India: Regulators must balance growth and innovation with user protection

This publication is a part of the GCR Data & Antitrust Guide first edition of 2024^[1]

Introduction

Data-driven markets in India have grown at breakneck speed in the past decade, aided by the Government of India’s (GoI) pro-digital approach. There are at least four factors driving India’s digital growth, the first being government schemes such as the Digital India programme,^[2] which helps to bridge the digital divide. Second, competitive data plans by telecommunications companies offered highly affordable data plans^[3] that led to a rapid adoption of internet-enabled phones, reaching the hands of almost every Indian, regardless of location or economic situation. Third, changing demographic profiles and increasing disposable per capita income led users to spend on digital markets that are accessible on their smartphones. The final fillip came with covid-19, which pushed offline businesses online to stay viable.

Yet, Indian online markets are far from saturated. Regulators are therefore balancing the continuation of growth and innovation that is crucial for the Indian economy, while protecting the data and interests of Indian users. Whether the existing regulatory framework or proposed regulations can achieve this balance is an ongoing debate.

Existing data-specific regulations

Currently, the Digital Personal Data Protection Act, 2023 (the DPDP Act) (enacted but yet to be enforced)^[4] is the primary law that governs the protection and regulation of personal data in India. It is similar to the European Union’s General Data Protection Regulation (EU GDPR).^[5] The DPDP Act, and the Information Technology Act, 2000 (the IT Act) and various guidelines under it, including the Intermediaries Guidelines, 2011, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data of Information) Rules, 2011 (the SPDI Rules)^[6] (together, the IT Guidelines), regulate most personal data-related issues.

Although the primary objective of the DPDP Act is to regulate the use of personal data, the primary purpose of the IT Guidelines is to regulate the activities of data-heavy platforms such as social media, news publishers, ‘over-the-top’ (OTT) channels and online gaming intermediaries. When the DPDP Act’s provisions take effect, the specific provisions of the IT Act that govern data privacy will be repealed (i.e., the SPDI Rules and Section 43A of the IT Act (as amended by the IT (Amendment) Act 2008^[7])).

The DPDP Act is not as exhaustive as the EU GDPR, however, and imposes baseline data protection obligations on data fiduciaries (defined as any entity that determines the processing of data). The key points introduced by the Act include: (1) baseline definitions of data processor (i.e., any entity that processes data) and data principal (i.e., any entity whose data is being processed); (2) enabling the government to designate a significant data fiduciary (i.e., any data fiduciary notified by the GoI)^[8] that will be governed by stricter guidelines for data processing, such as undertaking periodic audits and impact assessments, and appointing data protection officers; (3) a ban on collecting and processing data belonging to minors; and (4) introducing a consent architecture that requires any data fiduciary to disclose the reason it is collecting personal data, to use accessible language when asking for consent, to limit use of the data to the acquired consent from the data principle, and mandatorily publish concise and unambiguous privacy notices to obtain informed consent from data principals for processing their data. Data principals who consented before the DPDP Act came into effect are allowed to withdraw that consent or air their grievances.^[9]

None of these regulations covers business (or non-personal) data and its effect on competition. There is no clarity as to whether the GoI will regulate non-personal data in the Digital India Act, which may be proposed following the general election in June 2024.^[10] Keeping in mind the novel issues that can be raised in data-driven markets, the GoI will propose that the Digital India Act supersedes the 23-year-old IT Act.^[11]

Antitrust regulation in data-driven markets in India

The DPDP Act and the IT Guidelines do not specifically address competition-related issues raised by data-driven markets. As a result, they do not conflict with the (Indian) Competition Act, 2002 (as amended) (the Competition Act).

Equally, there is no special treatment under the Competition Act of data-related issues, but the Competition Commission of India (CCI) has investigated, and is in the process of investigating, conduct in several technology markets under the Competition Act. In fact, since 2012, there have been antitrust inquiries into small and big technology companies (including Google, Apple, Meta, Amazon) and Indian start-ups (including Flipkart, Zomato and Swiggy). The CCI has issued four contravention decisions against technology companies to date.

The CCI has used the Competition Act to examine allegations of anticompetitive harm, including: (1) the manner of collecting, processing and accumulating data; (2) exploitative and exclusionary abusive practices that may result from data-driven network effects;^[12] (3) construing user consent through necessary voluntary steps;^[13] and (4) the interrelationship between privacy and competition law.^[14]

There have also been various market studies, including several by the CCI, to understand competitive harms in data-driven markets; for example:

the Standing Committee on Finance Report, 2022 suggested amendments to the Competition Act in line with the rising digital economy;
a CCI market study on the pharmaceutical sector,^[15] which covers the changes resulting from online pharmacies and their use of users’ data;
a CCI market study on the telecommunications sector,^[16] which sets out the conflict between allowing access to data and protecting privacy, in the context of competition in the telecommunications market; and
a CCI market study on e-commerce,^[17] which sets out concerns about business models in internet-enabled or e-commerce businesses in three distinct sectors: online retail, online travel and online food delivery. The study sought to future-proof competition compliance by providing a set of voluntary self-regulating measures that businesses with market power ought to adopt.

Recent updates

Indian antitrust rules were updated by amendments to the Competition Act (i.e., Competition Amendment Act, 2023 (the Amendment Act), introduced by the Ministry of Corporate Affairs. Although the Amendment Act and other recent amendments to regulations do not move the needle significantly for competitive assessment of data-driven markets, they do clarify that antitrust rules govern data-related markets; for example, the amendments not only explicitly prohibit hub-and-spoke cartels but also apply a modest evidentiary threshold for proving the existence of such a cartel (unlike precedents^[18] in which only ‘active’ collusion was considered to justify a finding of a hub-and-spoke cartel, the Amendment Act expressly penalises not only participation but also the intent to participate in hub-and-spoke cartels, increasing its applicability to online platforms).^[19]

Similarly, the amendments revised the scope of vertical agreements to include platform markets that may have earlier been interpreted to be limited to buy–sell relationships. Most clearly, the amendments introduced the deal value threshold (DVT) as part of merger control (although at the time of writing, the amendments have not yet come into effect). DVTs will allow the CCI to review investments in asset-light digital companies, based on the value of the investment (i.e., if it exceeds 20 billion rupees and if the target has ‘substantial business operations’ in India).^[20] A key justification for the introduction of the DVT is the claim that technology mergers or acquisitions have ‘escaped’ review;^[21] however, there appears to be little to no evidence that antitrust intervention would have been merited in these cases, even if they had been subject to ex ante merger review.

Network effects have been important in the CCI’s assessment of data-driven markets. The CCI frequently observes that control over user data across the supply chain could result in ‘network effects’ entrenching an entity’s market position.^[22] In respect of WhatsApp, the CCI observed that data concentration gives it a competitive advantage in the market of OTT messaging apps, and that the ‘network effect’ of WhatsApp makes it difficult for an end user to switch from WhatsApp. Based on this observation, the CCI initiated an investigation against Meta to assess whether end users are unfairly forced to accept WhatsApp’s updated privacy policy, which allows Meta to share user data across Meta companies.^[23]

Interestingly, the CCI has also used the concept of network effects to impose penalties calculated using total revenue generated from all products and services of technology platforms, such as Google, and online travel aggregators, such as MakeMyTrip^[24] (i.e., on the basis of the interdependent nature of digital ecosystems where one product or service reinforces the value of other products or services). The CCI’s ability to rely on network effects to impose larger penalties is supported by the Amendment Act and newly introduced the ‘CCI (Determination of Monetary Penalty) Guidelines, 2024’, which give the CCI the power to impose penalties on ‘total global turnover from all products and services’ where the calculation of relevant turnover is not feasible (although the scope of what is feasible is not defined).

What next?

The most recent and noteworthy development for data-driven markets came on 12 March 2024 with a report^[25] prepared and released by the Committee on Digital Competition Law (CDCL) alongside the draft of the Digital Competition Bill, 2024 (DCB) presented by the CDCL for public consultation.^[26] The DCB is modelled on the EU Digital Markets Act, and the CDCL was set up by the GoI in February 2023 to examine and report on the need for a separate ex ante law for competition in digital markets. The DCB, if enacted as an Act in its current form, will designate systematically significant digital enterprises (SSDEs) that offer any one or more of the core digital services (CDSs) set out in Schedule 1 to the DCB. The CDCL relied on network effects in digital markets^[27] to recommend designating SSDEs based on not just financial but also user base thresholds (relating to the number of business users and end users of the CDSs in India). Enterprises are required to self-notify the CCI if they exceed the thresholds,^[28] and the CCI can separately designate SSDEs for a period of three years, renewable automatically unless proven otherwise. Obligations that can be imposed on SSDEs in relation to their CDSs (such as e-commerce services, advertising services, etc.) include no self-preferencing, no restrictions on the use of third-party applications, no anti-steering policies, no tying and bundling, fair and transparent dealing with end and business users, and data use obligations that prohibit the use of non-public data of business users to compete with them or the cross-use of personal data without consent, and enable data portability for business and end users in a format and manner that will be subsequently specified.

The draft DCB also empowers the CCI to notify specific obligations, tailor-made for each CDS. In the event of non-compliance, the CCI may levy harsh penalties (up to 10 per cent of total global turnover), issue cease-and-desist orders against business practices, and initiate new complaints suo moto (including for conduct outside India). SSDEs, on the other hand, can avail themselves of the newly introduced settlement and commitment mechanism, as well as appeal any decision by the CCI. This proposed ex ante legislation reflects increasing regulatory concern about data collection in technology markets.

The next sections briefly cover data-related competition concerns specific to healthcare and artificial intelligence (AI), online advertising, e-commerce and financial services.

Healthcare and artificial intelligence

India has an ecosystem that integrates smart devices with personal health data, resulting in innovative business models.^[29] In addition, AI has emerged as a powerful tool leveraging healthcare data. AI applications are already used by consumers, service providers and life sciences companies to support diagnosis, treatment recommendations, patient engagement and administrative tasks.^[30] To the extent that AI needs significant volumes of data, entities controlling large healthcare data sets have become increasingly important.

India does not have a separate legal framework for all health data-related issues, such as ensuring accuracy, lack of bias, etc., and there are no separate laws regulating AI, cloud computing or machine learning. The consent mechanism under the DPDP Act (once enforced) will apply to how health data should be accessed and shared.

Existing data regulatory framework in healthcare sector

The government has taken various initiatives to maintain the benefits of health technology while ensuring data security and privacy. The introduction of electronic health record (EHR) standards in 2013 by the Ministry of Health and Family Welfare represented a crucial step in ensuring data standardisation and security for healthcare services.^[31] Standardised collection and storage of data (with prior consent) will enable data collected through one source to be used by other entities without format or other compatibility issues.

Additionally, the Digital Information Security in Healthcare Act (DISHA) of 2018 (yet to be enforced) provides a framework for a national digital health authority responsible for promoting e-health standards, protecting the privacy of electronic health data, and managing its storage and sharing.^[32] DISHA prioritises patient privacy and secure storage of digital health data, with the aim of minimising data breaches and ensuring that sensitive health information is used only with patient consent.

More recently, discussions about the creation of a national health stack programme have gained momentum. The aim of the programme is to establish a comprehensive digital health record system for all citizens^[33] and a robust framework in the Indian healthcare sector for data compatibility.

Through EHR and DISHA, the GoI is taking active steps to develop an effective framework that encourages innovation without compromising competitive conditions.

Key competition concerns

Data dominance and potential abuse

A vast amount of healthcare data is now collected through technologies including wearables and apps, on which the data collected ranges from heart rate, blood sugar, sleep pattern, blood pressure, fitness and biometric information.^[34] This kind of data, if controlled by a few entities, could confer a significant advantage (and the ability to exclude). Companies could also exploit this data for targeted advertisements, or by selling it to third-party advertisers. At the same time, given the sensitivity of healthcare data, disseminating this data or making it available for purchase is also not a viable solution.

Algorithmic bias

There are concerns that AI implemented in healthcare could reflect biases from the data on which it is trained, potentially leading to one or more unfair decisions, unequal access to healthcare services and anticompetitive conduct; for example, AI might underestimate the needs of certain minority groups, limiting their access to appropriate healthcare.

As for antitrust regulation, although the CCI has reviewed and dismissed allegations of algorithmic collusion, it has not specifically looked into the abuse of dominance concerns regarding the use of data in connection with AI.^[35] Specifically in the pharmaceutical sector, during the past 12 years, the CCI has primarily focused on physical pharmaceutical distribution.^[36] These cases, however, did not delve into issues on data exclusivity, data protection and competition concerns.

A pharmaceutical report by the CCI^[37] for the first time preliminarily explored the interplay between data privacy and competition law in the healthcare industry. The study observed that, with the advent of e-pharmacies and the concentration of data on a few platforms, there may be concerns about the collection, storage, security and sharing of data. Although the CCI noted that data and digital technology can improve access to and efficiency of healthcare delivery, it would nevertheless need to be alert to potential competition harms arising from the disproportionate collection and use of data by digital platforms. It noted the change brought by online pharmacies, and their corresponding use of users’ data that could lead to breach of patient data protection and prescription privacy. The CCI suggested that e-pharmacies adopt self-regulatory measures to ensure privacy and security of information until relevant data protection laws to safeguard patient privacy and protect sensitive personal medical data are enforced.

What next?

To understand the critical dynamic between the advancement of technology and the concerns it raises, in March 2024, the CCI announced its intention to launch a market study on the potential competition law issues raised by AI.^[38] The study is still in its nascent stages and the CCI’s intention is to understand the AI better to ensure that regulation keeps up with technology. The CCI is on the right path as it is important to understand the nuances of technology before attempting to regulate it. The healthcare sector requires a careful balance between regulation and innovation. Overregulation may discourage industry players from investing in research and development.

Online advertising

As markets have moved online, so have marketing and advertising. Advertisements are now targeted and personalised through the use of complex algorithms, machine learning and personal data. This can raise data management issues, including fair use, data protection and privacy, as well as data access and data dissemination.

Regulatory framework and key competition concerns

The GoI primarily relies on the IT Act and the DPDP Act to ensure data privacy and prevent the misuse of data.

Regarding antitrust regulation, with the massive ongoing and growing success of online markets in recent years, particularly during and following the covid-19 pandemic, online advertising is gaining regulatory attention. The CCI, however, has so far conducted a limited number of cases that have involved a detailed examination of allegations relating to online advertising.

In the first investigation in this sector – Matrimony v. Google, initiated in 2012 – the CCI found Google dominant in the market for ‘online general web search advertising’.^[39] The CCI examined claims relating to search and advertising services provided by Google and for the first time observed the rise of this new business model where data is considered as the ‘oil’ of this century. It also observed the role and nature of ‘big data, i.e., an aggregate of eyeballs/choices’^[40] provided by end users as consideration for a free search service, justifying the CCI’s jurisdiction over such a service. It noted that the large volumes of data collected enable search platforms to attract advertisers, target relevant advertisements and improve their search service. Specifically, the CCI noted that prominent placement of certain types of search results (flight units) enabled Google to collect more data, which disadvantaged competing vertical search engines and reinforced Google’s advantage in the search advertising market. The CCI dismissed other claims that Google’s AdWords platform impaired data interoperability with rival search advertising platforms. In its analysis, based on an assessment including third-party evidence, the CCI found that advertisers did not face any barriers from Google to multi-home their data across platforms.

In the Umar Javeed case,^[41] the CCI observed that, by pre-installing a free bundle of apps on Android phones, Google was able to collect large volumes of data that can be used in search advertising. The CCI noted that this practice can be considered as dynamic leveraging where data generated from each application can complement the other and give Google a big data advantage over its rivals.

What next?

In 2021, the CCI launched an investigation into allegations by news publishers of the potential for unfairness and data asymmetry between publishers and advertising platforms.^[42] This investigation is pending.

Advertising services under the DCB include advertising networks, advertising exchanges and any other advertising intermediation services. To avoid accumulation of data (and therefore significant market power) by one entity, the DCB requires a designated online advertising intermediation service provider to ensure that (1) data of each individual business user is interoperable and can be easily ported to a rival platform, (2) no additional benefit is provided to the platforms’ own products and services, and (3) no two services or products offered by the platform are tied together.

Online retail platform services

According to the India Brand Equity Foundation,^[43] as at 2023, India was the world’s fifth largest destination for retail marketplaces globally, and the Indian retail industry is projected to generate revenue in excess of US$1.8 trillion by 2030. Globally, the country is ranked as one of the highest in terms of revenue per retail store.^[44] Covid-19 was also an important factor in the shift to online retail, as recorded in the CDCL report.^[45]

Regulatory framework and key competition concerns

This sector is highly regulated in terms of limits on foreign direct investment, applicability of taxes, etc.; however, there is no single piece of legislation that covers the sector, including the use of data. The DPDP Act, once enforced, will apply to the processing, use and sharing of personal data for online retail platforms, and the CCI has been reviewing antitrust allegations in the online retail sector since 2014.^[46]

In 2018,^[47] the CCI identified the online retail market as a distinct market rather than just a different distribution channel alongside traditional or offline retail. The CCI has specifically identified the presence of data-driven network effects while assessing market strength and its effects as exhibited by online platforms.^[48] The CCI is likely to conduct a case-by-case analysis for assessment of a platform’s dominance. In the past, it has dismissed complaints alleging abuse of dominance against online platforms such as Zomato^[49] owing to lack of dominance. It was alleged that Zomato unfairly raised delivery charges, imposing unfair conditions on users, in an abuse of the dominance it quickly gained in the online food ordering market owing to access to millions of users’ data from its restaurant discovery website, Foodiebay.com. The CCI disagreed with the market delineations^[50] and dismissed the complaint for lack of dominance and for there being no evidence of an effect on the market for the vertical restraint allegations.

Novel antitrust concerns have been and are being reviewed by the CCI in the context of data-driven retail platforms. In the continuing investigations into online food aggregator platforms such as Swiggy and Zomato, the allegation is that accumulation of large data sets enables these platforms to impose restrictions such as price parity,^[51] preferential listing^[52] and exclusivity on its business users.

The CCI is presently investigating e-commerce platforms such as Amazon and Flipkart^[53] in respect of similar concerns (preferred sellers, preferential listing, exclusively launching popular devices on their platform, requiring exclusivity from sellers, etc.) based on allegations that they have created entry barriers owing to network effects prompted by their access and use of large repositories of data. In the past, the CCI has preliminarily dismissed allegations involving the data use policies of large online retail platforms in respect of their third-party business users’ information. In 2021, CCI suo moto inquired into Amazon’s data policy following a Reuters report alleging that Amazon was using sellers’ data on its online marketplace to run ‘a systematic campaign of creating knockoffs and manipulating search results to boost its own product lines in India’.^[54] The CCI dismissed the action based on Amazon’s statement on oath by way of affidavit that denied all allegations in the Reuters’ report and its explanation that Amazon’s internal seller data protection policy does not allow use of seller-specific non-public information, such as inventory and sales data, and only allows use of data that is aggregated across multiple sellers for legitimate internal business purposes. The CCI did note, however, that it would revisit the allegations should Amazon’s statement be untrue. A similar complaint^[55] by an online vendor association was considered and dismissed by the CCI for lack of evidence. Among other allegations, the association claimed that Amazon was colluding with certain sellers on its e-commerce platform (allegedly Amazon’s affiliates), to build products with private labels by using the data of its competitors (sellers on Amazon’s platforms) without investing the time and resources in testing, and then sold these products at massive discounts. In another complaint against Amazon,^[56] dismissed by the CCI, it was alleged that Amazon as a marketplace has access to sensitive commercial data, such as pricing and trends in respect of the products sold by retailers on the platform, and uses this data to the competitive advantage of its preferred sellers. This complaint was dismissed primarily on the grounds that Amazon was not dominant in the market assessed by the CCI while inquiring into the complaint (i.e., the market for ‘services provided by online platforms for selling fashion merchandise in India’).^[57] It separately found that even as a marketplace with market power, its conduct did not give rise to an appreciable adverse effect on competition.

A report on e-commerce released by the CCI in 2020^[58] also encouraged the adoption of self-regulatory measures for e-commerce platforms that include the adoption of data collection policies to address issues such as sharing data with third parties for e-commerce platforms. These self-regulatory measures followed findings by the CCI that the data collection policies of e-commerce platforms were likely to have resulted in increased bargaining power and information asymmetry in the market.

What next?

As evidenced above, the issues of data use on online retail platforms have been brought to the CCI’s attention time and again. Not surprisingly, therefore, the DCB proposes to impose obligations on SSDEs,^[59] precluding them from using non-public data of business users to compete with businesses on their platform. The DCB also disallows the use of personal data of end users or business users collected from different sources, or the use of such data by third parties, without consent. These platforms are also required to allow business users and end users to easily port their data in a format that will be specified by the CCI.

If the DCB is introduced as a law in its current form, the current investigations against online marketplace sellers – including Amazon and Flipkart, and online food aggregators, such as Swiggy and Zomato (if they are designated as SSDEs) – into allegations of self-preferencing, tying and bundling, and anticompetitive data usage, would be moot. The decisional practice of the CCI dismissing claims of data use by market platforms is particularly noteworthy given that, under the DCB in its current form, Amazon may meet the thresholds to be classified as an SSDE for its e-commerce market place (as a CDS).^[60] On designation, these entities, including Amazon, will be proscribed from using business or user data collected from its platform to make any vertical services it offers more competitive – regardless of whether it may have resulted in pro-competitive effects.

Financial services

Fintech innovations such as cloud banking services have disrupted the Indian financial sector and revolutionised the Indian banking system. Financial data use is multiform, ranging from determining the creditworthiness of an individual to spending and earnings. Access to financial data is crucial for entities looking to launch new products and services and to target advertising.

Regulatory framework and key competition concerns

The financial services sector is highly regulated and is overseen by the Reserve Bank of India (RBI), which has issued several sector-specific data protection regulations (e.g., guidelines on digital lending published in 2022) that limit collection of data by regulated entities. These guidelines, and other regulations issued by the RBI, are consistent with the consent mechanism introduced under the DPDP Act.

In addition, the CCI has reviewed data collection and use practices in the financial services market. In Gpay/Pay,^[61] it defined a narrow market limited to those entities providing unified payment interface (UPI) services in India, rather than a broader market for digital payments.^[62] It examined Google’s practice to allow its own app (Google Pay) to use a better technology for making payments on the Play Store than it made available to rival UPI apps, and directed Google to ensure that it did not discriminate against other apps facilitating payment through UPI in India in favour of its own UPI app. In the same decision, the CCI also held that mandatory imposition of the Google Play Billing System (GPBS) as a payment processor for all paid apps and in-app payments made via the Play Store was an abuse of Google’s dominance in the market for app stores for Android smart mobile operating systems. The CCI directed Google to allow third-party payment processing services on the Play Store and imposed remedies on storage, use and sharing of data collected by Google on the Google Play platform, requiring that it (1) follow a transparent policy for collection, use and sharing of data and (2) share data generated through the GPBS with third-party app developers and not leverage the data for Google’s own advantage.

What next?

On 15 March 2024, the CCI issued an order^[63] directing a fresh investigation into allegations of unfair pricing under Google’s Play Store billing policies. It is considering whether the service fee is unfairly excessive.

Finally, the DCB includes payment sites in the definition of ‘online intermediation service’ CDS, such that some companies could be identified as SSDEs and subject to obligations by the CCI.

Endnotes:

^[1] Hemangini Dadwal is a partner, Shreya Singh is a senior associate and Deepanshu Poddar and Arnav Singh are associates at AZB & Partners.

^[2] Ministry of Electronics and IT, press release, ‘Salient features of Prime Minister Shri Narendra Modi’s 77th Independence Day address on giant strides India has taken in Electronics and IT Sector’ (18 August 2023) (https://pib.gov.in/PressReleasePage.aspx?PRID=1949092).

^[3] In 2016, Jio announced that it would provide its subscribers with 1GB of free data every day for a period of 83 days. Subsequently, Jio introduced data plans that were significantly more affordable than those of their competitors and the competitors were forced to reduce their data tariffs.

^[4] https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf.

^[5] Regulation (EU) 2016/679 (https://gdpr-info.eu/).

^[6] https://www.meity.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf.

^[7] Section 43A: Compensation for failure to protect data: ‘Where a body corporate, possessing, dealing [with] or handling any sensitive personal data or information in a computer resource which it owns, controls or operates is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.’ (https://police.py.gov.in/Information%20Technology%20Act%202000%20-%202008%20(amendment).pdf).

^[8] Based on factors such as (1) the volume and sensitivity of personal data processed, (2) risk to the rights of the data principal, (3) potential impact on the sovereignty and integrity of India, (4) risk to electoral democracy, (5) security of the state and (6) public order.

^[9] Digital Personal Data Protection Act 2023 (https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf).

^[10] See https://www.thehindu.com/sci-tech/technology/digital-india-act-to-address-disbalance-between-digital-news-publishers-and-big-tech-platforms-mos-rajeev-chandrasekhar/article67822466.ece.

^[11] See the presentation submitted by the Ministry of Electronics and Information Technology for the proposed Digital India Act, 2023 (https://www.meity.gov.in/writereaddata/files/DIA_Presentation%2009.03.2023%20Final.pdf).

^[12] Federation of Hotel & Restaurant Associations of India (FHRAI) v. MakeMyTrip India Pvt. Ltd. (MMT) & ors, Case No. 14 of 2019, para. 232.

^[13] Harshita Chawla v. WhatsApp Inc. and others, Case No. 15 of 2020, para. 91.

^[14] Updated Terms of Service and Privacy Policy for WhatsApp Users, Suo Moto Case No. 01 of 2021, para. 32.

^[15] Competition Commission of India (CCI), ‘Market Study on the PharmaceuticalSector in India: Key Findings and Observations’ (18 November 2021)(https://www.cci.gov.in/images/marketstudie/en/market-study-on-the-pharmaceutical-sector-in-india1652267460.pdf).

^[16] CCI, ‘Market Study on the Telecom Sector in India: Key Findings and Observations (22 January 2021) (https://www.cci.gov.in/images/marketstudie/en/market-study-on-the-telecom-sector-in-india1652267616.pdf).

^[17] CCI, ‘Market Study on E-Commerce in India: Key Findings and Observations (8 January 2020) (https://www.cci.gov.in/images/marketstudie/en/market-study-on-e-commerce-in-india-key-findings-and-observations1653547672.pdf).

^[18] Samir Agrawal v. ANI Technologies Private Limited and Others, CCI, Case No. 37 of 2018, para. 15. The CCI order was upheld by the appellate courts in Samir Agrawal v. Competition Commission of India and Others, NCLAT, Competition Appeal (AT) No. 11 of 2019.

^[19] Even in the absence of active participation in collusion, online platforms could easily fall into the category of ‘hubs’ that facilitate the exchange of commercially sensitive information among rivals connected and listed on its platform, given that the features offered by the platform to the sellers (such as seller’s dashboard, sales trend, statistics, suggested prices, etc.) can be considered as making the platform a hub to exchange price-sensitive information about the sellers. The CCI presumes guilt if it finds and initiates an investigation to look into a hub-and-spoke cartel violation, and so far disproving an assumption of guilt for cartelisation has been an uphill task with the CCI.

^[20] Target-based exemptions available under the Competition Act allow any investment in a target enterprise with assets below 4.5 billion rupees to be exempt from notification to the CCI. The asset value for the target-based exemption was increased to 4.5 billion rupees from 3.5 billion through a Government of India notification on 7 March 2024. The turnover base threshold for target exemption was increased to 12.5 billion rupees from 10 billion rupees.

^[21] Ministry of Corporate Affairs, ‘Report of the Competition Law Review Committee’, dated 26 July 2019, Chapter 7, paras. 5.3 and 5.11 (pp. 128, 132) (https://www.ies.gov.in/pdfs/Report-Competition-CLRC.pdf). This report considered acquisitions such as Myntra by Flipkart (in 2014), TaxiforSure by Ola (in 2015), WhatsApp by Facebook (in 2014) and Freecharge by Snapdeal (in 2015) as examples for justifying introduction of the deal value threshold. Notably, since these acquisitions, several new players have entered these markets, such as Telegram (online messaging), BluSmart (online taxi services) and PhonePe (online payments). Arguably, this is proof of these markets remaining contestable even after the ‘unchecked’ acquisitions.

^[22] See CCI, Fair Play, Volume 42: July-September 2022, page 13 (https://www.cci.gov.in/images/publications_fairplay/en/volume-42-july-september-20221666260876.pdf).

^[23] Updated Terms of Service and Privacy Policy for WhatsApp Users Suo motu, Case No. 1 of 2021 see para. 26 read with para. 31.

^[24] Umar Javeed v. Google LLC and Anr, Case No. 39 of 2018, paras. 639 and 629; Federation of Hotel & Restaurant Associations of India (FHRAI) v MakeMyTrip India Pvt. Ltd., Case No. 14 of 2019, paras. 232, 307 and 319.

^[25] Government of India, Ministry of Corporate Affairs, ‘Report of the Committee on Digital Competition Law’ (2024) (https://www.mca.gov.in/bin/dms/getdocument?mds=gzGtvSkE3zIVhAuBe2pbow%253D%253D&type=open).

^[26] Comments and feedback about the Digital Competition Bill, 2024 were invited from the public up to 15 April 2024.

^[27] ‘Report of the Committee on Digital Competition Law’, op. cit. note 25, pp. 94–96.

^[28] Enterprises are required to self-report as systematically significant digital enterprises if they meet the quantitative thresholds under Section 3(2) of the Digital Competition Bill, 2024 (DCB). This includes meeting the financial and user-based thresholds. Financial thresholds are not limited to a particular core digital service (CDS) and include: (1) turnover in India of not less than 40 billion rupees (US$48 million); or (2) global turnover of not less than US$30 billion; or (3) gross merchandise value in India of not less than 160 billion rupees (US$1.9 billion); or (4) global market capitalisation of not less than US$75 billion, or its equivalent fair value of not less than US$75 billion calculated in such manner as may be prescribed. User-based thresholds are met if the enterprise meets any of the following, in each of the immediately preceding three financial years in India: (1) the CDS provided by the enterprise has at least 10 million end users; or (2) the CDS provided by the enterprise has at least 10,000 business users. There are certain qualitative thresholds as well under Section 3(3) but these are subjective and do not carry a self-reporting requirement under the DCB.

^[29] ‘The Power of Digital HealthCare Ecosystems’ (Deloitte United States, 8 March 2022) (https://www2.deloitte.com/us/en/pages/advisory/articles/the-power-of-health-care-ecosystems-and-platforms.html); see also, on the use of health monitoring using smart televisions, Y Jog, A Sharma, K Mhatre and A Abhishek, ‘Internet Of Things As A Solution Enabler In Health Sector’ in International Journal of Bio-Science and Bio-Technology, Vol. 7, No. 2 (2015), pp. 9–24 (https://gvpress.com/journals/IJBSBT/vol7_no2/2.pdf).

^[30] T Davenport and R Kalakota, ‘The potential for artificial intelligence in healthcare’, Future Healthc J, June 2019 6(2), 94–98 (https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6616181/).

^[31] https://main.mohfw.gov.in/sites/default/files/17739294021483341357.pdf.

^[32] Ministry of Health and Family Welfare, ‘Comments On Draft Digital Information Security In Health Care Act’ (https://main.mohfw.gov.in/?q=newshighlights/comments-draft-digital-information-security-health-care-actdisha).

^[33] National Institute for Transforming India, Government of India, ‘National Health Stack:Strategy and Approach’ (https://abdm.gov.in:8081/uploads/NHS_Strategy_and_Approach_1_89e2dd8f87.pdf; see also Mysuru Infra Hub, ‘National Health Stack to bring excellenceto Indian healthcare’ (https://mysuruinfrahub.com/national-health-stack-to-bring-excellence-to-indian-healthcare/#:~:text=National%20Health%20Stack%20Overview&text=The%20Health%20Stack %20is%20a,of%20diverse%20solutions%20in%20health).

^[34] US Federal Trade Commission, Division of Privacy and Identity Protection, K Cohen, Acting Associate Director, ‘Location, health, and other sensitive information: FTC committed to fully enforcing the law against illegal use and sharing of highly sensitive data’ (11 July 2022) (https://www.ftc.gov/business-guidance/blog/2022/07/location-health-and-other-sensitive-information-ftc-committed-fully-enforcing-law-against-illegal).

^[35] In Re: Alleged Cartelization in the Airlines Industry, Case No. 03 of 2015.

^[36] In Re: M’s House of Diagnostics LLP v. Neurologica Corporation and Ors, Shri Ramakant Kini v. Hiranandani Hospital, Case No. 39 of 2012; Vivek Sharma v. Max Super Speciality Hospital, Case No. 77 of 2015.

^[37] CCI, ‘Market Study on the Pharmaceutical Sector in India: Key Findings and Observations’, op. cit. note 15.

^[38] ‘CCI to shortly commence market study on artificial intelligence’, Deccan Herald (https://www.deccanherald.com/india/cci-to-shortly-commence-market-study-on-artificial-intelligence-2922582).

^[39] Matrimony.com Limited v. Google LLC & Others, Case No. 07 and 30 of 2012.

^[40] id., para 84.

^[41] Umar Javeed v. Google LLC and Anr, Case No. 39 of 2018.

^[42] Digital News Publishers Association v. Alphabet Inc. and Others, Case No. 41 of 2021. Some of the allegations being investigated were also part of the European Commission’s Statement of Objections in Google AdTech, Case No. AT. 40670, in which final adjudication is pending.

^[43] See https://www.ibef.org/download/1707291321_Retail-December-2023.pdf.

^[44] IBEF Report January 2023 (https://www.ibef.org/download/1707291321_Retail-December-2023.pdf).

^[45] ‘Report of the Committee on Digital Competition Law’, op. cit. note 25, p. 29.

^[46] Mr Asish Ahuja v. Snapdeal.com, Case No. 17 of 2014.

^[47] All India Online Vendors Association (AIOVA) v. Flipkart, Case No. 20 of 2018.

^[48] Federation of Hotel & Restaurant Associations of India (FHRAI) v. MakeMyTrip India Pvt. Ltd, Case No. 14 of 2019, para. 232.

^[49] Mr. Rohit Arora, Advocate v. Zomato Pvt. Ltd. (now Zomato Ltd.), Case No. 54 of 2020.

^[50] The CCI dismissed the complaint against Zomato for lack of dominance in the narrowly defined markets for food ordering and food delivery, since it ‘does not find these aforesaid definitions in consonance with the market realities and approach adopted by the Commission while dealing with the platform market cases’.

^[51] National Restaurant Association of India (‘NRAI’) v. Zomato Limited (‘Zomato’) & Others, Case No. 16 of 2021; Federation of Hotel & Restaurant Associations of India (FHRAI) v. MakeMyTrip India Pvt. Ltd, Case No. 14 of 2019.

^[52] National Restaurant Association of India (‘NRAI’) v. Zomato Limited (‘Zomato’) & Others, Case No. 16 of 2021.

^[53] Delhi Vyapar Mahasangh and Flipkart Internet Private Limited and ors, Case No. 40 of 2019.

^[54] In Re: Allegations pertaining to private label brands related to Amazon sold on Amazon India marketplace, Suo Motu Case No. 04 of 2021, para. 1.

^[55] AIOVA Sellers Association/Amazon Sellers Services, Case No. 29 of 2020.

^[56] Lifestyle Equities C.V./Amazon Seller Services, Case No. 9 of 2020.

^[57] id., paras. 23–26.

^[58] See note 17.

^[59] E-commerce platforms, online food aggregators, etc. are likely to be designated as systematically significant digital enterprises (SSDE) for the very broadly and loosely defined CDS of ‘online intermediation services’. In Schedule I of the DCB, it is stated that ‘online intermediation service’ includes any other digital service, not expressly covered under clauses (a) to (h) of Schedule I, which, on behalf of an end user or a business user, receives, stores or transmits an electronic record or provides any service with respect to that record and includes web-hosting service providers, payment sites, auction sites, online application stores, online marketplaces and aggregators providing services such as mobility aggregation, food ordering, food delivery services and match-making.

^[60] Designation depends on meeting the thresholds under the DCB (see note 28, above). According to public reports, Amazon’s e-commerce platform had around 1.2 million sellers in 2023, which breaches at least the business user-based thresholds of 10,000 business users in India for designation as an SSDE (see https://www.forbesindia.com/article/take-one-big-story-of-the-day/inside-amazons-game-plan-for-india/88633/1#:~:text=The%20ecommerce%20company %20has%20secured,big%20investments%20for%20further%20expansion).

^[61] XYZ v. Alphabet, Case No. 07 of 2020.

^[62] The CCI’s decision was based on factors including: (1) unified payment interface (UPI) users can initiate push transactions by using UPI identifiers, a feature that is not available in any other modes of digital payment; (2) UPI permits the linking of multiple bank accounts into a single mobile app (in contrast, one credit or debit card is linked with only one bank account); and (3) the presence of network effects. This offers useful insight into how other segments within the online financial services market, including other services for transacting money, will be examined in the future.

^[63] People Interactive India Private Limited And Alphabet Inc. & Others, Case No. 37, of 2022.