The intensity of competition and the problematic conducts of enterprises operating in digital markets have been focal points for discussion across many prominent jurisdictions, for instance, the European Union.
The Competition Commission of India has also been actively studying the emerging trends and challenges to ensure competitiveness in the digital sector. Through its market studies [1] and case inquiries [2] undertaken in the recent past, the commission has recognised the role of data, its economic value and the competitive advantage it yields.
Given the growing relevance of consumer’s data in digitally intensified businesses, it is indispensable to strike a balance between competition and privacy considerations that are often seen at a crossroads. While protecting the consumer’s data is essential, its economic relevance for businesses in building new products and services cannot be denied. This has prompted many countries to enact or update their privacy laws keeping pace with the challenges that technology has infused for businesses and consumers.
The Personal Data Protection Bill, 2019 (proposed bill) [3] is one such legislation proposed to build a robust data protection regime. In December 2021, the Joint Parliamentary Committee (JPC), constituted to study and provide its opinion on the bill, presented its much-awaited report [4].
The bill intends to incorporate the right to data portability which is also recognised as a pro-competitive measure for existing competition law issues in digital markets [5]. In this background, the analysis of the right as enshrined in the bill, the JPC’s recommendations and plausible effects on developing competition law jurisprudence have many crucial implications on how portability should be interpreted in the digital sector.
Data portability and its relevance as a remedy
Access to relevant databases allows productive functioning of machine-led learnings and application of algorithms for profit-making enterprises. Data processing and the inferences procured through past user interactions allow enterprises to continuously innovate, upgrade their R&D and create unique monetisation opportunities by strategising use-cases [6].
While the data gathered over time further strengthens the incumbents’ position in the market, the inaccessibility to relevant consumers’ databases can raise concerns for potential and nascent competitors. This can act as an entry barrier that is strengthened by existence of strong network effects. Additionally, datasets gathered and processed by enterprises are used to over-personalise interfaces, raising the switching costs. These costs are associated with users’ facing friction in terminating ties with their current service providers, given the difficulty of replicating the data and its value over a different service provider.
Data portability is understood to reduce these switching costs by allowing users to control their data and transfer it to other service providers. Its inclusion in the law can help achieve greater contestability, product improvement, and overall growth by introducing competition and superior technologies in the markets [7].
Analysis of the provisions and Committee’s recommendations from competition law lens and the takeaways:
- Purpose, compliance cost and nascent competition
Available evidence from regimes like the GDPR shows that companies are spending about $1.3 – $ 1.8 million annually complying with data protection laws [8]. Studies show the technology/software sector experiencing the second-highest growth in regulatory compliance costs (99%) between 2011 and 2017 after the healthcare sector [9]. Similar evidences from the US market suggests that compliance cost roughly is estimated to be around $510 million for companies annually for data portability alone, costing consumers and organisations cumulatively around $18 billion annually [10]. Hence, portability is cited as one of the most expensive and complex corporate obligations. The associated costs include development, authentication, processing and maintenance. Moreover, for digital enterprises that undertake business in borderless cyberspace, costs would further amplify as enterprises are subjected to different portability laws across different nations.
Clause 19 of the proposed bill largely resembles the GDPR in its essence, applying it alike to all data fiduciaries, and requiring them to allow portability in a machine-readable format. This requires careful consideration since costs would not only differ across jurisdictions but would also vary in different digital markets. The kind of market, the company’s size, operations, number of users it caters to, and the utility data yields vary across markets. While few enterprises may rely on procuring data through initial investments and subsequently begin operations, others could rely more on the inferences drawn from data already collected as a natural product of its operations in the market. Hence, applying portability without any differentiation can affect the efficient functioning of the enterprises relying on such data.
Moreover, nascent and small players may not have the requisite knowledge or resources to develop systems that allow data portability. While the know-how can be developed over time, applying portability alike without considering the size and resources at the disposal of certain players could ultimately make enterprises devoid of datasets, essentially required for technology to work and yield results.
Recognising the implications associated with portability requirements on the business, the State of California, in its law, prescribed mandatory data portability only for a profitable business, confirming to a minimum threshold. Costs related burden has also been identified by Trade Union Advisory Committee (OECD) [11] and nations like Singapore [12] and the United Kingdom [13], emphasising the need for more explicit industry standards on portability. As India attempts to establish its data protection regime, policymakers need to acknowledge how the associated costs can affect businesses and consumers economically in the long run.
- Portability of personal data and its competitive relevance: Lessons from EU
Given the value digital services derive from datasets, allowing portability without studying its probable impact could ultimately harm competition and consumer welfare, adversely affecting business activities. Inputs from the EU provide crucial insights into how portability must be interpreted to work as a competition law remedy.
The ambit of personal data
Definition of personal data under the GDPR includes ‘directly or indirectly identifiable information’ on ‘name, an identification number, location data, an online identifier, to one or more factors specific to the identity of a natural person – physical, physiological, genetic, mental, economic, cultural or social’. [14] The proposed bill, however, includes data “directly or indirectly identifiable” including “any inference drawn from such data for the purpose of profiling” under personal data and prescribes portability for ‘voluntarily provided, generated data or data forming part of the profile or otherwise obtained’ [15]. It is pertinent to note that the bill nowhere defines generated, obtained or inferred data keeping its scope open to interpretation.
For digital enterprises the value and utility derived through each may differ. Considering the same, Guidelines on Right to Data Portability (2017) [16] specifically exempted inferred data or derived data from the purview of portability even in cases where it is related to personal data. The rationale is that fiduciaries create inferred and derived datasets over time for deriving predictions and; porting, which can affect businesses and competition. Hence, the inclusion of ‘inference drawn’ and its meaning requires deliberation, considering its economic relevance.
The Exceptions
The GDPR exempts ‘trade secrets’ and ‘information whose portability is technically unfeasible’ from the mandate of data portability. Both the exceptions find a place in the proposed bill. On protection to trade secrets, the EU grants protection to information comprising – ‘data not known to the public at large’, ‘has a commercial value’ and ‘fiduciaries have taken steps to keep the information secret’ [17]. For instance, in the digital sector, ‘algorithms’ have been granted protection under the GDPR, considering the economic significance and value it generates [18].
The JPC, however, in its suggestion, has recommended removing the exception citing high chances of manipulation [19]. It must be considered that removing this exception would mean compelling enterprises to over-share data, making them more accountable. This could hamper the functioning of technology and may negatively impact competition. Hence, ‘inclusion of inferences drawn’ and ‘suggesting removal of trade secrets’ requires careful scrutiny from the competition law perspective.
On the technical feasibility exception, Recital 68 of the GDPR indicates that enterprises are required to maintain minimum interoperability [20], allowing users to collect and transfer their data easily between different service providers. The Committee, however, has suggested leaving interpretation of ‘technical feasibility’ to the fiduciaries in a manner specified through regulations [21]. If the suggestion is accepted, the regulations must specify the portable datasets and ensure that exception is only invoked where necessary, without any manipulation.
Conclusion
The nature of the data collected by digital enterprises, the value so created, and its utility differs across markets. While a few enterprises may derive substantial value from personal data, others might depend on inferences drawn through the processing of such data. Portability may hamper competition without applying intelligible differentia, depreciating the value that enterprises procure from data. Devising policies, sector and market-specific regulations through collaborative consultation between sectoral regulators is essential for a fair competition and consumer welfare balance. Policies must clarify the nature of the enterprises subject to mandatory porting requirements, the ones exempted, and their respective thresholds of data volumes considering economic aspects of businesses and the costs structure attached.
__________________________
References
[1] Competition Commission of India, ‘Market Study on E-commerce in India (08-01-2020), Available at https://www.cci.gov.in/sites/default/files/whats_newdocument/Market-study-on-e-Commerce-in-India.pdf; Competition Commission of India, ‘Market Study on the Telecom Sector in India’ (22-01-2021), Available at https://www.cci.gov.in/sites/default/files/whats_newdocument/Market-Study-on-the-Telecom-Sector-In-India.pdf
[2] In Re: Updated Terms of Service and Privacy Policy for WhatsApp Users, (Case No. 01 of 2021), Available at https://www.cci.gov.in/sites/default/files/SM01of2021_0.pdf
[3] The Data Protection Bill, 2019 (Bill No. 373 of 2019), Available at https://prsindia.org/files/bills_acts/bills_parliament/2019/Personal%20Data%20Protection%20Bill,%202019.pdf
[4] Report of the Joint Parliamentary Committee on The Data Protection Bill, 2019 (New Delhi, December 2021) Available at http://164.100.47.193/lsscommittee/Joint%20Committee%20on%20the%20Personal%20Data%20Protection%20Bill,%202019/17_Joint_Committee_on_the_Personal_Data_Protection_Bill_2019_1.pdf
[5] OECD, ‘Data Portability, Interoperability and Competition – Note by India’ (DAF/COMP/WD(2021)31, May 10, 2021, Available at https://one.oecd.org/document/DAF/COMP/WD(2021)31/en/pdf#:~:text=Introduction-,1.,to%20choose%20among%20competing%20providers.&text=This%20would%20ensure%20network%20effects,3.
[6] Julius Baecker, Martin Engert, Matthias Pfaff, Helmut Krcmar, ‘Business Strategies for Data Monetization: Deriving Insights from Practice, (March 2020) Available at https://www.researchgate.net/publication/339797599_Business_Strategies_for_Data_Monetization_Deriving_Insights_from_Practice
[7] Centre for Digital Future, ‘Initiative on Choice, Competition and Innovation (ICCI) Launch Event, Keynote Address, Available at https://www.cci.gov.in/sites/default/files/speeches/Digital-Future-speech.pdf?download=1
[8] Edward Longe, ‘GDPR Was Bad for Europe; U.S. Needs Its Own Path’ (December 8, 2021)
Available at https://insidesources.com/gdpr-was-bad-for-europe-u-s-needs-its-own-path/
[9] globalscape by HelpSystems ‘The True Cost of compliance with Data Protection Regulations’ (Ponemon Institute LLC, December 2017), Available at https://static.helpsystems.com/globalscape/pdfs/guides/gs-true-cost-of-compliance-data-protection-regulations-gd.pdf
[10] The Cost of an unnecessarily stringent Federal data privacy law, Available at https://itif.org/publications/2019/08/05/costs-unnecessarily-stringent-federal-data-privacy-law
[11] OECD, ‘Data Portability, Interoperability and Competition – Note by TUAC’, Available at https://one.oecd.org/document/DAF/COMP/WD(2021)35/en/pdf
[12] Discussion Paper on Data Portability (Personal Data Protection Commission In collaboration with Competition and Consumer Commission of Singapore), Point 4.8, Available at https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Resource-for-Organisation/Data-Portability/PDPC-CCCS-Data-Portability-Discussion-Paper—250219.pdf.
[13] OECD, Data Portability, Interoperability and Digital Platform Competition (2021) Point 5.3, Available at https://www.oecd.org/daf/competition/data-portability-interoperability-and-digital-platform-competition-2021.pdf
[14] Article 4 (1) GDPR
[15] Clause 19, The Personal Data Protection Bill, 2019, Available at https://prsindia.org/files/bills_acts/bills_parliament/2019/Personal%20Data%20Protection%20Bill,%202019.pdf
[16] Guidelines on Right to Data Portability (2017), Working Party, European Commission (16/EN WP 242 rev.01), Available at file:///C:/Users/Admin/Downloads/wp242_rev_01_en_D8A6FCF6-9039-846A-0C8040819826D818_44099.pdf
[17] European Union, ‘Trade Secrets’, Available at https://europa.eu/youreurope/business/running-business/intellectual-property/trade-secrets/index_en.htm
[18] Ibid at 16
[19] Ibid at 4 No. 2.85, pg.78
[20] Ibid at 16
[21] Ibid at 4 No. 2.85, pg.78
________________________
To make sure you do not miss out on regular updates from the Kluwer Competition Law Blog, please subscribe here.