Integrating Data Protection and Competition Law: The Why, the How, and the Way Forward

Integrating Data Protection and Competition Law: The Why, the How, and the Way Forward

The line as to where legitimate data collection ends and excessive data collection starts is hard to draw.”

Viktoria H.S.E. Robertson

With an expanding digital economy, data-driven tech mergers have seen a remarkable increase. Such mergers purportedly intend to translate the consolidated data into personalized services for consumers. However, this activity also stands to impair competition – firstly, by diluting data protection and privacy, and secondly, by raising entry barriers to the market. It should be noted that the integration of the realms of big data and competition law hardly came as a surprise as private entities had taken charge of notifying authorities of anti-competitive implications in data transactions. However, competition authorities have also recently begun to take cognizance of large data mergers to resolve the complex relationship between competition on the one hand and privacy and protection of personal data on the other. In India, though the Competition Commission of India (“CCI”) had several opportunities to examine competition in the digital sector, data was recognized as an asset only recently. Even in the absence of a data protection law, the right to privacy is fundamental, and protecting it is the State’s responsibility. The most suitable means to this end, i.e., through competition law or sector-specific regulation, remains to be seen.

In this light, this blog seeks to deliberate on the emerging overlap in the jurisdictions of antitrust and data protection authorities. Bringing the debate to India, wherein this data governance is still nascent, the author discusses recent developments. After that, the author briefly discusses the theoretical contentions about including privacy as a competition law concern. In conclusion, the author suggests that a balanced approach must be taken to resolve this conundrum in the Indian context and recommends some possible measures.

Origin of Data Protection

The most prominent example of the tension between competition and privacy regulators on the governance of data businesses is the imposition ordered on Facebook from processing user data in 2019 by Bundeskartellamt (Germany’s national competition regulator). Herein, a 3-year investigation concluded that Facebook’s conduct of clubbing a user’s data with the data collected from third-party websites was an abuse of dominance. Per anticipation, the decision was met with mixed feedback as to its very authority and feasibility. Interestingly, on jurisdictional grounds, the Düsseldorf Higher Regional Court recently set aside this order. It opined that the question of whether there had been a violation of the General Data Protection Regulation (“GDPR“), cannot be decided by the German competition authority and must be decided by the European Court of Justice. This highlights that the quandary extends beyond the already-complex consideration of whether competition law should engage in matters of data protection – and onto the jurisdictional question of whether competition authorities could engage in matters of data protection.

In the Indian context, the introduction of this conflict can be traced to WhatsApp changing its data privacy policy. The realization of unilateral dependence on companies specializing in big data capabilities instigated a rather heated public deliberation on why competition law authorities must interfere to protect consumer rights. Thereafter, via measures taken, the CCI clarified its intention to encompass data protection and privacy within its domain. For instance, the 2021 “Market Study on the Telecom Sector in India“, provides that privacy is a non-price factor of competition and accordingly falls within the ambit of the competition regulator [Para. 70]. The CCI had also directed a probe into WhatsApp’s privacy policy, a measure which went on to be allowed by the Delhi High Court on the challenge. The response and judicial trends, therefore, so far, indicate that the competition regulator should and could engage in matters of data protection. Disregarding any merits or lack thereof at this point, the inclination to expand CCI’s power to data protection matters is concerning as discrepancies are bound to arise when the long-pending Personal Data Protection Bill, 2019 (“Bill“) is passed.

Examining Theoretical Contentions

The rival views regarding the role of competition law in data protection stem from what may be termed the ‘objective-debate.’ The intent is to establish the scope of competition law and determine whether privacy would fall within its ambit. On the one hand, some scholars proffer that competition law is concerned, exclusively, with objectives and disputes that fit a larger social goal as opposed to individual ones. According to this school of thought, while some individuals may have a ‘subjective sensitivity‘ to privacy issues, this does not create a sufficient ground for considering the economic assessments of competition law. On the other hand, some scholars point out that consumer information must be valued or priced, consequently inviting the economics of competition. Experts have come to suggest that data, when used as part of product development and analysis, is invaluable across industries and cost-models are likely to become a norm. This indicates that the idea of competition law not being concerned with personal data rests on the determination of respective goals and their integration.

With respect to the objective-debate, commentators have adeptly identified that considerations will not be unbiased in the Indian context. The right to privacy, a fundamental right after the Puttaswamy judgement, stands to be favored over economic facts. Since the protection of privacy as a fundamental right is derived from the basic values of human dignity and autonomy, it cannot be evenly pitted against economic considerations. This line of argument is, however, at an early stage with respect to the Indian scenario. Even in jurisdictions such as the EU, the primary concern with respect to overlap is that it might create tensions with the policy objectives of the GDPR. This aspect cannot presently be deliberated upon in the Indian context, as a data protection law is absent. The question of prioritizing privacy regulation over market considerations, or contrariwise, is dependent on how the data protection law is ultimately framed and introduced. The recent celebrations regarding CCI’s probe into WhatsApp are unfounded. The repercussion of such unilateral measure was not realized as CCI did not face any impediment, i.e., CCI’s jurisdiction remained unchallenged by any competing authority – because such authority does not presently exist in India. The establishment of the Data Protection Authority under Section 41 of the Bill will however alter the equation. Thus, a calculated and balanced approach is nothing short of necessary to ensure that data protection does not impede innovation in the digital market and vice-versa.

Conclusion

The digitization of the economy with data as the new critical resource is nothing short of a revolution. This, in turn, requires that related legal framework simultaneously make necessary adaptions. The economy is now a ‘digital economy,’ whereby only a thin line remains between a conventional market structure and data considerations. Accordingly, it is inevitable for contemporary regulation to fail or fall short on account of lack of competence with respect to either one of the domains. To elaborate, no competition regulator can alone deal with big data mergers that put individuals’ personal data at risk. Similarly, no data protection authority alone would be able to identify and investigate antitrust concerns in such circumstances. Thus, an integrated approach that warrants the supervision of both competition and privacy regulators would be a step in the right direction. However, such cross-sectoral efforts must be well-coordinated, as contradictory actions in isolation would increase conflict. Authorities must therefore proceed with caution and act within their respective expertise. This, however, requires that a robust and comprehensive data protection law be enacted in the first place. Upon implementation, the data protection authorities and the CCI must function in harmony vis-à-vis preventative actions.   

Even in such coordinated functioning, it is suggested that primacy be given to the data protection authorities. One cannot deny that an individual’s right to privacy, a fundamental one at that, should precede the consideration of market dynamics. In this light, the author recommends a cross-sectoral mechanism that is finely demarcated. This would require that CCI’s long-standing jurisdictional overlap and statutory conflicts be addressed preemptively. The recent inclination of the Supreme Court in CCI v. Bharti Airtel Ltd. & Ors. affirms that the sector-specific authority, and not the general competition regulator, will be empowered to determine conflicts at the first instance. Thereafter, where such sectoral regulator affirms anti-competitiveness, the CCI would be roped-in to investigate. It is suggested that the same should unequivocally be made applicable upon establishment of a Data Protection Authority. To further strengthen collaboration between the authorities, Sections 21 and 21A of the Competition Act, 2002 must be revisited. In their present form, though a mechanism for consultation between authorities is incorporated, the outcome is rather futile in light of the fact that the consultations are neither compulsory, nor binding. An amendment should thus seek to make such consultations obligatory and conclusive.

Such measures would benefit all stakeholders as it would result in efficient allocation of resources, decreased time (mis)utilised in jurisdictional confrontations, and, therefore, speedier assurance for end-consumers.


This article is authored by Manvee Kumar Saidha, student at School of Law, Christ University, Bangalore.

Leave a Reply

Your email address will not be published. Required fields are marked *