This article analyzes the said order where the proactive anti-trust regulator examines the instant messaging app market, inadequately regulated by lagging data privacy laws.
WHATSAPP AND FACEBOOK ARGUMENTS
Before proceeding with the investigation, both WhatsApp and Facebook were asked to submit their responses before the CCI. Facebook submitted that though being a parent company of WhatsApp, the two are separate entities and the Updated Policy governs the instant messaging services provided by WhatsApp. On this basis, Facebook submitted that it should not be a party to this matter. CCI rebutted this by pointing out that Facebook is a “direct and immediate beneficiary” of the Updated Policy and is a proper party to the matter.
WhatsApp on the other hand, challenged the jurisdiction of CCI on the subject-matter, arguing that matters related with Updated Policy falls within the purview of Information Technology Act, 2000, effectively the privacy laws contained under Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules,2011. Further, WhatsApp relying on the Supreme Court judgement of CCI vs. Bharti Airtel Limited and Others (“CCI TRAI Case”), responded that the subject matter was currently sub-judice before various judicial forums in India and therefore CCI should only exercise its jurisdiction once proceedings before a sectoral regulator has concluded.
INTRICACIES OF CCI’S ARGUMENTS
In its order, CCI has essentially pointed out two inter-linked grounds which create manifold anti-trust issues. One, that under the Updated Policy WhatsApp will share personalized user data with other Facebook Companies, and second, that all existing users of WhatsApp had to mandatorily accept the Updated Policy within a stipulated date, for them to continue using the services of WhatsApp.
Analyzing the Updated Policy from Competition perspective
In response to WhatsApp’s submission, CCI explained its role in studying the Updated Policy from competition perspective which would include examining the anti-competitive implications of excessive data collection and the usage of such data. It highlighted that unreasonable collection and sharing of data by dominant players like WhatsApp will grant unfair competitive advantage and may create barrier entry for new entrants.
No sectoral regulator
Another crucial element of this order is CCI’s interpretation of the CCI TRAI Case. The CCI held that this case has no application to the present issue at hand. CCI explained that the crux of the CCI TRAI Case was to establish a ‘comity’ between CCI and TRAI. As WhatsApp had relied on this case in its response, CCI observed that it has failed to demonstrate that the present subject-matter is sub-judice before a sectoral regulator.
Direct network effects and lack of competition
CCI observed that in the ‘relevant market’ of OTT messaging apps’ and based on trailing competitors, vast user base, combined with direct network effects enjoyed by WhatsApp, WhatsApp is clearly dominant. Additionally, imposing a precondition on users to accept the Updated Policy for accessing the services of WhatsApp, would in-turn enable WhatsApp to collect expansive amount of data for sharing with other Facebook Companies. CCI observed that due to lack of competing options, the users may be compelled to accept the Updated Policy.
Non-price parameters for ascertaining abuse of dominance
CCI noted that in the digital economy, organizations compete based on non-price parameters such are quality of service, innovation, customer service etc. Lower data protection coupled with lack of control of the user over their data can be considered as reduction in quality under anti-trust law. CCI observed that the current conduct of WhatsApp and Facebook qualifies as “degradation of non-price parameters of competition viz. quality” and the implementation of the Updated Policy prima facie is imposition of unfair terms and conditions.
COMMONALITY IN COMPETITION AND PRIVACY LAWS
Recognizing the sovereign rights of the users over their data, CCI concluded that WhatsApp has prima facie contravened 4(2)(a)(i), 4(2)(c) and 4(2)(e) of the Competition Act.  In the current order, CCI is concerned with the non-voluntary and non-transparent collection of data which maybe further used by dominant entities to secure leverage even in unrelated markets and create barrier entries for new entrants. Few anti-trust regulators have attempted to regulate on matters which converge data protection and competition laws. In the United States the Federal Trade Commission (“FTC”), American anti-trust regulator, has sued Facebook in federal court for continuous anticompetitive conduct by acquiring Instagram and WhatsApp and imposing unfair terms on software developers, to maintain its monopoly. If the FTC has its way, Facebook will have to seek prior notice and approval for all future mergers and acquisitions. Although, literature around overlap of competition and data privacy law is limited, CCI’s order has made a compelling case for implementing strong data protection laws which would prevent dominant firms to employ coercive tactics for collection and usage of user data and enforcing its monopoly in relevant markets.
CURRENT DEVELOPMENTS AND WAY FORWARD
India has started with its attempt to join the league of nations having stringent data privacy laws by tabling the Personal Data Protection Bill, 2019 (“PDP Bill”). The PDP Bill once coming into effect will regulate the processing of personal data by government, as well as companies, both Indian and foreign, processing personal data of individuals. Further, it will establish the Data Protection Authority (“DPA”) which shall be vested with powers to prevent the misuse of personal data, ensure compliance with the act as well as specify code of practice for promoting good practices of data protection amongst other things.
Recently, the Ministry of Electronics and Information Technology (“MeitY”) has directed WhatsApp to withdraw the Updated Policy. In absence of a regulator in the IT sector and inception of the DPA being a distant dream, it is pertinent to note that MeitY, in discharging executive function, may be stepping into the shoes of a data protection regulator. If DPA would have been in existence and had started investigating this matter, then going by the CCI TRAI Case, CCI would have to wait for the conclusion of the matter before DPA. However, the jurisdiction, scope of DPA and CCI investigations, and the orders would have been entirely different. This clearly shows that its high time India have its DPA and PDP Bill in place to cover similar future issues from all aspects. Once the PDP Bill is enacted, it would be interesting to see how both DPA and CCI regulate overlapping matters on data protection and competition law.
Partner, Juris Corp
Associate, Juris Corp