[Shourya Mitra is penultimate year student from Jindal Global Law School, Sonepat]
Introduction
The Competition Commission of India (CCI) in the case of In Re: Updated Terms of Service and Privacy Policy for WhatsApp Users (WhatsApp case) has clarified the contours of competition concerns arising out of privacy policies stating that, sharing of data between entities can raise competition concerns owing to its potentially exploitative and exclusionary nature. In this case, the CCI had initiated investigation under Section 26(1) of the Competition Act, 2002(the Competition Act) pursuant to a new privacy policy imposed on WhatsApp’s users. This was further upheld by the Delhi High Court (High Court ruling) and the Supreme Court, which clarified that constitutional courts would not oust the CCI’s jurisdiction as CCI’s concern is with respect to the exploitative/exclusionary competitive practices and the “take-it-or-leave-it” approach by WhatsApp, wherein a user had to consent to the privacy policy as a pre-condition for using its services. The CCI is not deliberating upon the fundamental right to privacy under Article 21 of the Constitution of India. This harmonizes any potential conflict in jurisdiction between CCI and the constitutional courts.
However, with the introduction of the Digital Personal Data Protection Bill (DPDP), under the aegis of the Digital India Act, we now have a new upcoming data protection body that may have potential conflicting overlaps with the jurisdiction of the CCI. The Market study on the telecom sector by CCI also notes that there is potential for such overlap, and India currently has no specialized authority for it. Therefore, the report suggested that CCI can address “competition concerns arising out of privacy standards”. Additionally, the CCI in the WhatsApp case equated the “take-it-or-leave-it” approach to “involuntary consent” of the consumer. The new Bill, however, mentions a section of “consent” relevant for the new data protection body.
The Overlapping Theory of Harm
The DPDP Bill provides for the Data Protection Board of India (DPBI) under Section 5 which is supposed to deal with disputes covered within the realm of the statute. As per Section 2(16) of the DPDP Bill, the scope of the statute covers both the collection as well as the processing of such personal data by data fiduciaries. Any violations on those aspects will also fall under the purview of the DPBI – as stated under Section 20 of the DPDP Bill. Therefore, if WhatsApp and Facebook enter into a data sharing agreement, as a consequence of which there is also the imposition of a privacy policy on the consumers to the extent that users have not freely consented to the policy, the DPBI may annex jurisdiction of the same.
With respect to the collection and sharing of data between entities without legitimate consent, the Bill clearly stipulates a “Personal data breach” amounting to “unauthorized sharing of personal data” under Section 2(14). The concerned theory of harm that is overlapping under the Competition law regime is that of a dominant entity collecting data of the users or sharing its data with another entity or related entity without the users’ consent. In such a scenario the effective jurisdictional overlap is with respect to the “take-it-or-leave-it” approach that is considered problematic within the Competition law regime. This is also envisaged under the Section 7 of the DPDP Bill, wherein consent means “freely given, specific, informed and unambiguous indication of the Data Principal's wishes by which the Data Principal, by a clear affirmative action, signifies agreement to the processing of her personal data for the specified purpose”. Sharing or collecting data that is imposed on the user also means that it was not ‘freely given’ as it is effectively coerced by making consent a pre-condition to use the services of the dominant entity. Therefore, in such a specific scenario, prima facie, there may be overlaps in the jurisdiction.
However, reliance can also be placed on the High Court ruling against WhatsApp, wherein the court held that “Parallel inquiries by two different authorities in their respective spheres of adjudication is not uncommon and a slight overlap between the inquiries does not mean that one must lead to the ouster of the other.” Hence, even if the issues are similar, the jurisdictions can be interpreted harmoniously.
Harmonizing the Overlaps
Therefore, a question arises regarding the differentiating factors such that both the authorities can adjudicate harmoniously. We can draw parallels with the case of Telefonaktiebolaget LM Ericsson v. CCI (Ericsson) wherein a statutory regulator’s jurisdictional overlap with the CCI was tested. Therein the jurisdiction of the authority under the Patents Act, 1970 (Patents Act) was tested against the CCI. Some important factors were observed such as the presence of different forms of remedies. While one entity had exclusive domain over patents and the grant of compulsory license, the other could legally assess the competition concerns arising and suggest behavioural remedies, barring the grant of licenses. The Hon’ble Delhi High Court, in light of Sections 21 and 21A of the Competition Act, observed that the legislature intended for the regulators and authorities to work together and take each other’s assistance rather than ousting the jurisdiction of the other. The Court also took recourse to Section 62 of the Competition Act to hold that the two legislations should be harmonized and not given a construction that makes them conflicting. The DPDP Bill also contains the same provision envisaged within Section 29, reflecting the intended harmonious construction of this legislation with any other legislation.
However, the difference is that in Ericsson, the issues could be separated between two with the former being imposition of terms not complying with fair, reasonable, and non-discriminatory (F.R.A.N.D) standards and providing remedy under Section 27 of the Competition Act, and the latter pertaining to adjudication of grant of compulsory license on grounds enumerated under the Section 84 of the Patents Act. Therefore, even if the latter fails, the former proceedings are not impaired.
In the present comparison, it can be argued that the issue at hand is the “Personal data breach”, and the same falls primarily under the special law of the DPDP Bill, and the CCI cannot exercise jurisdiction over this breach. Therefore, in an inevitable overlap of the two, the Competition Act should become secondary as the primary concern here is that of a data breach and the DPDP Bill is a special and newer legislation. However, the CCI may not even need to accept cases of personal data breach, as not every sharing of data with another entity will amount to anti-competitive conduct.
The primary cases where this personal data breach will raise competition concerns is if the same is a consequence of a dominant entity being able to use its position to impose unfair conditions on the consumer. Therefore, it can be said that when it comes to data breach because of dominance, the competition act should be given primacy. After the adjudication by the CCI, the DPBI could also exercise its jurisdiction over this data breach.
Reliance can also be placed on CCI v. Bharati Airtel wherein the Apex Court established that the contracts which governed the provision of Points of Interconnection (PoI) required the specialised eye of the Telecom Regulatory Authority of India (TRAI) before the CCI examined them. CCI could also utilize the findings by TRAI for its own decisions. Similarly in the present overlap, the impact of dominance on consent will be required to be assessed by the CCI first as it is specialized to understand the market conditions and demonstrate how the consent was not freely given to the dominant entity. The DPBI can use these findings to determine whether there was ‘consent’ for the purposes of a “Personal data breach”. Without such determination by the CCI first, Section 7(4) of the DPDP Bill may kick in, which illustrates that if a party withdraws their consent, the data fiduciary can stop offering its services. Section 7(4) also mentions that the withdrawal of consent by the consumer/data principal will not affect the lawfulness of processing of personal data based on “consent” before its withdrawal. This finding by the DPBI will not appreciate the dominance of the data fiduciary and how the lack of alternatives in the market will distort the consent given by the consumer. It could have been the case that the consumer only gave consent due to the dominance of the fiduciary, and its withdrawal should not allow the fiduciary to stop providing its services.
Further, regarding the remedies, DPBI carries the power Section 25 DPDP Bill to impose penalties as well as order behavioural remedies under Section 20(3). However, the DPBI provides these remedies in personam in cases of personal data breach as against the CCI whose remedies are in rem, making the operative breadth of the two different. The nature of the remedy may also be different wherein the remedies provided by the CCI will pertain to dominance, while those provided by the DPBI will be centred around the nature of the data itself and its sensitivity.
Conclusion
The First Draft of the Digital India Act will likely be released in July, which will clarify the interaction of the DPDP Bill with the overall framework. However, this article attempts to analyse a very specific theory of harm wherein there may be overlaps between the CCI and the upcoming DPBI. On a harmonious interpretation, they can be reconciled such that CCI gets primacy in data breaches only when the concerned data fiduciary is a dominant entity. This is such that the DPBI can appreciate the impact of market conditions on the ‘consent’ of the users. In every other scenario, the DPBI should exercise its jurisdiction over any “Personal data breach” that does not have dominance at its core.