Policy paper

Digital Regulation Cooperation Forum: Annual report 2021 to 2022

Published 28 April 2022

© Crown copyright 2022

This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.

This publication is available at https://www.gov.uk/government/publications/digital-regulation-cooperation-forum-annual-report-2021-to-2022/digital-regulation-cooperation-forum-annual-report-2021-to-2022

Logos: Digital Regulation Cooperation Forum; Competition and Markets Authority; Ofcom; Information Commission Officer, and Financial Conduct Authority

Foreword

This is the first annual report from the Digital Regulation Cooperation Forum (DRCF) – a new form of collaboration between regulators, designed to address the future challenges of the digital world. The Digital Regulation Cooperation Forum (DRCF) brings together the major UK regulators tasked with regulating digital services:

  • the Competition and Markets Authority (CMA)
  • the Financial Conduct Authority (FCA)
  • the Information Commissioners Office (ICO)
  • the Office of Communications (Ofcom)

These 4 bodies are working closer than ever before, to bring clear, consistent and co-ordinated regulation to the UK’s digital services and economy.

During 2021 to 2022, the DRCF members formed powerful links that are changing how we approach digital regulation – at a time when the CMA is examining competition in digital markets, the FCA is tackling financial scams, the ICO is protecting people’s data and Ofcom is preparing for its new role regulating online safety. This first DRCF annual report explains how we now routinely share knowledge and skills, pool resources and work together in identifying important industry trends and innovations. As you’ll see through the progress outlined in this report, we’re already seeing the benefits of that collaboration. For example, last year Ofcom and the ICO engaged jointly with industry as Ofcom established the regulation of video sharing platforms and ICO’s Age Appropriate Design Code came into force, ensuring companies protect children’s data online. Similarly, the ICO and CMA developed a joint position on data protection and competition.

The DRCF is now firmly established. In November 2021 we were delighted to welcome our first chief executive, Gill Whitehead. She has brought expert leadership and wide-ranging experience from online and media sectors. We look forward to working with Gill over the next year.

DRCF Chair and Ofcom Chief Executive Dame Melanie Dawes CMA Chief Executive Andrea Coscelli FCA Chief Executive Nikhil Rathi UK Information Commissioner John Edwards

Introduction

We formed the DRCF in July 2020 to help us deliver more efficient and joined-up approaches to regulating digital services. [footnote 1] Last year, we published our first workplan which set out plans for bringing our aims and ambitions to life during 2021 to 2022.[footnote 2] During this first year, we built strong relationships and worked closely together to better understand the needs of the sectors we oversee and the needs of the people we protect. We achieved this through sharing knowledge and expertise and focusing our collective efforts on specific areas of focus. Last year we focused on 3 priority areas, set out in our 2021 to 2022 workplan as below:

  1. Responding strategically to industry and technological developments: Establish joint strategic projects where our cooperation helps to provide clarity for people and businesses.
  2. Joined-up regulatory approaches: Develop approaches for delivering coherent regulatory outcomes where different regulations overlap. An example of this is the CMA and the ICO’s approach to applying data protection and competition regulation in online advertising.
  3. Building skills and capabilities: Develop practical ways of sharing knowledge, expertise, capabilities and resources, for example in AI and data analysis.

In addition to these 3 priority areas, we strengthened our wider stakeholder engagement.

This aimed to:

  • build clarity through collective engagement;
  • build better communication with other regulators with digital responsibilities; and
  • develop the DRCF’s operational capabilities to ensure we have the right people and processes to deliver against our objectives.
  • our cooperation last year meant we were well placed to assist the UK Government and Parliament as they developed reforms to the digital regulator landscape.

This report sets out the progress made in the last year, structured around these priorities.

Responding strategically to industry and technological developments

In 2021 to 2022 we focused on laying the groundwork for effective and joined-up collaboration. Through the DRCF, we created single cross-regulatory teams to share knowledge and develop collective views on complex digital issues. We prioritised the following 4 digital trends and technologies:

  • algorithmic processing
  • design frameworks
  • digital advertising technologies
  • end-to-end encryption

Our progress in each of these areas is set out below.

Algorithmic processing

Algorithms are an intrinsic part of the internet and an essential component of digital innovation. As regulators of digital services, it is important to understand how and where algorithmic processing is being used, and the benefits and harms they bring to people and society. Our aim was therefore to strengthen our shared understanding of, and expertise in, algorithmic systems.

This year, we held more than 20 events with academics, industry, and the UK Government to hear a variety of perspectives on algorithmic processing.

Following this engagement, on 28 April 2022 we published our findings in 2 papers. [footnote 3] These papers set out the benefits and harms of algorithmic processing and our understanding of the current algorithmic auditing context. The first paper considers:

  • shared objectives and challenges
  • areas of common interest
  • where a common approach using regulatory principles and tools is beneficial

The second paper focuses on algorithmic audit (see Framing algorithmic audit below). It explains how these audits function in practice, the state of the market, and the potential roles for regulators in this space.

Framing algorithmic audit

Over the last 12 months, we spoke to stakeholders from industry, academia, civil society, and the UK Government about how to audit algorithmic systems effectively.

We learned that there is no single approach to audit. The nature of an appropriate audit varies on a case-by-case basis. It depends on:

  • the nature of the potential harm
  • the business model
  • the people concerned
  • the context of how organisations develop and deploy the algorithm
  • the relevant regulatory environment

In our paper on ‘Algorithmic Audit’, we proposed a framework for thinking about different forms of audit. The framework also discusses the capacity and capability of organisations to conduct such audits and explores when different types of audit may be most appropriate. The types of audit are:

Governance audit: Assessing whether the organisation followed the correct governance policies, for example through reviewing impact assessments, oversight processes or conformity assessments.

Empirical audit: Measuring the effect of an algorithm using inputs, outputs, or both. For example, by scraping, ‘mystery shopping’ or other black-box techniques.

Technical audit: Looking ‘under the bonnet’ of an algorithm at data, source code or methodology. For example, reviewing code, robust performance testing or formal verification.

Design frameworks

We want to promote regulatory certainty for firms and promote consumer trust in digital services. Our focus was to identify the broad issues around design frameworks[footnote 4], in the context of our respective regulatory remits and sectors through internal knowledge sharing. We held a series of workshops between the DRCF members to better understand the similarities and differences across different design frameworks and their potential impact on our regulatory remits.

Digital advertising technologies

Digital advertising technologies are used to deliver online advertising, including personalised and targeted adverts. Their use enables some services to be provided free at the point of use to UK consumers. However, these technologies also pose a wide range of potential risks and harms, from privacy concerns to fraud.

In this context, it is important that we collectively work to better understand the technologies underpinning digital advertising and understand more holistically how the digital advertising sector interacts with peoples’ rights.

During 2021 to 2022, both the CMA and the ICO continued investigations under their respective functions, including the CMA’s Google Privacy Sandbox investigation [footnote 5] and the ICO’s work on adtech.[footnote 6] Alongside these activities we progressed our goal of building common understandings by holding 3 internal workshops and establishing an internal forum of experts to keep each other informed of developments.

In addition, the CMA and Ofcom worked together during the year to deliver advice to the UK Government in November 2021. This advice considered how a code of conduct could apply to the commercial relationships between platforms and publishers, including in relation to digital advertising. This advice drew upon the knowledge of experts from within the DRCF’s digital advertising technologies forum (see Supporting UK Government and Parliament below).

End-to-end encryption

Encryption technologies are increasingly embedded in a variety of online services. These provide high levels of security and privacy protection for users but reduce the transparency of the services that are used. It is important for regulators that we work collectively to understand the benefits and challenges of this technology.

Our joint work on end-to-end encryption during 2021 to 2022 built on existing work by the ICO and Ofcom. This included the ICO’s consideration on related privacy issues and Ofcom’s work on online messaging and calling. Our focus was on developing a common understanding of the implications of end-to-end encryption for users, industry and the UK regulatory community. We engaged with a range of specialist and industry stakeholders to seek their views and hosted external roundtable discussions to identify key concerns.

Horizon scanning

Horizon scanning is key to our ability to understand emerging technologies and identify future regulatory risks and challenges. Doing this collectively helps us to share expertise and quickly accelerate our knowledge building in new or rapidly developing subject areas.

In November 2021, we launched a joint horizon-scanning programme to bridge gaps in our horizon scanning activity. [footnote 7] This built on the programmes of horizon scanning across each regulator. This programme will help us to develop knowledge on areas of rapid innovation and join up on engagement via external events.

As set out in our November 2021 ‘Joining up on future technologies’ policy paper, we have 3 initial priorities:

  • collating research
  • joint engagement with UK SMEs, tech start-ups and academia
  • accelerating our knowledge building via symposiums

In March 2022 we created the digital markets research portal (see below), which brought together the range of DRCF member’s digital research to help us, and wider stakeholders, access existing knowledge and identify gaps where further research is needed.

On 5 April we held the first of a series of engagement with SME’s, start-ups and academia in Manchester, focusing on cyber and fintech.

DRCF digital markets research portal

Launched in March 2022, our digital markets research portal brings together over 80 pieces of recent digital research from 8 regulatory bodies. [footnote 8] They are:

  • the DRCF members
  • the Intellectual Property Office
  • the Bank of England
  • the Advertising Standards Authority
  • the Gambling Commission

We brought together a curated selection of regulators’ most insightful and relevant research about digital markets and the emerging technologies that underpin their development. This will help us build our knowledge and informs our ongoing research programme and collective priorities.

We made this body of research easily discoverable and fully accessible in one place. We hope this better equips those interested in contributing to a better understanding of digital markets and the future of UK digital regulation.

We intend for this body of research to grow over time and to update the portal itself in response to feedback.

Joined-up approaches

The nature of digital services means that consumer issues and harms often interact with more than one regulatory regime at any given time. For example, Google’s privacy sandbox proposals [footnote 9] to remove third-party cookies from Chrome, and replace them with alternative solutions within the browser, is a response to data protection concerns about user tracking. However, it could also have broader competition and consumer impacts.

Through the DRCF we are making sure each of our regulatory regimes work well together in practice. Last year, we focused on 3 areas:

  • taking a joined-up approach to the interactions between data protection and competition, particularly advertising
  • looking at the interactions between the Video Sharing Platform (VSP) regime and the Age Appropriate Design Code (AADC)
  • considering the wider interactions in the digital regulation landscape

We set out our key progress in each of these areas below.

Data protection and competition regulation

This workstream was comprised of an ongoing bilateral policy exchange between the CMA and the ICO exploring the connections between competition and data protection. This work built on the CMA and the ICO’s collaboration as part of the CMA’s market study into online platforms and digital advertising completed in July 2021.[footnote 10]

In May 2021, the CMA and the ICO published a joint statement on competition and data protection law (the CMA/ICO Joint Statement’).[footnote 11] This set out their shared views on the relationship between competition and data protection. The statement explains how the regulators intend to work together to enhance the synergies and overcome existing tensions between these 2 policy objectives. Both regulators continue to use this statement to inform their work.

The ICO also published an Information Commissioner’s Opinion on the data protection expectations for online advertising proposals in November 2021. [footnote 12] This aimed to provide guidance to industry participants developing new alternatives to third-party cookies. The Opinion recognised the strong synergies between competition and data protection objectives. It reinforced the view that the objectives are not ‘tradeable’.

The CMA and ICO worked closely to understand, review and inform the development of Google’s Privacy Sandbox proposals (see Google Privacy Sandbox below). The aim of this collaboration was to reach an outcome that preserves competition in digital advertising, while upholding consumers’ data protection rights. We continue to cooperate as these proposals evolve. We are also working on other projects such as the CMA’s Mobile Ecosystems Market Study, as well as supporting Government in its consideration of legislative reform to the competition and data protection regimes.

Google Privacy Sandbox

In August 2019, Google announced its intention to remove third-party cookies and other functionalities from its Chrome browser. They aimed to replace their functionality with a range of tools, collectively referred to as ‘the privacy sandbox proposals’.

Following on from the CMA’s market study into online platforms and digital advertising, the CMA and the ICO established a programme of policy engagement. These discussions drew on the regulators’ shared understanding and experience of the advertising technology ecosystem. They also discussed the potential implications of the privacy sandbox on the market in each of their regulatory responsibilities. Google’s stated intention with developing these technologies is to make the web more private and secure for users, while also supporting publishers. However, there is also risk that these changes could harm competition in the digital advertising market.

This policy engagement informed the CMA’s Competition Act investigation into Google’s Privacy Sandbox proposals which opened in January 2021. It also informed the published CMA/ICO Joint Statement, and the Information Commissioner’s Opinion on their data protection expectations for online advertising proposals published on 25 November 2021.[footnote 13] The policy work and publications accompany the CMA’s legally binding commitments that it accepted from Google in February 2022, which established an ongoing role for the CMA and ICO in overseeing the development and implementation of the Privacy Sandbox tools. [footnote 14]

The value of the ongoing close policy engagement between the CMA and ICO was well demonstrated in this investigation. It enabled the joint consideration of both the potential privacy benefits of an innovative industry development for consumers, as well as the potential negative effects that development may have on competition for market participants.

The Age Appropriate Design Code (AADC) and the regulation of video-sharing platforms

Our work in 2021 to 2022 built on the ICO and Ofcom’s existing cooperation on online safety, following the introduction of the ICO’s Age Appropriate Design Code (AADC) and Ofcom’s regulation of UK-established video-sharing platforms (VSPs). We held joint workshops with the Centre for Information Policy Leadership (CIPL) and TechUK to address industry interest in the differences and similarities between these new regimes. We worked together to develop respective guidance, such as Ofcom’s guidance to VSPs [footnote 15] and the ICO’s Opinion on the use of age assurance technologies.[footnote 16] We have also commissioned joint research exploring children and parents views on age assurance online to be published later in 2022.

Interactions in the wider digital regulation landscape

In addition to collaboration between its members, the DRCF has also been active in engaging with other regulators who have an interest in the regulation of digital services.

During this last year, we engaged with regulators outside the DRCF membership via our quarterly regulator roundtable, which includes a diverse group of UK regulators with interests in digital issues.[footnote 17] Since its launch in September 2021, we have held 3 regulator roundtables.

The regulator roundtable helps us build our understanding of the priorities and experiences of regulators outside the DRCF and spot potential synergies with our priorities. Attendees share updates from their organisations and provide views on DRCF activities, including the development of the DRCF workplan for 2022 to 2023. This year, some members also contributed their digital research to the new DRCF digital markets research portal.

We also have regular engagement with the UK Regulators Network to discuss areas of mutual interest. This includes our horizon scanning work. We also shared an update on our activities with the UK Competition Network.

Building skills and capabilities

To deliver effective regulation of digital services, the DRCF members need to be able to develop and retain people with the requisite expertise and skills in these fields. Last year, our objective was to identify, prioritise and focus on the delivery of shared skills and capabilities. We approached this through a series of workshops between the people and policy team members from across the member agencies. Our outputs included developing detailed workplans setting our approach to delivering on the below 4 priorities for 2022 to 2023:

  • recruitment
  • graduates, early careers and outreach
  • building digital regulation skills
  • attracting talent

Building clarity through collective engagement

One of the most important objectives of the DRCF is to make it easier to engage with other organisations, in the UK and overseas, ensuring a joined-up approach to engagement. As well as the external engagement undertaken as part of our project work outlined above, representatives of the DRCF secretariat also undertook a range of external engagement.

This included:

  • contributing to 3 DRCF panel events, including a DRCF CEOs panel event in July organised by Global Counsel (UK Digital Regulation: Perspectives from the leaders of the CMA, FCA, ICO and Ofcom) [footnote 18], a DRCF directors panel session at the Leeds Digital Festival in October (Digital Regulation: A coordinated approach) [footnote 19], and the DCMS Future Tech Forum [footnote 20], as well as 2 events organised by the ICO and Ofcom on the interactions between the video-sharing platforms regime and the Age Appropriate Design Code;
  • meeting with international counterparts - including the Office of Privacy Commissioner, Canada; the Netherlands Authority for Consumers and Markets and the Australian Competition and Consumer Commission - to share information and discuss best practice approaches to digital regulation. This included sharing our experience of working collaboratively across regulators. Both the Netherlands and Australia have since announced the formation of regulatory forums that are similar to the DRCF[footnote 21]; and
  • engaging with the tech industry to introduce the new DRCF CEO and to gather feedback to inform the DRCF workplan for 2022-23. We are also meeting with industry bodies, such as the Internet Advertising Bureau and the Professional Publishers Association, to explain the aims and activities of the DRCF.

DRCF development

Our focus for this first workplan year was to build strong foundations for the DRCF. As part of this, we appointed a Chief Executive, expanded the core team, formalised governance of the DRCF and its projects including the development of a revised MoU [footnote 22] between the ICO and CMA, and established the key structures needed to ensure successful delivery of the DRCF’s goals.

During the year we also demonstrated our commitment to supporting the UK Government and Parliament as they develop reforms to the digital regulatory landscape. The DRCF is well placed to provide expert advice relating to how regulators can work together to achieve coherent outcomes. This year we provided written input to the UK Government and gave evidence to Parliament, as set out below.

Supporting UK Government and Parliament

Our workplan outlined our commitment to supporting UK Government reforms which create a more inclusive and innovative digital economy. In November 2020, the UK Government asked the CMA, the ICO and Ofcom for inputs on whether we needed further measures to support cooperation between digital regulators. In May 2021, these 3 regulators published a joint response. [footnote 23] It set out how appropriate legislative support for sharing information and the duties of regulators can assist cooperation between regulators on digital matters.

In April 2021, the DCMS Secretary of State asked the CMA to work with Ofcom to look specifically at how a code of conduct, proposed as part of the new pro-competition regime for digital markets, would govern the relationships between platforms and content providers such as news publishers.[footnote 24] This code aimed to ensure the terms on which platforms and publishers trade are fair and reasonable. The CMA and Ofcom provided this advice to DCMS in November 2021, with DCMS expected to publish this advice in due course.

In November 2021, we provided written and oral evidence to the House of Lords Communications and Digital Committee inquiry into Digital Regulation. [footnote 25] [footnote 26] We included an update on DRCF activities since the publication of the first DRCF workplan in March 2021, as well as further information on the development of the DRCF.

  1. The DRCF launch in July 2020 

  2. The DRCF workplan for 2021 to 2022 

  3. The benefits and harms of algorithms: a shared perspective from the 4 digital regulators, DRCF 28 April 2022; and Auditing algorithms: the existing landscape, role of regulators and future outlook, DRCF 28 April 2022. 

  4. Regulatory design frameworks encourage firms to build in user-friendly outcomes at the point of design. Examples of current and potential design frameworks include safety by design, privacy by design, and fairness by design. In the future, firms may need to comply with multiple design frameworks when designing digital products and services. 

  5. The CMA’s Investigation into Google’s ‘Privacy Sandbox’ browser changes 

  6. The ICO’s work on adtech 

  7. DRCF, Joining up on future technologies: Digital Regulation Cooperation Forum technology horizon scanning programme, November 2021 

  8. DRCF digital markets research portal 

  9. Google’s privacy sandbox 

  10. Online platforms and digital advertising market study 

  11. CMA and ICO joint statement on competition and data protection law, May 2021 

  12. ICO Information Commissioner’s Opinion on data protection in advertising (PDF, 482KB), November 2021 

  13. Data protection and privacy expectations for online advertising proposals (PDF, 482KB) 

  14. CMA secures final Privacy Sandbox commitments from Google 

  15. Ofcom guidance to for video-sharing platforms on measures to protect users from harmful material, June 2021 

  16. ICO Information Commissioner’s Opinion on Age Assurance for the Children’s Code (PDF, 1.15MB), October 2021 

  17. The quarterly roundtable is attended by the Advertising Standards Authority, the Bank of England, the British Board of Film Classification, the Electoral Commission, the Equality and Human Rights Commission, the Gambling Commission, the Intellectual Property Office and the Payment Systems Regulator. 

  18. UK Digital Regulation: perspectives from the leaders of the CMA, FCA, ICO and Ofcom 

  19. Digital Regulation: a coordinated approach to overseeing modern digital markets 

  20. Future Tech Forum - Chairs Statement London 

  21. The Dutch Data Protection Authority, Dutch regulators strengthen oversight of digital activities by intensifying cooperation, October 2021. Australian competition & consumer commission, Agencies form Digital Platform Regulators Forum, March 2022. 

  22. Revised MoU between the CMA and ICO (PDF, 4.17MB)

  23. Digital Regulation Cooperation Forum: Embedding coherence and cooperation in the fabric of digital regulators 

  24. New watchdog to boost online competition launches 

  25. Written evidence to the House of Lords Communications and Digital Committee inquiry into the work of digital regulators (PDF, 482KB) 

  26. House of Lords Communications and Digital Committee Corrected oral evidence: Digital regulation 

Back to top