Regulating Big Data: Contextualising CCI probe into WhatsApp’s privacy policy

Credit: Reuters

Big Data presents as much of a challenge for competition regulators as it does for privacy regulation. 

It involves balancing multiple considerations – on the one hand, collection and processing of extensive data allows businesses to better serve their customers. 

On the other, it could create significant entry barriers to new market participants and increase consumer dependency on a single or a limited set of offerings. 

These concerns have been raised by competition regulators both in India and abroad – most recently in the context of the 2020 update to the terms of service and privacy policy for WhatsApp users, with the Competition Commission of India (CCI) taking suo moto cognizance of the matter and commencing investigation. 

Data protection under Indian competition law 

Data was first recognised as a competition law concern by the CCI in 2012 in Matrimony.com Ltd vs Google LLC, where the complainants alleged that Google had abused its dominant position in the online search advertising market by, inter alia, imposing conditions that were discriminatory to its advertisers and displaying Google’s own websites prominently in comparison to other search results. 

Google argued that for there to be ‘abuse of a dominant position’ in terms of Section 4 of the Competition Act, 2002, sale and purchase of goods and services had to be involved. 

Dismissing this contention, the CCI reasoned that even though Google provides the search service free of cost, in a two-sided market (that is, where there is interdependence between users seeking information and businesses advertising their goods and services) information collected from users on every search contributed to Google’s capabilities to generate revenue from targeted advertisements. 

The intersection of data aggregation and competition law was once again examined by CCI in 2017 when examining WhatsApp’s conduct in the case of Vinod Kumar Gupta vs WhatsApp Inc

In this case, the complainant’s allegations were two-fold – first, that by making the app free of cost, WhatsApp had engaged in predatory pricing; and second, that in 2016, WhatsApp had abused its dominant position by introducing a privacy policy which compelled its users to share their account details and other information with Facebook (2016 Privacy Policy).  

With respect to predatory pricing, CCI observed that other products in the same market (i.e., instant messaging services using consumer communication apps through smartphones) are also available for free, which the CCI noted appears to be standard practice for such market. 

It also noted that there are no significant costs for users to switch to other instant messaging platforms. Taking note of the rapid growth of other messaging platforms at the time (e.g., Hike, Messenger, Viber), the CCI found that there were no barriers to entry into the market. 

In respect of the allegation that WhatsApp had abused its dominance by compelling users to share data with Facebook, CCI observed that WhatsApp had provided an option for users to opt out of sharing user account information with Facebook within 30 days of the 2016 Privacy Policy coming into effect.  

Separately, in respect of allegations of breach of the Information Technology Act, 2000 (IT Act), CCI observed in the Vinod Kumar Gupta case that data security and privacy matters did not fall within the purview of CCI and that such breaches needed to be examined by other authorities. 

In this regard, CCI referred to the decision in Karmanya Singh Sareen case where the Delhi High Court had examined the legality of the 2016 Privacy Policy under the IT Act and in the context of the constitutional “right to privacy” (although not recognised as a constitutional right at the time). 

Data protection and competition law in global context 

European antitrust regulators have taken an aggressive approach to Big Data -- most famously in examining Facebook’s data collection practices. 

In 2017, Facebook was investigated by the European Commission (the Commission) for making certain misleading submissions in connection with its merger with WhatsApp. 

Prior to the merger, the Commission had enquired with the entities regarding the possibility of automated matching of user accounts and IDs between Facebook and WhatsApp. 

Facebook had responded that any integration would present significant technical difficulties due to the two apps using different account identifiers and having a fundamentally different architecture. 

The Commission accepted this submission and the merger was cleared in October 2014. 

However, in 2016, the Commission found that not only had the integration of Facebook and WhatsApp user networks been planned, but also that it had been technically possible in 2014 (and that Facebook officers were aware of this fact). The Commission imposed a €110 million fine on Facebook for violation of the merger conditions. 

In another instance the Bundeskartellamt, the German antitrust authority (Federal Cartel Office), examined Facebook’s terms of service which allowed users to access the social networking platform only after consenting to its data and cookie policies. 

These policies permitted Facebook to collect data on users and their devices outside of the social network through Facebook Business Tools and combined such data gathered from Facebook-owned companies, such as WhatsApp and Instagram, to create a hyper-targeted advertising profile for purposes of the Facebook social network platform. 

The Federal Cartel Office found that such practices constituted an abuse of Facebook’s dominant position and therefore violated the European Union’s General Data Protection Regulation.
The Federal Cartel Office accordingly prohibited the implementation of such policies to the extent that they involved the collection of user and device-related data from other Facebook-owned companies without users’ consent and the combination of such data with Facebook data for purposes related to the social network.  

In contrast to the EU, the Federal Trade Commission (FTC) and the Antitrust Division of the Department of Justice in the US have generally remained more skeptical of the anti-competitive effects of the creation of big data sets, particularly in vertical mergers such as Amazon’s acquisition of Whole Foods (2017), Google’s acquisition of ITA (2011) and Google’s acquisition of DoubleClick (2007). 

In certain cases, the regulators have specifically approved of the efficiency gains that a business relying on user data may achieve from a merger with another data-rich business. 

When closing its investigation into a proposed Internet search and paid search advertising agreement between Microsoft and Yahoo! in 2010, the FTC observed that the acquisition of data sets by Microsoft would lead to “more rapid innovation of potential new search-related products, changes in the presentation of search results and paid search listings, other changes in the user interface, and changes in the search or paid search algorithms.” It was concluded that the enhancement of Microsoft’s performance, if achieved, would exert correspondingly greater competitive pressure in the marketplace, in particular, by creating a more viable competitive alternative to Google. 

2021 CCI investigation 

WhatsApp’s 2020 update to its privacy policy describes, in greater detail than previously, certain user data that the platform collects and specifies that this user data will be shared with other Facebook group companies (and in certain circumstances, with third-party apps). 

Continued use of WhatsApp is conditional upon acceptance of the new policy. While initially slated to become effective February 8, 2021, WhatsApp has pushed this back to May 15, 2021. Soon after the new privacy policy was announced, the CCI issued a notice to WhatsApp and Facebook asking them to provide reasons for why an investigation should not be undertaken to determine whether the policy constituted an abuse of dominant position.  

In its submissions before the CCI, WhatsApp attempted to argue that issues of data privacy and sharing are not within the scope of the CCI’s mandate, and are governed by other legislations such as the IT Act. 

Additionally, WhatsApp reiterated that the proposed policy does not expand upon the data collection and sharing practices currently in place and only clarifies how the platform will work with businesses that use Facebook or other third parties to manage communications through WhatsApp. 

In its order of March 24, 2021, the CCI appears to have adopted a more nuanced approach in discussing considerations that could be relevant in assessing ‘abuse of dominance’ in the context of Big Data, stating that “in a data-driven ecosystem, the competition law needs to examine whether the excessive data collection and the extent to which such collected data is subsequently put to use or otherwise shared, have anti-competitive implications…”  

The CCI also distinguished the present matter from the Vinod Kumar Gupta case, observing that in digital markets, “unreasonable” data collection and sharing may grant competitive advantages to dominant players and result in exploitative and exclusionary effects. 

It specifically noted that unlike the fact scenario in Vinod Kumar Gupta, where WhatsApp provided an opt-out mechanism to users who did not wish to share their data with Facebook, the proposed policy is a “take-it-or-leave-it” policy, which when combined with the “unduly expansive and disproportionate” data being collected (including transactions and payment data, intrinsic device data, service related information and information on users’ interactions (including with businesses), warrants a detailed investigation in light of the market position and power held by WhatsApp.  

Certain observations in the CCI’s order on the interaction of data collection and sharing, and consumer welfare, may be instructive in understanding how it may approach data sharing as a competition law concern going forward. 

The CCI noted that users, who are owners of their personalized data, are entitled to be informed about the “extent, scope and precise purpose of sharing of their data”, but that in the present case, the information categories described in the proposed privacy policy are broad, vague and unintelligible. 

It also specifically notes that users are not likely to expect that their personal data would be shared with third parties ordinarily except for the limited purpose of providing or improving WhatsApp’s service.  

Accordingly, the CCI has taken a view that WhatsApp’s conduct in sharing user data with Facebook group companies in a manner that is “neither fully transparent nor based on voluntary and specific user consent”, is prima facie unfair to users and goes beyond users’ reasonable and legitimate expectations of the service for which they have registered.  

Interestingly, the CCI’s order notes that building user profiles through cross-linking of data, which is one of the intended end-uses of WhatsApp’s data sharing practices, may itself attract competition concerns as concentration of data may be perceived as a competitive advantage not only in the market for messaging applications but also in the market for display advertising.  

In stark contrast to the Vinod Kumar Gupta case, the CCI observed that network effects make it difficult for a user to switch applications and acknowledged that users wishing to discontinue their use of WhatsApp may have to incur costs such as the loss of historical data, as porting data to other applications is cumbersome and time-consuming.  

Pursuant to the CCI’s order of March 24, the Director-General is required to complete its investigation and submit an investigation report within a period of 60 days. However, as a practical matter, the investigation may take longer. 

Conclusion 

There is much wisdom to the adage that if you are not paying for a service, you are not the customer; you are the product. Data has assumed greater significance for businesses than ever before, whether for purposes of targeted advertising, personalised services or internal analytics, and is capable of shifting competitive advantage. 

The CCI’s suo moto cognizance of WhatsApp’s 2020 privacy policy update is recognition of this fact. It could also be indicative of the CCI’s intention to take a more interventionist approach where it believes that user data is being exploited in a manner that creates barriers to entry or otherwise adversely impacts competition or consumers’ interests.  

The CCI has wide powers under the Competition Act in case of a finding of abuse of dominance, and may pass such orders or issue such directions as it deems fit. 

Upon the conclusion of the investigation in respect of WhatsApp’s updated terms of service and privacy policy, the CCI could, for instance, impose a fine on WhatsApp, direct WhatsApp to cease sharing user data with Facebook group companies, require WhatsApp to obtain user consent in a specified manner for sharing of data (although this would be more in the territory of privacy and data protection regulation) and/or require that WhatsApp eliminate the ‘take-it-or-leave-it’ aspect of the policy. 

It is also possible that the CCI could ultimately conclude that WhatsApp’s conduct is not in violation of the Competition Act. It remains to be seen  how the CCI will, in its final order, strike a balance between consumer welfare and data protection on the one hand, and free enterprise in today’s data-driven world on the other hand. 

It will also be interesting to see how the intersection between privacy and competition considerations in the context of Big Data plays out over time and, in particular, how the CCI circumscribes the limits of where competition concerns end and privacy and data protection concerns begin. 

Rachael Israel is partner and Sarangan Rajeshkumar and Dhanush Dinesh are associates at S&R Associates. They can be reached at risrael@snrlaw.in,  sarangan@snrlaw.in and ddinesh@snrlaw.in. Views are personal.