CCI VS. DPA: The Impending Conflict
Krimul Malhotra and Anchit Nayyar
2 Sept 2021 2:45 PM IST
On January 4, 2021, WhatsApp revamped its Termsand Services of Privacy Policy ("Privacy Policy") by virtue of which, users were required to mandatorily accept the terms pertaining to the sharing of their data with Facebook. The update has subsequently been challenged vide a writ petition before the Delhi High Court seeking to restrain WhatsApp from implementing its...
On January 4, 2021, WhatsApp revamped its Termsand Services of Privacy Policy ("Privacy Policy") by virtue of which, users were required to mandatorily accept the terms pertaining to the sharing of their data with Facebook. The update has subsequently been challenged vide a writ petition before the Delhi High Court seeking to restrain WhatsApp from implementing its update.
Meanwhile, the Competition Commission of India ("CCI") took suo motu cognizance of the matter and passed an order under Section 26(1) of the Competition Act, 2002 ("the Act") ordering investigation into the same. When this order was challenged before the Court in the case of WhatsApp Inc. v. CCI,("WhatsApp case") it upheld the CCI's findings and dismissed the petition.
On the other hand, the Personal Data Protection Bill, 2019 ("PDP Bill") is currently underway and seeks to establish the Data Protection Authority ("DPA") in order to specifically address the issues of Data Protection. This article seeks to analyse the significance of these proceedings before the CCI and the Delhi High Court, and its jurisdictional implications on India's yet to emerge data protection regime.
Status Quo Of Data Protection Laws In India
Unlike the European Union, India does not have a specific legislation to govern data protection. India's current data protection regime is governed by the Information Technology Act, 2000 ("IT Act") and the IT(Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011,which only require corporates to adopt practices to safeguard users' sensitive data, without providing any recognition to a user's right to privacy.
This lacuna was felt by the Apex Court in the case of KS Puttaswamy v. Union of India, wherein it held Right to Privacy to be a fundamental right under Article 21 of the Indian Constitution. It categorized 'informational privacy' as an important facet of the right and called upon the Central Government to enact a comprehensive legislative framework to govern data protection in India.
Thereafter, the PDP Bill was introduced in the Parliament in 2018 to kickstart India's data protection regime. Three years later, however, the Bill is still being analyzed by a Joint Parliamentary Committee with no end in sight.
Judicial Approach On The Interface Between Privacy And Competition Law
From a theoretical perspective, privacy and competition laws have different aims and objectives. Competition law seeks to ensure free and fair competition in the market by sanctioning anticompetitive conduct of undertakings in the market. Privacy laws, on the other hand, aim to safeguard a person's right to protection of personal data without restricting its free and legitimate movement in the economy. The increasing significance of processing of big data in today's economy has, however, blurred the theoretical lines of distinction between privacy and competition laws.
The jurisprudence on the interface between privacy and competition laws, while still at its nascent stage in India, is fairly developed in other mature antitrust jurisdictions, with different approaches being adopted by regulators for different types of conduct.
I.Exploitative Abuse
Exploitative abuse refers to conduct whereby a dominant undertaking abuses its market power to exploit its trading partners (including customers).[1] Exploitative abuses involving a user's personal data raise substantial overlaps with data protection legislations.
The issue first arose before the European Commission ("EC") in the case of Asnef-Equifaxv. Asociación de Usuarios de Servicios Bancarios ,wherein the CJEU held that issues relating to sensitivity of personal data are not within the ambit of competition laws. A similar approach was taken by the EC in Facebook/WhatsApp,
The German Antitrust Authority, Bundeskartellampt, however, while dealing with Facebook's data collection and privacy policies in 2019, sought to bring exploitative privacy policy of mandating within its antitrust scrutiny. The same was reversed by the Higher Court of Dusseldorf on merits, holding that the Bundeskartellampt acted ultra vires by basing its decision not on competition law but on data protection law. The matter has now been referred to the CJEU for final determination.
II.Exclusionary Abuse
Exclusionary abuse include conduct where a dominant undertaking abuses its market power to impair effective competition by foreclosing its competitors in an anti-competitive manner, thereby adversely affecting consumer welfare.[2]
Unlike exploitative conduct, antitrust authorities have been more amenable to theories of exclusionary harm involving user data. Both the Federal Trade Commission in Google/DoubleClick, as well as the EC in Microsoft/LinkedIn and Vodafone/Certain Liberty GlobalAssets have recognised aggregation of user data as a competition concern, and analysed various combinations from the angle of data backed market power.
III.CCI's Past Decisional Practice
Like its foreign counterparts, the CCI, prior to the current investigation, has typically refrained from bringing exploitative privacy related issues under the Act.
In Vinod Kumar Gupta v. WhatsApp Inc., the CCI held that privacy related implications arising from a change in WhatsApp's erstwhile Privacy Policy were not within the ambit of its jurisdiction, given the 'opt-out' option given by WhatsApp to its users. It further recused itself from data protection matters, which in its opinion could be adjudicated under the IT Act. Observations to a similar effect were also made in the more recent cases of XYZ v. Google and Harshita Chawla v. WhatsApp Inc., wherein the CCI refused to adjudicate upon data localisation and security issues, citing a lack of competition concerns therein.
The Commission however has been more amenable towards data related exclusionary abuses. For instance, in Jaadhu Holdings/Jio Platforms, , while dealing with the issues of potential data sharing between Facebook and Reliance Jio, the CCI held that combinations between parties which have access to user data can be assessed through the parameters of 'data backed market power'. Similarly, in XYZ v. Google, the CCI ordered investigation into the practice of Google collecting user data from the Play Store, while not providing access to the same to app developers.
A significant development was noticed in the CCI's Market Study on the TelecomSector in India. The CCI, in the study, extended the scope of competition analysis to issues relating to consumer's free consent with respect to a dominant undertaking's privacy policies. It noted that privacy can take the form of non-price competition and lowering privacy protection can amount to an abuse of dominance. It further stated that the antitrust framework can sufficiently address both exploitative and exclusionary behaviour arising out of privacy standards of dominant undertakings.
The Case Of WhatsApp V. CCI
This context aids one in understanding the approach adopted by the CCI in taking suo motu cognizance of WhatsApp's new privacy policy. In response to WhatsApp's objections pertaining to the privacy policy falling within the contours of the IT Act, the CCI held
"In digital markets, unreasonable data collection and sharing thereof, may grant competitive advantage to the dominant players and may result in exploitative as well as exclusionary effects, which is a subject matter of examination under competition law."
The CCI noted that WhatsApp's conduct of sharing its users' personal data lacked a transparent and specific consent and exceeded the legitimate expectations of its users. While holding the same to be a degradation of non-price parameters of competition, it held WhatsApp's conduct to be in the nature of imposition of unfair terms and conditions in violation of Section 4(2)(a)(i) of the Act. The same would also allow WhatsApp to leverage its dominant position in other neighbouring or unrelated markets such as those for display advertising, thereby creating entry barriers in the market in violation of Section 4(2)(c) and (e) of the Act.
The order was subsequently challenged vide a writ petition before the Delhi High Court. WhatsApp's main submissions pertained to the pending petitions in relation to the matter, depriving the CCI of jurisdiction in the matter. The court rejected these contentions and upheld the jurisdiction of CCI to form a prima facie opinion and direct investigation despite such pendency.
However, the Court went a step further when it cited the CCI's conclusions on matters of data-sharing amounting to degradation of non-price parameters of competition. It noted that these issues cannot be said to be outside the ambit of the Competition Act. The High Court's observations thus bring up key questions regarding the potential jurisdictional overlap between the DPA and the CCI.
The Impending Conflict
While the High Court's decision and the CCI's approach may not ignite possibilities of conflict in the current legal landscape, problems may arise when the PDP Bill is enforced. The issue of segregating whether the matter is purely a privacy issue inviting the jurisdiction of the DPA or one where privacy acts a 'non-price' parameter, thereby allowing the CCI to assume jurisdiction is inevitable.
Legislative Overlaps
The provisions of the PDP Bill inter alia apply to the processing of personal data of the data principal (person whose data is being processed) by the data fiduciaries (entity collecting such data) or data processors. Section 5 of the Bill obligates the data fiduciary to process the data in a fair and reasonable manner and for the purpose which the data principal could have reasonably expected for. Further, Section 6 places an embargo on the excessive collection of data stating that the same shall only be collected to the extent necessary for the processing of such personal data.
Further, Section 11 of the Bill provides for a mandatory user consent before their personal data can be collected and processed. Such consent must be free, informed and capable of being withdrawn. It further states that the provision of goods or services should not be conditional on such consent. The Bill also authorizes the DPA to take correctional measures which inter alia include issuing cease-and-desist orders, imposing penalties and providing compensation.
The inherent overlap in CCI's approach with the aforementioned provisions is already apparent in its findings in the WhatsApp case. The CCI in its prima facie order observed,
"the conduct of WhatsApp in sharing of users' personalised data with other Facebook Companies, in a manner that is neither fully transparent nor based on voluntary and specific user consent, appears prima facie unfair to users. The purpose of such sharing appears to be beyond users' reasonable and legitimate expectations regarding quality, security and other relevant aspects of the service for which they register on WhatsApp."
It is however, clear that the mandate to adjudicate upon the fairness of the consent obtained and the legitimate expectations of the users with respect to the purposes of the data collection, lies with the DPA under the PDP Bill.
The CCI had further concluded that the data collection envisaged by the privacy policy was expansive and disproportionate in light of its 'take-it-or-leave-it' nature. This is essentially within the purview of the requirement of consent and the consent-based conditionality governed by the PDP Bill. CCI's order also touches upon issues of vagueness and the absence of informed consent. Therefore, the current approach of conferring jurisdiction to the CCI, which is gaining precedential strength, is clearly at potential loggerheads with the direction in which our data jurisprudence is headed.
Judicial Approach
In the case of CCI v. Bharti Airtel ("Bharti Airtel") while dealing with the issue of overlapping jurisdiction between the Telecom Regulatory Authority of India ("TRAI") and the CCI, the Supreme Court held that while CCI's jurisdiction is not completely ousted by the mere presence of a sectoral regulator, such sector specific regulators would have the first say over common jurisdictional facts. The underlying rationale was explained as below:
"…..there may be a possibility that the two authorities, namely, TRAI on the one hand and the CCI on the other, arrive at a conflicting view. Such a situation needs to be avoided."
The scope of Bharti Airtel has however been withered down by the Delhi HC in its ruling in Monsanto Holdings v. CCI, and more recently by the Karnataka HC in Amazon Inc. v. CCI, wherein both the Courts held that the jurisdictional scheme envisaged in Bharti Airtel applies only in case of a sectoral regulator, and not, as was argued, with any and all quasi-judicial bodies.
Given the similarity in the nature of issues to be addressed by the DPA and the CCI, a situation of perverse judicial findings by both authorities may arise. For instance, if after the enactment of the PDP Bill, WhatsApp introduces a new policy update which raises concerns pertaining to the fairness of consent obtained, if the party raising such allegations were to approach both the CCI and the DPA, both would be legally empowered to analyse the fairness of such consent. In a likely scenario, where both authorities arrive at conflicting decision, it would then be complex to ascertain whose decision will prevail.
Therefore, the enforcement of the Data Protection Bill would entail this exact situation of conflicting decisions and duplicity of proceedings that the Supreme Court intended to prevent.
Ambiguity Regarding Concurrency In The Extant Legislations
The judicial and legislative framework in India necessitate the demarcation of segregated jurisdictional boundaries for both the CCI and the DPA. Currently, such harmonization can be legislatively effectuated only through the consultation mechanism set forth in Sections 21 and 21 A of the Act and Section 56 of the PDP Bill.
Section 21A of the Act states that if during the course of proceedings before the CCI, it is asked to render a decision on an issue which is governed by a statutory authority, it 'may' make a reference to such authority. The discretionary nature of the CCI's obligation was highlighted by the Delhi High Court in the case of Erricsson v. CCI ("Ericsson") as well as in the more recent judgment of Monsanto Holdings.
However, the mandate under Section 56 of the PDP Bill is such that if the DPA is called upon to adjudicate upon a matter wherein another authority may have concurrent jurisdiction, it 'shall' consult such regulator.
Therefore, while the CCI is not obligated to consult the DPA given the recommendatory nature of its legislation, the DPA is obligated to make such consultations. In a scenario where a case involving jurisdictional facts that could have appropriately been addressed by the DPA, is brought before the CCI, it can proceed without any impediments, thereby completely ousting the jurisdiction of the DPA. This is further accentuated by the Delhi HC's ruling in Ericsson, wherein the Court held that in case of simultaneous proceedings before the CCI and another quasi-judicial body, an adjudication by any of the two authorities on a common jurisdictional fact would be binding on the other.
However, the DPA while dealing with the privacy policies that have implications on competition in the market would be bound to consult the CCI since privacy has been legally recognized as a non-price parameter of competition. Therefore, despite there being a specialised statutory body to address the issues of data protection, the legislative and precedential supremacy offered to the CCI will make the former effectively redundant.
The Way Forward
While privacy issues may raise competition concerns, the CCI's current investigation and the Delhi HC's judgment is moving India's data privacy jurisprudence in a 'CCI first' direction. While the facts before the High Court did not yet warrant a stop on CCI's investigation, they also highlight the need for an effective consultation and concurrency mechanism within Indian legislations.
The consultation mechanism envisaged in the PDP Bill is clearly a step in the right direction. While it is likely that the CCI would like to enter into MoUs with the DPA to avoid jurisdictional clashes, leaving far reaching policy concerns to absolute discretion of administrative officials is the hallmark of a bad legislation. The authors thus suggest that Section 21A of the Competition Act should be amended by replacing the word 'may' with the word 'shall' to make consultation mandatory for the CCI.
Further, the Parliament should also consider enacting a set of regulations to aid regulators to enter into jurisdictional MoUs. For instance, in the UK, the Competition Act (Concurrency) Regulations, 2014 provides a robust legislative framework to assist the Competition and Markets Authority enter into MoUs with other statutory bodies, and also provides for an adjudicatory mechanism in case of deadlocks in negotiations. A similar framework should also be established in India.
While the progress with the PDP Bill is unfortunate, it will also be welcomed by CCI's 'first-mover advantage' when it finally sees the light of day. It thus becomes imperative that the Government addresses these recent developments when it enacts India's much awaited privacy legislation.