Introduction

India's vision of a digital economy saw the use of phones, networks, and data usage increase from a meager 13% (approx.) to 55% (approx.) between 2014 and 2024. While the IT Act, tried to address some basic issues at the time, it could not cater to the increasing and fast-paced technological advancements. Data became a tool to measure economic strength with large entities monetizing data that was collected from users - recording consumer preferences, targeting consumer behavior, etc.

In the meanwhile, a law to protect an individual's privacy was widely debated across the world with several countries leaping to frame the best guideline and practice around data protection. But these very countries also saw a shift in the mindset of enterprises/entities - from a traditional brick-and-mortar enterprise to a digital enterprise providing goods and services across various spectrums to consumers. This also required a structural transformation in ideologies for competition authorities across the world.

India's data protection law stemmed from the Supreme Court's decision in Justice KS Puttaswamy and Anr. v. Union of India and Ors. A Committee headed by a former judge of the Supreme Court was formed to create a holistic framework which resulted in a report and two draft legislations. The DPDPA, as it stands today, is a completely different and rather delayed rendition of a data protection law. The Government, in the interim, amended the IT Act by way of regulations/guidelines in the year 2021 and issued repeated advisories on specific matters.

Simultaneously, the competition framework and the authority saw a transformation in the nature of cases being handled by them. However, the pace with which the Government and authorities were taking steps to mitigate risks, was not commensurate with the pace of digitization. The competition authorities were hit with a slew of matters from taxi aggregators to search engine optimization, suo moto cognizance of privacy policies, etc.

A tabulated representation of events until the recent DCB is as under:

Privacy as a concern for antitrust authorities

The role of the CCI and its involvement in privacy and data protection matters has been contentious, with different schools of thought taking opposing views.

• In 2019, the Ministry of Corporate Affairs set up a Competition Law Review Committee (CLRC) to review the existing law in light of emerging trends in new-age markets and technology. The CLRC reviewed digital markets, their economic scale and scope, network effects, multisided markets, and the importance of interoperability between various platforms and service providers. Among other findings, the CLRC recommended that online businesses that collect large amounts of data, enabling them to understand consumer demands, habits, needs, and preferences, often gain a competitive advantage and could therefore become dominant. This dominance may lead to targeted advertisements and the monetization of services, allowing them to obtain additional funds to invest in the service quality,  thereby creating entry barriers for other and newer players who do not have access to such volumes of data. The question of whether data or access to data should be considered as a factor to determine an entity's dominant position is also a longstanding debate. The CLRC, however, concluded that the current factors under the law are sufficient to include 'access to data' under 'resources of the enterprise.'
• Given this backdrop, the Parliamentary Standing Committee on Finance presented the 53^rd Report on 'Anti-Competitive Practices by Big Tech Companies' before the Lok Sabha (Lower House) on December 22, 2022 (Standing Committee Report). The Standing Committee Report relied heavily on the EU's Digital Markets Act (DMA) and drew a parallel in terms of the model i.e., the concept of gatekeepers was imported in the form of Systemically Important Digital Intermediaries (SIDI). Essentially, a small number of digital enterprises, depending on their revenues, active businesses, users, etc., would be classified as SIDIs, which will have conditions imposed on them.

The said report identified 10 anti-competitive practices that ideally should be addressed by competition law to ensure market efficiency and fair competitive conduct. Of the 10 anti-competitive practices, data usage in particular 'personal data,' was highlighted. The Standing Committee felt that newer players in the market who have much more to offer than generic market leaders, struggle to make any impact given that market leaders amassed a wealth of personal data over a period of time.

The Standing Committee, closely aligning with the scope of the yet-to-be-formed data protection authority, made the following recommendations:

• SIDIs should not process, for the purpose of providing online advertising services, personal data of end users using services of third parties that make use of core services of the platform;
• SIDIs should not combine personal data from the relevant core service of the platform with personal data from any further core services or any other services provided by the platform, or with personal data from third-party services;
• SIDIs should not interchangeably use personal data from relevant core services in other services provided separately by the platform, including other core services, and vice versa;
• SIDIs should not sign in end users to other services of the platform in order to combine personal data unless the end-user has been presented with the specific choice and has given consent; and
• SIDIs should not use, in competition with business users, any data that is not publicly available, that is generated or provided by those business users in the context of their use of the relevant core services of the platform, or of the services provided together with the relevant core services, including data generated or provided by the end users of those business users.

The Committee finally recommended that the Government formulate a Digital Competition Act, to address the requirements of the digital landscape.

Proposals under the Digital Competition Bill

A Committee on Digital Competition Law (CDLC) was set up on February 6, 2023, as a method to implement the aforementioned recommendations of the Standing Committee. The CDLC, while proposing the Draft DCB, explored the possibility that the DCB may have some overlap with the DPDPA and summarily concluded that the objectives sought to be achieved by both statutes are different. While the DPDPA is concerned with ensuring that a data principal's personal data is protected, the Competition Act seeks to ensure fairness and contestability in the market. Both therefore are complimentary in nature and not in conflict.

In short, the DCB proposes:

• an ex-ante approach to monitor large digital enterprises and prevent any form of abuse; and
• self-regulation by Systemically Significant Digital Enterprises (SSDEs) and potential intervention by the CCI before any form of abuse - these are to be defined by way of both qualitative and qualitative criteria in core digital services provided by SSDEs.

The need for an ex-ante regulation was a forethought of the Standing Committee in its report, as an ex-post approach may not be sufficient to remedy the rapid pace of digital markets. The CDLC which proposed the DCB, supports this notion, opining that an ex-post model involves a time-consuming fact-finding inquiring process.

The DCB follows the recommendation of the Standing Committee by implementing provisions relating to 'Data Usage,' both on personal and non-personal (non-public data of business users, including any aggregated and non-aggregated data that is generated by business users and collected through commercial activities of business users or their end users).

Opinion

As opined herein, the involvement of the competition authority in aspects of data privacy and protection is not novel. This is not a criticism per se, since the authority felt the need to protect the interests of consumers given the enormous presence of these entities in India, especially in light of the fact that there was no data protection or privacy law in force then.

Today, however, we are faced with some skepticism. For instance, if a website were to offer delivery services of a certain product to a consumer on a mandatory condition/consent to the privacy policy, without which the service itself will not be offered, several challenges arise. Consensus would state that the aspect of consent needs to be necessarily looked at by the Data Protection Board (the Board) under DPDPA and if the entity happens to be dominant, the abuse will have to be looked at separately by the CCI under competition law.

However, the question remains: Who exercises jurisdiction first given that both are special laws? The decisional practice, if applied to this scenario would indicate that the issue of consent and its validity will have to be addressed first by the Board under DPDPA, and then the CCI can step in to target abuse, if any.

Conclusion

The initiative to implement ex-ante measures with the introduction of the DCB to ensure the behavior of big tech companies in the digital sphere appears to be proactive enforcement. For now, the DCB has been kept open for stakeholder comments and then placed before the Parliament for approval. Once approved, exhaustive guidelines will need to be framed for self-regulation by the SSDEs to avoid any turmoil. Given the severe penalties and some opposition, the Government must ensure that it does not hamper both investments and innovation in the country.

Prashanth Shivadass Partner
[email protected]
Shivadass & Shivadass, Bangalore