This post examines the CCI’s decision in light of the global trend of mooting an integrationist approach between data privacy and competition concerns in digital economies where business models are based on collecting and processing users’ data for maintaining their dominance in the multi-sided digital markets. The first section of the post explores the challenges raised against CCI’s jurisdiction to decide privacy violations. The second section highlights the key findings of the NCLAT and the CCI order. The third section examines concerns regarding the integrationist approach while arguing for broader engagement within the realms of privacy protection and competition law enforcement to adapt to the needs of a dynamic digital economy.
Jurisdictional Challenges
Meta and WhatsApp challenged the CCI’s jurisdiction to examine the updated privacy policy on several basis, including the pending litigation in Karmanya Singh Sareen v. Union of India before the NCLAT. However, the NCLAT upheld the Supreme Court’s decision regarding the CCI’s prima facie jurisdiction to investigate any violation of the Competition Act, 2002 due to internal data sharing between platforms of the same ecosystem. The CCI could exercise jurisdiction in the matter irrespective of the pending litigation because the legal interests sought to be protected in both proceedings were different. While the Court was examining the detrimental effects of the updated policy on users’ privacy rights, the CCI would investigate the competition harm due to the large-scale collection and processing of user data, which is a core economic asset in the digital economy.
Key Findings in the Order
Market power in the digital economy is dependent on a platform’s capacity to process and aggregate users’ data collected by tracking their online behaviour for creating profiles, which can be used to provide personalized and targeted ads. This enhances the value of the platform for businesses that seek to increase their profits by attracting and converting more leads into sales outcomes. It is lucrative for a new user to join a platform with a higher base of existing users as compared to its competitors due to ease of communication, thereby creating a lock-in effect for consumers and businesses and entry barriers for competitors in the market.
Integrating Privacy and Data Protection with Antitrust Laws
Hence, competition authorities may account for non-price public policy considerations when determining whether a dominant entity’s conduct impedes competition on that specific parameter to ensure consumer protection. The CCI’s decision along with its previous Market Study on the Telecom Sector in India, where it recognized privacy as an important non-price parameter to evaluate competition harm, highlights the adoption of this integrationist approach in the Indian context. This approach is favourable because a degradation in the privacy protection standard can result in exploitative harm for consumers. Vaguely defined privacy policies conceal the harmful consequences of broad data collection – that users may not be aware about. This data can be used beyond the reasonable expectations they had while consenting to such collection. The framing of privacy policy in one market that permits the bundling of user data across all services in unrelated markets also dilutes the protection afforded to users’ personal data. Additionally, the insurmountable data advantage with the dominant incumbents due to the special features of the digital economy based on data creates exclusionary harm by reducing the ease of entry and competition.
Challenges to the Integrationist Approach
The EU’s Digital Markets Act and the Indian draft Digital Competition Bill 2024 provide an ex-ante regulatory framework for digital markets to prevent the market from tipping in favour of the dominant digital enterprises, unlike the ex-post regulation in traditional markets. They provide for the consideration of data collection, processing, sharing and privacy concerns while evaluating anti-competitive behaviour. Several concerns have been highlighted regarding this approach.
The jurisdiction of competition authorities to examine privacy concerns while investigating antitrust violations has been challenged because privacy protection is usually regulated by dedicated data protection authorities. Concerns have been voiced against the possibility of parallel proceedings before the competition law and the data protection authorities and liability arising from the same cause of action, i.e. privacy violation. However, the legal interest safeguarded by these parallel proceedings is different- promoting competition and consumer welfare for the former and protecting personal data and privacy in the latter. Therefore, simultaneous proceedings can be permitted as decided by the SC to protect the CCI’s jurisdiction in examining the present case.
Further, data protection can be used as a pretext for anti-competitive conduct by the dominant entities as they can refuse to share datasets comprising necessary inputs for rivals to compete in the market while sharing with other platforms belonging to the same ecosystem. This discriminatory self-preferencing provides the dominant entities with a comparative advantage over their rivals while claiming to protect user privacy, as evident in the French experience in the Apple App Tracking Transparency case.
Way Forward
The current stance of the European competition law authorities as highlighted in the CJEU’s Bundeskartellamt judgement supports the contextual and ad-hoc assessment of a company’s access to its users’ personal data for providing services integral to the purpose of the contract. The NCLAT’s decision to stay the ban on sharing data for advertisement purposes owing to concerns regarding commercial viability of WhatsApp’s free business model may trivialize the competition and privacy concerns arising from accumulation of data based on coercive terms. An integrationist approach towards these concerns provides the opportunity to engage in evidence-based decision-making by adopting a nuanced and case-specific analysis where failure to comply with the mandated privacy standards may be a crucial though not the only indicator of antitrust harm. The separationist approach is not feasible in the evolving digital economy where data is emerging as a significant non-price competition parameter. Concerns regarding the possibility of contradictory outcomes in adopting the integrated approach can be resolved by broader engagement between authorities in monitoring the effects of the policies followed by the dominant entities on these fronts and providing separate remedies for specific breaches. Further research about the consequences of such an integrated approach is required before enacting the same as part of the legislative policy to avoid any repercussions for economic growth prospects.
– Andaleeb Haider