Privacy breaches in digital transactions: Examination under Competition Law or Data Protection Law?

The digital economy centres itself around the flow of information between consumers and businesses. With access to datasets of consumers and rapidly evolving technology, businesses have started to mine and process this data.

The analyses of this data helps business target consumer groups to deliver better goods and services, efficiently and effectively. This is in turn gives them the capacity to create demand by tapping into the behaviours and buying patterns of consumers.

Recently, a major search engine company exclaimed that there exists a secrecy policy which is designed not only to keep spammers from manipulating results, but also to prevent rival companies from copying its methods or developing them. Unlike patents, in which the patent holder must disclose the material items of a patented invention, which would eventually expire, it is possible for trade secrets to never be disclosed, thereby never really entering public domain.

Innovations in search engine mechanisms are closely dependent on the number of users training the algorithm to be more responsive. The more search questions a search engine gets, the better it would be able to sharpen and perfect its results. For example, if the search engine finds that users in a given area click on a particular result which is the fourth or the fifth instead of the first in a given day, then it would re-arranged to be the first of the results for the given area.

As long as the search engines’ search data is kept secret, no rival or would be rival or entrant, will have access to this critical ‘raw material’ for search innovation.

Further, when transactions take place in the digital economy, firms generally tend to collect personal as well as non-personal data of users in exchange for services provided. While it can be argued that personal data is probably collected with the user’s consent, usually, collection of non-personal data happens without the consent or knowledge of the consumers. Data is further compromised when businesses that have large amounts of data merge or amalgamate, and when dominant firms abuse their market position and resort to unethical practices.

Traditional Competition Law analysis involves a wide focus on ‘pricing models’ i.e., methods used by business players to determine the price of their goods or services. User data forms part of the ‘non-pricing model’. With the Competition Act, 2002 undergoing a number of changes owing to technological developments, there is a possibility that non-pricing models are also considered under the ambit of the Act.

In this regard, the Competition Commission of India (CCI) also observed that in the era of data aggregation, competition analysis must also focus on the extent to which a consumer can “freely consent” to actions of a dominant player in the market. The antitrust framework must, therefore, address the exploitative and exclusionary behaviour arising out of privacy standards of those entities enjoying market power.

Anti-competitive aspect

Mining and analysis of data gives rise not only to data privacy concerns, but also to anti-competitive concerns. Businesses or companies with access to large data-sets and modern data technologies generally possess a competitive edge over businesses that do not. This gives such businesses an unfair competitive advantage. Therefore, it would be pertinent to note that violation of data privacy would need to be analyzed as an antitrust concern as well. This in turn also has implications on both the users or consumers as well as non-dominant players in the market. We have analysed the impact on some players below:

i. Users/Consumers: In the Competition Law framework, violation of data privacy adversely affects ‘quality’ of services provided to consumers. One of the earliest instances of privacy violation having some adverse effect on the market was the case of Amazon in 2000. The retail giant had utilized data that was already in hand with them to predict the highest prices for DVD players that customers would be willing to pay. Although this policy was eventually scrapped, it still remains one of the earliest instances of an interface between data privacy and competition law.

ii. Multi–service businesses use data that are collected for purposes other than their purposive intent i.e., to transfer or sell data to third parties that have no direct relationship with users. According to research conducted by Privacy International, it was found that over 60% of Android apps, such as Spotify, Trip Advisor, Period Tracker Clue, etc., shared data of its users with Facebook, regardless of whether the user had a Facebook account.

iii. Impact on non-dominant market players: This can be addressed in three legs – first, a merger of ‘data rich’ companies which will make one company acquire new set of data, strengthening their position in the market and foreclosing competition. This poses a competitive advantage which impacts smaller, non-dominant businesses that do not have equal access to such data. An example of such a merger is the Microsoft-Linkedin merger, which the European Commission (EC) noted would lead to substantial expansion of the user database, which could have an adverse impact affecting the competition in the market. Further, other professional networks such as Xing, Viadeo, etc, that have better privacy policies, would be marginalized.

The Facebook–WhatsApp merger is another instance of foreclosure. Prior to their merger, both companies had separate databases. Upon completion of the merger, WhatsApp altered its privacy policy and allowed access to data of its users with Facebook. With other significant changes relating to its internal privacy policy and the disappearance of competition in the market, the presence of Facebook significantly increased in the market and strengthened its dominance. Facebook was also slammed with carrying ‘unfair and deceptive’ practices and compromising user data. The EC accordingly levied a fine of 110 million Euros on Facebook for providing ‘misleading information’ about the WhatsApp takeover.

There have also been multiple scenarios wherein certain data has been held to be ‘essential’ and therefore, not sharing such essential data leads to abuse of dominant position. This is where the second impact on non-dominant enterprises comes into play - exclusion of competitors by depriving them of market data access. The EC has gone on to hold that merely refusing to provide access to data does not per se amount to abuse of dominant position. However, essential data cannot be refused or be subject to practices that amount to any form of discrimination.

The third and the last leg of impact is the mere exercise of market power by controlling data within a few dominant companies or firms. Ideally, two major factors define market power, especially anti-competitive market power in relation to data: (i) the scarcity of data and (ii) the relevance of data to competitive performance. In this regard, it may be relevant to consider the example of the Bazaarvoice-PowerReviews merger, which was viewed as anti-competitive because the new entity would create entry barriers for new entrants and other companies because of its combined market power.

The Privacy–Antitrust dilemma in India

The Supreme Court in India declared privacy as a Fundamental Right in the case of Puttaswamy. In December 2019, the Ministry of Electronics and Information Technology (MEITY) introduced the Personal Data Protection Bill (PDP Bill) in the Lok Sabha. The PDP Bill seeks to protect an individual’s personal data by setting up consent as a main requirement for data sharing. Further, it provides punishment for the processing or transferring of personal data and also punishes the re-identification of personal data without the consent of users. Another aspect is the regulation of non-personal data by the government.

At present, the provisions of Section 91(2) and Section 93(x) of the PDP Bill aim to establish a regulatory framework within which even non-personal data can be regulated. However, per the revised report that was released, it has been recommended that in order for two frameworks i.e., PDP and non-personal data (NPD) to mutually exist and work harmoniously with each other, these sections should be deleted from the PDP Bill and that they should be appropriately covered under the NPD framework.

The CCI has shown hesitancy in merging data privacy and competition laws. In the case of Shri Vinod Kumar Gupta v. WhatsApp Inc, the CCI observed that any breach of privacy policies under the Information Technology Act, 2000, does not fall under the purview of Act, thus suggesting its reluctance towards combining the two areas of law. However, in July 2019, the CCI had made an announcement to the effect that it would conduct a market survey to look into digital anti-competitive practices. A report in this regard has been released recently.

Non-personal data: An International perspective

Generally, in the case of a merger/amalgamation/takeover or even a Joint Venture, two companies would negotiate and enter into agreement with respect to the modalities of data sharing. However, if Company A believes that there is no economic interest is granting Company B access to its information, it will most likely hesitate to share data or subject the availability or use of the data to terms in the agreement which are manifestly unacceptable.

This becomes all the more challenging if Company A, holding such data, enjoys a dominant position. Refusal to share such data could be considered an abuse of their dominant position.

Therefore, if a dominant company allows data sharing under unequal or discriminatory terms, it would still be under the ambit of Competition Law.

Case Studies

i. The Magill Case: While the case narrowed in on the interface between Competition Law and Intellectual Property Law, the genesis of the case revolved around data sharing i.e., refusal to share list of programs to prepare weekly schedules by an independent publisher. Essentially, the broadcasting companies acted in a manner that made it impossible for such a product or service to be delivered by denying access to data. The European Court of Justice (ECJ) ruled that the protection of a copyright cannot be exercised in such a manner that is manifestly contrary to the competition rules laid down in Articles 81 and 82 of the Treaty Establishing the European Community.

ii. The Microsoft Case: Sun Microsystems requested Microsoft to provide them with ‘interoperability information’ which was required to operate the former’s systems and for this system to communicate with the Windows operating system. When Microsoft refused, Sun filed a claim with the EC alleging that Microsoft was refusing to make them aware of the interoperability information. The EC held that Microsoft infringed Article 82 of the EC Treaty by abusing their dominant position.

In the same year, Microsoft sought an annulment before the Court of First Instance, or, alternatively, a substantial reduction of the fine imposed. However, the Court, while considering the aspect of refusal to provide information relating to interoperability, held that although undertakings are, in principle, free to choose their trading partners, a refusal to supply that comes from a company in a dominant position may constitute an abuse in certain circumstances.

In light of the foregoing discussions, it becomes amply clear that Competition Law analysis becomes an essential component for digital transactions as the ultimate goal ‘to prevent practices having adverse effect on competition in the market’.