Advances in technology and digitisation have led to an increasing focus on the collection and storage of personal data. The collection, storage and use of such data as customers’ contact details and search preferences may have increased the quality of service particularly in the field of advertising. However, governments and authorities across the world have recognised the need for adequate protection of such data. Most governments and authorities have implemented, or have begun to implement data protection regimes. The collection, storage and use of personal data have also raised concerns regarding competition law.
One view is that such issues are best left to data protection regimes, but some competition authorities such as those in Germany have taken a view that the collection and usage of personal data without adequate information and informed consent may constitute abuse of dominance through the imposition of unfair terms on the users. However, an appeal court has referred to the European Court of Justice the issue of whether the German competition authority can examine violations of data protection rules.
In India, the Competition Law Review Committee (CLRC) which was set up to review the Competition Act, 2002 (Competition act) observed in its report that the regulation of digital businesses that rely on user data is still novel in global competition policy and that a balanced approach is essential as consumer benefit is involved. Personal data is regulated by the Information Technology Act, 2000 (IT Act), and the Information Technology (IT) Rules, 2011. A more comprehensive Personal Data Bill, 2019, awaits enactment.
The CCI found that the take-it-or-leave-it nature of the 2021 update made it an unfair condition being imposed by a dominant player on users. The CCI found that the quality of service must be maintained by a dominant player to protect the interests of the consumer under competition law. The CCI observed that “reduction in consumer data protection and loss of control over their personalised data by the users can be taken as reduction in quality under the antitrust law”. The CCI also found that users must be informed about the precise purpose, scope and extent of sharing their data.
The CCI had previously found that the WhatsApp 2016 privacy update did not raise any competition law concern. In that case, the CCI found that any breach of the IT Act did not come within the purview of the Competition Act. However, in the 2021 case, the CCI appears to have departed from the recommendations of the CLRC report and its own previous self-restraint by requiring an investigation. The CCI appears to have failed to fully appreciate that there are the overlapping jurisdictions of a full-blown privacy regime in the IT Act, and of a comprehensive data protection regime in the Personal Data Protection Bill, 2019, when it is enacted. The CCI seems to be following the approaches of Germany and Turkey without appreciating the differences in the legal systems and interplay of competition laws and privacy laws in those jurisdictions. Such overlapping regulation regimes may create uncertainty for parties through conflicting decisions and will increase the burden of regulatory compliance.
Avinash Amarnath is a counsel and Prachi Agarwal is a senior associate at Chandhiok & Mahajan