Interplay Between Competition Law & Data Protection And CCI’s Lack Of Action

The growth of digital economy has disrupted the traditional outlook of the regulators around the world. ‘User Data’ is the new currency in exchange of which the consumers enjoy ‘free’ services. The data collected by the corporates become an invaluable asset giving access to the most private aspects of its users. The side-effects of this new normal are many. The two major impacts are the diminishing privacy and digital market tipping. Thus, it calls into question the competition and data protection laws. The competition regulators are not shying away from investigating into the conduct of the data-opolies.  These investigations also take a note of the privacy infringement issues as an anti-competitive practice. However, varying levels of synchronization between a state’s regulators have produced different jurisprudence around the globe.

In India, recently the Competition Commission of India (CCI or Commission) dealt with Harshita Chawla v. WhatsApp Inc,[1] case regarding the abuse of dominant position by Facebook owned WhatsApp for introducing “WhatsApp Pay” in the Indian market. The informant made an allegation of misuse of user’s sensitive “data” by the tech giant for its own commercial advantage. However, the Commission opined that since there is no concrete information for the same in India, it will not examine the issue.

Notably, this is not the first time that WhatsApp has been alleged to misuse the data of its users. The Commission has dealt with a filing against WhatsApp earlier in the case of Shri Vinod Kumar Gupta, Chartered Accountant v. WhatsApp Inc,[2] where an allegation of abuse of dominant position by way of sharing of data by WhatsApp to Facebook was put forth. However, in absence of a settled position in regard to legal recognition of the right to privacy in India, the matter was not decided on these grounds. It was expected that after the landmark judgement of Justice K. S. Puttaswamy v. Union of India,[3] things would have changed in favour of data protection. However, CCI’s denial to not delve into the question of abuse of collected data in the present case shows that things are no different today.

Recently, a decision on similar facts has been given by the Germany’s Federal Court of Justice where it found Facebook (Ireland) abusing its dominant position in the market of social media by forcing users to share their personal data from other Facebook owned applications like WhatsApp or Instagram, without their due consent. The Court in its decision found a prima facie violation of the German Competition Act[4] and further asked Facebook to apply structural changes to its business model in order to protect the privacy of consumers.[5] Facebook has also been responsible for various data scandals and breaches. In 2019, Facebook was found collecting data of approximately 267 Million users without their due consent.[6] It is interesting to note that the CCI’s restrictive approach did not take into account the “General business practice” of the Facebook in the social media sector and a number of violations on its part. The “storage and misuse of data” would not only affect the privacy of an individual alone but also hurt functioning of the market. This practice can help platforms to gain high market power which results in driving other competitors out of the market, creating significant entry barriers, deterioration of product quality and innovation in the market.[7]

The Germany Federal Court and OECD experts suggested that since the digital economy has resulted in blurring the boundaries of the spectrum of regulators, the best solution for them is coordination with each other. In reference of the same, the EC has considered “data” to be a part of competition enforcement activity. It has also given clarifications and rules as to how there will be a balance between application of both the laws and its regulators, wherein it has asked GDPR to cooperate with the investigations of other institutions and to share relevant information with one another.[8] Similarly, the UK’s CMA recently in its final report gave itself the power to intervene in data related practices when there will be direct harm to consumers or the market.[9]

A similar approach is needed in India which is severely lagging behind in the race of sophisticated data protection laws. They are at a very nascent stage with a recent introduction of the draft Data Protection Bill, and thus, have limitations. To combat these limitations, the cooperation of the Commission is required to delve into the issue of protection associated with the privacy of consumers from the exploitative conduct of these egregious platforms. The Data Protection Bill seeks to establish the Data Protection Authority (DPA) for its enforcement. It has already been suggested that the DPA and other regulators should sign “Memorandum of Understanding” for spheres of overlapping subject matters. Interestingly, Clause 67 of the Bill mentions that DPA has to consult other regulators having a concurrent jurisdiction on a matter prior to making a decision. Thus, it will allow DPA and the CCI to smoothly work with each other for better enforcement of data protection laws in India.

It is the need of the hour that CCI adapts a “forward-looking approach” in information filed regarding data-related issues. After the dominance of a tech-giant is established in the abuse of dominance cases; the Commission must examine the user data privacy as a potential anti-competitive issue resulting from the dominance of the enterprise.

The author is a former CIRC intern. The views expressed are personal.

[1] Harshita Chawla v. WhatsApp, Case No. 15 of 2020, Competition Commission of India.

[2] Shri Vinod Kumar Gupta, Chartered Accountant v. WhatsApp Inc., Case No. 99 of 2016, Competition Commission of India.

[3] 2017 10 SCC 1.

[4] Act Against Restraint of Competition 2013, s 19(1) (Germany).

[5] Federal Court of Justice of Germany, ‘The Federal Court of Justice provisionally confirms the allegation of abuse of a dominant position by Facebook’ (Karlsruhe, June 23 2020) <> accessed 15 July 2020.

[6] Shweta Ganjoo, Facebook Faces Another Data Breach, data of 267 million users exposed, INDIA TODAY (December 23, 2019),

[7] BundsKartellamt, Facebook, Exploitative business terms pursuant to Section 19(1) GWB for inadequate data processing – Case B6-22/16,

[8] Regulation on the protection of natural persons with regard to processing of personal data a by the Union institutions, bodies, offices and agencies and on the free movement of such data, Regulation (EU) 2018/1725 of the European Parliament and Council,

[9] Competition and Markets Authority, ‘Online platforms and digital advertising – Market study final report’ (London, 1 July 2020) <
> accessed 15 July 2020 (Final Report).