Privacy and Competition Law: Different Jurisdictions, Same Premises and Uncertain Future
[Rohan is a student at Institute of Law, Nirma University.]
In this article, the author analyses the basis on which the relationship between privacy matters and competition law is generated. There are two most common premises which originate the arguments for the integration of privacy concerns into the competition law - first, privacy is a non-price parameter, and second, one of the goals of the competition law is the protection of consumers' interests which include privacy concerns. Different jurisdictions have a distinct manner of dealing with these premises. The author demonstrates such distinctiveness by comparing the stance of India with that of the European Union (EU) with respect to the said integration.
India has a specific legislation dedicated to the protection of competition i.e., the Competition Act 2002 (Act), whereas the Treaty for the Functioning of the European Union (Treaty) provides for the competition law in the EU (in particular, Article 101 to Article 109 of the Treaty).
The author argues that the CCI is inclined towards the integration of privacy and data protection considerations into the existing competition law framework of India. Conversely, this inclination seems to be absent on the part of the EU judicial bodies responsible for the enforcement of the EU competition law (i.e., European Commission (EC), European Court of Justice (ECJ), and the General Court).
The First Premise: Privacy as a Non-price Parameter and an Aspect of Quality
With being an aspect of quality, privacy is a non-price competitive parameter, which means that consumers are attracted towards the products that value their privacy and, therefore, the competitors can compete on the same. While dealing with the WhatsApp’s updated terms in the Suo Moto Case Number 1 of 2021 (WhatsApp Case), the CCI found privacy as a non-price parameter and observed that the concerned conduct of data-sharing harms users’ privacy and, therefore, has the potential to raise anti-competitive implications.
Further, the EC, in the merger case of Facebook/WhatsApp (2014), has found privacy valuable to consumers and recognised it as an aspect of quality. Hence, both the jurisdictions have accepted privacy as a non-price parameter; however, such acceptance has resulted in the integration of privacy concerns and competition law for only one of them.
In India, as per Harshita Chawla v. WhatsApp Inc. (2020) (Harshita Chawla Case), the CCI’s rationale for ordering an investigation, in any case, is sufficiently clear i.e., an investigation will be ordered in any case where there exist anti-competitive implications. The recognition of privacy as a competitive parameter contributes to the finding of anti-competitive implication. For instance, in the WhatsApp Case, the CCI observed that a dominant player who collects excessive data gets a competitive advantage which may result in exploitative or exclusionary effects. Simply put, like a dominant firm with the largest market sale can manipulate price, a dominant firm in a data-driven market can manipulate collection of data which may lead to exclusionary or exploitative conduct, thereby raising anti-competitive implications.
As for the EU, in Facebook/WhatsApp, the EC observed that although the concentration of data could strengthen the dominant firm’s position in the market, any privacy-related concerns arising from such concentration do not fall within the scope of the EU competition law but rather falls within the domain of Data Protection Rules 2016. The EU judicial bodies have kept the matters of competition law and privacy concerns under different domains and for their respective authorities to handle. Seemingly, they want to avoid a collision between these domains; however, India does not have a privacy domain to reckon a collision.
The EU has a data protection regime, namely, EU General Data Protection Regulation 2016 (EU GDPR). This allows the EU judicial authorities to leave a privacy-related matter to be dealt under the EU GDPR and out of the ambit of the EU competition law.
Currently, in India, there are no binding data protection rules; thus, it could be argued that the stance of privacy concerns in the competition law in India may change after the enactment of the Personal Data Protection Bill 2019 (Bill). In Vinod Kumar Gupta v. WhatsApp (2016), the CCI denied intervening in the matter because the informant alleged breach of provisions of the Information Technology Act 2000 which do not fall within the ambit of the competition law. Moreover, as per Competition Commission of India v. Bharti Airtel (2018), it can be anticipated that if an authority is created for handling privacy concerns and is recognised as a sector-specialised body, then the CCI will have a secondary jurisdiction in the matters that involve privacy considerations.
Ergo, in India, the identification of privacy as a non-price parameter has contributed to the integration of privacy concerns into the competition law. However, if anything, the integration of privacy concerns in India can be considered as provisionally accepted until the stance becomes clear after the introduction of privacy laws. In the EU, the first premise is accepted but has not caused an integration between privacy concerns and competition law because its judicial bodies are inclined to maintain boundaries between them.
The Second Premise: Protection of Consumer Interest as one of the Goals of Competition Law
Arguably, one of the aims of any competition law is the protection of consumers' interest. This premise supports the argument that integration of privacy concerns and competition law should be made to better safeguard consumers' interest.
In India, the Act makes it sufficiently clear that one of the roles of the CCI is to protect the interests of consumers. As for the EU, in Fédération Internationale de Football Association (FIFA) v European Commission (2011), the General Court found that a conduct can be abusive even if it only harms the consumers without affecting the competitive structure. Thus, both jurisdictions have identified the protection of consumers' interests as one of their goals.
In India, the stance with respect to the protection of consumer interest is similar to what was observed with the first premise (of privacy being a non-price parameter in which competitors could compete) i.e., if anti-competitive implications are found to have arisen as a result of harm to consumers’ privacy, this will invite antitrust scrutiny. In the WhatsApp Case, the CCI observed illegitimate, non-specific, or involuntary collection of user data as unfair to consumers which, in turn, raises a prima facie case under Section 4(2)(a)(i) of the Act. Thus, harm to consumers’ data or privacy is found to have raised anti-competitive implications in India, thereby originating integration of privacy concerns and competition law.
In the EU, the goal of the protection of consumer interest has not caused or originated the integration. The ECJ’s judgment of the Asnef-Equifax v. Ausbanc (2006) (Asnef-Equifax) upholds that even when consumer interests are affected, issues related to personal data are not a matter of competition law but are to be resolved by the relevant provisions governing data protection.
The position in India remains that there will be an antitrust scrutiny by the CCI if a conduct raises anti-competitive implications. Privacy issues can contribute to the findings of anti-competitive implications, for example, when an excessive collection of data gives the dominant firm a competitive edge over others to engage in anti-competitive behaviors. However, as noted above, these contributions are subject to the provisions of the Bill, which may mean that the CCI has to take a back seat with respect to matters of privacy.
The stance in the EU is that its judicial bodies, without an analytical assessment, have been reluctant towards the integration. This position is expected to be clarified, if not changed, in the recent preliminary question pending before the ECJ. The reference of the Bundeskartellamt v. Facebook (2019) to the ECJ is expected to elucidate the rationale behind reluctancy towards the integration. In this case, the German Supreme Court has gone against the ratio of Asnef-Equifax. It was found that the conduct of Facebook have caused a lack of choice to its users and if there had been an alternative to Facebook with better-protected privacy standards then users would have switched to such an alternative. The German Supreme Court seemed to have accepted both the premises discussed in the article i.e., Facebook being dominant has the potential to manipulate data or privacy standards through which it is affecting choices of its users and in order to protect its users, the matter shall be kept under antitrust scrutiny. Therefore, in this reference, the ECJ will have to comment upon the integration of privacy and competition law and give a lucid rationale behind maintaining the boundaries between privacy and competition law (if any).
Hence, the introduction of the Bill in India and the said reference case in Germany could change the course that privacy is holding in their respective competition law regimes.