INDIA (DOMESTIC FIRMS): An Introduction to Competition/Antitrust
Data Privacy Law in India
Background and applicability of laws
Having received Presidential Assent on 11 August 2023, the Digital Personal Data Protection Act, 2023 (DPDPA) is on its way to regulating digital personal data in India. The economic essence of the DPDPA and its impetus to businesses and start-ups can be gauged from the statement of the Act and the exemption provisions provided under Sections 17(3) and 17(5).
The Competition Act, 2002 (CA), which closely governs the digital markets and the conduct of market participants, was also enacted with similar objectives. It governs the conduct of an enterprise pertaining to the abuse of a dominant position and also keeps a check on agreements or combinations that will have appreciable adverse effects on competition in the market. A closer analysis of the DPDPA will exhibit its co-relation with the CA, which businesses must be cautious about. Section 38 of the DPDPA specifically allows for the application of other laws to the extent there is no conflict. In fact, Section 6(2) of the DPDPA recognises that consent shall be invalid if it is taken in violation of any other law in force (eg, the CA).
However, there is an academic divergence of views in that, on the one hand, the CA and DPDPA are said to conflict with each other, while on the other hand they are said to be “in addition to” each other. The Delhi High Court addressed this point of jurisdictional conflict in a 2022 appeal filed by WhatsApp, in which it held that the issues relating to the right to privacy arising from WhatsApp’s updated Terms of Service as examined by the courts, and the corresponding abuse of dominant position as investigated by the Competition Commission of India (CCI), operate in different realms and there is no irreconcilable repugnancy between the jurisdiction of the authorities.
An interesting development can be seen in the European Court of Justice (ECJ) ruling in Case 252/21, Meta Platforms and Others v Bundeskartellamt, an improvised version of which exists in the CA as well. The ECJ stated that member state antitrust authorities can enter into the exercise of finding a violation of the General Data Protection Regulation (GDPR) while investigating a case of abuse of dominant position. Sections 21 and 21-A of the CA, as introduced through an amendment in May 2023, create the provision for reference on a particular issue (eg, DPDPA violation) and the seeking of an opinion by the CCI from the authority concerned, or vice versa.
Processing and profiling activity
The DPDPA regulates the partly automated processing of personal data. However, it has no explicit provision on its applicability to “profiling” activities – ie, any form of the processing of personal data that analyses or predicts aspects concerning the behaviour, attributes or interests of a data principal. However, profiling may amount to a “processing” activity under the DPDPA if it is done through non-publicly available personal data. The digital market business (social media, aggregation services, OTT, analytics firms, etc) that reaps data insights and engages in user tracking, behavioural monitoring and targeted advertisement may be regulated under the DPDPA. However, in all situations, the antitrust law obligations,covering unfair usage and the leveraging of user data will apply with full force, especially to those enterprises that have market power in the digital market.
Consent mechanism
Section 6(1) read with Section 5(2) of the DPDPA mandates a retrospective compliance obligation for data fiduciaries and provides that consent by a data principal for already concluded contracts has to be unconditional. This provision also has the potential to address issues related to the abuse of dominant position by those platforms whose services are unavoidable/necessary in their offerings. In addition, the purpose and limitation framework in seeking consent should address the issues pertaining to excessive data collection and the cross-leveraging and sharing of data between group entities, which can simultaneously be looked into by the Data Protection Board of India and the CCI.
Section 7(a) of the DPDPA mentions that the voluntary giving of personal data and non-indication of “no consent” by data principals is a legitimate use case. Such an activity may be permissible under the privacy law but will run foul under the antitrust law, especially in the digital market. An untrained user does not generally investigate the data they are sharing, or its purpose. The situation is exacerbated by the prevalence of dark patterns for taking consent in lieu of services. The US Federal Trade Commission is already examining the usage of “dark patterns” by Amazon for enrolling consumers in Amazon Prime without consent and making the cancellation process complicated. This also comes with nuanced UI/UX for seeking tricked consent to onerous conditions of sharing personal data, wherein the consent withdrawal process is complicated. The remedying provision for ease in withdrawing consent can be seen in Section 6(4) of the DPDPA. The Ministry of Consumer Affairs has introduced the Draft Guidelines for Prevention and Regulation of Dark Patterns, 2023, which will soon become law. All these issues around consent management have propelled the need for a new set of entities called “consent managers” under the DPDPA, which is new in privacy laws globally.
Vendor-vendee disputes
Under the DPDPA, all liabilities are cast upon the data fiduciary (Section 9(1)). However, the DPDPA gives the data fiduciary the right to engage data processors under a valid contract. In a complex digital market structure involving marketplace service providers and sellers, wherein both come together to provide users with some services, the question of who is a data fiduciary and who is a data processor is bound to arise. A data fiduciary and processor may be in a joint fiduciary relationship, or a data processor may subsume the role of a data fiduciary as well.
The question gains more importance considering the recent antitrust cases in India (eg, in the food aggregator market or the mobile app store marketplace), wherein data, its ownership, the privacy of data and sharing amongst businesses have become contested issues. Once the respective roles are determined, the negotiation on liability mitigating contractual clauses will be of paramount importance between the data fiduciary and the processors to secure their respective interests. All these activities will attract antitrust principles with equal force (eg, Sections 4(2)(a), 4(2)(d) and 4(2)(c) of the CA, as well as Section 3(4) read with Section 3(1)), depending on the negotiating parties. These issues may arise in the cloud services market, the ad tech market, the platform market, etc.
Conclusion
India is on the cusp of harmonising its laws regulating digital markets and balancing the interests of the citizenry with those of businesses. India is contemplating a “Digital India Act” to regulate new-age technologies from the lens of antitrust law as well, in addition to exploring the need for having an ex ante framework. A Special Committee was formed in 2023 to review the CA on the need for ex ante regulation for digital markets and regulating “gatekeeper platforms”. The future is to observe legal compliance as a behavioural activity by every company dealing in digital personal data in India and map all the sectoral laws carefully for legal hygiene.