This article is authored by Akash Krishnan, a law student from ICFAI Law School, Hyderabad. It discusses in detail the relationship between data protection and competition laws and the conflict of opinions when it comes to the powers being exercised by the Competition Commission of India in the data privacy regime. It further discusses the need for a proper data protection regime and the impact of the role performed by the Competition Commission of India in the absence of such a regime.
Table of Contents
Introduction
Long gone are the days when competition in the market was restricted to the physical domain. Today, with millions of users preferring online transactions, a large quantity of personal data is available in the digital domain. The question that comes to our mind in such scenarios is whether data privacy is just a myth in this modern world or are there strict laws in place to protect individuals from personal data breaches? If yes, who is responsible to protect the data in the digital domain? This article will discuss the answers to all these questions and discuss in detail the possibility of harmonious construction of competition and data protection laws while critically analysing the jurisdictional conundrum in the Competition Commission of India’s (CCI) investigation against the privacy policy of WhatsApp.
Before we enter into the technicalities of the concepts, let us first understand the competition and data protection laws that are in place in India and the regulatory bodies associated with these laws.
Competition laws in India
The competition laws in India are governed by the Competition Act, 2002. The primary objective of this Act as stated in the Preamble is to prevent anti-competitive practices in the market, promote and sustain competition in markets, promote the interests of consumers and ensure freedom of trade. It provides regulations for prohibiting anti-competitive agreements, preventing abuse of dominant position, mergers and acquisitions and also prescribed penalties for any violations of the provisions.
The Competition Act created an autonomous body to act towards the enforcement and administration of the Act. This body is known as the Competition Commission of India (CCI). The relevant provisions relating to the CCI have been enumerated below:
Section No. | Provision |
Section 7 | Establishment of CCI: This provision provides for the establishment of CCI as a body corporate. |
Section 8 | Composition of CCI: The maximum number of members in the CCI is limited to 7. Out of these 7 members, one shall be the Chairman. There should be at least 2 members appointed along with the chairman at all given times. The number of members is limited to 6. |
Section 10 | Term of office: The Chairman and members shall hold the office for a period of 5 years from the date of appointment and are also eligible for re-appointment. The maximum age limit to hold the office is 65 years. |
Section 18 | Duties of the CCI: To eliminate practices having an adverse effect on competition in the Indian markets.To promote and sustain competition in the Indian markets.To promote the interests of the consumers.To ensure freedom of trade carried on by other participants in the Indian markets. |
Section 19 | The CCI has the power to inquire into anti-competitive agreements and the dominant position of an entity in the Indian markets. |
Section 26 | Procedure for inquiry: The CCI either on receipt of a reference made by the Central or State Governments or suo-moto action may look into a case and if it believes that there exists a prima facie case, it would direct the Director-General to cause an investigation into the matter and submit a report. |
Section 27 | The CCI has the power to pass orders and impose penalties in case of anti-competitive agreements or abuse of dominant position. |
Data protection laws in India
The Personal Data Protection Bill, 2019 was introduced in Lok Sabha as a means for protecting the privacy of an individual and ensuring the free flow of the economy. It is applicable to personal data processed within the territory of India, by the government or any Indian company or any citizen of India or body of persons incorporated under Indian law. The Bill is not restricted to the territorial boundaries of India and thus also makes it applicable on data processed by data fiduciaries or data processors not present within the territory of India if the data processing is in connection with a business/activity carried out in India. This Bill provides for the establishment of a Data Protection Authority (DPA). The relevant provisions relating to DPA have been enumerated below:
Section No. | Provision |
Section 41 | Establishment of the DPA: This provision provides for the establishment of DPA as a body corporate. |
Section 42 | Composition of the DPA: The DPA shall consist of a Chairperson and not more than 6 whole-time members. |
Section 49 | Powers and functions of the DPA:To protect the interests of data principalsTo prevent misuse of personal dataTo promote awareness about data protectionTo ensure compliance with the provisions of the Act |
Section 51 | Power to issue directions: The DPA is empowered to issue directions from time to time and these directions shall have a binding effect on all data processors and data fiduciaries. |
Section 53 | Power to conduct inquiry: In case the DPA is of the opinion that there is a breach in the provisions of this Act or the actions of a data fiduciary or a data processor is detrimental to the interests of the data principal, the DPA can initiate an inquiry and for the purposes of inquiry it is vested with the same powers as that of a civil court. |
Section 54 | Power of the DPA to initiate action post inquiry: The DPA is empowered to issue warnings or reprimands, temporarily suspend licenses or cancel the registration of any data processor or data fiduciary if the actions of these bodies are in violation of the provisions of this Act. |
Section 56 | Coordination between the DPA and other regulatory authorities: If any authority has a concurrent jurisdiction to deal with the matter that lies before the DPA, the DPA should act in consultation with such authority and enter into an MOU with such authority for governing the coordination of such actions. |
The tryst of CCI with data protection laws
One of the first cases wherein data protection laws were examined by the CCI was In re: Vinod Kumar Gupta and WhatsApp Inc. (2016). The matter, in this case, arose during the release of the 2016 updated privacy policy by WhatsApp. The relevant facts and observations, in this case, have been provided below.
Brief Facts: After the acquisition of WhatsApp by Facebook, WhatsApp had introduced multiple changes in its privacy policy whereby the users of WhatsApp were forced to share their account details and other information with Facebook for availing the services of WhatsApp. It was alleged that WhatsApp had a dominant position in the market and was installed in over 95% of smartphones in India and it was abusing its dominant position by forcing the users to share the data with Facebook. This data was in turn used by Facebook for targeted advertisements thereby violating Section 4 of the Competition Act 2002. Under the privacy policy, WhatsApp was authorised to download/extract vital information from the phone of the user and therefore a violation of the Information Technology Act, 2000 was alleged as well.
Issue: Whether CCI has the jurisdiction to deal with matters pertaining to violation of the Information Technology Act, 2000?
Held: The Commission cited the judgement of the Delhi High Court in the case of Karmanya Singh Sareen and Others v. Union of India and Others (2016) wherein the Court held that users could always opt for deleting their WhatsApp accounts if they do not want their information to be shared with Facebook. The Commission observed that when it comes to the Right to Privacy in a digital domain and the safety of private information, the Commission does not have the jurisdiction to examine and adjudicate upon the violations of the Information Technology Act, 2000.
What is to be noted in the aforesaid Order of the Commission is that the CCI had no jurisdiction to delve into matters falling under the Information Technology Act 2000. However, on 24th January 2021, the CCI shifted its position in this regard and passed a suo moto Order directing the Director-General to initiate an investigation into WhatsApp for abuse of dominance under the Competition Act. Let us now discuss this suo-moto order in the matter of In Re: Updated Terms of Service and Privacy Policy for WhatsApp Users (2021).
Brief Facts: In February 2021, WhatsApp updated its privacy policy wherein the users were compelled to accept the new policy and agree with mandatory data sharing with Facebook.
Observations
Non-existing “opt-out” clause
- WhatsApp is undoubtedly a dominant player in the over-the-top messaging apps through the smartphone market. This was also observed by the CCI in its order in the matter of Vinod Kumar Gupta and WhatsApp Inc. During the 2016 update, users had the option to opt-out of the data sharing policy within 30 days of acceptance to the updated terms of service and privacy policy. But in the present scenario, the 2021 policy does not provide for such an opt-out clause. Instead, it is a mandatory clause compelling all users to accept data sharing with Facebook in order to continue using the services of WhatsApp. This condition was deemed to be an unreasonable condition. In the absence of an opt-out clause and the take-it-or-leave-it nature of the 2021 policy clearly indicates abuse of dominant position by WhatsApp and therefore the violation of Section 4 of the Competition Act is evident.
- To come to this conclusion, the CCI took into consideration the test of reasonableness laid down by the Supreme Court in Central Inland Water Transport Corporation Ltd. & Anr. v. Brojo Nath Ganguly & Anr (1986). Herein, the Supreme Court observed that if a weaker party has no meaningful choice but to give his assent to a contract even though such rules are unfair, unreasonable and unconscionable, the courts will strike down such unfair and unreasonable contracts. The Court further observed that when there is unequal bargaining power between the parties leading to the imposition of unfair terms, such terms would be deemed as unreasonable.
Jurisdiction of CCI
- The German Cartel Office (GCO) had investigated Facebook regarding its data collection policies and the lack of choice given to the users to opt-in or opt-out of the policies. After the conclusion of the investigation, the GCO held Facebook liable. It noted that an absence of an opt-out clause in the policies violates the right of the user to voluntarily agree to a contract. In light of the same, GCO ordered Facebook to amend its policies and provide voluntary consent to its users and not subject them to a mandatory data sharing policy.
- The actions of Facebook were held to be violative of the General Data Protection Regulations of Europe (GDPR) as the regulations prohibit such exploitative conduct and therefore the order of the GCO was made after proper coordination with the data protection agencies in Europe.
- What is pertinent to note is that when it comes to India, there is neither an exclusive data protection law nor a data protection regulator. The Personal Data Protection Bill is pending since 2019. This huge lacuna in the legal system allows dominant companies like WhatsApp and Facebook to exploit users in India.
- These factors led to the examination of the privacy policy and terms of service in light of the data protection expectations of Indian users by the CCI. By doing this, the CCI was actually acting outside its jurisdiction and based its observations on a fictional law. Although that was the need of the hour, such conduct by the CCI cannot be deemed as the correct interpretation of the law.
Held: The privacy policy was deemed to be unfair and it was held that WhatsApp had abused its dominant position in the market.
Conclusion
Since the necessary limits or standards for the protection and use of data have yet to be defined and are subject to appeal to higher courts, the CCI’s investigation into these matters may be premature. At present, clear and comprehensive data protection legislation still needs to be implemented as soon as possible. If such legislation specifies a threshold for data collection, then the CCI could assess market power in digital markets accordingly.
The Ministry of Electronics and Information Technology has already issued a notification defining a ‘significant social media intermediary’ as a social media intermediary with at least 5 million registered users in India. It has also issued a direction to WhatsApp to withdraw its new privacy policy. Therefore, it would make sense for the CCI to refrain from creating thresholds or standards in the data realm and instead strengthen its understanding of the underlying concerns through market research and preliminary conferences and focus on effects-based approaches.
The PDP Bill is a breakthrough to deal with the requirements of an evolving data protection regime of India. However, several aspects of knowledge protection (such as categorization of private data as sensitive personal data and important personal data, details on anonymized data, conditions from exemption from certain provisions of the PDP Bill, categories of Significant Data Fiduciaries (SDFs), conditions for registration as a consent manager and processing of private data and sensitive personal data of children), which can be key to an efficient and successful implementation of the new regime, are delegated to the DPA and/or the Central Government. With the inclusion of other aspects that will bridge the gap in the Bill, the Bill could be perceived as futuristic but the important impact of the PDP Bill is going to be visible once the relevant rules and regulations are in place.
The establishment of DPA and the provision regarding coordination between regulatory agencies provided under Section 56 of the PDP Bill will bring in the much needed legal mechanism in India to enforce data privacy laws and ensure that there is no abuse of position by dominant entities in the Indian digital markets.
References
- https://www.legal500.com/developments/thought-leadership/cci-order-on-whatsapp-policy-is-cci-filling-up-the-vacuum-of-the-data-protection-regulator/
- https://www.mondaq.com/india/antitrust-eu-competition-/1104738/data-protection-and-competition-law-developments-and-the-way-forward
- http://competitionlawblog.kluwercompetitionlaw.com/2021/06/18/the-jurisdictional-conundrum-in-competition-commission-of-indias-investigation-against-whatsapp/
- https://www.bundeskartellamt.de/SharedDocs/Entscheidung/EN/Fallberichte/Missbrauchsaufsicht/2019/B6-22-16.pdf?__blob=publicationFile&v=4
- https://www.competitionpolicyinternational.com/data-sharing-between-whatsapp-and-facebook-the-cci-opens-an-investigation-against-the-social-juggernauts/
LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join:
https://t.me/joinchat/L9vr7LmS9pJjYTQ9
Follow us on Instagram and subscribe to our YouTube channel for more amazing legal content.