Data Protection and Competition Law: Developments and the Way Forward
The article provides a brief overview of the existing legal framework on data privacy in India, analyses the CCI's decisional practice in this regard, and suggests an appropriate way forward for the CCI on this matter.
In the last decade, the digital sector has witnessed tremendous growth in India and worldwide. While this growth has given rise to new business models, opened up new markets, and unlocked significant efficiencies, it has also raised concerns that tech giants may use the excessive amounts of user data they hold, to influence digital markets to their advantage.
In this background, the Competition Commission of India (the "CCI") has initiated investigations into several players such as WhatsApp, Facebook and Google. However, there are also apprehensions regarding the use of competition law (instead of privacy and consumer legislations) to address such concerns.
This note provides a brief overview of the existing legal framework on data privacy in India, analyses the CCI's decisional practice in this regard, and suggests an appropriate way forward for the CCI on this matter.
A. WHAT DOES THE LAW ON DATA PRIVACY IN INDIA CURRENTLY LOOK LIKE?
In 2017, the Supreme Court of India ("Supreme Court") recognized the right to privacy as a fundamental right.1 Currently, the Information Technology Act (2000) ("IT Act") includes two provisions2 to regulate improper disclosure of personal information: (i) Section 43A of the IT Act requires the maintenance of 'reasonable security practices and procedures' in relation to any 'sensitive personal data or information' handled by a body corporate, and provides for compensation to the user for misuse of their personal data;3 and (ii) Section 72A of the IT Act imposes a penalty on any person (including an intermediary) who intentionally discloses personal information without the consent of the user.
However, the Government of India has recognised that specialised legislation regulating privacy rights is required4 and to this end, it has formulated the Personal Data Protection Bill, 2019 ("PDP Bill"). The PDP Bill is currently under consideration by the Parliament, and is expected to be presented in the first week of the Winter Session5, which usually commences around the last week of November. The PDP Bill, once in force, will repeal Section 43A of the IT Act.
The PDP Bill defines personal data as data "relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline […] and shall include any inference drawn from such data for the purpose of profiling"6. It increases compliance related requirements, gives individuals more control over their information, sets up a regulator to monitor data protection issues (the Data Protection Authority of India ("DPA")), and sets out directions for data storage and localization. Further, the PDP Bill gives the DPA extraterritorial powers and allows for monetary penalties for non-compliance. Notably, the PDP Bill also allows the Government to exempt its agencies from some or all provisions that protect users' data privacy.
Separately, the MEITY has also issued a report on the framework for governance in respect of non-personal data (the "NPD Report") in July 2020.7 Non-personal data is data that cannot identify an individual, and includes aggregated data.8 However, contrary to the principles under the Competition Act, 2002 (the "Competition Act"), the NPD Report appears to characterize a dominant position as a per se violation of competition law, and suggests that the Competition Act may be a tool to protect competitors (instead of competition). It states that "companies with the largest data pools have outsized, unbeatable techno-economic advantages" and that this "has left many new entrants and start-ups being squeezed"9, indicating that this advantage is problematic at the outset.
Accordingly, while it is a positive development that the Government is cognizant of the need for explicit privacy rights, the framework for such regulation, including in respect of the interplay of various regulators, must be established after a thorough study and consultation.
B. WHAT IS THE RELATION BETWEEN DATA PRIVACY AND COMPETITION LAW?
The CCI, by way of the Competition Act, is charged with the responsibility to "prevent practices having an adverse effect on competition and sustain competition in the market". Under the Competition Act, the CCI can look into the three aspects of competition law:
• Anti-competitive agreements between enterprises under Section 3 of the Competition Act,
• Abuse of dominant position by an enterprise under Section 4 of the Competition Act, and
• Regulation of mergers and acquisitions under Sections 5 and 6 of the Competition Act.
The application of the Competition Act could become complicated in digital markets which are often 'zero-price markets', a concept that is at odds with the traditional legal and economic theories relating to competitive harm. In addition, such markets have other unique characteristics including complexity in determining market power or market shares; low entry barriers for players- juxtaposed against network effects which may not allow new entrants to expand or achieve economies of scale; and the ability of customers to multi-home yet at the same time be locked-in due to the lack of inter-operability (thereby complicating the analysis in respect of switching costs).
While the CCI has had several opportunities to examine the digital sector since its inception in 2010, only recently has it analysed data as an asset. In January 2021, the CCI issued a report10 on the telecom sector in India (the "CCI Telecom Report"), noting the intersection of data privacy and competition law. It identifies the use of data as non-price competition, indicating that data collected from users by an enterprise may be used to the competitive advantage of the enterprise over its competitors. In another report of 202011, the CCI has also noted that network effects resulting from large amounts of data collected allow companies to compete on a level that does not relate to pricing and creates a system of 'winner takes all'.
Accordingly, data could be used as a proxy for assessing market power, and once such a determination is made, the misuse of data could be considered to cause an appreciable adverse effect on competition.
i. Data as an Indicator of Market Power
The CCI has issued an order initiating an investigation against WhatsApp and Facebook under Section 26(1) of the Competition Act ("WhatsApp Suo Moto Order") which considers data as a non-price competitive parameter.12
In its order, the CCI considered its decisional history regarding WhatsApp13 to establish its market power and stated that "given its popularity and wide usage, for one-to-one as well as group communications and its distinct and unique features, WhatsApp seems to be dominant". This finding is important, since it relies on the number of users on the platform creating a network effect.
In relation to data usage, the CCI has previously held that companies such as Facebook have the "potential to collect and process significant amounts of customer data"14. In the WhatsApp Suo Moto Order, the CCI takes this theory forward to state that "in a data driven ecosystem, the competition law needs to examine whether the excessive data collection and the extent to which such collected data is subsequently put to use or otherwise shared, have anti-competitive implications, which require anti-trust scrutiny".15
The CCI has also taken a similar approach in its assessment of combinations, where it has noted that in "new age dynamic markets" traditional market share analysis may only provide a starting point for inquiry, but is not the sole guiding parameter for assessment of market power. Recent decisions in such markets have also factored in net neutrality and potential data exchange issues.
ii. Abuse of Dominant Position by Manipulation of Data
The CCI Telecom Report provides the following illustrations of abusive conduct: (a) a low privacy standard implying lack of consumer welfare; (b) lower data protection, which could also indicate exclusionary behaviour; and (c) leveraging a data advantage across various services.
In the WhatsApp Suo Moto Order, the CCI appears to endorse this theory of harm, and opines that data-sharing by WhatsApp with Facebook amounts to degradation of non-price parameters of competition, and that this conduct prima facie amounts to imposition of unfair terms and conditions upon the users of WhatsApp (Facebook is also included in the investigation as a direct beneficiary of this privacy policy).
C. IS THIS THE RIGHT TIME FOR REGULATORY INTERVENTION BY THE CCI?
While the CCI Telecom Report identifies data as a metric for non-price competition, it also acknowledges that privacy could, fundamentally, be a consumer protection issue; as opposed to competition law which is aimed at preserving and fostering competition, and not protecting individual market players (i.e., competitors or consumers).
The CCI should act in conjunction with other agencies (in this case, the proposed DPA) that have been specifically empowered to set standards for data protection. While the CCI could take cognizance over an anti-competitive digression from such standards, its venturing to assess what constitutes an 'excessive amount of data' could create conflicting positions with other regulators who may be in a better position to make such assessments in any event.16
Further, the CCI is clearly still developing its position on misuse of data. The CCI has correctly in the past closed matters which were based on 'bald assertions' and 'assertions which are neither corroborated nor otherwise substantiated in any manner'17 and has also refused to hold 'potential future exclusion'18 as a theory of harm. Yet, the investigations initiated by the CCI in the MMT Interim Order and the WhatsApp Suo Moto Order appear to be based on uncorroborated statements.
Given that the requisite boundaries or standards for data protection and usage are yet to be settled and are in appeal before higher courts, the CCI's investigation of these issues may be premature. An approach which may be helpful is for the CCI to be more liberal with preliminary hearings; this would serve to clarify the underlying technology and business models to the CCI and also optimize the use of CCI's investigative resources.
The need of the hour remains that a clear and comprehensive data protection legislation be implemented at the earliest. If such legislation specifies a threshold for data collection, the CCI could then assess market power in digital markets accordingly. Interestingly, the MEITY has already issued a notification that defines a 'significant social media intermediary' as a social media intermediary with 5 million or more registered users in India.19 Therefore, it would be sensible for the CCI to refrain from creation of thresholds or standards in the realm of data, and instead fortify its understanding of the underlying concerns via market studies and preliminary conferences and focus on effects based approaches.
In the meantime, enterprises in digital markets are advised to review their privacy policies, and adhere to best practices for user data collection such as transparency in end use and advertising.
1 In a landmark judgment delivered in August 2017 (Justice K.S Puttaswami & Anr. v. Union of India), the Supreme Court has recognized the right to privacy as a fundamental right as a part of the right to "life" and "personal liberty". "Informational privacy" has been defined to mean that the information about a person also needs to be given protection under privacy rights. The Supreme Court stated that every person should have the right to control commercial use of his or her identity and that the "right of individuals to exclusively commercially exploit their identity and personal information, to control the information that is available about them on the internet and to disseminate certain personal information for limited purposes alone" emanates from this right.
2 Section 43A and Section 72A of the IT Act, introduced pursuant to the Information Technology (Amendment) Act, 2008
3 The Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules, 2011 (as clarified) provide further insight into the expressions 'sensitive personal data or information' and 'reasonable security practices and procedures'.
4 See the Office Memorandum dated July 31, 2017 issued by the Ministry of Electronics and Information Technology ("MEITY") re: Constitution of a Committee of Experts to deliberate on a data protection framework for India, available at https://www.meity.gov.in/writereaddata/files/MeitY_constitution_Expert_Committee_31.07.2017.pdf
5 Bill tracking available at https://prsindia.org/billtrack/the-personal-data-protection-bill-2019.
6 Section 3(28) of the PDP Bill available at https://prsindia.org/billtrack/the-personal-data-protection-bill-2019.
7 This was subsequently revised in December 2020.
8 See The Personal Data Protection Bill, 2019: All you need to know, Anurag Vaishnav, dated December 23, 2019 as available at https://www.prsindia.org/theprsblog/personal-data-protection-bill-2019-all-you-need-know
9 See Appendix 2: Data – Trends and Socio-Economic Impact, on page 41, Report by the Committee of Experts on Non-Personal Data Governance Framework, Ministry of Electronics and Information Technology, Government of India, Dated December 16, 2020, available at https://static.mygov.in/rest/s3fs-public/mygov_160922880751553221.pdf
10 CCI's published Market Study on the Telecom Sector in India: Key Findings and Observations, January 22, 2021, available at http://cci.gov.in/sites/default/files/whats_newdocument/Market-Study-on-the-Telecom-Sector-In-India.pdf. Interestingly, the CCI Telecom Report also clarifies that it intends to maintain formal and informal channels of communication with the proposed DPA. These channels are intended to ensure that regulatory decisions are robust and consistent in the light of overlapping jurisdictions.
11 See the Market Study on E-Commerce in India: Key Findings and Observations, Competition Commission of India, January 2020, available at https://www.cci.gov.in/sites/default/files/whats_newdocument/Market-study-on-e-Commerce-in-India.pdf; also see Summary of Workshop Proceedings: CCI Workshop on Competition Issues in the Telecom Sector in India, February 2021, available at http://cci.gov.in/sites/default/files/whats_newdocument/Proceedings-Telecom-Workshop.pdf
12 CCI's order under Section 26(1) of the Competition Act in In Re: Updated Terms of Service and Privacy Policy for WhatsApp Users, Suo Moto Case No. 01 of 2021, dated March 24, 2021 as available at https://www.cci.gov.in/sites/default/files/SM01of2021_0.pdf; the WhatsApp Suo Moto Order has been since taken before the High Court of Delhi as a writ petition on the ground that the CCI is overreaching its jurisdiction by investigating a matter on privacy which is pending before the Supreme Court and the High Court of Delhi. The Delhi High Court dismissed the appeal for lack of merits to interdict the CCI investigation.
13 CCI's orders under Section 26(2) of the Competition Act in Harshita Chawla v. WhatsApp Inc. and Facebook Inc. ("Harshita Chawla Order"), Case No. 15 of 2020, dated August 18, 2020 as available at https://www.cci.gov.in/sites/default/files/15-of-2020.pdf and Shri Vinod Kumar Gupta v. WhatsApp Inc. ("Vinod Gupta Order"), Case No. 99 of 2016, dated June 1, 2017 as available at https://www.cci.gov.in/sites/default/files/26%282%29%20Order%20in%20Case%20No.%2099%20of%202016.pdf
14 CCI's orders under Section 31(1) of the Competition Act in Facebook / Jio, Combination Registration No. C-2020/06/747, dated June 24, 2020 as available at https://www.cci.gov.in/sites/default/files/Notice_order_document/order-747.pdf and Google/ Jio, Combination Registration No. C-2020/09/775, dated November 11, 2020 as available at https://www.cci.gov.in/sites/default/files/Notice_order_document/Order775.pdf
15 See also the CCI's interim order under Section 33 of the Competition Act in Federation of Hotel & Restaurant Associations of India (FHRAI) & Anr. v. MakeMyTrip India Pvt. Ltd. (MMT) & Anr. along with Rubtub Solutions Pvt. Ltd. v. MakeMyTrip India Pvt. Ltd. (MMT) & Anr. ("MMT Interim Order"), Case No. 14 of 2019 and 01 of 2020, dated March 9, 2021 as available at https://www.cci.gov.in/sites/default/files/Interim_Order_14-of-2019and01-of-2020.pdf. Here, the CCI noted that "in winner takes all platform markets, if the impugned conduct is not based on the merits, eliminating such anti-competitive behaviour at the earliest assumes utmost importance. Network effects coupled with even small actions by the platforms may exclude and marginalize rivals, and further strengthen these effects that may be difficult to dilute at a later stage" (emphasis supplied).
16 CCI's order under Section 26(1) of the Competition Act in In Re: Updated Terms of Service and Privacy Policy for WhatsApp Users, Suo Moto Case No. 01 of 2021, dated March 24, 2021 as available at https://www.cci.gov.in/sites/default/files/SM01of2021_0.pdf.
17 CCI's order under Section 26(1) of the Competition Act in XYZ v. Alphabet Inc. & Ors., Case No. 07 of 2020, dated November 9, 2020 as available at https://www.cci.gov.in/sites/default/files/07-of-2020.pdf.
18 CCI's order under Section 27 of the Competition Act in Matrimony.com Limited v. Google LLC. & Ors. and Consumer Unity & Trust Society (CUTS) v. Google LLC. & Ors., Case Nos. 07 & 30 of 2012, dated February 8, 2018 as available at https://www.cci.gov.in/sites/default/files/07%20%26%20%2030%20of%202012.pdf
19 Notification dated February 25, 2021 available at https://www.meity.gov.in/writereaddata/files/Gazette%20Significant%20social%20media%20threshold.pdf