Digital Markets, Competition and Consumers Bill

Debate between Lord Fox and Baroness Jones of Whitchurch
Lord Fox Portrait Lord Fox (LD)
- Hansard - -

My Lords, I congratulate the Deputy Chairman of Committees, who once again did a magnificent job. I speak on behalf of my noble friend Lord Clement-Jones to move Amendment 108 and speak to all the other amendments in this group that are in his name—seven in total. Talk has rightly centred on the CMA’s role in standing up for consumers. This whole group focuses on an important area where consumers are in danger of not getting the best possible treatment as a result of the flexing of market power. The amendments are designed to probe the competitive relationship between providers of a service and legitimate third-party agents who sell those services on.

Online intermediaries in marketplaces can serve a valuable role, helping consumers exercise choice and explore a wider range of options for their needs, ultimately supporting competition and innovation, as long as this is done in a transparent manner. Perhaps the most obvious arena for this sort of activity is the travel industry: flights and hotel bookings. There is of course a natural struggle between the provider of services—the airline, for example—online travel agencies or OTAs, and the third player, which is the platform. This is usually Google.

The question that this group poses is: what is the CMA’s role in the competition between these parts of the industry? It also asks: how is consumer choice maintained or enhanced in that activity? My noble friend’s amendments are designed either to explore the need to protect consumers who make bookings through a third-party agent, or to ban activity that could mislead consumers about the merits of booking through a third-party agent. There are of course other elements to these relationships, and I hope this debate can flesh those out as well.

There is certainly evidence that some low-cost airlines are extensively using their market power to advance their own commercial gain while potentially eroding protection and choice and inflating prices for millions of UK holidaymakers. For example, since December 2023, most OTAs have been prevented by Ryanair from booking flights on behalf of consumers. This rendered the OTAs unable to fulfil holidays that include a Ryanair flight. I understand that a consequence of this is that it is almost impossible for consumers to book an ATOL-protected package holiday that includes a Ryanair flight. I do not have full confirmation of that, but that is my belief. It is difficult not to conclude that this blocking was designed to push customers towards booking hotels as well as flights through Ryanair, rather than as part of a package holiday through an OTA. It is easy to conclude that Ryanair was able to do this because of the market power it holds over its routes.

For its part, in a regulatory announcement Ryanair welcomed the removal of its flights from OTA websites, promising lower fares “where necessary” to encourage all passengers to book directly on ryanair.com. The fact that it did not reference the fact that it had caused the removal of the OTAs in the first place, and its use of the phrase “where necessary” regarding pricing, are clear indications of its instinct in this move. I use this example to demonstrate how serious and real things are for this sector and the consumers it serves.

The question for debate here is: how could and should the CMA act to balance the relationships that surround service providers and third-party agents? The relevant provisions here are in Clause 223, on the prohibition of unfair commercial practices, and Schedule 19, on

“Commercial practices which are in all circumstances considered unfair”.


Together, these provisions set out a list of conduct to which the consumer protections in Part 4 will apply automatically in all cases.

The list in Schedule 19 is relatively granular, so it can be extended in scope easily to deal with these issues. For example, as set out in Amendment 136, Schedule 19 could include:

“Refusing to enter into (or otherwise blocking) a transaction with a consumer on the basis that the consumer is acquiring the trader’s product through a third party acting on its behalf”.


Secondly, it could include:

“Refusing (or otherwise blocking) third party agents, acting on a consumer’s behalf, the necessary means to make or manage the consumer’s purchase”,


thereby degrading the consumer experience. Thirdly, it could include:

“Making a materially inaccurate or disparaging claim about third party alternatives through which a consumer could otherwise acquire the trader’s product”.


Fourthly, it could include:

“Imposing higher prices for a consumer who chooses to acquire a trader’s product through a third party acting on its behalf than for a consumer who acquires that product directly, in particular without providing such consumer with a clear, accurate and complete explanation as to the reason for such a price increase”.


Fifthly, it could include:

“Any act or omission which deprives a consumer of sufficient freedom to make an informed choice as to whether to purchase a product directly from a trader or to engage a third party to make such purchase on their behalf”.


We then need to ensure that the protections afforded by Part 3, on enforcement of consumer protection law, and Part 4, on consumer rights and disputes, apply equally to consumers irrespective of whether, for example, they have made flight bookings through OTAs acting as consumers’ agents or they have booked directly with the airline. The relevant provisions of the Bill relating to the definition of a “consumer” are in Clause 147, on relevant infringements, and Clause 223, on the prohibition of unfair commercial practices.

In both cases, the definition of “trader” is already explicitly extended to circumstances in which a person is acting personally or through another third party on their behalf. This concept of indirect consumer-trader relationships should be extended to the definition of “consumer”. A new paragraph should be introduced in Clauses 147 and 223 to make it explicit that it is immaterial for the purposes of that definition whether a consumer chooses to engage with a trader directly or through a third party acting on the individual’s behalf as an agent. These proposed changes are set out in Amendments 108 and 129.

Other references to indirect booking need to be provided for—again, to include the provision that it is immaterial whether a consumer engages with a trader directly or through a third-party agent. The relevant clauses here are Clause 230, on rights of redress, and Clause 243, on the meaning of “transactional decision”. Amendments 145 and 146 would make it explicit that the protections in Part 4 apply to contracts entered into by the consumer with traders, both directly and indirectly.

Given the sort of behaviour already in the market, we also need to introduce the concept of misleading or aggressive commercial practices by a trader, which are designed either to deter consumers from booking through third parties—including OTAs, which book flights on consumers’ behalf as their agents—and/or to prevent such third parties from making such bookings. In other words, we need to outlaw those practices.

This time, the relevant provisions of the Bill are in Clause 224, “Misleading actions”, and Clause 226, “Aggressive practices”. These clauses deem commercial practices to be unfair if they involve misleading actions or aggressive practices that cause the average consumer to take a transactional decision they would not have taken otherwise. A new subsection should be introduced in each of Clauses 224 and 226 to make explicit that, for the purposes of Clause 224(1)(a), “misleading information” includes

“an action where the overall effect is to deter the average consumer from using third party agents to conclude transactions on their behalf, including disparagement relating to such third parties”.

For the purposes of Clause 226, in the context of determining whether a commercial practice uses harassment, coercion or undue influence, account should be taken of

“whether the practice significantly impedes the average consumer’s freedom of choice in respect of whether they choose to make a booking directly with a trader or to use a third-party agent to conclude transactions on their behalf”.

This is the effect of Amendments 139 and 141. The Minister will understand that this is an important example of the potential misuse of market power, to the detriment of consumers. We await his response.

Baroness Jones of Whitchurch Portrait Baroness Jones of Whitchurch (Lab)
- Hansard - - - Excerpts

My Lords, I thank the noble Lord, Lord Fox, for that introduction. He made an excellent argument about why we should include third parties working on behalf of consumers in the remit of the Bill. As he described, this particularly relates to package travel firms.

Whether using a legacy airline or a low-cost carrier, all of us will have booked flights online. These days we have unprecedented freedom to fit our travel arrangements to our specific requirements and then pay for them at home, at the office or on our phones. But how many of us have had the far less welcome experience of discovering, a few minutes later, that our deal was not as good as we thought and that there were cheaper fares for the same flight? This is frustrating and unfair, and, unfortunately, it is due to deliberate anti-competitive practices, many of which the noble Lord described.

Low-cost airlines—LCAs—have transformed the aviation landscape. They have disrupted the market, offering travellers unprecedented choice and competition. Their rise in the UK has empowered consumers, democratising air travel and making it affordable for a much broader demographic than used to be the case. The greater availability and lower cost of flights to and from the United Kingdom has, in turn, led to the rise of online travel agencies and tour operators, known as OTAs. These offer travellers a wide array of pre-packaged holiday options, which include flights, accommodation and add-on activities. The convenience of being able to plan and book an entire trip from the comfort of one’s home has fuelled the popularity of online package travel. OTAs are becoming extremely popular and convenient ways for families to plan, book and pay for their holidays.

However, in recent years the low-cost airlines, themselves once the industry disruptors, have felt threatened by the newer online travel agencies. The industry is witnessing a growing trend of complex anti-competitive actions aimed at stifling competition. One such tactic is curtailing seat availability to specific destinations, which renders them inaccessible through OTAs or individual bookings unless bundled as airline packages. Another anti-competitive tactic is to introduce cumbersome verification procedures for passengers who book through OTAs rather than directly with the airlines, adversely affecting the consumer experience. Unfortunately, in this battle for market share between the LCAs and the OTAs, the consumers are often the casualties.

The situation is made still more opaque for consumers by the existence of 13 different types of airfare. I am grateful to my noble friend Lord Leong, who has looked into this. He tells me—I will mention only the most common six—that there are normal fares, point-to-point fares, excursion fares, APEX fares, PEX and super-PEX fares, and branded fares. Additionally, some come with specific restrictions, some are non-refundable, others cannot be exchanged or transferred, and none of these restrictions is immediately obvious or consistent with ticket types.

Data Protection (Adequacy) (United States of America) Regulations 2023

Debate between Lord Fox and Baroness Jones of Whitchurch
Wednesday 22nd November 2023

(1 year, 1 month ago)

Lords Chamber
Read Full debate Read Hansard Text Read Debate Ministerial Extracts
Baroness Jones of Whitchurch Portrait Baroness Jones of Whitchurch (Lab)
- View Speech - Hansard - - - Excerpts

My Lords, I am grateful to the noble Lord, Lord Clement-Jones, for raising his concerns about this SI this evening, and for the diligent work of the Secondary Legislation Scrutiny Committee in drawing to our attention the inadequacy of the original Explanatory Memorandum attached to it. In fact, had the details been included in the proper form in the first place, it could have saved me a lot of chasing around to establish what had been tabled when; as the noble Lord pointed out, it was not immediately clear.

For example, the Secondary Legislation Scrutiny Committee criticised the lack of an impact assessment, a variation of which has now finally been attached to the SI. As the noble Lord made clear, the original Explanatory Memorandum recorded that the impact assessment was not ready to be published as it had to be submitted to the Regulatory Policy Committee for its review. We now know, thanks to the work of the Secondary Legislation Scrutiny Committee, that the RPC judged the original impact assessment as not sufficiently robust, identifying areas of improvement which, if not addressed adequately, would generate a red-rated opinion. It reports that a revised IA was submitted to the Regulatory Policy Committee on 20 September. Can the Minister confirm whether this revised IA has now received a green rating from the RPC?

I agree with the Secondary Legislation Scrutiny Committee that, sadly, the failure to produce this proper documentation in a timely manner occurs all too often. It makes it difficult for Parliament to carry out our scrutiny role and reflects a wider decline in drafting accuracy. I understand that the staff work under intense pressure but, in this case, I see no reason why all the checks could not have been carried out before the SI was laid, even if this resulted in a slight delay.

The Secondary Legislation Scrutiny Committee also quite rightly raised concerns about the lack of contextual information in the original Explanatory Memorandum. I absolutely agreed with them on this. It was not until I read the impact assessment that the background and intent of the SI became clear. There is now a revised EM but the original printed version of the SI, which I collected from the Printed Paper Office, as I suspect the noble Lord did as well, contained the original Explanatory Memorandum, which again underlines the inadequacy of the processes adopted by the department.

In this context, I have some questions which arise from the impact assessment rather than the EM. First, is it the case that the only adequacy regulations currently in existence are with the Republic of Korea? As this is the first such agreement, how are the provisions of the regulations being monitored, and have any data breaches been identified? I hope that we would learn from that first experiment, if you like, with the Republic of Korea. Any information on how that is working would be appreciated.

Secondly, what criteria do the Government use for prioritising other potential data partnerships, as listed in the IA? Are any others near completion?

Thirdly, since Brexit and the failure of the EU privacy shield, the EU and the US have developed the data privacy framework, and we have signed up to the UK extension of that framework. In what ways does the extension vary from the EU-US agreement? If the European Commission varies that agreement, can we be assured that the UK extension will seek to reflect those changes? This would make it considerably easier for businesses to navigate the rules in the longer term.

Fourthly, since there is some sensitivity around this currently, today’s announcement that the NHS has handed US spy tech firm Palantir a contract to create a huge new data platform has rightly caused concern. Does this agreement come under the new data adequacy rules covered by this SI? Is it the case that individuals cannot opt out of the scheme, as reported in the press? What would prevent Palantir selling on the data to other US companies, provided they signed up to the US Department of Commerce’s self-certification scheme?

Incidentally, I could not see in the impact assessment any assessment of the robustness of the US rules. For example, how many data breaches are there per annum and what sanctions are taken against those who breach the rules? It is all very well having an adequacy rule, but we want to know how it is working in practice and what the US’s history has been on this. Does the Minister have any information on this?

My last question leads on to the Secondary Legislation Scrutiny Committee’s last recommendation, which has also been highlighted by the noble Lord, Lord Clement-Jones. The UK public are understandably suspicious about how their personal data could be misused or monetised by big corporations, both here and abroad. If they have nothing to worry about in this instance, it would have been helpful to hold a public consultation to provide reassurance and build confidence in the policy. As it stands, there are bound to be concerns about the underlying consequences of this proposed agreement. As the Secondary Legislation Scrutiny Committee points out, an increasing number of experts and specialist lawyers could have contributed to the development of this policy, particularly as it may be a model for other agreements in the future.

I hope the Minister can reflect on these concerns and take them back to the department. I hope that he can also address the specific questions I have raised, and that he can assure us that the lessons about the way documentation is presented to Parliament for approval in the future will be taken on board.

Lord Fox Portrait Lord Fox (LD)
- View Speech - Hansard - -

My Lords, it is a pleasure to follow the noble Baroness and, indeed, my noble friend Lord Clement-Jones. Their commentary on the process so far is quite damning. I share my noble friend’s fear that this is in danger of selling short what is an important aim of creating a viable data bridge between these two jurisdictions.

I am not going to go over the process; I will pick out a number of points from what I think is the right Explanatory Memorandum but may, of course, be the wrong one. I am acting in good faith; I think I picked it up from the table at the right nanosecond when the correct document was there.

Paragraph 7.2 of the EM says:

“DSIT officials have been working closely with counterparts in the US”.


Paragraph 25 of the Secondary Legislation Scrutiny Committee’s report says that DSIT told the committee:

“The US does not have a comprehensive data protection framework”.


The report points out, as noble Lords have said, that this framework tends to be based on a sector or state- level requirement. So who are the counterparts that DSIT talked to? There are no counterparts equivalent to DSIT who can have that competent conversation.

In practice, can they know that the treatment of data will be the same in California as it will be in Florida? If they know the answer to that question, how do they know it—who did they talk to in order to gain that information? It seems to me that the complications of data in the United States are not reflected in the Explanatory Memorandum in my hand.

That is the first point. Moving on, if you look at paragraph 7.6 in the Explanatory Memorandum, you see that it is very clear that this is a self-certifying annual process. Self-certifying is another word for ticking boxes. So, once again, how can the department be sure that this process is being properly dealt with and monitored? When we come to the enforcement of this self-certification process, is it the Department of Commerce that will be checking that this self-certification has happened? Will it be the state legislatures? Who will be the bodies in charge of this self-certification? Will there be an annual report, so we know that all these bodies are certified? Indeed, if I am giving my data to a particular organisation that is then sending that information across the United States, how do I know that that process is properly certified? It seems that these are good words but, unless they are backed up with a system and a process, they are to all intents and purposes meaningless.

The next point is picked up in paragraph 7.12 of the Explanatory Memorandum, where we talk about processors and transfers, and people in the United States who are

“indicated on the Data Privacy Framework List as participating in”

this bridge. If there is a violation from an organisation in the United States that is picked up by the Information Commissioner in the United Kingdom, what happens next? Who does what, in terms of prosecuting the organisation in the United States for wrongfully dealing with that data? Who is liable? At a corporate level, where is this dealt with? Is there some sort of corporate veil to the US company which means that the UK company is not liable? How in companies law will this operate? It seems to me that there is not the information here to answer those questions and I wonder, frankly, whether they have actually been considered.

It is quite clear that this could not have happened without the hard work and endless negotiation of the EU-US group. This rides on the back in a rule-taking process that I suppose we are going to have to get used to as things go forward. My noble friend’s point about Schrems is very true; Schrems III is coming soon, so what will the Government’s position be if it finds against the EU part of this bridge? Will we also automatically cancel the bridge? How does that then affect companies that have already transferred their data and made that decision?

There are couple of ancillary questions which are, I guess, slightly off the wall. There is an industry in this country that involves having servers and creating a UK-based server place as a safe harbour for British data. I assume the department has done an analysis of the industrial effect on those servers, because clearly many of them will be no longer needed, and data can be sent back to the United States rather than living in what are euphemistically called “clouds” but are actually server farms in the United Kingdom.

I have a final question. As the Minister knows, political parties tend to knock on doors, collect data and put that data into databases. Can he tell us what the position is on electoral databases in terms of using US-based servers to retain that data? At the moment, that is not done. Will political parties be able to move that data from servers in this country to perhaps their counterparts, assistants or supporters in the United States, in order to do analysis, targeting and whatever, or do the current rules of safe harbour still exist for electoral data?