As the Digital Personal Data Protection Bill, 2023 receives presidential assent and officially graduates to a statute, discourse on the tension between the Digital Personal Data Protection Act, 2023 (DPDP Act) and the Competition Act, 2002 (Competition Act) has gained momentum. There are two competing ideologies – one that believes that the two laws have inherent conflicts, and the other which believes that the two complement each other with divergence being intuitively rooted in the objectives of the respective legislations. To explain, the Competition Act is designed to preserve and promote the competitive character of markets which ultimately leads to consumer benefits. The DPDP Act, on the other hand, aims to empower individuals by protecting their personal data and allow processing of their data in a lawful manner.
Much has been said about the first ideology (i.e., of conflict); however, in this piece we reflect on how the two laws coalesce rather than collide.
The DPDP Act and the Competition Act are two significant legislative frameworks that address distinct yet interrelated aspects of the modern digital world. While the former focuses on safeguarding personal data and user privacy, the latter aims to ensure fair competition and prevent anti-competitive practices in the market. The interaction between these two legislations is crucial as they collectively shape the evolving digital ecosystem, ensuring a balance between data protection and healthy market competition.
The chief criticism of the DPDP Act relates to an increase in compliance costs, since the industry will be required to significantly alter the way it collects, uses, stores and otherwise handles personal data by implementing reasonable security practices and mechanisms.
Moreover, if a business qualifies as a “Significant Data Fiduciary” (based on the volume of personal data being processed, risk of harm to the consumers, public order, etc.), such a business will be required to undertake data impact assessments and appoint a Data Protection Officer based in India.
While at first blush, the rise in cost of compliance may appear to be an entry barrier from a competition law lens, providing robust infrastructure aimed at protecting user privacy can only serve to foster and promote effective and wholesome competition in the long run. The DPDP Act aims to enhance user trust and confidence by creating a transparent environment which further contributes to a balanced and competitive digital landscape.
Even from a start-up standpoint, the DPDP Act has created an avenue for exempting notified start-ups (depending on the nature of personal data handled) from certain compliances under the Act. To that extent, the DPDP Act recognizes that to continue the innovation drive in the country, start-ups may require suitable relaxations – which in turn supports easing barriers to entry and fueling competition in the market.
Aside from select legitimate uses where personal data can be processed sans consent, the DPDP Act largely makes collection and processing of personal data conditional upon prior affirmative consent from the user. Purpose limitation is at the heart of the Act, which explicitly provides that personal data can only be used for specified purposes. It further clarifies that rendering of a service cannot be made conditional on the user agreeing to processing of information for purposes not necessary to render the service. This provision will likely deter large technology companies from promoting and advertising their own products to consumers on their platforms.
This provision resonates with the observations in the Standing Committee Report on Anti-competitive Practices by Big-Tech Companies which opined that regulation is required to prevent digital gatekeepers (or Systemically Important Digital Intermediaries) from, inter alia,
(i) the cross-use of personal data obtained from the provision of a relevant core service in other services; and
(ii) signing in consumers to other services of the platform in order to combine personal data, unless consent has been obtained from them.
The above clarifies that the two laws are designed to further a common objective aimed at the creation of a fair, contestable and transparent market by preventing abuse of data power. With features such as purpose limitation and data minimization at its core, the DPDP Act indirectly restricts companies from using their data advantage in an anti-competitive manner, such as using data to create entry barriers for competitors or engaging in discriminatory practices.
The DPDP Act also provides a novel consent management mechanism that empowers users to provide, manage or withdraw their data through an “accessible, transparent, and interoperable platform” managed by a “Consent Manager”. A Consent Manager will be a third party registered under the Data Protection Board and will have technical, operational, and financial expertise. Further, a Consent Manager will act as an agent of the users. While the concept of Consent Manager is in its infancy, once a Consent Manager is backed by a sizeable number of users, it will likely have significant bargaining power over businesses – this will empower users and positively induce the industry to develop fair and non-discriminatory terms in their privacy policies.
The DPDP Act is a giant leap towards safeguarding the fundamental right of privacy of individuals. Akin to other beneficial legislations (such as labour laws, or pollution control laws), its implementation may cause a certain degree of inconvenience to the industry. However, once the teething problems are resolved, its pro-competitive effects promise to outweigh any short-term disruptions to create an equitable pathway of opportunities for smaller players, and individual users alike.
Overall, companies that are truly committed to protecting user privacy and data could stand out as industry differentiators and can leverage this strength to attract more customers/users in a legitimate and honorable fashion – to say that this would be antithetical to competition law principles would be a ruse.
Anisha Chand is a Partner and Tanveer Verma is a Principal Associate at Khaitan & Co.