By Srishti Sharma
The Competition Regulator (worldwide) is not excited about having to overarch its territory and take on the responsibility of the Data Regulators.
Nudging the Data Regulators to stand up to their share of accountability is, legitimate. In a country like India which does not have finalised Privacy and Data Protection laws and which still is lending from the Information Technology laws, an enactment of 2012 and its’ Rules, the dispensation of fair practices stand the chance of delay.
In the following paragraphs, peak into the global view and national dilemma about the role of competition commission as the a Regulator, with data entering consumer finance and inroads being made in BigData.
Last month the Higher Regional Court in Dusseldorf had set aside the earlier decision of the German Federal Cartel Office passed in 2019 against-
Facebook’s data collection practices and exploitative conduct by abusing its market power in violation of the General Data Protection Regulation (GDPR) 2018 and held that a question whether Facebook abused its dominant position being a provider in the German social networking market for collecting users’ data and if violated GDPR, can only be decided after referring to the European Court of Justice which is responsible for the interpretation of European law.
The allegations leveled that Facebook conditioned the use of its social networking site on the collection of user data from owned apps like Instagram, WhatsApp.
In 2019, the same court ordered a temporary injunction to Facebook to stop combining user data across its chain of social platforms – without the user consent. Facebook succeeded in barring the order under a court appeal before Germany’s Federal Cartel Office which took the view that data privacy is outside the scope of competition law and any breach of GDPR by a dominant player does not mean abuse of dominant position. Added further that consumers are not being exploited by Facebook as, the users could share the same data with some other platform.
This judgment has created a transparent rift between the competition and data regulators over data privacy and protection matters. The Competition regulator ensures consumer welfare inclusive of protection of personal data and its abuse by dominant players and the Data Regulators cover all aspects of data privacy and protection.
India, not too far behind, the CCI’s ordered to probe into WhatsApp’s new privacy policy, of it being, take it or leave it policy terms and conditions, prima facie held to be unfair and unreasonable, is facing challenge at the Delhi High Court. Counsel for WhatsApp, Sr. Adv. Harish Salve, raised the need of a new legislation to assess anti-competitiveness on the issue of excessive data collection. Interestingly, data protection and data privacy are constitutional matters, outside CCI’s jurisdiction and thus, CCI has no basis to adjudicate on the same. Sr. Adv. Mukul Rohatgi, representing Facebook, referred to the comity of courts principle and expressed that CCI being an inferior body to the Supreme Court of India and Delhi High Court could not adjudicate upon the issue while the matter stands pending before the constitutional authorities.
Why is this important?
The recent data leak of millions of people from Facebook and LinkedIn reveals the vulnerability of a breach in personal data of users. It raises a question- how to regulate public data and stop privacy compromises?
In LinkedIn v. Hiq, the issue related to the usage of public LinkedIn profiles was held permissible by a third party who runs its business through publicly available data of the users on LinkedIn. The rationale segmented the data in: one that is open to the general public and is accessible without permission; the second which requires authorization and has been given; and the third where authorization is needed but not given.
With artificial intelligence as the new entrant, data is becoming the single most essential ingredient than ever. This data is useful to train the AI models, more of it leads to the efficient functioning of the AI with precise targeted advertising, etc. This data holds immense benefit in the use of Big Data which holds substantial commercial value as holds the potential to increase the variety of categories of data collected from simple information like name, age to ore complex information like behavioral data like the type of data browsed, search history, specific and personalized data, etc. This leads to widening of the scope of expansion in different sectors of markets.
This, now impacts markets with some companies possessing an edge over others, competition regulators may remain busy by looking at multiple facets revolving around data privacy, consumer protection, and abuse of dominance.
- Does access to data provides a competitive advantage? The views are diversified. One view holds, that unavailability of data means hindrance of market entry for the new competitors while the other citing examples of Uber, Spotify, Airbnb, etc. suggests that new entrants could enter in some market sectors even with being at a data disadvantage.
- How does data power impact merger/ amalgamation? Merges can be both, pro-competition or anti. As Former, mergers idealize to bring up a new service and as latter it magnifies the risk of foreclosure of a market for new entrants due to impossibility of replicating data. These 2 extreme ends hold long term and impacts, which offer an opportunity for Regulators to cast the foundation at formative stages.
The European Commission in the case of a merger between Facebook/ WhatsApp, COMP/M.7217 pointed “Any privacy-related concerns flowing from the increased concentration of data within the control of Facebook as a result of the Transaction do not fall within the scope of the EU competition law rules but within the scope of the EU data protection rules”.
- With the task around infiltering Competition, Data and Consumer Protection Regulators, being unsettled, laying down a specific framework preventing concentration of personal information for market power in this digital era leaves risks at the hands of the consumers (with very little remedy); and a potential abuse of dominance by big digital platforms.
Consumers may become informed and may grow into choice empowerment but it definitely leaves them with very little options in terms of remedy. The legislations require companies to dispense with a greater responsibility in making the choice apparent to the consumers, but what is the degree of this benefit being actualized for the consumer is, not known.
- Possibility of discrimination by intermediaries acting as Marketplace and Inventory model e.g., Amazon. It chips away into third-party suppliers, using this information to their advantage.
Tales of Different Jurisdiction
Jurisdictions have handled the issues of competition and data privacy concerns, differently.
In the US, in the matter of Google/ Double Click, the investigation which began to assess that merger can ‘adversely affect non-price attributes of competition, such as consumer privacy’ held in contrast on grounds that Google already possessed the technical skills which gives it abundant customer information even before its combination with DoubleClick.
Further, “the evidence gathered do not support the suggestion that Google would be able to use competitively sensitive information particularly pricing information – to disadvantage its ad intermediation competitors. And even if pricing data is perfect, it is still not clear that it would have any utility to Google, because AdSense uses a different payment model, targeting technology, and advertiser buy-in process than many of its intermediation competitors, making the available pricing data of little competitive value to Google.”
The EU, proud owner of, and probably the most developed privacy law in the world today, GDPR for entities with European Economic Area (EEA) presence or target EEA individuals. It has brought some regulatory elements, like administrative fine up to the higher of 4 percent of global annual turnover and EUR 20 million; obligations on data processors; data subject rights like the right to be forgotten and data portability, etc.
The parts to pick involve, EU’s unbiased way of dealing with, for instance, data access under competition law, it has been suggested that access to data can be obtained in exceptional circumstances notably those referred to the essential facility doctrine which puts an obligation on a monopolistic firm to share its facilities with everyone including competitors provided it is essential for the competitors to stay. There is a special responsibility imposed on dominant undertakings to share data with its competitors and avoid distortions in the internal market, and to protecting itself in attacking situations from the competitors but never to strengthen its dominant position.
In 2019, the EU-Japan entered into a mutual Adequacy Decision to create the largest area for safe and free flow of data including personal data between the two economies on the basis of strong protection guarantees.
Conclusion
Without better and timely privacy laws, the situation runs the risk of soon sliding into misuse and commotion. It is the time when Indian legislators look at this aspect sector wise, since now whatever be the business or action- it is all moved digitised.
The intensity of the cases surrounding data and competition calls for immediate rescue. The GDPR data reflected around 2, 70,000 complaints lodged over data protection breaches between 2018 and 2019, which was made possible because of the legislation governing it. The regulators have a task at hand, a legislation to address jurisdictional concerns and regulatory interpretations. Efficacy of enactments of this nature- will remain to be seen.
This blog on Residuary role of Competition Regulator in Data Regulation is only for information purposes. Nothing contained herein is, purports to be, or is intended as legal advice and you should seek legal advice before you act on any information or view expressed herein. Endeavoured to accurately reflect the subject matter with legal analysis, without any representation or warranty, express or implied, in any manner whatsoever in connection with the contents of this. This isn’t an attempt to solicit business in any manner.