• CCL NLUO

CCI Trying to Broaden its Ambit: Data Protection under Competition Law?



Author: Umang Motiyani


5th year student at ILS Law College, Pune




I. Introduction


The Competition Commission of India ("CCI") is responsible for the enforcement of competition law in India. Established under the Competition Act, 2002 ("the Act"), CCI has a responsibility to prevent any practice that will have an appreciable adverse effect on the competition in a given market.


Initially, the enforcement and objective of the Act were restricted to price-based advantages while assessing anti-competitive agreements, abuse of dominant position, or mergers and acquisitions. However, with the evolving inter-relations between competition and other laws such as technology and data privacy, the line marking CCI’s jurisdiction has been re-drawn time and again. In this article, the author will focus on CCI’s jurisdiction with respect to data protection and privacy concerns, especially revolving around changes in the WhatsApp Inc. ("WhatsApp") privacy policy case.


II. Vinod Kumar Gupta v WhatsApp


After being acquired by Facebook Inc. ("Facebook") in 2014, WhatsApp introduced many changes to its privacy policy via public announcement in 2016. To continue availing services of WhatsApp, users had to share their account details and other information with Facebook. The first case against WhatsApp’s privacy policy in India was filed by Vinod Kumar Gupta under Section 19(1)(a) of the Act in 2017, alleging those changes violated Section 4 of the Act.


In this case, the CCI concluded that "the market for instant messaging services using consumer communication apps through smartphones in India" was the relevant market. The complaint alleged that WhatsApp was abusing its dominant position in the relevant market by compelling users to share their account details and other information with Facebook, claiming it would result in better and improved online advertisement and product experiences available on user’s Facebook pages.


However, in this case, the CCI issued an order against any prima facie case of contravention of provisions of Section 4 of the Act since a 30 days opt-out period was granted to users who did not wish to share their data with Facebook. The order also concluded that infringement of a right to privacy or breach of the Information Technology Act, 2000 (“IT Act”) does not fall within the jurisdiction of the CCI.


III. CCI’s Suo Moto Case


In January 2021, WhatsApp again revised its terms of services and privacy policy relating to messaging between businesses and their customers on WhatsApp. However, the policy promised that the users’ privacy was not being compromised as personal conversations were still protected by end-to-end encryption. The new condition mandates that the user can continue to use WhatsApp messaging services only by agreeing to the changed conditions of allowing data sharing between WhatsApp and Facebook. If the user did not agree, they could delete their account completely and not be allowed to use the platform.


Unlike the previous case where an option was given, this mandatory acceptance and imposition of the “take-it-or-leave-it” condition raised concerns in stakeholders using WhatsApp on daily basis. The CCI observed that ‘in a data-driven ecosystem’, unreasonable data collection and its sharing may grant undue advantage to dominant players in the market. Where the breach of the IT Act provisions did not fall under the ambit of CCI, any act leading to exploitative and exclusionary effects can be subject to investigation under competition law. Thus, the CCI took suo moto cognizance of the revised privacy policy and issued an order under Section 26(1) for a detailed investigation by the Director-General and directed to submit an investigation report within 60 days.


IV. International Perspective


A. European Union


The WhatsApp-Facebook privacy policy issue is not a fresh issue globally. The European Commission ("EC"), in 2014, approved the acquisition of WhatsApp by Facebook for a purchase price of USD 19 billion. Post-acquisition, WhatsApp was successfully merged as a wholly-owned subsidiary of Facebook. The EC recognised that privacy-related concerns flowing from the increased concentration of data due to the proposed acquisition did not fall under the ambit of competition law but under data protection rules. A similar approach was affirmed in the Microsoft/LinkedIn case, where the privacy issue was analysed under the General Data Protection Regulation ("GDPR"), EU’s data protection regime which has established one single set of rules for companies processing personal data.


However, in 2016, when WhatsApp announced changes in its privacy policy to share user data, including phone numbers, with Facebook, it led to widespread condemnation. The changes made were in contravention to information Facebook had filed with the EC under Article 4 and response filed under Article 11(2) of EC Merger Regulations. Hence, in 2017, a total fine of EUR 110 million was levied on Facebook. But the fine was only to address contraventions under EC Merger Regulations and not against the privacy concerns. Facebook was prohibited from collecting data from WhatsApp by the European data protection authorities under the GDPR instead.


Additionally, in February 2019, Germany’s Federal Cartel Office ("FCO") issued a decision against Facebook for abusing its dominant position in the market of social networking platforms. The FCO observed that Facebook was collecting user’s data from their wholly-owned companies (like WhatsApp and Instagram) and other third-party sources, as a mandatory condition to use its platform. Thus, Facebook was prohibited from combining any user data without voluntary consent from the FCO that would help them create a unique database and gain further market power.


The FCO’s approach, where they recognised data as an asset, was questioned by the national court following an appeal by Facebook. The court rejected the notion that violation of data protection law can automatically entail a violation of competition law. It recognised that, despite an attempt to deal with concerns of growing digital market problems, the FCO’s competence did not include data protection.


B. The United States


The tech giant has also faced charges by the US Federal Trade Commission ("FTC"), for deceiving users about their ability to control the privacy of their personal information. Facebook was charged the highest-ever penalty imposed on any company – USD 5 billion for violating consumers’ privacy. This was one of the largest penalties for any violation assessed by the US government. The order imposed restrictions on Facebook’s business operations and required them to restructure their privacy policy. The penalty was imposed for a violation of FTC’s 2012 settlement order with Facebook which required them to maintain a reasonable privacy program that safeguards user information. Thus, the penalty levied on Facebook is related to a breach of consumer privacy rules as well as explicit promises made to consumers, and not competition law.


V. Critical Analysis


Although one cannot deny the anti-competitive aspects of the collection of data by dominant players of the market, a distinction between privacy and competition laws must be observed. Similar to EU and US conclusions, competition laws cannot be applied where it relates to secondary criteria. As discussed by the Supreme Court of India in CCI vs Bharti Airtel Limited and Others, the agency with primary jurisdiction should regulate matters.


Since the CCI has introduced the importance of non-price factors (like privacy) driving competition in its recently released report on “Market Study on the Telecom Sector in India” the overlap with other laws will increase. However, if a non-competition regulatory authority with specialised jurisdiction can solve the problem of anti-competitive practice as well, the CCI should take a back seat. Here, inspiration can be taken from EU’s Four Vs’– variety of data, velocity at which the data is collected, volume and value of the data collected – a qualitative rather than quantitative approach. This approach helps to examine whether the data sets have the potential to create an undue advantage for the entities acquiring them.


VI. Conclusion


In the growing digital communications market, which primarily expands on data aggregation, the CCI can conclude that the dominant player in the market should not be allowed to deprive the consumer of the right to ‘freely consent’ to the use of their data. It can prevent discriminatory access to accumulated data, especially by major market players, which can raise concerns of barriers against new entrants or even existing rivals in the market, and hinder their reach to consumers. Accordingly, the CCI will be able to analyse whether there is an appreciable adverse effect on the competition in a given market.


Thus, we conclude that competition law in India covers privacy concerns along with the impact of dominant players in maintaining competitive markets, especially for technology and data-intensive companies.



0 comments