The juxtaposition of privacy and Competition Law

INTRODUCTION During the last decade, the digital business has expanded at a staggering rate in India and across the world. Even though this development has resulted in the emergence of new business models, the expansion of new markets, and the unlocking of significant efficiencies, it has also sparked concerns that tech giants may exploit the […]

by RAMA PRIYADARSHINI PADHY ND MUSKAN PRAKASH MESHRAM - February 11, 2022, 2:00 am

INTRODUCTION

During the last decade, the digital business has expanded at a staggering rate in India and across the world. Even though this development has resulted in the emergence of new business models, the expansion of new markets, and the unlocking of significant efficiencies, it has also sparked concerns that tech giants may exploit the vast amounts of user data that they possess in order to manipulate digital markets to their advantage. Due to this, the Competition Commission of India (the “CCI”) has opened investigations against several players, including WhatsApp, Facebook, and Google. The investigations are ongoing. However, there are concerns regarding the use of competition law (rather than privacy and consumer protection legislation) to deal with such issues in the long run.

WHAT IS THE RELATIONSHIP BETWEEN DATA PRIVACY AND COMPETITION LAW?

“Prevent anti-competitive practices and promote market competition,” according to the Competition Act, is the mission of the Competition Commission of India. Under the Competition Act, the CCI has the authority to examine three areas of competition law:

1. Business agreements that are anti-competitive under Section 3 of the Competition Act are defined.

2. According to Section 4 of the Competition Act, a corporation may not misuse its dominant position and may not engage in price-fixing.

3. Sections 5 and 6 of the Competition Act govern the mergers and acquisitions that take place between companies.

When it comes to digital marketplaces, which are frequently referred to as ‘zero-price markets,’ the execution of the Competition Act may be complicated. This is because the phrase ‘zero-price markets’ violates common legal and economic assumptions regarding competitive harm. Several unique characteristics are present in such markets, including the difficulty in determining market power or market share; low entry barriers for players, which contrasts with network effects, which may prevent new entrants from expanding or achieving economies of scale; and the ability of customers to multi-home while remaining locked-in due to a lack of interoperability in the market (thereby complicating the analysis in respect of switching costs).

While the CCI has had several opportunities to review the digital sector since its inception in 2010, it has never previously looked at data as an asset or a source of value. “In January 2021, the CCI issued a report on India’s telecom business (the “CCI Telecom Report”), which highlighted the interaction between data privacy and competition regulations.” It categorizes data utilization as non-price competition, suggesting that information collected from customers might be used to an enterprise’s benefit in a price battle. “Additional warnings came from the CCI in 2020 research, which said that network effects resulting from enormous amounts of data collected allow firms to compete on a level unrelated to pricing, ultimately leading to a ‘winner takes all’ system.”

It is possible that data will be utilized as a proxy for evaluating market power, and if this determination is made, data misuse may be found to have a major adverse influence on competition.

“The CCI has issued an order launching an investigation against WhatsApp and Facebook in accordance with Section 26(1) of the Competition Act (“WhatsApp Suo Moto Order”), which recognizes data as a non-price competitive feature.”

For the purpose of determining market strength, the CCI examined its decisional history regarding WhatsApp and concluded that “given WhatsApp’s popularity and widespread use for one-to-one and group chats, as well as its distinct and distinctive features, WhatsApp appears to be dominating.” This finding is crucial since it is based on the platform’s user base, which has the potential to create a “network effect.”

Regarding data collection and processing, the CCI has said that firms such as Facebook have the “potential acquisition and processing of vast amounts of personal information about its users.” As stated in the WhatsApp Suo Moto Order, the CCI advances this theory by stating that “in a data-driven ecosystem, competition law must consider whether excessive data collection and the extent to which such data is subsequently used or otherwise shared have anti-competitive consequences that require antitrust scrutiny.”

According to the CCI, a similar approach should be used in evaluating mergers and acquisitions, noting that in “new age dynamic markets,” conventional market share analyses may serve as a starting point for investigation, but should not be used as the primary guiding metric for determining market dominance. “Recent decisions in these areas have taken into consideration issues such as net neutrality and the potential for data sharing concerns in the future.”

MISUSE OF A DOMINANT POSITION VIA THE MANIPULATION OF DATA

“The CCI Telecom Report provides the following examples of abusive behaviour: (a) a lax privacy standard indicating a lack of concern for the welfare of customers; (b) lax data security, which may also imply exclusionary behaviour; and (c) exploitation of a data advantage across a wide range of products and services.”

“In the WhatsApp Suo Moto Order, the CCI seems to support this notion of damage, opining that WhatsApp’s data-sharing with Facebook weakens non-price competition characteristics and that this behaviour prima facie amounts to imposition of unfair terms and conditions on WhatsApp users (Facebook is also included in the investigation as a direct beneficiary of this privacy policy).”

IS IT PROPER FOR THE CCI TO INTERFERE IN THE MARKET VIA REGULATORY MEANS AT THIS TIME?

When it comes to non-price competition, the CCI Telecom Report recognizes that data is a key metric; however, it also acknowledges that privacy may be fundamentally a consumer protection issue; this is in contrast to competition law, which is focused on preserving and fostering competition rather than protecting individual market participants (i.e., competitors or consumers).

Other bodies (in this case, the proposed DPA) that have been granted specific jurisdiction to set data protection laws should collaborate with the CCI in order to achieve the best results. While the CCI may be alerted to an anti-competitive deviation from such criteria, its foray into determining what constitutes an “excessive volume of data” runs the risk of generating conflicting viewpoints with other authorities who may be better equipped to make such determinations in any case in the first instance.

Furthermore, the CCI’s position on data exploitation is still in the process of being refined. The CCI has previously dismissed cases correctly based on “bald assertions” and “statements that have not been corroborated or otherwise substantiated in any manner,” and it has also refused to accept the notion of “potential future exclusion” as a basis for determining damages. Despite this, the CCI’s probes into the MMT Interim Order and the WhatsApp Suo Moto Order seem to be based on unconfirmed facts, according to a report by the Financial Times.

Given the fact that the essential restrictions or standards for data protection and usage have not yet been established and are now being disputed in higher courts, the CCI’s investigation into these issues may be a step too far. Increasing the leniency of the CCI at preliminary hearings might be a feasible answer, as it would enable the CCI to have a better understanding of the underlying technology and business models, while also allowing it to make better use of the CCI’s investigation resources.

This is the latest example of the dispute that exists between competition and privacy authorities over the manner in which and by whom data businesses should be controlled, as previously reported. According to the data protection authorities, since they are responsible for users’ privacy, they should have the last word in any disputes regarding personal information. “Competitor regulators, on the other hand, say that since the privacy-related actions of large technology companies reduce customer choice, they should be treated as a non-price problem that has an impact on consumer welfare.” Consequently, they argue, they have the right to govern within their regulatory jurisdiction If taken at face value, these opposing viewpoints indicate that privacy and competition are diametrically opposed to one another. Data protection laws, on the other hand, protects users’ reasonable expectations of privacy, while competition law forbids action that is damaging to consumer welfare. However, the situation is not as straightforward and straightforward as it seems. However, rather than being mutually exclusive challenges, privacy and competitiveness issues often cross, to such an extent that enforcement by one regulator may push a company to act in a manner that the other does not permit.

Take, for example, “the case of HiQ vs. LinkedIn, which was decided by the Ninth Circuit Court of Appeals in 2019. LinkedIn terminated HiQ’s access to profile data on the grounds that the latter was gathering personal information despite users expressly opting into a privacy choice referred to as ‘do not broadcast’ in respect of profile alterations, according to the company.” Specifically, HiQ said that its company could not exist without access to data kept on LinkedIn’s servers and that LinkedIn’s refusal to provide access constituted unfair competition, given the latter’s intentions to develop its own data analytics business. Although LinkedIn had deliberately chosen to prohibit broadcast, the Ninth Circuit concluded in favour of HiQ because it believed that competitive interests outweighed privacy concerns.

Other, harsher steps are not ruled out shortly. According to EU Commissioner Margrethe Vestager, the European Commission may order firms to share data with rivals if doing so would result in more competition. In the past, competition regulators have used data-access remedies to get access to corporate information (such as business plans or technical data), but applying them to data firms that deal with personal data is guaranteed to have significant consequences for user privacy.

It seems unlikely that one will be able to resolve these issues until he commits to a more coordinated regulatory approach. For example, in all circumstances where competition disputes generate privacy issues, the competition regulator will ensure that the data protection authority is not only informed of the investigation but that it is also included in the final finding. In cases where this has not been done, courts hearing appeals from a regulator’s decision should strike a balance between the interests of consumers and the rights of individuals to personal privacy.

If settling these conflicts has proved challenging in the United States and Europe, where privacy authorities are well-established, think how much more difficult it will be in India, where we still do not have a data protection law in effect.

Numerous other organizations have come in to fill the hole left by the absence of a data protection authority that provides rules on how data corporations should operate. Industry-specific legislation on how personal data should be used has been established in several different industries, including the financial sector. Unfortunately, rather than offering clarity, the resulting jumble of compliances has only served to further muddle the waters even more.

Indian competition regulator, the Competition Commission, has weighed in on the dispute, declaring in its Market Survey on Telecom that privacy is a non-price concern in competition and comes within its regulatory jurisdiction. It then followed up on that declaration by calling for an investigation into WhatsApp’s recently proposed amendments to its privacy regulations, which was approved by the company.

Following these developments, it seems that the Indian competition authority aims to incorporate privacy-related issues in its mandate for data-driven organizations. If we already had a data protection organization, this may have worked out perfectly. But since we don’t have someone who is campaigning for personal privacy, the regulation of Indian data firms will now be very much in the ‘competition-first’ mode. As a result, when it comes to difficulties at the nexus of competitiveness and privacy, our data jurisprudence will suffer as a result of this decision.

CONCLUSION

Experts say that India cannot afford to keep postponing the approval of a privacy act indefinitely.

These kinds of inter-jurisdictional differences highlight just how important this problem has grown. Any further delay would result in a regress in data law to a level that our data sector cannot bear.

An immediate and comprehensive data protection legislation must be enacted, and it must do so as quickly as possible.

This is an urgent demand at this time. “If such legislation creates a threshold for data collection, the CCI might then conduct an analysis of market power in digital markets. Contrary to popular belief, the Ministry of Electronics and Information Technology (MEITY) earlier released a notification defining a “major social media intermediary” as one with at least 5 million registered users in India.”

Therefore, it would be prudent for the CCI to refrain from developing data-related criteria or standards and instead focus on improving its understanding of the underlying problems through market research and preliminary conferences, with a particular emphasis on effects-based methods and techniques

Meanwhile, firms that operate in digital markets are asked to review their privacy policies and adhere to industry best practices for data collection, such as being transparent about data use and advertising, to avoid being blacklisted from the marketplace.

Regarding data collection and processing, the CCI has said that firms such as Facebook have the “potential acquisition and processing of vast amounts of personal information about its users.” As stated in the WhatsApp Suo Moto Order, the CCI advances this theory by stating that “in a data-driven ecosystem, competition law must consider whether excessive data collection and the extent to which such data is subsequently used or otherwise shared have anti-competitive consequences that require antitrust scrutiny.”