Donald Dinnie, Director, and Heather Irvine, Director, Deneys Reitz
The recent regulatory steps against insurers in the UK for exchanging pricing data using market analysis software has highlighted the fact that exchanges of commercially sensitive information by competitors may place them at risk of a complaint under the Competition Act, 1998.
Section 4(1)(b) of the Act prohibits any formal or informal agreement or understanding between two or more competitors to fix either the selling price or the purchase price of a product or service. This prohibition is very broad in scope: it applies not only to an agreement between competitors (a contract, arrangement or understanding, whether or not legally enforceable), but also to concerted practices. A concerted practice is co-operative or co-ordinated, direct or indirect conduct between firms that replaces the independent action, but does not amount to an agreement. Competitors cannot justify a contravention of section 4(1)(b) on the basis that the practice does not actually harm competition, or has compensating efficiency or other advantages. Importantly, even a first time contravention of this section of the Act can attract a fine of up to 10% of turnover of the competitors involved.
An exchange of pricing or other commercially sensitive information between competitors may facilitate or encourage collusive agreements and behaviour between competitors – for example, ‘price-signalling’ which effectively substitutes co-operation or collusion between competitors for true competition. An exchange of commercially sensitive information between competitors may thus amount to price fixing which is a contravention of section 4(1)(b) of the Act. This is most likely to be the case where pricing or other commercially sensitive information is exchanged in advance (relating to what price competitors intend to charge, for example), but may also be the case where the information is current. Even exchanges of historical pricing or other data may be problematic if this gives competitors a detailed insight into the pricing philosophy of their rivals. Competitors must therefore avoid exchanging sensitive information regarding pricing, the timing or level of price increases, costs and customer data.
Our competition authorities are likely to adopt the same approach as that recently taken by the United Kingdom’s Office of Fair Trading (OFT), in relation to an exchange of pricing data by a number of insurers. After an investigation, the OFT found that there was an increased risk of price-fixing among insurers who used particular market analysis software which enabled them to see the pricing information they and their competitors supplied to brokers. The OFT said that this practice raised competition law concerns because the information they exchanged was confidential and not public, and included, not only their competitor’s current, but also their future pricing plans. The OFT did not prosecute the insurers involved after they agreed to certain formal commitments, including that they would only exchange anonymous, aggregated information which was already publicly available in policies being sold by brokers.
Given the massive penalties and negative publicity which can result from a complaint to the competition law authorities, competing insurers need to check with their legal advisors before exchanging any competitively sensitive information.
Insurers will also need to consider the effect of protection of personal information legislation once it is finalised and operative. The legislature is currently considering the Protection of Personal Information Bill 2009 which will significantly impact the exchange of information.
One intention of the Bill is to promote the protection of personal information processing by public and private bodies, by introducing information protection principles to establish minimum requirements for the processing of personal information and issuing codes of conduct.
The proposed law aims to introduce measures to ensure that personal information of an individual is safeguarded when processed by responsible parties. That information includes information relating to an identifiable, living, natural person and where applicable, to identifiable, existing juristic persons and includes information regarding race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscious, belief, culture, language and birth.
Processing is widely defined and is not only collection, but also recording, organization, storage, updating, modification, retrieval, use and dissemination of information.
The legislation is not intended to apply to the processing of de-identified information; however, and accordingly, subject to competition law concerns to the extent that pricing data is de-identified, the provision is unlikely to fall foul of the contemplated legislation.
The draft legislation contemplates that personal information must be collected directly from the data subject (the persons whose information is processed) except, among other things, where the data subject has consented to the collection of the information from another source and collection of the information from the other source would not prejudice a legitimate interest of the data subject.
Personal information can only be processed if the data subject consents to the processing or it is necessary to carry out actions for the conclusion and performance of a contract to which the data subject is a party.
The further processing of that information is permissible where the data subject has consented to the further processing of the information.
The proposed legislation will have far-reaching consequences for insurers in all aspects of their business, not only in respect of exchange of pricing data. It is essential that insurers participate in the drafting process. At the moment, the technical committee would, no doubt, welcome insurers’ input.
The proposed legislation articulates eight core information protection principles: accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards and data subject participation.
It also contemplates allowing the data subject or the regulator to institute a civil action for damages in an appropriate court against a responsible party for any breach of provisions of the legislation. The court may make an award in an amount that is just and equitable, including payment of damages and compensation for patrimonial and non-patrimonial loss suffered as a result of breach of the legislation, aggravated damages, interest and costs.
Once reasonable expenses of that litigation have been recovered, the balance, if any, must be distributed to the data subject, at whose request proceedings were brought.
There are significant criminal penalties including imprisonment and fines for breaches of the proposed legislation. Data sharing and data processing is the next issue to need compliance functions.