INTERSECTION OF PRIVACY AND COMPETITION LAW

BACKGROUND

The term “data” refers to discrete bits of information that typically are prepared and kept according to their intended purposes and it has relevant value on further processing through various algorithms. There are many forms of data, including numbers or words on paper, bits or bytes stored in electronic memory, or truths stored in the mind.[1] Privacy refers to an individual’s ability to control whether, the manner in which their personal information is shared with others. This personal information can include a person’s name, address, phone number, and online or offline conduct. Businesses use data protection practices to demonstrate their trustworthiness with their users and customers. A government agency data breach, for example, may allow hostile state access to top-secret information. An organization can experience a data breach that may expose confidential information to its competitors. In certain cases, individuals can also exercise their rights under privacy regulations, such as the right to be forgotten. Facebook, for example, has decided to keep $3 billion to $5 billion of its 2019 budget for investigations into several data breaches and data abuse incidents which are not a recommended measure to ensure the right to privacy of individuals.[2]

The privacy policy of WhatsApp was revised in January 2021. WhatsApp users will now have to agree to share their data with other Facebook firms to use the service. A user previously could refuse to accept this condition using WhatsApp. A suo motu action taken by the Competition Commission of India (CCI) to investigate WhatsApp’s unilateral modification in data privacy legislation for possible abuse of dominance sparked a debate regarding the applicability of competition law in the data privacy area. Privacy was identified as a nonprice variable by the CCI, which concluded that the concerned data-sharing practice jeopardizes consumer privacy and, as a result, may have anticompetitive effects. A key element of consideration was the potential for antitrust concerns in the future, which concerns the commercialization of personal data and the effects on competition and consumer welfare.[3] The discovery of anti-competitive implications is aided by the recognition that privacy is a competitive parameter. The CCI observed, for instance, that a dominant actor who acquires excessive amounts of data may gain a competitive advantage, resulting in exploitative or discriminatory practices.

Nevertheless, Competitors are forbidden from engaging in conduct that is detrimental to consumers, whereas consumers are guaranteed a reasonable expectation of privacy under data protection law entailing major mutually exclusive elements caught in crosshairs.

DATA PRIVACY PROTECTION IN INDIA

After two years of deliberations, discussions, invitation of public comments on the Personal Data Protection Bill, 2019 (PDP Bill), the Joint Parliamentary Committee released its long-awaited report to the Parliament of India on December 16, 2021, which is aimed to regulate the digital interface with strong law for data preservation.[4] The Supreme Court of India recognized privacy as a fundamental right in 2017. Currently, the Information Technology Act, 2000 (IT Act) contains two provisions to regulate improper disclosure of personal information: Section 43A of the IT Act requires the maintenance of “reasonable security practices and procedures” in relation to any “sensitive personal data or information” handled by a body corporate, and provides for compensation to the user for misuse of their personal data, and Section 72A of the IT Act imposes a penalty on a person who violates the IT Act’s provisions.[5] With the PDP Bill taking into enactment effect, these provisions of the IT Act, 2000 would be repealed thus enabling a comprehensive framework to govern the data breach issues in India.

ALLIANCE OF DATA PRIVACY AND COMPETITION LAW

In the “CCI Telecom Report“, the CCI identified overlaps between data privacy and competition laws. Data use is defined as non-price competition, which implies that data obtained by an organization can be used to give it a competitive edge over competitors. The CCI warned in a 2020 report that network effects caused by colossal bulk of data collected will allow corporations to compete without regard to pricing, which will create a party that takes all situations. The CCI asserted previously that data collection and processing is deployed by corporations like Facebook, which have the capability of gathering an immense proportion of data. According to the CCI’s WhatsApp Suo Moto Order, in a data-driven society, competition law needs to determine whether excessive data accumulation, use, or sharing on the part of such companies would have anticompetitive repercussions.

The data protection authority can, in theory, investigate ostensibly anticompetitive actions. Those data processing activities that the data principal may reasonably expect are outlined in Section 5 of the proposed PDP Bill, 2019.[6] WhatsApp Case, which presents a prima facie case under Section 4(2)(a)(i) of the Competition Act, found an illegitimate, non-specific, or involuntary gathering of user data to be inequitable to the end-users. The injury to consumers’ privacy has been found to have anticompetitive ramifications in India, which led to the merging of privacy review and antitrust law.

Citing a background of inclusion of the competition regulator into the data privacy concerns, the CCI declined to intervene in Vinod Kumar Gupta v. WhatsApp because the informant alleged that he violated information technology laws, not competition law. As further explained in Competition Commission of India v. Bharti Airtel, if a body is accredited, it will have secondary jurisdiction over matters regarding privacy.

The Competition Commission of India has attempted to resolve competition issues that have arisen as a result of corporations’ data dominance. To review and recommend changes to the Competition Act, the Indian government established the Competition Law Study Committee (CLRC), and the report was submitted in 2019. According to the CLRC Report, our markets have seen an emergence of more innovative and disruptive business and practice models that are not adequately regulated at present. CLRC decided that the definition of price included non-monetary considerations in the form of ‘data’ under section 2(o) of the Act, and it was inclusive and broad enough to encompass non-monetary considerations.

GLOBAL PERSPECTIVE

Regulators in Europe use privacy and antitrust laws, with the latter imposing regulations on why, how, and on what basis corporations can collect and disclose data (for example, transparency and consent requirements under GDPR or access and interoperability requirements under antitrust laws). A California state law approved in June 2018 established a private right of action for security breaches and potential statutory damages, similar to GDPR. The EC in the Google Search (Shopping) Case noted the importance of data network effects in establishing market dominance. As part of the EU’s review of the general search engine industry, the Commission acknowledged that Google has a strong position and profits from each data query to improve its performance. This results in attracting more customers, generating more data, and contributing to economies of scale. Due to this, new market entrants face higher barriers to entry, as well as established players who cannot match Google’s degree of data collection, processing, and functionality thus initiating an impediment in competition.

US government agencies have formed task teams to explore privacy and big data issues as a result of privacy, big data, and competition. Innovative businesses that wish to expand novel products or offer technology-based services may find it more difficult to succeed if privacy rights are protected through competition law. This may lead to fewer competitors in the market.[7] Federal Trade Commission (FTC) lawsuits have recently been filed against Facebook’s acquisition activities, stating that instead of charging for its services, Facebook takes consumer data. The information is then sold to marketers, who provide consumers with personalized content and advertisements.

CONCLUSION

WhatsApp has changed its privacy policies following its merger with Facebook. The Indian antitrust authority’s move toward achieving equilibrium between data protection and competitive fairness is a start in the right direction toward addressing the new issues raised by WhatsApp’s behavior. Antitrust theories and models are overwhelmingly focused on price. The quantification of non-price effects has long been seen as a difficult task for antitrust enforcement. The predicament of assessing privacy effects within competitive environments is further complicated by the need to convert privacy effects into monetary values. It is rather challenging to find established analytical methodologies, or even a defined set of viable options, to determine the extent or type of privacy-based consequences in antitrust research. Until well-established, trustworthy methods are developed for evaluating competition’s impact on privacy quality, incorporating privacy issues into competition legislation is plausible remains a challenge.

The three principles laid down in the Puttaswamy judgement i.e. proportionality, legality, and necessity should be adhered to to ensure personal data sharing is not squandered upon the whims and fancies of the corporate. Increasing numbers of nations have implemented data protection regulations that have had a substantial impact on data-driven business models. Consequently, consumer data rights play an increasingly significant dominance in determining consumer harm in mergers, abuses of power, and collusions. The digital economy in India continues to expand and conquer various domains rapidly, and intersectional issues are surfacing; a harmonious construction of both legislations and cooperation between both regulatory systems is therefore imperative in ensuring both privacy and competition nuances prevalent in India.

Author(s) Name: Aathira Pillai (University of Mumbai)

References:

[1] Beal, V., What is Data? (Webopedia) <https://www.webopedia.com/definitions/data/> accessed 7 March 2022.

[2] Data Privacy Manager, 5 things you need to know about Data Privacy – Data Privacy Manager <https://dataprivacymanager.net/5-things-you-need-to-know-about-data-privacy/> accessed 7 March 2022.

[3] Economic and Political Weekly, Data Privacy and Competition Law at the Crossroads <https://www.epw.in/journal/2021/39/commentary/data-privacy-and-competition-law-crossroads.html> accessed 7 March 2022.

[4]  Iapp.org., A look at proposed changes to India’s (Personal) Data Protection Bill <https://iapp.org/news/a/a-look-at-proposed-changes-to-indias-personal-data-protection-bill/> cccessed 8 March 2022.

[5] Mondaq.com., Data Protection And Competition Law: Developments And The Way Forward – Anti-trust/Competition Law  <https://www.mondaq.com/india/antitrust-eu-competition-/1104738/data-protection-and-competition-law-developments-and-the-way-forward> accessed 7 March 2022.

[6] Observer Research Foundation, Why data protection should not be an antitrust concern <https://www.orfonline.org/expert-speak/why-data-protection-should-not-be-antitrust-concern/> accessed 8 March 2022.

[7] Morgan Lewis. Big Data, Privacy, And Competition Law <https://www.morganlewis.com/pubs/2019/09/big-data-privacy-and-competition-law> accessed 8 March 2022.