Sep 20, 2023

The Digital Personal Data Protection Act: Yet another jurisdictional overlap?

Introduction

The boon of technology has changed the way consideration is paid for services. Against the working of traditional markets, ‘zero price markets’ have emerged where services are paid for using ‘data’. Data has gained significant economic value and possession of data is now often considered as a competitive advantage over other players in the market.

Widespread collection of user data has given rise to platform-based ecosystems of digital products and services. This has raised the eyebrows of competition regulators across the world as one big entity with high volumes of data may put other players in the digital market at a disadvantage. For a ‘free’ service, Indian users almost never hesitate to share their personal data with the service providers. The new Digital Personal Data Protection Act, 2023 (“DPDP”) seeks to fill this gap of requiring ‘user consent’ before collecting and processing user data. The DPDP has been enacted into law but is yet to be enforced by the Central Government.

This article explores the interplay between the introduction of the DPDP and the existing competition enforcement concerns in relation to data collection and digital markets. While the DPDP is a welcome step, it may also raise overlapping jurisdiction issues between the Competition Commission of India (“CCI”) and the Data Protection Board (“DPB”) as envisaged in the DPDP.

What is the DPDP?

The DPDP requires data fiduciaries such as digital service providers to seek user consent for collecting and processing personal data. Personal data is defined to include any data that can be used to identify an individual. However, any personal data that is made publicly available by the data principal (the individual whose personal data is collected) will not be protected by the DPDP.

The DPDP clarifies that if the data principal seeks to withdraw their consent, they need to bear all consequences resulting from withdrawal of such consent. This implies that the data fiduciaries may deny access to their services to such data principals who have withdrawn their consent. Further, the data fiduciaries are required to erase all personal data if the data principal has withdrawn their consent or when the purpose of collecting such data is fulfilled.

In essence, DPDP mandates ‘free consent’ by a data principal before a service provider can process/use user personal data. However, the DPDP provides no recourse on consequences that a data principal may face if consent is withheld or withdrawn.

CCI’s view on data protection

The rise of platform based markets has created an ecosystem of digital players who provide goods and services which are based on continuous collection of user data. These datasets in large volumes are considered as ‘big data’ which feed into advertisement algorithms, machine learning, artificial intelligence, etc. In Matrimony v. Google, the CCI referred to ‘big data’ as ‘oil’ of the current century.[1] In the same case, the CCI also observed that although data based markets result in great gains for users, it also results in loss of control over personal data.[2]

The CCI was initially hesitant in interfering with data protection allegations and considered them outside the purview of the Competition Act, 2002 (“Competition Act”).[3] However, in the market study of the telecommunication sector, the CCI acknowledged the need of ‘free consent’ for collection of data by dominant undertakings.  In the market study, the CCI also observed that when a dominant entity acquires data, it can cross link them with multiple services to retain the users in the ecosystem.[4]

More recently, when WhatsApp mandated acceptance of its privacy policy for its users to continue using WhatsApp, the CCI stepped in and initiated an investigation.[5] Interestingly, for the first time the CCI emphasized on how consent for sharing user data needs to be ‘free’, ‘optional’, ‘well informed’, and ‘without withdrawal of services’, failing which it may be considered as an imposition of unfair conditions by a dominant undertaking.[6]

The overlap between data protection and competition law

It is clear that the requirement of consent for collecting and processing user data, at least by dominant undertakings, is squarely covered by both, the DPDP and the Competition Act. The cause of tension between the two lies in the individual objectives of the statutes. While the DPDP seeks to prevent exploitation of personal data, the Competition Act is aimed towards preventing dominant undertakings unfairly seeking consent for collecting personal data for their own commercial advantage.

To understand the overlap, let’s consider a hypothetical situation similar to the WhatsApp case where company ‘X’ is dominant in the market for providing internet calling services and conditions its ‘free’ services over users giving consent for sharing their personal data. If a user refuses to give consent, X may stop providing its services to such a user.

While this may pass the muster of DPDP, it can still be considered anticompetitive by the CCI. This is because services by a dominant entity are essential for the user and a ‘take it or leave it’ condition would practically force the user to give consent. For the CCI to find such a condition to be kosher, it is likely to take a “fairness and reasonability test[7] where the CCI may assess the following factors: (a) Whether the users have options to easily switch to X’s competitors providing similar internet calling services?; (b) Whether the data requested by X is necessary for providing its services?; (c) Do users have an option to only give consent for data that is essential for providing services by X?; (d) Do existing users have an option to continue using X’s services without sharing data?; and (e) Whether there is an objective justification behind withdrawal of services by X?

On the other hand, in a scenario where consent is given under a false pretext or where data is processed without clear consent, a remedy would lie under the DPDP. In such situations, the CCI may also exercise jurisdiction if the data collected by a dominant undertaking is not for the purpose of providing services but to hoard data for commercial purposes such as targeted advertising.

Case of Parallel Jurisdiction

Both the DPDP and the Competition Act are concerned with dissemination of personal data to digital players and its legitimate use. Needless to say, if the data fiduciary lacks market power, the CCI will have no jurisdiction. While the DPDP is clear in its limited purpose of protecting user data, parallel allegations under the Competition Act cannot be ruled out. The CCI has asserted that in any situation, it will remain the exclusive body to resolve antitrust and competition related issues.[8] This creates yet another case of exercise of parallel jurisdiction between the CCI and the DPB.

The Supreme Court in Competition Commission of India v. Bharti Airtel Limited,[9] has held that in case of a jurisdictional overlap, the specific sector regulator would first decide on the overlapping issues and the CCI’s jurisdiction will be activated if the findings of the sectoral regulator indicate anticompetitive conduct. The Airtel decision is likely to serve as the guiding principle in a possible overlap of jurisdiction between the CCI and the DPB.

Footnotes:

[1] Case No. 7 and 30 of 2012, paragraph 86.
[2] Ibid, paragraph 85.
[3] See Vinod Kumar Gupta v. Whatsapp, Case No. 99 of 2016, and Harshita Chawla v. Whatsapp, Case No. 15 of 2020.
[4] Market Study on Telecom Sector in India, paragraph 70.
[5] Suo motu Case No. 1 of 2021.
[6] Ibid, paragraph 29 and 30.
[7] Indian National Shipowners’ Association v. Oil and Natural Gas Corporation Limited, Case No. 01 of 2018, paragraph 135
[8] Supra 5, paragraph 72.
[9] Competition Commission of India v. Bharti Airtel Limited, Civil Appeal No. 1183 of 2018, paragraph 91.

AUTHORS & CONTRIBUTORS

TAGS

SHARE

DISCLAIMER

These are the views and opinions of the author(s) and do not necessarily reflect the views of the Firm. This article is intended for general information only and does not constitute legal or other advice and you acknowledge that there is no relationship (implied, legal or fiduciary) between you and the author/AZB. AZB does not claim that the article's content or information is accurate, correct or complete, and disclaims all liability for any loss or damage caused through error or omission.