competing statutory objectives is hard-wired into the FCA’s statutory framework, and it has practical experience of doing precisely what must now be done in the digital sector.

The compliance challenge for tech

While consensus seems to be growing that a more holistic approach to regulating the tech sector is desperately needed, the large-scale reforms that would be required to facilitate it are certainly not imminent.

In the meantime, the burden of trying to reconcile potentially conflicting regulatory frameworks rests firmly on tech businesses themselves, who run the risk of inadvertently breaching one regulation in their attempts to comply with another. In the absence of a coherent regulatory framework, a coherent approach to compliance will be critical.

For tech businesses, this means surveying their regulatory landscape in its totality to map their different obligations and identifying where tensions arise. In some cases, trade-offs between regulatory obligations might be unavoidable. But any trade-offs should be made knowingly, weighing both legal and commercial risks, and with an eye to how the decisions taken can be explained to the regulators.

{

Britain, like many nations, is still using a whack-a-mole approach of discrete regulators tackling issues piecemeal

https://www.ft.com/content/bd8accda-fb12-4664-a8c9-182e80e8000d?segmentId=3f81fe28-ba5d-8a93-616e-4859191fabd8