[By Sharmita Sawant]
The author is a student at King’s College, London.
Introduction:
Digital economies have posed complicated legal questions that mandate the expansion of legal ideologies and conceptions to assimilate the changing nature of businesses. The issues that we are faced with in these economies stand at the cusp of Data Protection, Consumer Protection, and Antitrust laws. The debate around using antitrust law to solve data-related issues has been a matter of discussion for a long time, the pioneers being the Google/DoubleClick merger case in the US and EU.[i] A general progression is seen in the approach of regulating agencies and academia when it comes to addressing issues related to data markets. Maybe it is the fear of false positives, a chilling effect on innovation, or the cultural lag; agencies are still squeamish about applying Antitrust rules to big data companies.
Nevertheless, the scene is changing as a nuanced understanding of the sector is making business behaviour and theories of harm more prominent. One of the examples of this change is the WhatsApp and Facebook privacy policy case in Germany and India.[ii] The data sharing policy of Facebook and its subsidiary WhatsApp has come under the radar of the antitrust authorities for abusing its dominant position in the market and imposing unfair privacy conditions on its consumers. The critical point of discussion in both these cases has been the jurisdictional issue: whether privacy breaches fall under the jurisdiction of Antitrust and, if so, what is the correct forum for adjudication of this issue.
This article will explore the Competition Law, Data Protection, and Privacy law interplay in the context of the WhatsApp privacy litigation in India. The first part of the article will outline the jurisdictional debate in the WhatsApp case, highlighting the various arguments put forth by the opposition and the Commission. Following this, the second part is dedicated to the current legal framework, which deals with privacy issues in India, its drawbacks, and its characteristics. Finally, the author looks at whether antitrust is the correct forum to answer privacy issues in the context of the WhatsApp decision.
1] WhatsApp Privacy Case 2021- An Overview:
The Competition Commission of India took suo-motu cognizance of WhatsApp’s new Privacy policy with its order dated 24th March 2021. WhatsApp’s updated privacy policy included terms and conditions which allow it to share user data across all informational categories with other Facebook Companies. It notified its users to accept the new policy on a ‘take-it-or-leave-it’ basis to continue using the services of the App. CCI found that the new privacy policy violates Section 4 of the Competition Act, making a prima facie case for abuse of dominant position. Both WhatsApp and Facebook are made a party to the ongoing suit.
CCI held that WhatsApp is a dominant player in the market for “over-the-top messaging apps through smartphones in India.” The Commission relied on its market analysis in the In Re Harshita Chawla and WhatsApp Inc. case to reaffirm that WhatsApp works on direct network effects, wherein an increase in the usage of a particular platform leads to an increase in its value for the other users.[iii] The network effects as well as lack of interoperability between various messaging platforms work in favour of WhatsApp. This makes it difficult for the users to switch apps easily, making the service provided by WhatsApp not substitutable. CCI noted that these conditions made WhatsApp an entrenched entity, which it is leveraging to impose unfair terms on its users.
CCI observed that privacy is a crucial non-price factor when it comes to competition. It held that a reduction in consumer data protection and privacy is considered as a reduction in quality under the Competition Act. Lower privacy not only impacts consumer welfare but also has exclusionary effects. CCI opined that integration of consumer data reinforces the dominant player’s position in the market which it can use in neighbouring or unrelated markets to increase entry barriers.
WhatsApp challenged this decision before the Delhi High Court.[iv] WhatsApp argued that CCI lacks jurisdiction in the matter due to the pending litigation before the Supreme Court, dealing with WhatsApp’s Privacy Policy under Article 21 of the Constitution. They also relied on the In Re Shri Vinod Kumar Gupta and WhatsApp judgement wherein CCI had declined to look into WhatsApp’s privacy policy in 2016, stating that it was outside the purview of the Competition Act.[v] The court replied by clarifying that the scope of the CCI is wider and is not confined to the issues raised before the High Court or the Supreme Court in this matter. The High Court also upheld CCI’s observation that data sharing between WhatsApp, Facebook, Facebook allied apps, or third-party apps has led to degradation of non-price factors of competitiveness, thus causing consumer harm. Stating these reasons, the court reiterated that the matter falls within the jurisdiction of CCI.
It is interesting to see how CCI’s views have changed through the years on privacy and data protection. This is a welcome change in the right direction, but with the chaos of privacy laws in India, the jurisdictional challenge is expected to get more complicated. Especially with the new Data Protection Bill, this debate is just in its nascent stages.
2] Where are we at- Privacy and Legal Framework in India:
What happens when a data giant like Facebook or Amazon breaches its user’s privacy for monetary ends? What authorities does one approach, and what redressal does one have? Indian privacy and data protection laws at present are laid out in an overlapping patchwork fashion. Various laws, regulations, and guidelines govern a specific subset of data or a particular type of data protection breach.
Privacy is a fundamental right and is a quintessential element of Article 21 of the Indian Constitution. Since Justice K S Puttaswamy and Anr vs. Union of India, the right to privacy can be enforced by anyone as a fundamental right, irrespective of any sector-specific legislation.[vi] Besides, personal data protection is mandated under the IT Act, 2000, specifically under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Information or Data) Rules, 2011 (“SPDI Rules”). The IT Act focuses more on the security of personal information like financial details, passwords, etc. Similarly, SPDI Rules apply to a specific subset of personal information, categorized as “sensitive information” like passwords, bank account details, biometrics, medical data, and sexual orientation. These regulations, along with the IT Act, mainly deal with information being handled by individuals rather than corporate bodies. Notably, TRAI, SEBI, and RBI have issued various guidelines and recommendations to safeguard specific types of data. E-commerce Rules made under the Consumer Protection Act also mandate some form of data protection to consumers shopping on e-commerce platforms.[vii] Data theft can also be approached under Section 403 of the IPC as dishonest misappropriation of moveable property.
Interestingly, under competition law, privacy and data protection have been looked at as a non-price factor in merger analysis by the CCI.[viii] Though the Competition Act does not explicitly mention privacy, or anything related to data, it is a part of the case laws due to significant changes in the digital economy. Data accumulation or data as a competition issue was first acknowledged in In Re Matrimony.com Ltd and Google LLC.[ix] It was later revisited in the Vinod Kumar Gupta case which involved the 2016 privacy policy. CCI had refrained from dipping its toes in the murky waters of data protection and privacy. So, the current litigation is a step away from the path paved by the CCI and is a welcome approach nonetheless.
Nevertheless, with greater forums comes greater confusion. With an overarching Data Protection Law still waiting to be passed by the legislature, which door to knock on is the question that remains unanswered. This lack of clarity on jurisdiction creates opportunities for corporates to resort to forum selection based on lesser penalties and obligations. The IT Act and SPDI Rules are known to have nominal penalties compared to the humongous turnovers of data giants (merely five to ten lakh rupees or a jail term of three years or both). Similar is the case under the Consumer Protection Act or any other regulation. Fines under competition law are higher than any other available legislation, thus having the power to make a corrective impact. However, the question that arises is whether competition law can rectify the harm caused by lack of data protection and privacy and to what extent.
[i] See: Google/ DoubleClick (Case COMP/M.4731) OJ C184/10 (2008); In re Google/ DoubleClick FTC No. 071-0170 (2007)
[ii] See: In Re Updated Terms of Service and Privacy Policy for WhatsApp Users Suo Moto Case No.1 (2021); Facebook v Bundeskartellamt B6-22/16 (2019)
[iii] In Re Harshita Chawla And WhatsApp Inc Case No. 15 (2020)
[iv] WhatsApp LLC v Competition Commission of India & Anr. CM 13336/2021 (2021)
[v] In Re Shri Vinod Kumar Gupta and WhatsApp Inc. Case No. 99 (2016)
[vi] Justice Puttaswamy (Retd) vs UoI W.P No. 494 (2018)
[vii] Consumer Protection (E-Commerce) Rules (2020)
[viii] Marija Stojanovic. Can Competition law protect consumers in cases of a dominant company breach of data protection rules? 16 European Competition Journal 531 (2021)
[ix] In re Matrimony.com Limited and Google LLC Case No. 07 (2012)