Rules and Rivalry: Understanding The DPDP–Antitrust Jurisdictional Conflict

[Himansh and Soham are students at Hidayatullah National Law University.]

The Ministry of Electronics and Information Technology on 13 November 2025 notified the Digital Personal Data Protection Rules 2025 (Rules). The rules building upon the legislative framework of the Digital Personal Data Protection Act 2023 (DPDP Act), outline the framework for operationalizing the DPDP Act. The DPDP Act, since its enactment, has been already discussed to be coming into tension with existing other statutory and regulatory frameworks, giving rise to jurisdictional overlaps. While the Rules were expected to mitigate such tension, the non-redressal of the same has sustained the existing impasse, with the effects of the same being felt in the anti-trust regime.  

Through this article, the author analyzes the jurisdictional overlap between the Rules and the Competition Act 2002 (Competition Act). The blog highlights two major realms of jurisdictional overlap of the Rules with the anti-trust regime, along with the potential resolution to the same. And puts forth a constructive conclusion, informed by global best practices. 

Essential Facilities Obligations vis-à-vis DPDP Purpose Limits

The essential facilities doctrine imposes an obligation on a dominant firm to deal with its competitors if “it controls an indispensable facility that makes it impossible or extremely difficult for an actual or potential competitor to compete with the incumbent firm without access to its facility.” With the ever-increasing importance of data in the survival of smaller entities, data has come under the lens of the essential facilities doctrine. The World Economic Forum, while cautioning the emergence of personal data as a new “data class”, quoted an observation by Meglena Kuneva that personal data will be the new “oil”, and noted that it will emerge as a new “asset class” touching all aspects of society. Similarly, The  National Company Law Appellate Tribunal in WhatsApp case recognised data as a key competitive asset. 

Hence, data, being an essential facility, has been addressed through data-sharing orders to counteract anti-competitive practices stemming from its accumulation, as digital markets cannot be genuinely competitive unless dominant firms share the data that they possess. The practice of granting access to data under the essential facilities doctrine treats data as assets that are essential for sustaining competition in the market. This data sharing in furtherance of the essential facility doctrine conflicts with the consent-centric framework of the data protection laws, i.e., the DPDP Act, which treats data as a license rather than an asset.

Sections 6 and 7 of the DPDP Act have defeated the interpretation of data as an asset by enshrining the principle of purpose limitation which provides for the consent to be given by data principal for a specific purpose only, limiting the processing of data for that purpose only by the data fiduciary, and even providing for withdrawal of such consent at any time. However, the exemption has been provided for the consent centric approach of Sections 6 and 7 vide Section 17(1)(a) exempting the application of both the sections for enforcement any legal claim or right. 

The DPDP Act requires enactment of rules for its commencement as given under Section 1(2). Section 40(2) of the DPDP Act expressly requires enactment of rules for the operationalization of the concept of purpose limitation as given under the law. Rule 3 of the Rules operationalizes the principle of purpose limitation enshrined in the DPDP Act, by providing for the notice given by data fiduciary to the data principal to enable the data principal to give specific and informed consent for the processing of her personal data along with the provision for consent withdrawal of the data principal. However, the conspicuous absence of the exemption to the principle of purpose limitation, allowing data sharing order in the Rules, despite the express presence of enabling principles of consent withdrawal and purpose limitation, creates the potential for interpretational ambiguities.

Hence, to avoid the interpretational ambiguity, the Rules must operationalize the exemption to the principle of purpose limitation under the DPDP Act, akin to  Article 6(1)(c) of GDPR which recognizes the  processing of personal data as lawful when it is necessary for compliance with a legal obligation imposed on the data controller.

Forum Shopping

Forum shopping refers to “an activity aimed at finding the most favorable jurisdiction for the applicant’s interests.” The conflict between the jurisdictions of the Competition Commission of India (CCI) under the Competition Act and Data Protection Board (Board) under the DPDP Act can lead to forum shopping by firms. In Re: Updated Terms of Service and Privacy Policy for WhatsApp Users, the CCI for the consent for sharing “data” to be free and well informed for it to be fairly competitive. Parallelly, Sections 4 and 6 of the DPDP Act adopt a consent-centric approach to data processing, making a ‘free, specific, informed, unconditional and unambiguous’ consent mandatory for data processing. With the evolving data-driven market, it becomes evident that the collection and processing of data is squarely covered by both the laws.

Such substantive overlap of data proceedings giving both the laws the authority to adjudicate is also accompanied by a divergence in the procedural framework governing the initiation of proceedings under both the laws. Section 26(1) of the Competition Act requires the CCI to establish a prima facie case for directing an investigation into the matter. The Competition Act’s investigation-initiating mechanism under Section 26 has been one prioritizing swift determination to prevent anti-competitive harm. As pointed out in WhatsApp case, the orders passed under Section 26(1) are purely administrative, and neither require to be reasoned nor need to grant the petitioners the opportunity to be heard. This determination involves a very low threshold, not requiring detailed evidence-oriented research, but rather a direction simpliciter to cause an investigation into the matter. 

In contrast to the nature and intention of the initiating order under the Competition Act, the decision to commence an investigation under the DPDP Act requires a substantive determination of jurisdictional facts. Section 28(3) of the DPDP Act requires the Board to ascertain the existence of ‘sufficient grounds’ to proceed with an inquiry. Section 28(5) of the DPDP Act mandates the Board to record written reasons for the proceedings and inquiry, and the proceeding is required to be closed for the lack of sufficient grounds. Furthermore, the requirement of data principals to exhaust the opportunity of redressing their grievance through the data fiduciary mechanisms, before approaching the board, highlights the substantive and prolonged nature of the proceedings.

This divergence in procedural design creates a significant risk of forum shopping. Firms subject to scrutiny for anti-competitive conduct involving data may strategically challenge the jurisdiction of the CCI and seek recourse before the Board. The apex court in the CCI v. Bharti Airtel Limited gave primacy to the jurisdiction of the sector specific body, by laying down the sequential jurisdiction model, holding that the sector specific regulators must first determine “jurisdictional facts”, with CCI’s jurisdiction being deferred until the sector specific regulator has made findings on those issues. This will lead to the prioritization of jurisdiction of Board over CCI, thereby deferring the antitrust proceedings. This will consequently defer the anti-trust proceedings of the CCI, which are intended to be swift and preventive, by invoking a slower and more substantive jurisdiction of the Board under the DPDP Act, allowing the firm to defer proceedings and undermining the efficacy of anti-trust proceedings. 

The challenges to the jurisdictional overlap can be dealt with by establishing a “purpose-based” jurisdictional model, rather than a hierarchy-based model. The  reference mechanism, under Sections 21 and 21A of the Competition Act, allowing statutory authorities and the CCI to make references to each other in matters of conflict between their decisions and provisions of their respective governing statutes, has failed to facilitate cooperation. As the annual report of CCI has demonstrated that in past years, no reference has been made by any sectoral regulator to CCI, highlighting the lack of inter-regulatory consultation leading to protracted litigation.

The inspiration from the same can be drawn from the ruling of the Court of Justice of the European Union in Meta Platforms Inc. and Others v Bundeskartellamt wherein the authority enabled the German competition authority, Bundeskartellamt, to determine the conduct of the firm in relation to a violation of the GDPR to the extent that the alleged breach was relevant for determining an abuse of dominance in the market. Further, the cooperation between both the bodies must be enhanced by formation of an institutional cooperation agreements model, based on cooperation agreements between various regulators, with the agreement laying out the processes by which the collaboration of authorities will curb anti-competitive behavior such as that of the US, wherein the sectoral regulators managing particular markets and sectors work together by means of agreements.

The Section 28 of the DPDP Act provides for the enactment of rules for the procedure to be followed by the Board on the receipt of a complaint or intimation, providing ample scope for enactment of such reconciling jurisdictional model consistent with global best practices. However, the lack of procedural guidance over the same by the enactment of a reconciling model has sustained the potential for forum shopping under the framework of the DPDP Act. 

Conclusion: The Road Ahead

With antitrust and data privacy laws shaping the digital economy, concerns loom over large digital platform firms gathering substantial amounts of data to bolster their competitive advantages in the market. Thus, for the Indian digital regulation regime to be effective, it is quintessential that effective reforms focused on fostering cooperative enforcement are encouraged without deferring the legitimate rights and duties of one over the other. The Rules serve as the final step in operationalizing the much-anticipated data protection regime marked by a deliberative process of almost two years. Against this backdrop, it is essential that the rules mitigate the shortcomings of the DPDP Act to ensure its effective implementation and to achieve the intended objectives of the act. Thus, for the Indian digital regulation regime to be effective, it is quintessential that effective reforms focused on fostering cooperative enforcement are encouraged without deferring the legitimate rights and duties of one over the other.