Decoding CCI’s Integrationist Stance: Unpacking the WhatsApp Privacy Policy Saga

[Andaleeb Haider is a 2^nd year B.A. LL.B (Hons.) student at National Academy of Legal Studies and Research (NALSAR) University of Law, Hyderabad]

Recently, the National Company Law Appellate Tribunal (NCLAT) stayed the five-year ban imposed by the Competition Commission of India (CCI) on WhatsApp Inc. from sharing its users’ data with Meta Platforms for advertising purposes.  The CCI had imposed the ban to prevent Meta from deriving anti-competitive advantages against its rivals in the digital advertising market by accessing the personal data of WhatsApp users for targeted advertising. A monetary penalty worth Rs. 213.14 crore was levied on Meta and WhatsApp for abusing their dominant position in the market due to the take-it-or-leave-it nature of its 2021 privacy policy update.

This post examines the CCI’s decision in light of the global trend of mooting an integrationist approach between data privacy and competition concerns in digital economies where business models are based on collecting and processing users’ data for maintaining their dominance in the multi-sided digital markets. The first section of the post explores the challenges raised against CCI’s jurisdiction to decide privacy violations. The second section highlights the key findings of the NCLAT and the CCI order. The third section examines concerns regarding the integrationist approach while arguing for broader engagement within the realms of privacy protection and competition law enforcement to adapt to the needs of a dynamic digital economy.

Jurisdictional Challenges

Meta and WhatsApp challenged the CCI’s jurisdiction to examine the updated privacy policy on several basis, including the pending litigation in Karmanya Singh Sareen v. Union of India before the NCLAT. However, the NCLAT upheld the Supreme Court’s decision regarding the CCI’s prima facie jurisdiction to investigate any violation of the Competition Act, 2002 due to internal data sharing between platforms of the same ecosystem. The CCI could exercise jurisdiction in the matter irrespective of the pending litigation because the legal interests sought to be protected in both proceedings were different. While the Court was examining the detrimental effects of the updated policy on users’ privacy rights, the CCI would investigate the competition harm due to the large-scale collection and processing of user data, which is a core economic asset in the digital economy.

Key Findings in the Order

The CCI imposed the penalty after finding that WhatsApp imposed unfair conditions on the users and violated Section 4(2)(a)(i) of the Competition Act by mandating them to accept the enlarged and vague scope of data sharing with other Meta companies for advertising and other purposes in its updated policy. It created the impression that users who did not accept the update would lose access to the communication services provided by WhatsApp, which infused a sense of urgency and coercion to agree to the updated terms. This behaviour can create impediments for new entrants resulting in denial of market access in the online display advertising market in contravention of Section 4(2)(c) of the Competition Act. Additionally, Meta violated Section 4(2)(e) of the Competition Act by leveraging its dominant position in the over-the-top (OTT) messaging apps market to strengthen its position in the online display advertising markets by vertical integration of data across the ecosystem. Additionally, it banned WhatsApp from sharing data with Meta for advertising purposes for a period of five years to prevent the ecosystem from gaining an unfair advantage over their rivals.

Market power in the digital economy is dependent on a platform’s capacity to process and aggregate users’ data collected by tracking their online behaviour for creating profiles, which can be used to provide personalized and targeted ads. This enhances the value of the platform for businesses that seek to increase their profits by attracting and converting more leads into sales outcomes. It is lucrative for a new user to join a platform with a higher base of existing users as compared to its competitors due to   ease of communication, thereby creating a lock-in effect for consumers and businesses and entry barriers for competitors in the market.

The NCLAT in its order stayed this instruction of banning data sharing for advertising purposes, hence giving primacy to the commercial viability of the free business model adopted by WhatsApp instead of data protection concerns due to the vague scope of the privacy policy and competition concerns highlighted in the CCI order.  Additionally, the NCLAT has partially stayed the CCI’s direction for depositing the remaining fine subject to Meta and WhatsApp submitting a cumulative 50% of the amount within two weeks from the date of the order. It has not interfered with the CCI’s instructions to inform users regarding the purpose for collection of data other than providing WhatsApp communication services and giving users the choice to manage and opt-out of such data sharing along with the option to review and modify their choices. The order can be modified subject to enforcement of the Digital Personal Data Protection Act 2023 (DPDPA) to regulate the privacy concerns, hence the CCI’s jurisdiction on privacy concerns is not yet final.

Integrating Privacy and Data Protection with Antitrust Laws

Competition law aims to foster competition on the merits (factors including price, innovation, etc.) in the market, enabling users to exercise a real choice and protect consumer welfare. As data is the price for free services in the digital economy, non-price factors such as quality should be considered to determine consumer harm in the zero-price digital markets. Privacy is being recognized as a measure of quality and an appropriate factor in investigating antitrust violations. This integrationist approach is exemplified in the recent Court of Justice of the European Union (CJEU) decision in Meta v. Bundeskartellamt. The CJEU decided that compliance with the General Data Protection Rules (GDPR) can be considered to determine whether a dominant entity has abused its position in the market by imposing unfair conditions on users which can potentially harm their privacy. The CJEU has strictly interpreted the standard for processing personal data under the GDPR and permitted it only if it is objectively indispensable for a purpose integral to the contractual obligation of providing users with the relevant service. The CJEU found that processing the data for providing users with personalized content is not necessary for facilitating social networking and communication. The CCI in the present case has followed a similar approach by emphasizing the competition harms associated with processing data for providing personalized content while considering the degraded level of privacy protection as an incidental factor.

Hence, competition authorities may account for non-price public policy considerations when determining whether a dominant entity’s conduct impedes competition on that specific parameter to ensure consumer protection. The CCI’s decision along with its previous Market Study on the Telecom Sector in India, where it recognized privacy as an important non-price parameter to evaluate competition harm, highlights the adoption of this integrationist approach in the Indian context.  This approach is favourable because a degradation in the privacy protection standard can result in exploitative harm for consumers. Vaguely defined privacy policies conceal the harmful consequences of broad data collection – that users may not be aware about. This data can be used beyond the reasonable expectations they had while consenting to such collection. The framing of privacy policy in one market that permits the bundling of user data across all services in unrelated markets also dilutes the protection afforded to users’ personal data. Additionally, the insurmountable data advantage with the dominant incumbents due to the special features of the digital economy based on data creates exclusionary harm by reducing the ease of entry and competition.

Challenges to the Integrationist Approach

The EU’s Digital Markets Act and the Indian draft Digital Competition Bill 2024 provide an ex-ante regulatory framework for digital markets to prevent the market from tipping in favour of the dominant digital enterprises, unlike the ex-post regulation in traditional markets. They provide for the consideration of data collection, processing, sharing and privacy concerns while evaluating anti-competitive behaviour. Several concerns have been highlighted regarding this approach.

The jurisdiction of competition authorities to examine privacy concerns while investigating antitrust violations has been challenged because privacy protection is usually regulated by dedicated data protection authorities. Concerns have been voiced against the possibility of parallel proceedings before the competition law and the data protection authorities and liability arising from the same cause of action, i.e. privacy violation. However, the legal interest safeguarded by these parallel proceedings is different- promoting competition and consumer welfare for the former and protecting personal data and privacy in the latter. Therefore, simultaneous proceedings can be permitted as decided by the SC to protect the CCI’s jurisdiction in examining the present case.

Further, data protection can be used as a pretext for anti-competitive conduct by the dominant entities as they can refuse to share datasets comprising necessary inputs for rivals to compete in the market while sharing with other platforms belonging to the same ecosystem. This discriminatory self-preferencing provides the dominant entities with a comparative advantage over their rivals while claiming to protect user privacy, as evident in the  French experience in the Apple App Tracking Transparency case.

Way Forward

The current stance of the European competition law authorities as highlighted in the CJEU’s Bundeskartellamt judgement supports the contextual and ad-hoc assessment of a company’s access to its users’ personal data for providing services integral to the purpose of the contract. The NCLAT’s decision to stay the ban on sharing data for advertisement purposes owing to concerns regarding commercial viability of WhatsApp’s free business model may trivialize the competition and privacy concerns arising from accumulation of data based on coercive terms. An integrationist approach towards these concerns provides the opportunity to engage in evidence-based decision-making by adopting a nuanced and case-specific analysis where failure to comply with the mandated privacy standards may be a crucial though not the only indicator of antitrust harm. The separationist approach is not feasible in the evolving digital economy where data is emerging as a significant non-price competition parameter. Concerns regarding the possibility of contradictory outcomes in adopting the integrated approach can be resolved by broader engagement between authorities in monitoring the effects of the policies followed by the dominant entities on these fronts and providing separate remedies for specific breaches. Further research about the consequences of such an integrated approach is required before enacting the same as part of the legislative policy to avoid any repercussions for economic growth prospects.

– Andaleeb Haider