Our India chapter has been published in the 2nd edition of GCR’s Data & Antitrust Guide titled ‘India: regulators take careful approach to AI-driven market growth’, at https://globalcompetitionreview.com/guide/data-antitrust-guide/second-edition/article/india-regulators-take-careful-approach-ai-driven-market-growth.

Introduction

In the digital economy, data is the fuel that powers innovation and artificial intelligence (AI) is its most potent engine. As businesses leverage vast data sets to define algorithms and enhance market power, competition regulators worldwide are grappling with how data accumulation affects market dynamics. In India, the evolving regulatory landscape – encompassing the Digital Personal Data Protection Act, 2023 (the DPDP Act), the Competition Act, 2002 (as amended) and proposed ex ante rules for digital markets – raises critical questions about data access, monopolisation and AI-driven market distortions. A competition law lens on data regulation is now essential to ensure that AI-driven economies remain fair, contestable and innovation-friendly. The big question today is whether the current and proposed regulations will drive growth or stifle innovation. We explore this debate in this chapter.

Data regulation in India

Governing laws and framework

India’s primary governing law for personal data protection is the DPDP Act (enacted but yet to be enforced).^[1] It is similar to the European Union’s General Data Protection Regulation^[2] but imposes only baseline obligations on data fiduciaries (i.e., entities determining data processing). The DPDP Act, alongside the Information Technology Act, 2000 (the IT Act) and various guidelines and rules under it (together, the IT Guidelines^[3]), regulate most personal data-related issues. However, clarity on enforcement timelines remains pending as the Draft Digital Data Protection Rules, 2025 are yet to be finalised.^[4]

AI systems thrive on large data sets, making data governance and AI regulation inseparable.

Key features of the Digital Personal Data Protection Act and its implications for artificial intelligence

The key points introduced by the DPDP Act include the following:

• Data processor: An entity that processes data.
• Data principal: Any entity whose data is being processed.
• Significant data fiduciary: Certain data fiduciaries can be designated by the government for stricter compliance, including audits, impact assessments and appointing data protection officers.
• Restrictions on minors’ data: The collection and processing of minors’ data are strictly prohibited.
• Consent architecture: Fiduciaries must disclose the purpose of data collection, ensure clear and accessible consent mechanisms, limit data use as per acquired consent and provide transparent privacy notices.
• Withdrawal of consent: Data principals can withdraw consent or file grievances if consent was given before enforcement of the DPDP Act.^[5]

AI systems operate on vast amounts of non-personal and anonymised data, which are outside the purview of the DPDP Act. In addition to this, there is no clarity as to whether the government of India (GoI) will introduce a mechanism for regulation of non-personal data within the proposed bill for a Digital India Act.^[6]

Competition law and data-driven markets

Antitrust oversight on data and artificial intelligence practices

The Competition Commission of India (CCI) examines competition concerns arising from data-driven markets under the Competition Act, though there are no dedicated provisions addressing AI-related antitrust issues. Key areas of scrutiny include:

• the manner in which companies collect, process and accumulate data for AI-driven decision-making;
• exploitative and exclusionary practices arising from data-driven network effects in AI markets;
• ensuring voluntary and informed user consent in AI-generated outputs and
• the intersection of privacy, AI governance and competition law.

Investigations by Competition Commission of India in digital markets

Although the CCI is taking a wait-and-watch approach to AI regulation, it has already looked into competition issues in digital markets. Since 2012, it has launched investigations into several big tech firms (Google, Microsoft, Apple, Meta, Amazon) and Indian start-ups (Flipkart, Zomato, Swiggy). Five contravention decisions have already been issued against technology firms, signalling the CCI’s increasing focus on digital markets. As regards issues within the digital markets that intersect with potential concerns in AI regulation, the CCI has used the Competition Act to examine allegations such as (1) the manner of collecting, processing and accumulating data, (2) exploitative and exclusionary abusive practices that may result from data-driven network effects,^[7] (3) construing user consent through necessary voluntary steps^[8] and (4) the interrelationship between privacy and competition law.^[9]

Market studies and policy reports

Apart from enforcement efforts, the CCI and other policy bodies have conducted multiple studies to assess competition concerns in digital markets; for example:

• Standing Committee on Finance Report, 2022: Recommended amendments to the Competition Act considering the growing digital and AI economy.
• CCI market study on the pharmaceutical sector:^[10] Examining AI-driven data use by online pharmacies.
• CCI market study on the telecommunications sector:^[11] Assessing the tension between allowing access to data and protecting privacy, in the context of competition in the telecommunications market.
• CCI market study on e-commerce:^[12] Identifying competitive concerns in online retail, travel and food delivery. The study sought to future-proof competition compliance by providing a set of voluntary self-regulating measures that businesses with market power ought to adopt.

Regulation and competitive implications of artificial intelligence

Reliance on data and privacy risks

AI is trained using large data sets, and is also tuned and retrained using additional data sets. However, this can create potential risks, including:

• unauthorised data collection: AI may gather personal and sensitive data without explicit consent;
• lack of transparency: AI models are often ‘black-boxed’, making it difficult to track how data is used;
• unchecked surveillance: AI-powered analytics can lead to pervasive monitoring, threatening privacy rights;
• data leakage and exfiltration: poorly governed AI systems risk exposing sensitive information; and
• bias and discrimination: AI models trained on biased data sets can reinforce harmful stereotypes, affecting competition and consumer choice.

India’s strategy on regulating artificial intelligence

Unlike jurisdictions such as the European Union and the United States, India is taking a wait-and-watch approach to AI-specific regulations. The GoI’s priority remains AI innovation with balanced regulation, as reflected in the 10.3 billion rupees approved for IndiaAI Mission.^[13] This initiative aims to develop a non-personal data platform to facilitate AI research, and launch a graphics processing unit (GPU) access portal to support AI start-ups and researchers. Initiatives are also under way to reduce reliance on imported technology by developing an indigenous GPU within the next three to five years.^[14] India’s Ministry of Electronics and Information Technology is working towards building indigenous AI models^[15] and is establishing 27 AI data laboratories.^[16] The GoI is focused on the growth of AI-driven markets in India, particularly on promoting indigenous growth towards self-reliance.

Existing efforts and regulations specific to artificial intelligence

Instead of following the path of over-regulation, and in recognition of AI’s transformative potential, the GoI has proposed a self-regulatory approach through the Draft AI Governance Guidelines (released on 6 January 2025 and currently under stakeholder consultation).^[17] The Advisory Group on AI Governance, chaired by India’s Principal Scientific Adviser, is leading this initiative.^[18] Additional regulatory measures include the following:

• Government advisory of 15 March 2024:
  • AI platforms must label experimental AI models as ‘under testing’.
  • Platforms must implement user consent mechanisms to inform users about potential inaccuracies in AI-generated outputs and ensure metadata tracking for modification.^[19]
  • AI-generated content must comply with the Information Technology Rules, 2011, prohibiting pornography, child sexual abuse material and content that is obscene, grossly defamatory or in any manner unlawful.
• Sectoral regulation: Sectoral regulators such as the Reserve Bank of India (RBI) are expected to introduce sector-specific AI guidelines, particularly in fintech and automated decision-making.^[20]

Competition Commission’s approach to artificial intelligence and competition law

The key challenge for the CCI in AI regulation is timing. Intervening too early may stifle innovation, while delayed intervention may allow anticompetitive practices to take root. To navigate this, CCI has prioritised understanding the impact of AI before taking regulatory action.

Ongoing artificial intelligence market study

In September 2024, the CCI appointed the Management Development Institute Society (MDIS) to conduct a Market Study on Artificial Intelligence and Competition^[21] (AI Study). This AI Study will cover various aspects, including understanding the existing AI ecosystem, its emerging and potential competition concerns, existing and evolving regulatory frameworks, enforcement and advocacy priorities, among other things.^[22] In the past few months, MDIS has conducted stakeholder consultations with legal practitioners, academicians and other industry stakeholders and will cover their findings in a report to the CCI, to decide the next steps. While noting that the AI Study will examine various risks associated with AI, the CCI chairperson has recently made statements^[23] that the CCI aims to address the concerns through appropriate enforcement mechanisms. The CCI also upgraded its in-house Digital Markets and Data Unit to a Digital Markets Division, headed by an adviser. Its priority is to recruit domain experts in areas such as AI, data analytics and digital markets to ensure the CCI is equipped to address challenges posed by rapidly evolving technology.

AI regulation and its competitive implications

More generally, antitrust regulators worldwide have raised concerns about restricted access to generative AI (GenAI) models and foundational data, given that substantial proprietary data sets and computing resources are concentrated in a few large technology firms. This has led to fears of market concentration and vertical integration in AI-driven markets. In India, these concerns have been echoed in stakeholder discussions, especially in view of the absence of a legal framework governing proprietary AI licences. However, the prevalence of open-source AI models such as Deepseek, Llama 3, H2O.ai, DeepSearcher, GPT-4 and QwQ-32B demonstrates that AI development is not exclusively proprietary. Open-source research has historically driven AI innovation and two-thirds of AI models today operate on open-source frameworks. Additionally, the GoI’s initiatives to promote self-reliance in AI technology will mitigate residual concerns about data accessibility.

Competition Amendment Act, 2023 and artificial intelligence markets

Recent updates to India’s Competition Act (Competition Amendment Act, 2023) reinforce competition law’s applicability to data-driven markets:

• Hub-and-spoke cartels: The Act now penalises not just participation but also the intent to participate in any such cartels affecting online platforms that rely on AI models.^[24] This is a departure from the CCI’s previous approach,^[25] where only ‘active’ collusion was considered to justify a finding of a hub-and-spoke cartel.
• Vertical agreements: The scope has been expanded to include platform markets, beyond traditional buy-sell relationships.
• Deal value thresholds: The CCI can now review mergers and acquisitions in asset-light digital companies if (1) the deal value exceeds 20 billion rupees and the target has substantial business operations (SBOs) in India.^[26]

SBO criteria now cover digital services, internet services and digital content. The test for SBOs in India also includes a criterion for digital services for entities providing internet services or digital content.

The introduction of the deal value threshold is justified by claims that technology mergers and ‘killer acquisitions’ have ‘escaped’ review.^[27] However, there is little evidence to suggest that antitrust intervention would have been warranted in those cases.

Future of data, artificial intelligence and competition regulation

Data

The Digital Competition Bill, 2024 and ex ante regulation

On 12 March 2024, the Committee on Digital Competition Law released the Digital Competition Bill, 2024 (DCB)^[28] for public consultation.^[29] If enacted, the DCB will designate systemically significant digital enterprises (SSDEs)^[30] based on (1) financial thresholds (revenues, investments, etc.) and (2) user base thresholds (business and end users in India).

SSDEs will be required to self-notify to the CCI, which may impose obligations such as no self-preferencing, no anti-steering policies, tying or bundling, fair and transparent dealings with users, restrictions on non-public business data usage and data portability requirements.^[31] The draft DCB also empowers the CCI to notify specific obligations, tailor-made for each core digital service (CDS) identified under the DCB.

The CCI will have broad enforcement powers, including penalties of up to 10 per cent of total global turnover, cease-and-desist orders and the ability to investigate global conduct. Stakeholder consultations are over, with no clarity on when the DCB will be tabled in Parliament.

Data and artificial intelligence

The regulation of data and AI is deeply intertwined, as AI relies on data sets for training, tuning and retraining. Although the DPDP Act lays the groundwork for personal data protection, it does not address the role of non-personal data. Meanwhile, the CCI is actively investigating digital market practices and exploring AI’s competition implications through continuing studies.

India’s regulatory approach remains a work in progress, with a shift towards proactive but cautious regulation in AI markets. The coming years will determine whether India can strike a balance between innovation, data protection and competitive neutrality in the evolving digital landscape.

Competition concerns in specific sectors

The next sections briefly cover data-related competition concerns specific to healthcare and AI, online advertising, e-commerce and financial services.

Healthcare and artificial intelligence

AI has emerged as a powerful tool to leverage healthcare data, and AI applications (apps) are already used by consumers, service providers and life sciences companies to support diagnosis, treatment recommendations, patient engagement and administrative tasks.^[32]

India does not have a separate legal framework for all health data-related issues, such as ensuring accuracy, lack of bias, etc., and there are no separate laws regulating AI, cloud computing or machine learning. In the future, the consent mechanism under the DPDP Act (once enforced) will apply to how health data should be accessed and shared.

Key competition concerns

Data dominance and potential abuse

A vast amount of healthcare data is now collected through technologies such as wearables and apps, on which the data collected ranges from heart rate, blood sugar, sleep pattern, blood pressure, fitness and biometric information.^[33] This kind of data, if controlled by a few entities, could confer a significant advantage (and the ability to exclude). Companies could also exploit this data for targeted advertisements or by selling it to third-party advertisers. At the same time, given the sensitivity of healthcare data, disseminating this data or making it available for purchase is also not a viable solution.

Algorithmic bias

There are concerns that AI implemented in healthcare could reflect biases from the data on which it is trained, potentially leading to one or more unfair decisions, unequal access to healthcare services and anticompetitive conduct; for example, AI might underestimate the needs of certain minority groups, limiting their access to appropriate healthcare.

As for antitrust regulation, although the CCI has reviewed and dismissed allegations of algorithmic collusion, it has not specifically looked into the abuse of dominance concerns regarding the use of data in connection with AI.^[34] However, the CCI is showing increased interest in the interplay of algorithmic collusion and AI. For instance, in December 2024, the CCI chairperson made a statement^[35] that AI ‘has the potential to aid cartelisation by automating collusive behaviour through predictive algorithms’. The chairperson also noted that the CCI is currently focusing on ‘developing ecosystems that ensure algorithmic transparency and accountability while promoting innovation’. We can expect some updates in this area in the near future.

Specifically in the pharmaceutical sector, during the past 12 years, the CCI has primarily focused on physical pharmaceutical distribution.^[36] These cases, however, did not delve into issues of data exclusivity, data protection or competition concerns.

Market reports

A pharmaceutical report by the CCI^[37] for the first time preliminarily explored the interplay between data privacy and competition law in the healthcare industry. The study observed that, with the advent of e-pharmacies and the concentration of data on a few platforms, there may be concerns about the collection, storage, security and sharing of data. Although the CCI noted that data and digital technology can improve access to and efficiency of healthcare delivery, it would nevertheless need to be alert to potential competition harms arising from the disproportionate collection and use of data by digital platforms. It noted the change brought by online pharmacies and their corresponding use of users’ data that could lead to breaches of patient data protection and prescription privacy. The CCI suggested that e-pharmacies adopt self-regulatory measures to ensure privacy and security of information until relevant data protection laws to safeguard patient privacy and protect sensitive personal medical data are enforced.

What next?

The AI Study is likely to offer more insights into AI’s role in the pharmaceutical sector.

Online advertising

As markets have moved online, so have marketing and advertising. Advertisements are now targeted and personalised through the use of AI, machine learning and collection of personal data, and this can raise data management issues, including fair use, data protection and privacy, as well as data access and data dissemination.

Regulatory framework and key competition concerns

The government primarily relies on the IT Act and the DPDP Act to ensure data privacy and prevent the misuse of data.

Regarding antitrust regulation, with the massive growing success of online markets in recent years, particularly during and following the covid-19 pandemic, online advertising is gaining regulatory attention. The CCI, however, has so far conducted a limited number of cases that have involved a detailed examination of allegations relating to online advertising.

In the first investigation in this sector – Matrimony v. Google, initiated in 2012 – the CCI found Google dominant in the market for ‘online general web search advertising’.^[38] The CCI examined claims relating to search and advertising services provided by Google and for the first time observed the rise of this new business model where data is considered the ‘oil’ of this century. It also observed the role and nature of ‘big data, i.e., an aggregate of eyeballs/choices’^[39] provided by end users as consideration for a free search service, justifying the CCI’s jurisdiction over such a service. It noted that the large volumes of data collected enable search platforms to attract advertisers, target relevant advertisements and improve their search service. Specifically, the CCI noted that the prominent placement of certain types of search results (flight units) enabled Google to collect more data, which disadvantaged competing vertical search engines and reinforced Google’s advantage in the search advertising market. The CCI dismissed other claims that Google’s AdWords platform impaired data interoperability with rival search advertising platforms. Based on third-party evidence and its overall analysis, the CCI found that advertisers did not face any barriers from Google to multi-home their data across platforms.

In the Umar Javeed case,^[40] the CCI observed that, by pre-installing a free bundle of apps on Android phones, Google was able to collect large volumes of data that can be used in search advertising. The CCI noted that this practice can be considered as dynamic leveraging where data generated from each app can complement the other and give Google a big data advantage over its rivals.

Most recently, the CCI imposed a penalty of 213.14 million rupees on Meta and issued a number of significant behavioural remedies for data-sharing between WhatsApp, other Meta products and Meta entities.^[41] The CCI noted that (1) the ‘take-it-or-leave-it’ approach regarding users accepting the privacy update or losing access to WhatsApp exploited users’ lack of alternatives and infringed user autonomy, and (2) WhatsApp’s data sharing with its parent entity (Meta) led to exclusionary effects in the market for online display advertising in India. For the first time, the CCI passed remedies on the data sharing practices of a private entity. Moreover, the CCI prohibited cross-platform data sharing for advertising purposes for five years and, after five years, for advertising and non-advertising purposes, required Meta to:

• explain its data-sharing policies, linking types of data to their purpose;
• not mandate data sharing with Meta for using WhatsApp in India; and
• implement some user control mechanisms inside the WhatsApp app. In particular, users must be given the option to opt out of data sharing, to be presented prominently via in-app notifications and a setting to review and modify data sharing choices.

This decision was challenged in January 2025 before the appellate forum, the National Company Law Appellate Tribunal. The Tribunal granted an interim stay on the CCI’s first five-year ban on sharing WhatsApp user data with Meta for advertising purposes, noting that such a restriction could disrupt WhatsApp’s business model, which relies on providing free services to users. The Tribunal also considered the fact that the DPDP Act, 2023 has been passed and is likely to be enforced, which may cover all issues pertaining to data protection and data sharing. The appeal is still ongoing.

The CCI also conducted a preliminary analysis of the data-sharing capabilities within the Google-Android interface in the Truecaller decision.^[42] The complaint alleged that because of their business relationship, Google provided application programming interfaces (APIs) enabling Truecaller to collect users’ non-public contact details and access Android data before policy changes restricted such access. This was to the exclusion of Truecaller’s competitors. The CCI dismissed the complaint holding that (1) Android APIs are open source and available to all apps, (2) Truecaller users voluntarily shared their data, and (3) the allegations pertained to a non-Play version of Truecaller, with no evidence of discriminatory policy enforcement. Google demonstrated that its policies were applied uniformly and no competitive advantage was given to Truecaller.

What next?

In 2021, the CCI launched an investigation into allegations by news publishers of potential unfairness and data asymmetry between publishers and advertising platforms.^[43] This investigation is pending. A new investigation into Google’s adtech intermediation services was combined with this investigation in 2024.^[44]

In 2024, the CCI launched an investigation^[45] into Google’s Play Store policies and advertising policies for selectively allowing onboarding and advertisements only for daily fantasy sports and Rummy apps, while excluding other real money gaming platforms. The CCI preliminarily noted that online advertisements have become an ‘indispensable tool’ for advertisers to extend their reach and connect with a broader audience and that Google holds a 95 per cent market share in the search advertisement market, making it a ‘critical channel’ for apps aiming to maximise visibility and drive user acquisition. Based on this, the CCI prima facie found Google’s selective onboarding and advertising policies to be discriminatory. This investigation is ongoing.

Separately, advertising services under the DCB include advertising networks, advertising exchanges and any other advertising intermediation services. To avoid the accumulation of data (and therefore significant market power) by one entity, the DCB requires a designated online advertising intermediation service provider to ensure that (1) the data of each individual business user is interoperable and can be easily ported to a rival platform, (2) no additional benefit is provided to the platforms’ own products and services, and (3) no two services or products offered by a single platform are tied together.

If the DCB is enforced, data interoperability obligations could stifle innovation as seen in the European Union since its enforcement of the Digital Markets Act (DMA).^[46] For instance, Apple has recently withheld its security-enhancing features and AI capabilities from users in the European Union because of this obligation under the DMA. Moreover, the CCI’s effective ex post analysis of Matrimony v. Google^[47] is indicative of the fact that in some cases, such as when Google tied its Search app with its Maps app, it actually benefited consumers. The CCI specifically acknowledged this feature as an innovation that enhances search functionality.^[48] Therefore, proposed ex ante regulations might risk the chance of overregulating a competitive market.

Online retail platform services

India has a vibrant online retail market and the country is ranked globally as one of the highest in terms of revenue per retail store.^[49]

Regulatory framework and key competition concerns

This sector is highly regulated in terms of limits on foreign direct investment, applicability of taxes, etc.; however, there is no single piece of legislation that covers the sector, including the use of data. The DPDP Act, once enforced, will apply to the processing, use and sharing of personal data for online retail platforms, and the CCI has been reviewing antitrust allegations in the online retail sector since 2014.^[50]

In 2018,^[51] the CCI identified the online retail market as a distinct market rather than just a different distribution channel alongside traditional or offline retail. The CCI has specifically identified the presence of data-driven network effects while assessing market strength and its effects as exhibited by online platforms.^[52] Following a case-by-case analysis, in the past, it has dismissed complaints alleging abuse of dominance against online platforms such as Zomato^[53] owing to lack of dominance. It was alleged that Zomato unfairly raised delivery charges, imposing unfair conditions on users, in an abuse of the dominance it quickly gained in the online food ordering market owing to access to millions of users’ data from its restaurant discovery website, Foodiebay.com. The CCI disagreed with the market delineations^[54] and dismissed the complaint for lack of dominance and absence of effect on the market for the vertical restraint allegations. However, novel antitrust concerns have been and are being reviewed by the CCI in the context of data-driven retail platforms. For instance, in another investigation into Zomato, and another online food aggregator platform, Swiggy, the allegation is that the accumulation of large data sets enables these platforms to impose restrictions such as price parity,^[55] preferential listing^[56] and exclusivity on its business users.

The CCI is also investigating e-commerce platforms such as Amazon and Flipkart^[57] in respect of similar concerns (preferred sellers, preferential listing, exclusively launching popular devices on their platform, requiring exclusivity from sellers, etc.) based on allegations that they have created entry barriers owing to network effects prompted by their access and use of large repositories of data. In the past, the CCI has preliminarily dismissed allegations involving the data use policies of large online retail platforms in respect of their third-party business users’ information. For example, in 2021, the CCI suo moto investigated Amazon’s data policy following a Reuters report alleging that Amazon was using sellers’ data on its online marketplace to run a ‘systematic campaign of creating knockoffs and manipulating search results to boost its own product lines in India’.^[58] The CCI dismissed the action based on Amazon’s statement on oath by way of an affidavit that denied all allegations in the Reuters report and its explanation that Amazon’s internal seller data protection policy does not allow the use of seller-specific non-public information, such as inventory and sales data, and only allows use of data that is aggregated across multiple sellers for legitimate internal business purposes. The CCI did note, however, that it would revisit the allegations should Amazon’s statement be untrue. A similar complaint^[59] by an online vendor association was considered and dismissed by the CCI for lack of evidence. Among other allegations, the association claimed that Amazon was colluding with certain sellers on its e-commerce platform (allegedly Amazon’s affiliates) to build products with private labels by using the data of its competitors (sellers on Amazon’s platforms) without investing the time and resources in testing, and then sold these products at massive discounts. In another complaint against Amazon,^[60] dismissed by the CCI, it was alleged that Amazon as a marketplace has access to sensitive commercial data, such as pricing and trends in respect of the products sold by retailers on the platform, and uses this data to the competitive advantage of its preferred sellers. This complaint was dismissed primarily on the grounds that Amazon was not dominant in the market assessed by the CCI while investigating the complaint (i.e., the market for ‘services provided by online platforms for selling fashion merchandise in India’).^[61] It separately found that even as a marketplace with market power, its conduct did not give rise to an appreciably adverse effect on competition.

On 3 March 2025, the CCI dismissed allegations of tying and bundling against Microsoft for preinstalling Microsoft Defender as the default security software on Microsoft desktops and laptops.^[62] The CCI found Microsoft dominant in the market for licensable operating systems for desktops and laptops in India but closed the investigation, noting the lack of compulsion on users to use Defender (including using it exclusively) and because original equipment manufacturers could preinstall rival (3P) antivirus software. It applied an effects analysis in this decision to conclude there was no evidence that Microsoft’s strategy was preventing rivals from introducing innovative features. The CCI also noted that it is acceptable for Microsoft to pursue its legitimate interests by prescribing certain reasonable compatibility requirements for apps adhering to the Microsoft Virus Initiative.^[63]

What next?

As evidenced above, the issues of data use on online retail platforms have been brought to the CCI’s attention time and again. Not surprisingly, therefore, the DCB proposes to impose obligations on SSDEs,^[64] precluding them from using non-public data of business users to compete with businesses on their platform. The DCB also disallows the use of personal data of end users or business users collected from different sources, or the use of such data by third parties, without consent. These platforms are also required to allow business users and end users to easily port their data in a format that will be specified by the CCI.

If the DCB is introduced as a law in its current form, the current investigations against online marketplace sellers – including Amazon and Flipkart, and online food aggregators, such as Swiggy and Zomato (if they are designated as SSDEs) – into allegations of self-preferencing, tying and bundling, and anticompetitive data usage would be moot. The decisional practice of the CCI dismissing claims of data use by market platforms is particularly noteworthy given that, under the DCB in its current form, Amazon may meet the thresholds to be classified as an SSDE for its e-commerce market place (as a CDS).^[65] On designation, these entities, including Amazon, will be proscribed from using business or user data collected from its platform to make any vertical services it offers more competitive – regardless of whether it may have resulted in pro-competitive effects.

Financial services

Fintech innovations, such as cloud banking services, have disrupted the Indian financial sector and revolutionised the Indian banking system.

Regulatory framework and key competition concerns

The financial services sector is highly regulated and is overseen by the RBI, which has issued several sector-specific data protection regulations (e.g., guidelines on digital lending published in 2022) that limit the collection of data by regulated entities. These guidelines, and other regulations issued by the RBI, are consistent with the consent mechanism introduced under the DPDP Act.

In addition, the CCI has reviewed data collection and use practices in the financial services market. In Gpay/Pay,^[66] it defined a narrow market limited to those entities providing unified payment interface (UPI) services in India, rather than a broader market for digital payments.^[67] It examined Google’s practice of allowing its own app (Google Pay) to use a better technology for making payments on the Play Store than it made available to rival UPI apps, and directed Google to ensure it did not discriminate against other apps facilitating payment through UPI services in India in favour of its own UPI app. In the same decision, the CCI also held that mandatory imposition of the Google Play Billing System (GPBS) as a payment processor for all paid apps and in-app payments made via the Play Store was an abuse of Google’s dominance in the market for app stores for Android smart mobile operating systems. The CCI directed Google to allow third-party payment processing services on the Play Store and imposed remedies on the storage, use and sharing of data collected by Google on the Google Play platform, requiring that it (1) follow a transparent policy for collection, use and sharing of data and (2) share data generated through the GPBS with third-party app developers and not leverage the data for Google’s own advantage.

What next?

In March 2024, new complaints were filed against Google on allegations similar to the Gpay/Pay case as a reaction to Google’s updates to the GPBS with the introduction of User Choice Billing (UCB).^[68] The UCB policy permits app developers offering digital content to integrate alternative billing systems alongside the GPBS. Under the revised framework, transactions processed via the GPBS remain subject to a service fee (or commission) of 15 per cent or 30 per cent, whereas transactions executed through alternative billing mechanisms are subject to a reduced fee of 11 per cent or 26 per cent (i.e., a 4 per cent reduction from the service fee for payments processed via the GPBS), respectively. Noting the Play Store to be an essential gateway for reaching users in India, the CCI directed an investigation into what it prima facie considered a proportionately higher service fee, and other allegations regarding preferential treatment to Google’s own applications reinforcing its dominance in the payment processing ecosystem. These investigations are ongoing.

Finally, the DCB includes payment sites in the definition of ‘online intermediation service’, such that some companies could be identified as SSDEs and subject to obligations by the CCI.

Acknowledgements

The authors acknowledge the contributions of colleagues Hemangini Dadwal, Deepanshu Poddar and Arnav Singh to the previous edition of this chapter.

Endnotes