This month, the CMA began the process of determining which firms have strategic market status (SMS) with respect to a particular digital activity under the new digital markets competition regime, which came into force on 1 January 2025. Whilst this new regime is grounded in competition law, some of its most significant implications will be restrictions on how those ‘SMS’ firms can process personal data.
Much like its European forebear, the EU Digital Markets Act, the UK regime is highly focused on the impact that data, including personal data, can have on competition - both in relation to user behaviour (such as ‘lock-in’ effects) and access/use of data, which can impact the ability of other businesses to compete. The CMA has already indicated that it is considering a raft of data-related measures, including requirements on SMS firms to make key data available to competitors on fair and reasonable terms; restrictions on sharing data across services; and giving consumers more control over their data.
And yet, of course, the UK already has a robust data protection regime, and an active data protection regulator. The CMA and the ICO have been, some might say, the very model of regulatory co-operation in recent years (something the ICO and Ofcom are no doubt hoping to imitate with Online Safety). In December 2024, the CMA and the ICO published a Memorandum of Understanding for cooperation on the DMCC, committing them each to “maximising synergies and avoiding incoherence or duplication”.
One point often discussed in the context of new digital regulation is the potential for conflict with data protection law. Requirements under competition law to open up data to competitors could have the potential to conflict with principles of data minimisation and privacy. The ICO’s position on this is that, given its consultative role under the DMCC Act, any requirements under that regime “should therefore not require a firm to do anything that would breach data protection law”. However, the ICO goes on to say, “[i]f a firm does have a legitimate concern about its compliance with data protection law when complying with a conduct requirement, this should not result in firms being forced to choose between breaching data protection law or having a penalty imposed on them by the CMA”. It would seem, therefore, that the ICO is not entirely ruling out the possibility of a conflict.