[Tejas Sateesha Hinder is a legal associate at Cyril Amarchand Mangaldas and Arushi Bhagotra is a legal analyst with Varahe Analytics]

Can a Privacy Policy Break Competition Law?

In November 2024, India’s Competition Commission (CCI) fined Meta and WhatsApp INR 213.14 crore for anti-competitive conduct surrounding WhatsApp’s 2021 privacy policy. This signals a significant evolution in Indian competition jurisprudence. By addressing how mandatory data sharing across Meta’s ecosystem could distort competitive conditions, the CCI has directly challenged the notion that privacy and competition are distinct domains. Its decision directing WhatsApp to not share data with Meta for advertising purposes for five years, coupled with a requirement for more transparent user choice, marks a clear foray into the normative dimensions of digital market regulation.

The CCI’s Intervention: Privacy as a Competition Concern

However, this expansive reasoning has not gone unchallenged. The National Company Law Appellate Tribunal (NCLAT) granted a partial stay on the CCI’s order, adding a new layer of doctrinal debate about the limits and legitimacy of competition enforcement in the digital economy. The NCLAT granted a partial stay on the CCI’s remedial directions primarily on the ground that the final adjudication of the appeal was pending and immediate enforcement of the CCI’s order, particularly the five-year prohibition on data sharing, could cause irreparable harm to Meta’s ongoing business operations.  However, notably, while the NCLAT granted a conditional stay on the monetary penalty, requiring a 50% deposit, it refused to stay the CCI’s directions on restricting the sharing of user data for purposes other than advertising. This indicates that the appellate tribunal was cautious in providing immediate financial relief but endorsed, at least prima facie, the CCI’s substantive concerns regarding data-sharing practices.

At the heart of the case lies WhatsApp’s 2021 privacy policy, which required users to accept the sharing of metadata and business communication data with other Meta entities, especially Facebook and Instagram, as a condition of continued service. This policy update, which lacked an opt-out mechanism, ignited concerns over user autonomy and data monetisation. The CCI’s decision to initiate a suo motu investigation under Section 26(1) of the Competition Act, 2002, was notable in itself, as it reframed what is ordinarily seen as a privacy issue under the lens of abuse of dominance. Specifically, the CCI examined whether WhatsApp, by virtue of its dominant position in the Over-The-Top (OTT) instant messaging market, had imposed unfair terms in violation of Section 4(2)(a)(i) and (ii) of the Act, thereby enabling Meta to extract competitive advantage through the cross-utilisation of user data.

Expansive Antitrust Reasoning and Doctrinal Shifts

The CCI’s analysis adopts an expansive interpretation of dominance and unfair conditions. It reasons that the lack of granular user consent, the preconditioned acceptance of intrusive terms, and the disproportionate leverage arising from WhatsApp’s network effects collectively amounted to an abuse of dominance. Unlike traditional cases that focus on pricing or access restrictions, the CCI advanced a theory of harm rooted in non-price parameters, specifically, loss of control over personal data and the inability to make informed digital choices. These harms were not merely characterised as consumer protection concerns but as distortive of the competitive process itself. The CCI thus interpreted data aggregation not as a neutral business strategy, but as a vehicle for extending dominance across adjacent markets, particularly in targeted advertising.

From an Indian legal perspective, this case marks a subtle yet powerful expansion of antitrust doctrine. Historically, Indian competition law has remained tethered to structural analysis, focused on market shares and vertical restraints. However, this case shows a willingness to incorporate the evolving economics of digital platforms, where user attention and data serve as critical inputs in market competition. More importantly, the CCI appears to be drawing from a rights-based approach to market fairness. By linking exploitative conduct with a lack of informed consent, the CCI implicitly borrows from constitutional principles under Articles 14 and 21 of the Indian Constitution, which have previously been interpreted by the Supreme Court to protect informational privacy (Justice K.S. Puttaswamy v. Union of India). The CCI’s approach therefore represents a hybridisation of competition law with fundamental rights logic, which is normatively ambitious but potentially faces challenges in traditional antitrust jurisprudence that primarily focuses on economic harm.

Global Parallels and Institutional Fragility

Internationally, the decision aligns closely with recent developments in the European Union and Germany, particularly the German Federal Cartel Office’s (Bundeskartellamt) decision in Facebook v. Bundeskartellamt, where Facebook was found to have abused its dominance by combining user data from multiple sources without proper consent. There too, the competition regulator treated privacy violations as a form of exploitative abuse under Article 102 TFEU.

The Meta v. Bundeskartellamt case before the Court of Justice of the European Union (CJEU) significantly clarified the intersection of data protection and competition law in the EU. The primary question was whether Meta’s practice of conditioning access to its social networking services on users’ consent to extensive data collection and cross-platform tracking, allegedly in violation of the General Data Protection Regulation (GDPR), could also amount to an exploitative abuse of dominance under Article 102 TFEU. In essence, the CJEU was asked to determine whether a violation of data protection rules, in and of itself, can support a finding of abuse of dominance.

The CJEU’s assessment emphasized that competition authorities are competent to consider GDPR infringements as part of their analysis of abuse under Article 102, but they cannot substitute themselves for data protection authorities. Instead, they must take into account the decisions or investigations of data protection regulators when assessing the lawfulness of data practices. Thus the court acknowledged the complementary role of competition law in addressing privacy-related exploitation while stressing the need to respect the institutional prerogatives of data protection authorities.

Importantly, the CJEU delineated the duties of both regulatory spheres. Competition authorities may examine whether dominant undertakings impose unfair trading conditions by exploiting personal data, but they must cooperate with and avoid contradicting the findings of data protection regulators. This bifurcation ensures that competition law can address exploitative conditions arising from data practices without undermining the primary role of data protection authorities in enforcing GDPR compliance. The decision therefore reinforces a dual accountability framework, where anti-competitive abuses tied to personal data misuse can be scrutinized under competition law, provided such scrutiny remains consistent with GDPR enforcement mechanisms.

Likewise, the European Commission’s Digital Markets Act (DMA) reflects a growing consensus that gatekeepers should not be allowed to condition access to core platform services on intrusive data-sharing obligations. However, a key difference lies in institutional architecture and the specific remedies imposed. While European regulators increasingly operate under ex-ante frameworks and digital-specific instruments like the DMA, the CCI continues to work within a general competition statute, making its interpretative leap all the more significant, and potentially more susceptible to legal challenges.

This fragility is evident in the NCLAT’s partial stay of the CCI’s remedial directions. Although the NCLAT has not issued a final ruling on the merits, its willingness to suspend a portion of the CCI’s corrective order suggests a more restrained view of the competition regulator’s jurisdictional reach. The appellate tribunal’s interim stance raises questions about the boundaries between ex-post competition regulation and ex-ante data protection regulation, especially in the presence of India’s new Digital Personal Data Protection Act, 2023 (DPDPA). One interpretation of the NCLAT’s stay could be that questions of user consent and data transparency should be adjudicated by specialised data protection authorities, not by competition regulators through indirect means. If this view prevails, it may curtail the CCI’s ability to respond to evolving platform strategies where market power is exercised through informational asymmetries, not just price or entry barriers.

There is room for critique on both sides. The CCI’s intervention is arguably doctrinally ambitious but procedurally thin. Its treatment of data as an antitrust concern is conceptually sound, but the evidentiary chain between user data sharing and actual foreclosure or anti-competitive leveraging in advertising markets remains insufficiently developed in the order. The decision also glosses over the competitive pressure Meta faces from Apple’s App Tracking Transparency framework and Google’s privacy sandboxing, countermeasures that have changed the global dynamics of adtech. Moreover, the CCI’s five-year blanket restriction on data sharing, while well-intentioned, may be vulnerable to challenge for being disproportionate, especially in the absence of a graduated or reviewable remedy.

The CCI penalized Meta and WhatsApp for abusing dominance through the 2021 privacy policy, which forced users into data-sharing without real consent, granting Meta an undue edge in digital advertising. It imposed an INR 213 crore fine and a five-year ban on sharing WhatsApp data with Meta entities. Meta challenged this as disproportionate, with the NCLAT partially staying the ban and fine. The order is further contextualized by global adtech shifts, where Apple’s App Tracking Transparency and Google’s Privacy Sandbox already restrict cross-platform tracking, intensifying Meta’s competitive and regulatory pressures.

The Road Ahead: Balancing Regulation and Innovation

The NCLAT’s partial stay risks deferring important questions of digital market regulation at a time when institutional clarity is needed. The argument that data privacy is a matter solely for the DPDPA overlooks the fact that data accumulation, when leveraged to entrench dominance or prevent multi-homing, squarely implicates competition law. International experience, particularly the European Commission’s investigations into Amazon, Google, and Meta, underscores that antitrust regulators must be equipped to engage with data-driven theories of harm, even where privacy overlaps exist. If India were to artificially silo these domains, it would risk underenforcement in precisely those areas where digital market distortions are most acute.

The path forward should involve a more integrated regulatory framework. The CCI, while continuing to exercise its competition mandate, should coordinate with the forthcoming Data Protection Board to address overlapping harms. Ideally, India should move toward sector-neutral digital market regulation, akin to the DMA, which allows regulators to impose data portability, interoperability, and fair consent obligations as structural remedies. Until such a regime is created, the CCI must ensure that its interventions are not only normatively justified but also evidentially and procedurally resilient.

The CCI’s penalty on Meta, thus, represents a turning point in Indian competition law’s engagement with the digital economy. By treating user data as both an economic and normative good, the CCI has signalled that platform power cannot be immunised by contractual consent alone. However, the balance between ambition and restraint, between innovation and overreach, will now be tested before the NCLAT and possibly the Supreme Court. As India navigates the contours of digital sovereignty and market fairness, this case may well become the reference point for defining the role of antitrust enforcement in a datafied economy, and its ultimate resolution will significantly shape India's approach to regulating the power of digital platforms.