Digital Personal Data Protection Act: Yet Another Jurisdictional Overlap?

The boon of technology has changed the way consideration is paid for services. Against the workings of traditional markets, 'zero-price markets’ have emerged where services are paid for using ‘data’. Data has gained significant economic value, and possession of data is now often considered a competitive advantage over other players in the market.

The widespread collection of user data has given rise to platform-based ecosystems of digital products and services. This has raised the eyebrows of competition regulators across the world, as one big entity with high volumes of data may put other players in the digital market at a disadvantage. For a ‘free’ service, Indian users almost never hesitate to share their personal data with the service providers. The new Digital Personal Data Protection Act, 2023, or DPDP, seeks to fill this gap by requiring ‘user consent’ before collecting and processing user data. The DPDP has been enacted into law but is yet to be enforced by the central government.

While the DPDP is a welcome step, it may also raise overlapping jurisdiction issues between the Competition Commission of India and the Data Protection Board, as envisaged in the DPDP.

The DPDP requires data fiduciaries, such as digital service providers, to seek user consent before collecting and processing personal data. Personal data is defined as any data that can be used to identify an individual. However, any personal data that is made publicly available by the data principal (the individual whose personal data is collected) will not be protected by the DPDP.

The DPDP clarifies that if the data principal seeks to withdraw their consent, they need to bear all consequences resulting from such withdrawal. This implies that the data fiduciaries may deny access to their services to such data principals who have withdrawn their consent. Further, the data fiduciaries are required to erase all personal data if the data principal has withdrawn their consent or when the purpose of collecting such data is fulfilled.

In essence, DPDP mandates ‘free consent’ by a data principal before a service provider can process or use user personal data. However, the DPDP provides no recourse for consequences that a data principal may face if consent is withheld or withdrawn.

Platform-based markets have created an ecosystem of digital players who provide goods and services based on the continuous collection of user data. These datasets in large volumes are considered 'big data', which feeds into advertisement algorithms, machine learning, artificial intelligence, etc. In Matrimony vs. Google, the CCI referred to ‘big data’ as the ‘oil’ of the current century. In the same case, the CCI also observed that although data-based markets result in great gains for users, they also result in a loss of control over personal data.

The CCI was initially hesitant to interfere with data protection allegations and considered them outside the purview of the Competition Act, 2002. However, in the market study of the telecommunications sector, the CCI acknowledged the need for ‘free consent’ for the collection of data by dominant undertakings. In the market study, the CCI also observed that when a dominant entity acquires data, it can cross-link it with multiple services to retain users in the ecosystem.

More recently, when WhatsApp mandated acceptance of its privacy policy for its users to continue using WhatsApp, the CCI stepped in and initiated an investigation. Interestingly, for the first time, the CCI emphasised that consent for sharing user data needs to be ‘free’, ‘optional’, ‘well informed’, and ‘without withdrawal of services’, failing which it may be considered an imposition of unfair conditions by a dominant undertaking.

It is clear that the requirement of consent for collecting and processing user data, at least by dominant undertakings, is squarely covered by both the DPDP and the Competition Act. The cause of tension between the two lies in the individual objectives of the statutes. While the DPDP seeks to prevent the exploitation of personal data, the Competition Act is aimed at preventing dominant undertakings from unfairly seeking consent to collect personal data for their own commercial advantage.

To understand the overlap, let's consider a hypothetical situation similar to the WhatsApp case where company ‘X’ is dominant in the market for providing internet calling services and conditions its ‘free’ services on users giving consent for sharing their personal data. If a user refuses to give consent, X may stop providing its services to such a user.

While this may pass the muster of DPDP, it can still be considered anticompetitive by the CCI. This is because services provided by a dominant entity are essential for the user, and a ‘take it or leave it’ condition would practically force the user to give consent. For the CCI to find such a condition to be kosher, it is likely to take a "fairness and reasonability test" where the CCI may assess the following factors: (a) Whether the users have options to easily switch to X’s competitors providing similar internet calling services?; (b) Whether the data requested by X is necessary for providing its services?; (c) Do users have an option to only give consent for data that is essential for providing services by X?; (d) Do existing users have an option to continue using X’s services without sharing data?; and (e) Whether there is an objective justification behind withdrawal of services by X?

On the other hand, in a scenario where consent is given under a false pretext or where data is processed without clear consent, a remedy would lie under the DPDP. In such situations, the CCI may also exercise jurisdiction if the data collected by a dominant undertaking is not for the purpose of providing services but to hoard data for commercial purposes such as targeted advertising.

Both the DPDP and the Competition Act are concerned with the dissemination of personal data to digital players and its legitimate use. Needless to say, if the data fiduciary lacks market power, the CCI will have no jurisdiction. While the DPDP is clear in its limited purpose of protecting user data, parallel allegations under the Competition Act cannot be ruled out. The CCI has asserted that, in any situation, it will remain the exclusive body to resolve antitrust and competition-related issues. This creates yet another case of parallel jurisdiction between the CCI and the DPB.

The Supreme Court in Competition Commission of India vs. Bharti Airtel Ltd. has held that in the event of a jurisdictional overlap, the specific sector regulator would first decide on the overlapping issues, and the CCI’s jurisdiction would be activated if the findings of the sectoral regulator indicated anticompetitive conduct. The Airtel decision is likely to serve as the guiding principle in a possible overlap of jurisdiction between the CCI and the DPB.

Toshit Shandilya is a partner and Deepanshu Poddar is an associate in the AZB & Partners’ competition law team. The views expressed are personal and should not be attributed to the firm.

The views expressed here are those of the author and do not necessarily represent the views of BQ Prime or its editorial team.