The market landscape has drastically been altered with the rise of platform-based business models setting in motion a new wave of capitalism transforming the erstwhile relationship between consumers and businesses. The erstwhile practice of building up physical assets to highlight economic prowess has been replaced by a more subtle mechanism of increasing access to the personal data of the consumers. In the current business sphere ‘Big Data’[1], distinguished by its volume, freshness, variety, and accuracy has been recognised as a core economic asset responsible for not only giving the firms a competitive edge over their rivals but also increasing the quality of the products being provided to the consumers.
For instance, MNCs such as Facebook and Google are reaping benefits from their huge repository of high-value personal data, which has not only enabled them to provide better quality services to their customers through targeted advertising but has also positioned them as a dominant player in their respective sectors.
Needless to say, there is a huge upside potential of the interplay of business and access to data. However, alternatively, there have been voices of concerns who argue that the impact of such technological innovation might turn out to be catastrophic from the point of view of competition and consumer welfare in the longer run.[2]
The overlap between Big Data and Competition Law has bought into sight the concerns regarding the commercial value of such data,[3] which has compelled the competition regulatory authorities around the world to take a proactive approach towards developing a holistic understanding of privacy concerns arising out of Data-Driven mergers.
There has been a growing concern in regards to exploitative and abusive conducts by tech giants in the digital markets. The accumulation of big data in few globally active multi techs and the possible privacy threats resulting from increasing numbers of data-driven mergers by these companies has led to a concentration of market power and thereby effectuating a possible threat towards the dominance of these companies especially in a market where there are few competitors only.
We need to understand here that potential exploitative threats by these tech giants are not limited to privacy and economic issues which have been discussed exhaustively by various committee reports but have also impacted to the extent of the political arena and democratic value as could be seen and highlighted from the Facebook-Cambridge Analytica data breach case.[4] This case was a major political scandal in 2018 where revelations were made that Cambridge Analytica harvested millions of Facebook’s user’s data without their knowledge or consent and used it for political advertising.
Talking about the imperfections in the market due to an increase in data-driven mergers can be seen as an attack on innovation and the quality of products. The recent acquisition by Trivago of Triple and famous others like Facebook/Whatsapp, Microsoft/Skype enlightens us of how dominant firms with access to big data acquiring a small start-up that has the potential to become a competitor. Where market leaders with deep pockets acquire potential competitors, a source of innovation is removed, and there is a higher concentration of market power in a single firm thereby harming competition and stifling innovation.
The authors are not trying to dismiss the pro-competitive effects of big data like the ability of firms to offer heavily subsidized, often free, services to consumers as consumers permit those firms to monetize consumer data on the other side of their business which has led to better delivery of services, improved innovation and technology and there have been low entry barriers also.[5] This monetization of the data in the form of targeted advertising sales for antitrust purposes is not suspected to be harmful, but rather “economically rational, profit-maximizing behaviour,” which has resulted in consumer benefits.[6]
But the aforementioned highlighted imperfections can’t be ignored. What concerns the authors is that due to the growing economic significance of big data it requires the adoption of a new concept of consumer harm and additional competitive assessment criteria which are based on non-price parameters which would ultimately trigger an evolutionary interpretation of traditional competition law regimes.
For this to happen first we have to first acknowledge the link between data and data protection infringement with the market power of a company. Then we have to take distance from the conventional price parameters as the only source of antitrust harm and explore the new non-price parameter like privacy, quality, data portability etc. for competitive assessments.
Based on the foregoing paragraphs, the authors would pose the question that in case of exclusionary conduct coupled with violations of data privacy policies by dominant data-rich companies, what should be an ideal legal regime for addressing such transgressions, should be dealt under competition laws or should they be handled by enacting specific data protection laws?
The Facebook- WhatsApp Investigation: Take-It-Or-Leave-It Nature of Policy
According to the Competition Commission of India (hereinafter CCI), in a world where data is gaining more importance, it is necessary to examine whether excessive data collection is getting in the way of creating a healthy competitive environment. CCI took a suo moto[7] cognizance of the matter when it was reported in early January through various media reports that WhatsApp has updated its privacy policy via which it is made mandatory for users to accept the terms and services for them to retain their respective WhatsApp accounts.[8] It has also stated that it will now share users’ personal information with its parent company Facebook and its subsidiaries. This policy is in stark difference from the previous one where the consumers were given choice whether they want to share their personal WhatsApp data with Facebook.
In the prima facie opinion formed by CCI, the said take-it-or-leave-it nature of privacy policy and terms of service of WhatsApp and the information-sharing stipulations mentioned therein, merits a detailed investigation because of the market position and market power enjoyed by WhatsApp, stated the CCI order.[9]
Looking at the potential impact of the privacy policy and terms of services. CCI concluded that the said policy has contravened Section 4 of the Competition Act 2002 through its exploitative and exclusionary conduct in the garb of the policy update. CCI investigative arm has directed the Directorate general to start the investigation and submit the report in sixty days.
Analysing Section 4 of the Indian Competition Act
The commission said in its order that it’s examining the said policy update from the perspective of competition lens to ascertain whether such policy updates have any competition concerns which violate Section 4 of the act.
Under the Indian Competition Act, abuse of dominance can only be held to occur when a dominant company is abusing its position to conduct some exploitative and exclusionary conducts in the market for its favour. Analysing and examining section 4 of act CCI would first have to prove that WhatsApp is dominant? Commissioned noticed in Harshita Chawla case[10] that Facebook and WhatsApp are group entities and though they may operate in separate relevant markets, their strengths can be attributed to each other’s positioning in the respective markets in which they operate.
CCI also noted that the data provided by the informant showed that WhatsApp messenger is the most widely used app for social messaging, followed by Facebook Messenger in the relevant market delineated by the Commission and is way ahead of other messaging apps like Snapchat, WeChat etc. showing its relative strength. Further, WhatsApp messenger and Facebook Messenger are owned by the same group and therefore do not seem to be constrained by each other, rather adding on to their combined strength as a group. Accordingly, owing to its popularity and wide usage, for one-to-one as well as group communications and its distinct and unique features, WhatsApp was found to be dominant. Hence, an investigation into the alleged abusive conduct seems a logical extension of the above stance. However, it is at this point, where the existing principles turn a bit murkier.
Under Section 4, the Commission is required to establish a well-reasoned and legally sound nexus between consumer harm and privacy violations for establishing that the exploitative conducts of WhatsApp amount to an abuse of dominance. Hence, the Commission would need to answer the elusive question of how the mandatory sharing of data by WhatsApp (the dominant entity in the present context) with its group companies can be considered exploitative towards consumers will be a task for the commission to examine? Establishing the same might prove particularly problematic because ethically two companies belonging to the same group can share data amongst themselves. The data-sharing aspect of the amended privacy policy being an internal policy of the company, thus if scrutinised by the commission as imposing unfair conditions will need to prove specific violations of any legal provision, which does not exist within India at present.
The next question which the commission would have to consider is, whether it is the aggregation of data that entails abusive conduct or whether it is the wrongful manner, in which the personal data that is being aggregated is amounting to abusive conduct. It will also need to address the question regarding whether these companies with market power have taken due permission from the consumers to aggregate their data in that cases will data aggregation will be violative of competition laws?
Looking at the exclusionary conducts, it must prove that a dominant undertaking aimed at depriving the rivals of the data. Now, if the facts are to be analysed, the user of WhatsApp was adequately informed about the changes to the existing privacy policy in a detailed fashion, along with the disclaimer that non-acceptance of the same would constitute deactivation of the account. The entire process followed here, is consistent with the principles of the Competition Law, wherein, the consumers of the services are being given a choice of whether consent to such changes or not. Thus, if any of the consumers are accepting the change in the privacy policy, then it essentially signifies consent on part of the consumer. Hence, there is no element of coercion that could be relied upon to suggest that the changes in the privacy policy are indeed exclusionary.
Thus, the authors believe that the Commission has based its prima facie notion on an erroneous question i.e. the ability of Facebook to stipulate such a data-sharing pre-condition arose from its dominant position in the relevant market. Rather, the question that needs to be considered by the Commission is whether the said condition is of a nature that any company owning multiple entities would have been otherwise capable of imposing. The examination of the same necessitates an investigation into the possible foreclosure effects of the combined entity of Facebook-WhatsApp a question that should ideally have been taken up for consideration at the time of the merger of the said entities.
Though if CCI wants to proceed with the investigations against WhatsApp it can take key takeaways from the only case which has dealt with the abuse of dominance and data aggregation that is Bundeskartellamt (German Competition Authority) proceedings against Facebook in 2019. It was held that Facebook was abusing its dominance by using its market power to compel users to access Facebook only on the pre-condition of their acceding to the fact that Facebook combines their data from other Facebook-owned services – like WhatsApp and Instagram. This, it was held, violated users’ right to informational self-determination under the provisions of the General Data Protection Regulations (hereinafter GDPR).[11] In essence, the German Competition Authority held Facebook’s violation of privacy law – the GDPR – as a per se violation of competition law as well, instead of establishing a violation based on competition law principles.[12] However, it is noteworthy to mention here that although the German authorities identified the violations of data protection law and accordingly ordered Facebook to rectify its policies, however, they had failed to establish a competition law violation.
Hence, it will interesting to see the approach adopted by the CCI to answer a similarly placed question keeping in mind India does not have a specific data protection law dealing with the concerns raised in the foregoing paragraphs. and the existing legal framework under the Information Technology Act is not enough to answer data privacy concerns in digital markets.
Can Antitrust Laws regulate Privacy?
As we can see from the antitrust jurisprudence preceding the current investigation, Indian competition regulators have held the allegations of breach of data protection laws and data privacy does not come under the purview of competition laws.
As far as other jurisdictions worldwide are concerned, the European Commission (hereinafter EC) and the European Court of Justice (ECJ) have multiple times denied the opportunity to address the issue of data collection and resultant privacy violations stemming from it stating it comes under the ambit of Data protection law.
Thus, the question arises to do the Competition Regulators worldwide and specifically of the regimes lacking a specific data protection law, have the proper jurisdiction to regulate matters regarding data violations?
The European Union in 2016 came up with its GDPR policies thereby delineating the issues of data privacy and anti-trust and clarifying the scope of the parallel regulators in case privacy and anti-trust interface. Further, if the recent orders in the EU dealing with data privacy concerns are considered, an acknowledgement may be noticed regarding ‘privacy’ being considered as a determinative element by antitrust regulators. Thus, a progressive approach can be noticed in accepting data privacy issues as anti-trust concerns, however, it is necessary to understand that they could be made possible post the enactment of the GDPR policies.
However, the position is diametrically opposite if the Indian jurisdiction is considered. The authors at this stage would reiterate their earlier concerns that, whether the investigation into the alleged data policy changes of a group entity at a much later stage (when the optimum time to address such a concern was the time of the merger of two companies) would establish a wrong precedent going forward, as far as the scope of the jurisdiction CCI is considered. This is further complicated by the lack of a specific regime concerning data protection and a parallel authority to exercise its jurisdiction in the abovementioned instances.
However, a probable answer to the issue (albeit only as a short-term solution) may be found in a conjoint reading of § 60 and § 62, Competition Act, which establishes CCI as a sector agnostic regulator, wherein, it may assume jurisdiction concerning any sectoral law violations, provided it has a competition angle attached to it. Thus, it may be interpreted for future investigations that, as far as Indian jurisdiction is considered as the situation stands, CCI may and probably will assume jurisdiction over any allegations concerning personal data breach irrespective of the plausibility of competition concerns in such cases.
[1] Joseph Drexl and others, ‘Data Ownership and Access to Data – Position Statement of the Max Planck Institute for Innovation and Competition of 16 August 2016 on the Current European Debate’, (2016), Research Paper No. 16-10, 10 <https://ssrn.com/abstract=2833165>
[2] Andres V. Lerner, ‘The Role of ‘Big Data’ in Online Platform Competition’, (2014), 17 <http://papers.ssrn.com/sol3/papers.cfm?abstract_id=24 82780>
[3] Joseph Drexl and others, ‘Data Ownership and Access to Data – Position Statement of the Max Planck Institute for Innovation and Competition of 16 August 2016 on the Current European Debate’, (2016), Research Paper No. 16-10, 7 [21] <https://ssrn.com/abstract=2833165>
[4] Elena Boldyreva, Natalia Y. Grishina and Yekaterina Duisembina, ‘Cambridge Analytica: Ethics and Online Manipulation with Decision Making Process’, in Prof. Valeria Chernyavskaya, Prof. Holger Kube (eds.), European Proceedings of Social and Behavioral Sciences, 91 (Future Academy, 2018)
[5] David S. Evans and Richard Schmalensee, ‘The Antitrust Analysis of Muti-sided Platform Businesses’, in Roger Blair and Daniel Sokol, Oxford Handbook on International Antitrust Economics, vol. 1 (OUP, 2014)
[6] Andres V. Lerner, ‘The Role of ‘Big Data’ in Online Platform Competition’, (2014), 15 <http://papers.ssrn.com/sol3/papers.cfm?abstract_id=24 82780>
[7] In Re: Updated Terms of Services and Privacy Policy for WhatsApp Users, Suo Moto Case No. 01/2021 (CCI)
[8] Reuters, ‘WhatsApp Privacy Policy Update faces Anti-Trust Probe from CCI’, (Gadgets 360ᵒ, March 25, 2021) <https://gadgets.ndtv.com/apps/news/whatsapp-privacy-policy-update-probe-cci-investigation-antitrust-law-change-facebook-2398601> last accessed April 10, 2021
[10] Harshita Chawla v. WhatsApp Inc., Case No. 15/2020 (CCI)
[11] General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of natural persons with regards to the processing of personal data and on the free movement of such Data, and Repealing Directive 95/46/EC, [2016] OJ L119/1, ch. 3
[12] Preliminary Assessment in Facebook Proceeding, Facebook, Case No. B6-22/16 (Bundeskartellamt)
________________________
To make sure you do not miss out on regular updates from the Kluwer Competition Law Blog, please subscribe here.