“Personal data is the currency of today’s digital market.”[1]
-Viviane Reding, (Former Vice-President, the European Commission)
Recently, a Committee of Experts (Srikrishna Committee) set up in India to draft a law for data protection in the country after enunciation of the right to privacy by the Indian Supreme Court, released the “Personal Data Protection Bill, 2018”. The bill comes against the backdrop of a flagship programme of the government, the Aadhaar Project the biggest ID database of citizen data in the world. Over 79% (87 crore of 109.9 crore accounts) of all bank accounts in the country have been linked to the Aadhaar as of March, 2018 and insurance policies, credit cards, mutual funds, pension plans and social welfare benefits will have to be seeded to the Aadhaar as well. As we enter the age of datafication that entails “taking all aspects of life and turning them into data”, our ever-increasing financial transactions give away not only our credit history and financial records but also the derivative sensitive information like personality traits, data pertaining to health, product preferences, political, religious and sexual orientation.
Such wealth of data aggregated richly in a mammoth central database creating a ‘map of maps’ raises significant security as well as competition law issues. Nuanced discussion on the privacy issues is beyond the scope of this post and they will be discussed only inasmuch as they merit cross sectoral competition regulation in light of the burgeoning corporate interest in big data which provides countless business opportunities unbeknownst to the users at the time of data collection. Such large scale data collection, often in contravention of the well known privacy principles of consent and purpose limitation poses a challenge to anti-trust regulators because it can be used to infer consumer behaviour at minimal costs, allowing companies to gain market power through collection of ‘unique’, strategic user data and restrict potential rivals that do not possess such data from developing competitive products. Traditional antitrust laws in India limit their concerns to pricing models of goods and services as companies with greater market power are incentivised to monopolise profits by charging more and limiting supplies. However, with the proliferation of “free” services in exchange for attention/information whose hidden cost is evidently a degradation in privacy protection, antitrust regulators are challenged by newer threats to competition posed by digital businesses other than price. In stark contrast, let alone incorporating a specific safeguard for the particular privacy risks in Mergers and Acquistion (M&A) transactions, Section 17(2)(c) of the Data Protection Bill lists M&A transactions as a reasonable basis to process information without a user’s consent.
You Can’t Manage What You Don’t Measure.
-Peter F. Drucker
The blindspot in the Competition Commission of India’s (CCI) approach to M&A transactions ignores the extraction of big data and its impact on privacy. As aforementioned increasing corporate interest in big data would drive many companies towards acquisition solely to gain access to the data held by the Target enabling profiling and privacy invasion. Since data is not considered an asset in the traditional sense, competition law fails to detect such targets, often with limited actual turnover or physical assets during the review process. The CCI held in the case of Vinod Kumar Gupta v. WhatsApp Inc. that any privacy concern was outside of its purview and had to be dealt with exclusively under the Information Technology Act, 2000. In the case of In Re Matrimony.com vs. Google, the CCI noted, “it would not be out of place to equate data in this century to what oil was to the last one. The Commission is not oblivious of the increasing value of data for firms which can be used to target advertising better. Moreover, the data can be turned into any number of revenue generating artificial-intelligence (AI) based innovations.” However, even as big data was recognised as a competition concern, any cross sectoral approach to tackle privacy within competition regulation in addition to consumer protections laws was entirely missing.
While Indian law does not allow the convergence of competition and privacy concerns, the European Commission rightly accords centrality to consumer welfare in accounting for privacy concerns in its evaluation of mergers. Anti-competitive effects of data aggregation affecting the quality of services or goods offered as well as privacy protection by the concerned companies will be part of a deal’s competition assessment by EU regulators.
Even the regulation averse U.S. FTC directed the divestiture of a significant database prior to allowing Dun & Bradstreet to acquire Quality Education Data in 2010. A joint study by the French Autorité de la concurrence and the German Bundeskartellamt on big data and competition law concerns discusses the nexus between privacy concerns and increased market power due to bigdata.
Thus, competition proceedings should ideally overlap with and cover data protection laws, more so in the merger control of companies which collect and processes large swathes of data though mergers have been expressly exempted from users’ consent requirement. Similarly, the implications of collection and storage of big data by corporations upon degradation in privacy protection, product quality and competition by creating new gatekeepers and stiffer barriers also merit antitrust regulation in India’s data rich landscape.
[1] European Commission – PRESS RELEASES – Press release – Viviane Reding Vice-President of the European Commission, EU Justice Commissioner The EU Data Protection Reform 2012: Making Europe the Standard Setter for Modern Data Protection Rules in the Digital Age Innovation Conference Digital, Life, Design Munich, 22 January 2012, http://europa.eu/rapid/press-release_SPEECH-12-26_en.htm
________________________
To make sure you do not miss out on regular updates from the Kluwer Competition Law Blog, please subscribe here.
A privacy principle that is common to all international privacy principles, and a requirement in all data protection and privacy legal requirements is implementing strong security safeguards to protect personal data.