Oct 27, 2023Digital Personal Data Protection Act: Yet Another Jurisdictional Overlap?
Introduction
The boon of technology has changed the way consideration is paid for services. Against the working of traditional markets, ‘zero price markets’ have emerged where services are paid for using ‘data’. Data has gained significant economic value, and possession of data is now often considered as a competitive advantage over other players in the market.
Widespread collection of user data has given rise to platform-based ecosystems of digital products and services. This has raised eyebrows of the competition regulators across the world as one big entity with high volumes of data may put other players in the digital market at a disadvantage. For a ‘free’ service, Indian users almost never hesitate to share their personal data with the service providers. The new Digital Personal Data Protection Act, 2023 (‘DPDP Act’) seeks to fill this gap of requiring ‘user consent’ before collecting and processing user data. The DPDP Act has been enacted into law but is yet to be enforced by the Central Government.
This article explores the interplay between the introduction of the DPDP Act and the existing competition enforcement concerns in relation to data collection and digital markets. While the DPDP Act is a welcome step, it may also raise overlapping jurisdiction issues between the Competition Commission of India (‘CCI’) and the Data Protection Board (‘DPB’) as envisaged under the DPDP Act.
What is DPDP Act?
The DPDP Act requires data fiduciaries such as digital service providers to seek user consent for collecting and processing personal data. Personal data is defined to include any data that can be used to identify an individual. However, any personal data that is made publicly available by the data principal (the individual whose personal data is collected) will not be protected by the DPDP Act.
The DPDP Act clarifies that if the data principal seeks to withdraw their consent, they need to bear all consequences resulting from withdrawal of such consent. This implies that the data fiduciaries may deny access to their services to such data principals who have withdrawn their consent. Further, the data fiduciaries are required to erase all personal data if the data principal has withdrawn their consent or when the purpose of collecting such data is fulfilled.
In essence, the DPDP Act mandates ‘free consent’ by a data principal before a service provider can process/use user personal data. However, the DPDP Act provides no recourse on consequences that a data principal may face if consent is withheld or withdrawn.
CCI’s View on Data Protection
The rise of platform-based markets has created an ecosystem of digital players who provide goods and services which are based on continuous collection of user data. These datasets in large volumes are considered as ‘big data’ which feed into advertisement algorithms, machine learning, artificial intelligence, etc. In Matrimony v. Google, the CCI referred to ‘big data’ as the ‘oil’ of the current century.[1] In the same case, the CCI also observed that although data-based markets result in great gains for users, it also results in loss of control over personal data.[2]
The CCI was initially hesitant in interfering with data protection allegations and considered them outside the purview of the Competition Act, 2002 (‘Competition Act’).[3] However, in the market study of the telecommunication sector, the CCI has acknowledged the need of ‘free consent’ for collection of data by dominant undertakings. In the market study, the CCI also observed that when a dominant entity acquires data, it can cross link them with multiple services to retain the users in the ecosystem.[4]
More recently, when WhatsApp mandated acceptance of its privacy policy for its users to continue using WhatsApp, the CCI stepped in and initiated an investigation.[5] Interestingly, for the first time the CCI emphasized on how consent for sharing user data needs to be ‘free’, ‘optional’, ‘well informed’, and ‘without withdrawal of services’, failing which it may be considered as an imposition of unfair conditions by a dominant undertaking.[6]
Overlap Between Data Protection and Competition Law
It is clear that the requirement of consent for collecting and processing user data, at least by dominant undertakings, is squarely covered by both the DPDP Act and the Competition Act. The cause of tension between the two lies in the individual objectives of the statutes. While the DPDP Act seeks to prevent exploitation of personal data, the Competition Act is aimed towards preventing dominant undertakings from unfairly seeking consent for collecting personal data for their own commercial advantage.
To understand the overlap, let’s consider a hypothetical situation similar to the WhatsApp case where company ‘X’ is dominant in the market for providing internet calling services and conditions its ‘free’ services over users giving consent for sharing their personal data. If a user refuses to give consent, X may stop providing its services to such a user.
While this may pass the muster of DPDP Act, it can still be considered anti-competitive by the CCI. This is because services by a dominant entity are essential for the user and a ‘take it or leave it’ condition would practically force the user to give consent. For the CCI to find such a condition to be kosher, it is likely to take a “fairness and reasonability test”[7] where the CCI may assess the following factors:
i. Whether the users have the option to easily switch to X’s competitors providing similar internet calling services?
ii. Whether the data requested by X is necessary for providing its services?
iii. Do users have an option to only give consent for data that is essential for providing services by X?
iv. Do existing users have an option to continue using X’s services without sharing data?
v. Whether there is an objective justification behind withdrawal of services by X?
On the other hand, in a scenario where consent is given under a false pretext or where data is processed without clear consent, a remedy would lie under the DPDP Act. In such situations, the CCI may also exercise jurisdiction if the data collected by a dominant undertaking is not for the purpose of providing services but to hoard data for commercial purposes such as targeted advertising.
Conclusion
Both the DPDP Act and the Competition Act are concerned with dissemination of personal data to digital players and its legitimate use. Needless to say, if the data fiduciary lacks market power, the CCI will have no jurisdiction. While the DPDP Act is clear in its limited purpose of protecting user data, parallel allegations under the Competition Act cannot be ruled out. The CCI has asserted that in any situation, it will remain the exclusive body to resolve antitrust and competition related issues.[8] This creates yet another case of exercise of parallel jurisdiction between the CCI and the DPB.
The Supreme Court (‘SC’) in Competition Commission of India v. Bharti Airtel Limited[9] (‘Airtel Decision’) has held that in case of a jurisdictional overlap, the specific sector regulator would first decide on the overlapping issues and the CCI’s jurisdiction will be activated if the findings of the sectoral regulator indicate anticompetitive conduct. The Airtel Decision is likely to serve as the guiding principle in a possible overlap of jurisdiction between the CCI and the DPB.
[1] Matrimony v. Google, Case No. 7 and 30 of 2012, paragraph 86.
[2] Ibid, paragraph 85.
[3] Vinod Kumar Gupta v. Whatsapp, Case No. 99 of 2016, and Harshita Chawla v. Whatsapp, Case No. 15 of 2020.
[4] Market Study on the Telecom Sector in India, Competition Commission of India, paragraph 70.
[5] In Re: Updated Terms of Service and Privacy Policy for WhatsApp Users, Suo motu Case No. 1 of 2021.
[6] Ibid, paragraphs 29 and 30.
[7] Indian National Shipowners’ Association v. Oil and Natural Gas Corporation Limited, Case No. 01 of 2018, paragraph 135.
[8] Supra 5, paragraph 72.
[9] Competition Commission of India v. Bharti Airtel Limited, Civil Appeal No. 1183 of 2018, paragraph 91.