Sai Rishi B V
(Law Student, Christ University Bangalore)
The Indian digital and competition landscape is on the brink of a change with the passing of the Digital Competition Bill (DCB) and the Digital Personal Data Protection Act (DPDPA). While having different goals, these two laws are set to reshape how businesses operate and how users interact with the digital world. For instance, potential challenges could arise in the form of data collection practices that may not align with the DPDPA’s provisions or in the jurisdiction of adjudicatory bodies to enforce the DCB’s regulations. Through this blog, the author examines how these two pieces of legislation work together, highlighting the need to address jurisdiction issues.
Different Goals but a Common Playing Field: Data
Data is the lifeblood of the digital economy and is used by enterprises to personalise services and target advertising. The DPDPA aims to protect user privacy by empowering individuals to control their personal data and ensuring its ethical use by businesses. This is accomplished through section 4, which aims to limit the processing of digital personal data only for – (i) which consent has been obtained; and (ii) certain legitimate uses. To effectuate this, data vendors must appoint Data Protection Officers to address user grievances. Furthermore, under section 6, the DPDPA seeks to prohibit obtaining user consent through deceiving means, such as pre-ticked boxes or confusing language, ensuring consent to be free, specific, informed, unconditional and unambiguous. For instance, a user should be able to easily understand what data is being collected, why it is being collected, and how it will be used.
The DCB, on the other hand, has been formulated to foster a fair and competitive digital market. The Committee on Digital Competition Law tabled a draft bill after finding the need for an ex-ante regulatory mechanism for digital markets in India. The bill seeks to fill a void in the existing competition law regime in the country, mainly flowing from the Competition Act, 2002 (the Act), which primarily adopts an ex-post mechanism. Under the existing ex-poste regime, investigations into incumbent players under the Competition Act, which begin after a contravention has occurred, are resource-intensive and time-consuming. In the meanwhile, the market may irreversibly tip in favour of the incumbent and consequently drive out competitors.
To address this, the DCB under section 3 defines an enterprise within the digital eco-system as a Systematically Significant Digital Enterprise (SSDE). In simpler terms, an SSDE is a digital enterprise that significantly impacts the digital market and is subject to the fulfilment of provisions of the bill under Chapter II. The DCB differs from the Competition Act by adopting an ex-ante mechanism requiring only SSDEs to comply with the bill’s provisions defined under Chapter III. In regard to data specifically, under section 12(1), the DCB prohibits SSDEs from using or relying on non-public data of its users to compete with other businesses in the same relevant market. This is achieved through the prohibitions laid down under section 12(2), which prohibit SSDEs without end-users consent from amalgamating their personal data obtained through different services offered by the enterprise and prohibit SSDEs from permitting third parties to use such data.
The overlap between these legislations can be observed as they both address data privacy concerns. Through sections 4 to 6, the DPDPA seeks to ensure that collected user data can be processed only for the specific ‘legal’ purpose for which consent from the user was obtained. To ensure this, the data fiduciary who has collected the data must notify the users, informing them of the data collected and the need to process it. A parallel can be observed under section 12 of the DCB, which defines ‘non-public data’ as any aggregated and non-aggregated data created by business users that can be gathered through their or their end users’ commercial activity on the designated Core Digital Service of the Systemically Significant Digital Enterprise. However, section 12 of the DCB goes one step further by prohibiting SSDEs from intermixing data obtained from various subsidiaries or sharing data with third parties.
Need for DCB: Data Privacy Used as a Non-price Competition
The need for a competition bill regulating digital space is a phenomenon not only observed in India but worldwide. This arose from platforms treating users unfairly, prominently by sharing ‘user data’ with third-parties. Notably, India followed suit after the European Union passed its Digital Markets Act, 2022, to keep up with the upcoming trend of ex-ante antitrust regulations. In India, the ex-ante approach is predicted to be more favourable as there has been a considerable delay in obtaining the final order under the ex-post regime, especially in cases involving digital markets, where the sharing of user data is in contention. For instance, in the WhatsApp case and the BookMyShow case, the CCI passed a preliminary order under section 26(1) in March 2021 and June 2022, but a final order under section 27 is still pending. If an ex-ante regulatory mechanism is adopted, SSDEs shall be identified beforehand, and they’ll have to comply with provisions of the DCB, a contravention of which shall attract a mandatory penalty.
The sharing of user data has raised antitrust concerns in India time and again. The CCI, most notably in the WhatsApp privacy policy case, took cognisance when WhatsApp wanted to share user data with other Meta enterprises such as Facebook. The Vinod Kumar Gupta case, is a cornerstone in India’s digital antitrust jurisprudence. In this case, the CCI laid down that WhatsApp policies’ mandatory nature violates the user’s right to consent. The commission also stated that excessive data collection and utilisation causes anti-competitive concerns that necessitate subsequent antitrust review and that data-driven ecosystems cannot escape the eyes of competition law.
While a prima facie reading of both legislations might suggest that they seek to achieve different objectives and work complementary to each other, history suggests that the CCI has always had a clash in jurisdiction with other regulatory authorities. In context to the DPDPA and DCB, the question regarding the Data Protection Board of India’s (DPBI) CCI’s jurisdiction is yet to be demarcated.
Data Collection: Who has Jurisdiction?
The DPDP constitutes a DPBI under section 18, which addresses disputes arising from the statute’s scope. Section 2(h) defines what constitutes Data, 2(i) defines Data fiduciary, and the breach of personal data is dealt with under section 2(u). The definition of processing has been provided under Section 2(x) of the DPDPA. It appears that questions such as data sharing between two subsidiaries of Meta can fall under the scope of the DPDPA. However, this also attracts the scope of section 12 of the DCB, which prohibits an enterprise from intermixing data collected from different services, including its Core Digital Services.
To remedy this, an equivalent can be borrowed from past CCI cases, such as the Ericsson case, where the authority of the Patents Act circumvented that of the CCI. The Delhi HC observed that the former dealt with fair, reasonable, and non-discriminatory (F.R.A.N.D) standards, while the latter ought to address competitive concerns. Another case which highlights a conflict in jurisdiction with a regulatory authority, namely the Telecom Regulatory Authority of India (TRAI) is the Bharti Airtel case, where the Supreme Court maintained balance by providing the TRAI to hearing matters related to the telecom sector in the first instance and then return those findings to CCI which provide a prima facie violation of competition law.
In the context of DPDPA and DCB, the “Personal data breach” that is the subject that is most likely to cause a conflict is principally covered by the DPDP Act through section 2(u), the special legislation on this matter, and the CCI does not have authority over it immediately. Following the direction and guidelines of the WhatsApp case, the CCI ought to assume jurisdiction when exclusionary practices and violations of the DCB provisions are evident. The DCB should thus take a backseat in the event of an unavoidable overlap between the two until the DPBI opines that this personal data breach raises anti-trust concerns. However, since not every data sharing with another organisation will qualify as anti-competitive behaviour, the CCI might not even need to consider examples of each and every personal data breach.
The main situation in which this breach of personal data would cause competition issues is if it results from an SSDE wherein it violates its obligations under section 12 of the DCB primarily by intermixing user data obtained from various services owned by the same SSDE and permitting third parties to use such data. Thus, the DCB ought to take precedence in cases of data breaches by SSDE. Upon the CCI’s decision, the DPBI may also be able to take action about this data breach.
Conclusion
A solution to the present conundrum can be found within the text of the Competition Act under section 62 which requires the Act to be interpreted harmoniously with other laws. Applying a harmonious interpretation, jurisdiction can be demarcated such that CCI gets primacy in data breaches only when the enterprise is an SSDE. This is so that the DPBI can appreciate the impact of market conditions exclusively on the ‘consent’ of the users. In every other scenario, the DPBI should exercise its jurisdiction over any personal data breach where the core question is not that of dominance.
Comments