On 18th November 2024, the Competition Commission of India (“CCI”) made history by imposing a penalty of Indian Rupees 2.13 billion (approximately USD 25.3 million), alongside cease-and-desist directions on Meta for abusing its dominant position (In Re: Updated Terms of Service and Privacy Policy for WhatsApp users). The order was passed in relation to WhatsApp’s 2021 Privacy Policy violating various provisions of the Indian Competition Act, 2002 (“Competition Act”), and represents many Firsts for India’s anti-trust watchdog.
It is the first Indian case in which the CCI has not only explicitly affirmed, but further utilised data privacy as a form of non-price competition. It is also the first time that the CCI has accused a digital platform of abusing dominance via excessive data collection. But perhaps most importantly, it is the first case wherein the CCI has attempted to resolve the jurisdictional overlap between the fields of competition law and data protection law. Therefore, the present article aims to critically examine the CCI’s order in the context of the aforementioned, while delving into its impact on the future of data protection and competition law cases in India.
Background of the Case
On 4th January 2021, WhatsApp updated its privacy policy to introduce mandatory data-sharing with Facebook (now Meta) and its subsidiaries. What stood out even more was the absence of an opt-out provision, making it a ‘take it or leave it’ policy i.e., if users did not consent to the updated policy, they would no longer be able to use WhatsApp. This led to the CCI ordering an investigation into WhatsApp, while passing a prima facie order (“PF Order”) that the updated privacy policy and its ‘take it or leave it’ nature amounts to abuse of dominance under Section 4 of the Competition Act (see previous blogposts for detailed discussion here and here).
Hence, the CCI’s present order has been in the making for nearly 4 years and was primarily delayed due to WhatsApp’s numerous appeals against the CCI’s jurisdictional competence to pass a PF Order relating to data protection, leading all the way up to the Supreme Court of India (see Table 1).
| Time | Events |
| 4th January 2021 | WhatsApp announces updated Privacy Policy. |
| 24th March 2021 | CCI passes PF Order directing an investigation into WhatsApp. |
| April 2021 | WhatsApp files a petition challenging the PF Order, which is dismissed by single bench of the Delhi High Court. |
| 25th August 2022 | Division bench of the Delhi High Court upholds the decision of dismissal of challenge by the single bench. |
| 14th October 2022 | Supreme Court of India dismisses the appeals filed, while upholding CCI’s PF Order. |
| 18th November 2024 | CCI passes order imposing penalty of $25.3 million on Meta. |
Table 1 – Chronological Timeline of Dispute
To assess Meta’s conduct, the CCI identified two relevant markets (in the specific context of India) – the market for Over-The-Top (OTT) messaging applications on smartphones alongside the market for online display advertising. Furthermore, it was established that Meta enjoys dominance in the former, based on a multitude of factors such as WhatsApp’s high number of users (relied on both Daily Active Users and Monthly Active Users), direct network effects, absence of countervailing buying power in the market, lock-in effects and high entry barriers.
Anti-Trust Provisions Infringed by WhatsApp’s 2021 Privacy Policy
An analysis of WhatsApp’s updated 2021 Privacy Policy led to Meta being found liable for abuse of dominance, specifically for the violation of Section 4(2)(a)(i), Section 4(2)(c) and Section 4(2)(e) of the Competition Act. The CCI criticised WhatsApp’s updated “take it or leave it” Privacy Policy for being “vague, broad, and open-ended” (Para 166), leading to opacity and information asymmetry between the platform and its users. It was noted that such ambiguity in data policies is per se unfair toward users and raises anti-competitive concerns.
Lack of transparency in WhatsApp’s Privacy Policy disadvantages users, inhibits them from making informed decisions (such as looking for alternatives) and allows WhatsApp to continue increasing its data collection without any accountability. Furthermore, the CCI emphasised on privacy’s role as a non-price competition parameter and deemed the 2021 Privacy Policy’s data-sharing provisions to be unnecessary in the context of WhatsApp’s core business. It was further highlighted that excessive data collection would lead to the weakening of WhatsApp’s quality of service, in turn adversely impacting consumer welfare and competition.
Based on the above, the CCI concluded that WhatsApp’s 2021 Privacy Policy violates Section 4(2)(a)(i) of the Competition Act by imposing coercive unfair conditions on users, which amounts to abuse of dominance. Coming to the other relevant market considered by the CCI (online display advertising), the CCI noted that excessive data-sharing between WhatsApp and Meta would result in the creation of entry barriers, thereby violating Section 4(2)(c) i.e., practices leading to denial of market access. In a similar vein, the CCI also found a violation of Section 4(2)(e), based on Meta leveraging its dominance in the market of OTT messaging application to protect its interests in the market of online display advertising. Interestingly, Meta is being held liable for both exploitative and exclusionary abuse, marking one of the first instances wherein the CCI has imposed liability for both forms of misconduct at the same time.
Based on the above infringements and following the methodology set out under the Competition Commission of India (Determination of Monetary Penalty) Guidelines, 2024, the CCI imposed a penalty of Indian Rupees 2.13 billion (approximately US$ 25.3 million) on Meta. Furthermore, the CCI set out various remedial measures to be abided by, such as a five-year data sharing ban for advertisement purposes between WhatsApp & other Meta companies, enhancing transparency in the data sharing conducted between WhatsApp & other Meta companies for non-advertising usage and lastly, providing users with an opt-out option for all data sharing unrelated to WhatsApp’s core services.
Data Collection and Privacy as Relevant Factors in Anti-Competitive Analysis – A Progressive Step Forward
Competition law enforcement agencies around the world have long taken cognisance of privacy and data protection as relevant factors in determining anti-competitive effects. To illustrate, the European Commission has evaluated the impact of data concentration across a variety of mergers, such as Facebook/WhatsApp (2014), Microsoft/LinkedIn (2016), Sanofi/Google (2016), Apple/Shazam (2018) (see previous blogpost here), Google/Fitbit (2020) (see previous blogpost here) and Meta/Kustomer (2022). Similarly, US anti-trust regulators have also factored in aspects of data and privacy in multiple cases such as the Google/Double Click merger (2007), United States v. Thomson Corp. (2008), United States v. Google Inc. (2011), the Verisk/EagleView merger (2014) etc.
On the other hand, the CCI has been extremely late in joining the above the trend. Until very recently, the CCI adopted a reluctant approach towards the consideration of privacy and data as relevant factors in determining breach of competition law. In 2012, the CCI investigated its first case in the sector of online advertising – In Re Matrimony.com, involving Google’s abuse of dominance via imposition of unfair terms on its search intermediation partners alongside indulging in search bias (see previous blogpost here). Despite noting that “it would not be out of place to equate data in this century to what oil was to the last one” (Para 86), the CCI refrained from further delving into the anti-competitive effects caused by data and privacy.
Furthermore, akin to WhatsApp’s 2021 Privacy Policy, the anti-competitive effects of WhatsApp’s 2016 Privacy Policy were adjudicated upon by the CCI in Vinod Kumar Gupta v. WhatsApp Inc (it was ultimately upheld since the 2016 Policy provided an opt-out option, unlike the 2021 Policy). However, despite privacy and data collection being central to the case at hand, the CCI refused from delving into the said aspects, while providing the rationale that privacy matters must be decided under the Information Technology Act, 2000, rather than the Competition Act.
At this point, it is necessary to note the two schools of thought on the role of privacy in competition law – “separatist” and “integrative” (see previous blogpost for detailed discussion here). While the latter believe that privacy and data factors play a key role in determining anti-competitive effects (especially in data-driven markets), the former argue that data protection law and competition law must be kept separate, thereby allowing no scope for overlap. The CCI’s approach till Vinod Kumar Gupta v. WhatsApp Inc may be termed as separatist, however, as explored below, it appears that the CCI has gradually transitioned to the integrative path.
The genesis of this change may be traced back to the Report of the Competition Law Review Committee, 2019, which argued for the recognition of data as a relevant factor of consideration in zero-price markets. More importantly, on 22nd January 2021, the CCI released its report on the Market Study on the Telecom Sector in India (“Market Study”), which explicitly acknowledged that privacy can take the form of non-price competition (Para 70). In the context of data collection, the Market Study observed that competition analysis must take into consideration the extent of free consent given by users in cases involving actions by dominant entities.
Furthermore, abuse of dominance by said entities may lead to lowering of privacy, in turn leading to lack of consumer welfare, which comes under the ambit of competition law. The Market Study concluded while warning against the potential dangers of both exploitative and exclusionary abuse arising from lower data protection and privacy standards. It is important to note that just within two months of the release of the Market Study, the CCI initiated its investigation into WhatsApp’s 2021 Privacy Policy, with the PF Order passed relying heavily on anti-competitive effects arising from data and privacy factors. Moreover, with the CCI’s final order establishing abuse of dominance by Meta based on excessive data collection and lowering of privacy standards, it is affirmed that India has transitioned to the integrative approach.
The Bundeskartellamt’s Decision in Facebook – A Guiding Light for the CCI
When discussing the integrative path towards data protection and competition law, it is impossible to ignore the Bundeskartellamt’s (“BKartA”) seminal judgment against Facebook in 2019. The said case dealt with Facebook’s abuse of dominance arising from their practice of excessive data collection of user personal data across various services, despite the absence of any legitimate ground of data processing. In many ways, Germany’s anti-trust authority pioneered the integrative approach, the evidence of which is evident in CCI’s own decision against Meta. Even beyond the CCI explicitly citing the BKartA’s decision against Facebook in its order, both the decisions share numerous commonalities.
Both were against the same party, in the same relevant market (online advertising), involved breach of user privacy, had elements of exclusionary alongside exploitative abuse and substantially relied on the anti-competitive effects of excessive data aggregation. However, despite the similarities between the two cases, it appears that there is still one crucial aspect wherein the CCI can take further inspiration from the BKartA i.e., cross-application of data protection legislation provisions to establish competition law violations.
What particularly stands out about the BKartA’s decision is its extensive usage of various provisions from the European Union’s General Data Protection Regulation (“GDPR”) to establish abuse of dominance by Facebook. In fact, the bulk of the analysis in the BKartA’s order focused on proving that Facebook’s data collection was in contravention with Article 6 (lawfulness of processing) and Article 9 (processing of special categories of personal data) of the GDPR. On 4th July 2023, the validity of this approach was affirmed by the European Court of Justice (“ECJ”) in Meta v Bundeskartellamt, while adjudicating upon Meta’s appeal against the BKartA’s decision.
While calling for cooperation between data protection and competition law authorities, the ECJ noted that GDPR violations may serve as a “vital clue” in determining whether an undertaking has operated beyond the bounds of normal competition practices. Furthermore, the Court warned against the non-consideration of data protection legislations by competition authorities while determining abuse of dominance, noting that the same would constitute as overlooking economic realities and may lead to the weakening of competition law enforcement.
On the other hand, it appears that while the CCI has placed reliance on various data protection law principles such as consent and transparency, not once did it refer to any provision from India’s own domestic personal data protection legislation – the Digital Personal Data Protection Act, 2023 (“DPDP Act”). Pertinently, since the DPDP Act was enacted on 11th August 2023, it is understandable that no reference was made to it in the initial PF Order passed by the CCI in 2021, which initiated the proceedings against Meta.
However, since the final decision against Meta came on 18th November 2024, the CCI had sufficient time to include in its analysis the specific provisions from the DPDP Act, which are being contravened by WhatsApp’s 2021 Private Policy. Hence, it is recommended that the CCI follows the BKartA’s aforementioned approach in future cases dealing with the intersection of data protection and competition law.
Before concluding, it is necessary to note that Meta has already filed an appeal against the CCI’s order before the National Company Law Appellate Tribunal (“NCLAT”). Hence, it may be some time before the legal saga between CCI and Meta ends, with a large chance of Meta appealing before the Supreme Court of India if it fails before the NCLAT. Nevertheless, it would not be an overstatement to say that the CCI’s order against Meta is a landmark precedent in the making, with the potential to fundamentally alter the course of competition law enforcement in India, especially in the context of Big Tech.
________________________
To make sure you do not miss out on regular updates from the Kluwer Competition Law Blog, please subscribe here.
