This article is authored by Akash Krishnan, a law student from ICFAI Law School, Hyderabad. It discusses in detail the relationship between data protection and competition laws and the conflict of opinions when it comes to the powers being exercised by the Competition Commission of India in the data privacy regime. It further discusses the need for a proper data protection regime and the impact of the role performed by the Competition Commission of India in the absence of such a regime.
Before we enter into the technicalities of the concepts, let us first understand the competition and data protection laws that are in place in India and the regulatory bodies associated with these laws.
Competition laws in India
The competition laws in India are governed by the Competition Act, 2002. The primary objective of this Act as stated in the Preamble is to prevent anti-competitive practices in the market, promote and sustain competition in markets, promote the interests of consumers and ensure freedom of trade. It provides regulations for prohibiting anti-competitive agreements, preventing abuse of dominant position, mergers and acquisitions and also prescribed penalties for any violations of the provisions.
The Competition Act created an autonomous body to act towards the enforcement and administration of the Act. This body is known as the Competition Commission of India (CCI). The relevant provisions relating to the CCI have been enumerated below:
|Section 7||Establishment of CCI: This provision provides for the establishment of CCI as a body corporate.|
|Section 8||Composition of CCI: The maximum number of members in the CCI is limited to 7. Out of these 7 members, one shall be the Chairman. There should be at least 2 members appointed along with the chairman at all given times. The number of members is limited to 6.|
|Section 10||Term of office: The Chairman and members shall hold the office for a period of 5 years from the date of appointment and are also eligible for re-appointment. The maximum age limit to hold the office is 65 years.|
|Section 18||Duties of the CCI: To eliminate practices having an adverse effect on competition in the Indian markets.To promote and sustain competition in the Indian markets.To promote the interests of the consumers.To ensure freedom of trade carried on by other participants in the Indian markets.|
|Section 19||The CCI has the power to inquire into anti-competitive agreements and the dominant position of an entity in the Indian markets.|
|Section 26||Procedure for inquiry: The CCI either on receipt of a reference made by the Central or State Governments or suo-moto action may look into a case and if it believes that there exists a prima facie case, it would direct the Director-General to cause an investigation into the matter and submit a report.|
|Section 27||The CCI has the power to pass orders and impose penalties in case of anti-competitive agreements or abuse of dominant position.|
Data protection laws in India
The Personal Data Protection Bill, 2019 was introduced in Lok Sabha as a means for protecting the privacy of an individual and ensuring the free flow of the economy. It is applicable to personal data processed within the territory of India, by the government or any Indian company or any citizen of India or body of persons incorporated under Indian law. The Bill is not restricted to the territorial boundaries of India and thus also makes it applicable on data processed by data fiduciaries or data processors not present within the territory of India if the data processing is in connection with a business/activity carried out in India. This Bill provides for the establishment of a Data Protection Authority (DPA). The relevant provisions relating to DPA have been enumerated below:
|Section 41||Establishment of the DPA: This provision provides for the establishment of DPA as a body corporate.|
|Section 42||Composition of the DPA: The DPA shall consist of a Chairperson and not more than 6 whole-time members.|
|Section 49||Powers and functions of the DPA:To protect the interests of data principalsTo prevent misuse of personal dataTo promote awareness about data protectionTo ensure compliance with the provisions of the Act|
|Section 51||Power to issue directions: The DPA is empowered to issue directions from time to time and these directions shall have a binding effect on all data processors and data fiduciaries.|
|Section 53||Power to conduct inquiry: In case the DPA is of the opinion that there is a breach in the provisions of this Act or the actions of a data fiduciary or a data processor is detrimental to the interests of the data principal, the DPA can initiate an inquiry and for the purposes of inquiry it is vested with the same powers as that of a civil court.|
|Section 54||Power of the DPA to initiate action post inquiry: The DPA is empowered to issue warnings or reprimands, temporarily suspend licenses or cancel the registration of any data processor or data fiduciary if the actions of these bodies are in violation of the provisions of this Act.|
|Section 56||Coordination between the DPA and other regulatory authorities: If any authority has a concurrent jurisdiction to deal with the matter that lies before the DPA, the DPA should act in consultation with such authority and enter into an MOU with such authority for governing the coordination of such actions.|
The tryst of CCI with data protection laws
Issue: Whether CCI has the jurisdiction to deal with matters pertaining to violation of the Information Technology Act, 2000?
Held: The Commission cited the judgement of the Delhi High Court in the case of Karmanya Singh Sareen and Others v. Union of India and Others (2016) wherein the Court held that users could always opt for deleting their WhatsApp accounts if they do not want their information to be shared with Facebook. The Commission observed that when it comes to the Right to Privacy in a digital domain and the safety of private information, the Commission does not have the jurisdiction to examine and adjudicate upon the violations of the Information Technology Act, 2000.
Non-existing “opt-out” clause
- To come to this conclusion, the CCI took into consideration the test of reasonableness laid down by the Supreme Court in Central Inland Water Transport Corporation Ltd. & Anr. v. Brojo Nath Ganguly & Anr (1986). Herein, the Supreme Court observed that if a weaker party has no meaningful choice but to give his assent to a contract even though such rules are unfair, unreasonable and unconscionable, the courts will strike down such unfair and unreasonable contracts. The Court further observed that when there is unequal bargaining power between the parties leading to the imposition of unfair terms, such terms would be deemed as unreasonable.
Jurisdiction of CCI
- The German Cartel Office (GCO) had investigated Facebook regarding its data collection policies and the lack of choice given to the users to opt-in or opt-out of the policies. After the conclusion of the investigation, the GCO held Facebook liable. It noted that an absence of an opt-out clause in the policies violates the right of the user to voluntarily agree to a contract. In light of the same, GCO ordered Facebook to amend its policies and provide voluntary consent to its users and not subject them to a mandatory data sharing policy.
- The actions of Facebook were held to be violative of the General Data Protection Regulations of Europe (GDPR) as the regulations prohibit such exploitative conduct and therefore the order of the GCO was made after proper coordination with the data protection agencies in Europe.
- What is pertinent to note is that when it comes to India, there is neither an exclusive data protection law nor a data protection regulator. The Personal Data Protection Bill is pending since 2019. This huge lacuna in the legal system allows dominant companies like WhatsApp and Facebook to exploit users in India.
Since the necessary limits or standards for the protection and use of data have yet to be defined and are subject to appeal to higher courts, the CCI’s investigation into these matters may be premature. At present, clear and comprehensive data protection legislation still needs to be implemented as soon as possible. If such legislation specifies a threshold for data collection, then the CCI could assess market power in digital markets accordingly.
The PDP Bill is a breakthrough to deal with the requirements of an evolving data protection regime of India. However, several aspects of knowledge protection (such as categorization of private data as sensitive personal data and important personal data, details on anonymized data, conditions from exemption from certain provisions of the PDP Bill, categories of Significant Data Fiduciaries (SDFs), conditions for registration as a consent manager and processing of private data and sensitive personal data of children), which can be key to an efficient and successful implementation of the new regime, are delegated to the DPA and/or the Central Government. With the inclusion of other aspects that will bridge the gap in the Bill, the Bill could be perceived as futuristic but the important impact of the PDP Bill is going to be visible once the relevant rules and regulations are in place.
The establishment of DPA and the provision regarding coordination between regulatory agencies provided under Section 56 of the PDP Bill will bring in the much needed legal mechanism in India to enforce data privacy laws and ensure that there is no abuse of position by dominant entities in the Indian digital markets.
LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join: