CCI on WhatsApp Privacy Policy: Some Inspirations, Some Questions

[Raghav Harini N is a final year B.A.LL.B. (Hons) student at ILS Law College, Pune]

The Competition Commission of India (CCI), in a recent order, has caused the Director General (DG) to investigate the controversial privacy policy and terms of service of WhatsApp (the policy). It has concluded that the policy prima facie violates section 4 of the Competition Act 2002 (the Act). This decision reflects a mature and advanced antitrust understanding of the CCI in dealing with dynamic markets. This post analyses some of the key themes of this order and raises some questions that may require policy reconsiderations.

Roads to the Present Case 

The CCI took suo moto cognisance of the policy, and examined whether it merited a detailed investigation by the DG under section 26(1) of the Act. The policy enables WhatsApp to share user data with Facebook and its subsidiaries (Para 1). This policy is mandatory and non-consensual in nature, and imposes a “take-it-or-leave-it” condition on the users, the CCI observed (Para 25). In light of the same, it sought replies from both WhatsApp and Facebook (the Opposite Parties, OP). 

Facebook, in its response to the CCI, noted that it was a separate entity from WhatsApp, and that WhatsApp had the decisional autonomy to update and revise the policies on its own; thus, Facebook cannot be impleaded as a necessary party (Para 7). The CCI, however, observed that the updated policy put Facebook’s benefits and interests at immediate stake and therefore Facebook was a necessary and proper party to the instant case. 

Key Themes of the Order 

This part explores some of the key features of CCI’s order.

The Overlap of Data Protection and Competition Laws

  Unsurprisingly, the opposite parties sought to challenge the jurisdiction of CCI citing an array of judgments. The OP, relying on the case of CCI v Bharti Airtel, assailed the jurisdiction of the CCI on the ground that its jurisdiction is secondary to the sectoral regulator. Moreover, the matter is currently pending before the Supreme Court of India. It was also observed that the policy had larger public policy repercussions beyond competition law, including national security (Para 11). The OP relying on CCI’s decisions in the cases of Vinod Kumar Gupta, Harshita Chawla, and GPay submitted that the issues that overshadow the data protection regime do not constitute a valid cause of action under the Act.

However, CCI disagreed with the OP on the reliance of Bharti Airtel judgment; borrowing the reasoning of Delhi High Court’s judgment in the case of Monsanto Holdings Private Limited v. CCI, it concluded that the Bharti Airtel ratio was applicable only in the presence of a sectoral regulator such as TRAI. Data protection and privacy do not form a sector in itself; they are legal regimes whose scope extends to the instant case (This post brings out the difference between sector and industry for the application of Monsanto and Bharti Airtel). In any case, the Act under S. 62 of the Act permits parallel legal proceedings under other laws that are applicable. (Para 12). 

Violation of Informational Self-determination

The order expresses deep concerns about the apparent lack of opt-out options in the policy, making the instant case significantly different from Vinod Kumar Gupta. In Vinod Kumar Gupta, the 2016 WhatsApp privacy policy was challenged before the CCI. The CCI concluded that the 30-day opt-out period provided a safety-valve to consumers, and therefore attracted no contravention under the Act (Para 26). To that extent, the OP could not lean on Vinod Kumar Gupta.

The policy also seems ambiguous and obscure in circumscribing its terms, scope, and extent. The order observes that several terms such as “service-related information”, “mobile device information” and “payments or business features” are not defined in the policy, which makes the scope of the sharing of the data sets opaque (Para 27). This strips users of the control over their digital footprints and data. When an individual’s agency over the data is robbed due to non-transparent and non-consensual mode of data harvest, not only does it seem inequitable, but it also has a direct bearing on the informational self-determination rights of users.   

Privacy as a Non-Price Parameter

CCI’s recent report on a market study on the telecom sector in India remarked that privacy takes the form of non-price competition in antitrust analysis, and therefore privacy breaches can be read into the Act. CCI’s decision in the instant case comes as a significant reaffirmation of this observation. The order observed that WhatsApp’s non-personalised data sharing with Facebook is opaque and imposing in nature. Moreover, the ramifications of network effects and the dominant role of WhatsApp in the relevant market may tip the market in its favour; this may enable it to compound its competitive edge by creating a walled garden, wherein the switching costs for consumers are rather high. The theories of multihoming and data portability only remain theories, without practical significance, given the negligible percentage of users resorting to rival apps such as Signal and Telecom in the wake of the announcement of the policy (Para 30-33). CCI, in light of the abovementioned concerns, observed that OP’s conduct prima facie amounted to contraventions under S. 4(2)(a)(i), 4(2)(c), and 4(2)(e) of the Act.

Concluding Remarks

At the outset, the order seems apprehensive about the manner of data extraction (non-consensual and non-transparent) and not the data extraction itself. The order is also deeply reminiscent of the German antitrust case against Facebook.

In that case, Facebook (Ireland) mandated the users to share their data with Facebook-allied-services such as WhatsApp and Instagram on a non-consensual basis. While both the Federal Court of Justice and Bundeskartellamt (the German Federal Cartel Office) did not proscribe the data collection per se, they discussed at length how data collection practices incongruent with data protection laws can be read into abuse of dominance. It prohibited Facebook from internal divestiture of its data and assigning data collected from third party sources to Facebook user accounts. To audit the implementation of remedies, it obligated Facebook to roll out an implementation plan as well.

This case assumes an indomitable role in analysing data collection standards from the antitrust lens. This case also pioneered the synchronisation of data protection and antitrust laws. The CCI can seek abundant guidance from this case in analysing the data collection standards of WhatsApp.

European Union (EU) and Federal Trade Commission (FTC) in the cases of Microsoft/LinkedIn merger and Google/DoubleClick mergers respectively set the foundations of incorporating privacy within competition law. CCI’s recognition of privacy as a non-price parameter is an important step in the Internet of Things era. Recognition of non-price parameters such as privacy and service quality acknowledges the limitations of conventional competition law in zero-pricing models. CCI’s recognition comes at an appropriate time as several data-driven mergers and vertical convergence are rapidly proliferating.

However, the instant case raises some questions that have interested competition law circles for a while. First,section 4 of the Act, as it stands today, encompasses expost-facto analysis. This means that to successfully argue a section 4 case, the informant has to establish that a tangible abuse has already taken place. The informant has to furnish evidence to prove that the other party abused its dominance.[1] However, the order has expressed concerns about the anti-competitive effects that the data collection may have on the relevant market without establishing a tangible abuse (Para 30-33). This may lead to a premature finding of abuse of dominance under the existing framework. It remains to be seen how CCI would alter the evidentiary standard to accommodate such instances. Interestingly, several antitrust agencies including the EU, Netherlands, and Germany are exploring the possibility of introducing ex-ante measures in the digital market, since an ex-post-facto assessments of digital gatekeepers can be too slow and antitrust agencies often lack the toolbox to reverse the harms that have been inflicted already.

Second, WhatsApp has clarified that the privacy updates do not concern personal accounts but only the business accounts. Assuming that this fact-in-issue remains undisputed, then the CCI’s next bottleneck would be to propose the perfect remedy. It is to be noted that in the German Facebook case, Bundeskartellamt referred to the General Data Protection Regulation (GDPR) in copious detail. In evaluating the data collection standards and asserting the privacy rights of the users, the decision kept going back to the GDPR to ensure compliance. Moreover, an antitrust remedy has to be congruent with data protection law in such cases, otherwise, they may not have significant impact. Given that the Personal Data Protection Bill, 2019 is still dormant, an evaluation of whether the remedies proposed under the Act are compliant with data protection and privacy standards may be difficult. CCI’s endeavour to explore the antitrust threads in the privacy regime is most certainly laudable and arguably puts CCI on tier-1 of global antitrust agencies, for only a few jurisdictions have explored the conflation of these regimes. However, it remains to be seen what remedies the CCI may propose in the instant case.

P.S: WhatsApp and Facebook have approached the Delhi High Court assailing the CCI order. The matter is currently pending adjudication.

Raghav Harini N

[1] Board of Control for Cricket in India v. CCI, COMPAT, Appeal No. 17 of 2013; reaffirmed in Harshita Chawla v. WhatsApp Inc, CCI Case No. 15 of 2020.

About the author

1 comment


Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Top Posts & Pages


Recent Comments


web analytics

Social Media