THE INTERFACE BETWEEN COMPETITION LAW AND PRIVACY

LAW

I. INTRODUCTION

II. OVERVIEW OF PRIVACY LAW

History & Background
Legal Framework

III. OVERVIEW OF COMPETITION LAW

IV. INTERFACE BETWEEN COMPETITION LAW AND PRIVACY LAW

Data as a non-price parameter for competition
Sectoral Regulations governing privacy and competition

V. JUDICIAL PRECEDENTS

VI. CHALLENGES AND RECOMMENDATIONS

VII. CONCLUSION
 I. INTRODUCTION
II. OVERVIEW OF PRIVACY LAW
“Privacy is not an option and it shouldn’t be the price we accept for just getting on the Internet.”
– Gary Kovacs
2.1. History & Background
The road to recognition of the right to privacy has been a long and unforgiving one. From MP
Sharma1 to KS Puttaswamy,2 the Supreme Court’s recognition of the right to privacy as a
fundamental right under Article 213 has been constantly debated. While the Courts recognised
the right in some cases, it was completely negated in others. The full and final stance of the
Supreme Court was announced when 9 judges decided it was time for the right to privacy to be
bestowed on the citizens of the largest democracy. While provisions of the Information
Technology Act cover privacy, (Section 43A requires organisations that handle sensitive
personal data (SPDI) to implement reasonable security practices and Section 72A provides for a
punishment of up to three years in prison for intentionally or knowingly disclosing personal
information without the consent of the person concerned.) and the Indian Penal Code

The decision in K.S. Puttasamy v. Union of India4 led to the Legislature taking a charge to
implement legislation governing privacy and data protection. Post the K.S. Puttaswamy
judgement in 2017, the Government of India, through its Ministry of Electronics and Information
Technology, appointed a committee of ten members under the chairmanship of Justice B.R.
Krishna (a retired Supreme Court judge). This committee was supposed to submit a detailed
report on the introduction of the data privacy law in India. The committee finally submitted its
report on the data protection framework on July 27, 2018. The Report recommended new privacy
legislation and amendments in legislations governing aspects of privacy. The proposed Bill from
the Report was sent to a Joint Parliamentary Committee which suggested many changes, which
led the government to withdraw the Bill. A new Bill was introduced in August of 2023. The

1 M.P. Sharma v. Satish Chandra AIR 1954 SC 300

2 K.S. Puttaswamy (Privacy-9J.) v. Union of India, (2017) 10 SCC 1
3 INDIAN CONSTITUTION, Art. 21.
4 Ibid.
many iterations of the Bill were revised and amended after much consultation and the Digital
Personal Data Protection Act was passed and it received the President’s assent.

2.2. Legal Framework for Privacy Law in India

2.2.1. The Digital Personal Data Protection Act, 2023.
The primary legislation governing data protection and privacy is the recently enacted Digital
Personal Data Protection Act, of 2023 which aims to classify data and impose obligations on the
companies (referred to as “data fiduciaries”) that heavily collect and process the data of users
(referred to as “data principals”). The companies are only allowed to collect and process the data
only if the data principal consents to it. 5 This consent should be free, informed, specific,
unconditional and unambiguous6 and the Data Principal has been granted the right to withdraw
the consent at any given time. 7 The ambitious rights granted to the Data Principals are merely
words on paper right now. The Act, though enacted in 2023 still await notification by the Central
Government, which raises concerns about the legislation losing its effectiveness. 8 It is being said
that the Draft Rules complementing the Act will be released soon for public consultation but no
update has been provided by the Information Technology Ministry.9

2.2.2. The Information Technology Act, 2000.

The amendment to the Information Technology Act in 2008 brought in Sections 43A and 72A,
which recognized and further protected the sensitive information of the users. Section 43A
provides that any body-corporate that possesses, deals or handles any “sensitive personal data” or
information should maintain reasonable security practices and procedures relating to such data. It
will be liable to pay compensation to the affected person in case of any negligence, whereas
Section 72A provides for the punishment for intentionally or knowingly disclosing personal

5 The Digital Personal Data Protection Act, 2023, §4(1), No. 22 of 2023, Acts of Parliament, 2023.
6 The Digital Personal Data Protection Act, 2023, §6(1), No. 22 of 2023, Acts of Parliament, 2023.
7 The Digital Personal Data Protection Act, 2023, §6(6), No. 22 of 2023, Acts of Parliament, 2023.
8 Mishra, Ashutosh, One year of DPDP Act: Firms in a fix over delayed implementation of rules, Business Standard
(Aug 11, 2024), https://www.business-standard.com/economy/news/one-year-of-dpdp-act-delayed-rules-hamper-
india-s-data-protection-law-124081100299_1.html
9 The Indian Express, Centre finalises draft rules for Digital Personal Data Protection Act, public consulation
soon, https://www.newindianexpress.com/business/2024/Aug/19/centre-finalises-draft-rules-for-digital-personal-
data-protection-act-public-consulation-soon
information relating to a person that was acquired for providing services under a lawful contract,
without the consent of the person concerned or in breach of a lawful contract.
As a clarification to these provisions, the Government rolled out the Information Technology
(Reasonable security practices and procedures and sensitive personal data or information) Rules,
2011 (referred to as “Privacy Rules”) which clarify the definitions of sensitive personal data, 10
personal information,11 personally identifiable information. The Rules further detail of what a
company’s privacy policy should entail12 for reasonable security of sensitive information of the
users. But the emphasis of these Rules was not data protection but information security and
while it does regulate certain aspects of personal data use on IT networks within India, it does
not provide comprehensive rules or regulations on personal data processing or transfers.

2.2.3. Indian Penal Code, 1860.

The Indian Penal Code, 1860 now replaced with the Bharatiya Nyaya Sanhita, 2023 (“BNS”)
governs privacy in criminal matters. Section 228A(1) of the IPC (Section 72(1) of the BNS)
prescribes that it is a punishable offence to print or publish the name of any matter which may
make known the identity of a person against whom an offence under Sections 376 and associated
provisions has been committed. Section 354C of the IPC (Section 77 of the BNS) prescribes that
voyeurism, that is, any man who watches, or captures the image of a woman engaging in a
private act in circumstances where she would usually have the expectation of not being observed
either by the perpetrator or by any other person at the behest of the perpetrator or disseminates
such image) is a punishable offence. Section 354D of the IPC (Section 78 of the BNS) punishes
stalking (any man who follows a woman and contacts, or attempts to contact such woman to
foster personal interaction repeatedly despite a clear indication of disinterest by such woman; or
monitors the use by a woman of the internet, email or any other form of electronic
communication).

III. OVERVIEW OF COMPETITION LAW

10 The Information Technology (Reasonable security practices and procedures and sensitive personal data or
information) Rules, 2011, Rule 3.
11 The Information Technology (Reasonable security practices and procedures and sensitive personal data or
information) Rules, 2011, Rule 2(1)(i).
12 The Information Technology (Reasonable security practices and procedures and sensitive personal data or
information) Rules, 2011, Rule 4,8.
Competition law in India was introduced by the Monopolies and Restrictive Trade Practices
Act13 (MRTP Act) with the aim of preventing monopolies, regulating unfaif trade practices and
promoting consumer interests. Soon after the implementation of the MRTP Act, came the New
Economic Policy of 1991, enforcing the Liberalisation, Privatisation and Globalization reforms
that opened up the Indian economy. The domestic players were now forced to buckle up when
competing with foreign players, ultimately leading to a greater choice for consumers. This
increased need for competition in the market led to the deduction that the existing MRTP Act,
1969 was no longer sufficient to address the concerns of an exponentially evolving market. The
High Expert Commitee on Competition Law and Policy in 1999 chaired by Mr. S.V.S. Raghavan
was tasked with suggesting a framework to place India’s position at par with mature
jurisdictions. The Raghavan Commitee recommended the enactment of the Competition Act, of
2002, shifting the focus from curbing monopolies to promoting competition in the market.

The nascent law is enforced by the Competition Commission of India, the regulatory body
established by the Act itself. The Competition Act, of 2002 primarily aims to maintain healthy
competition in the market by preventing and when required penalizing anti-competitive
agreements under Section 3 of the Act and abuse of dominant position by an enterprise under
Section 4 of the Act and regulating mergers and acquisitions under Sections 5 & 6 of the Act.
The hopeful endeavour soon faced multiple litigations challenging numerous provisions of the
Act itself.14 By the time these litigations were disposed of, the year was 2010 and the pressure
was high to make the legislation a successful one. Thus started the actual enforcement of the
Competition Act. Post 2010, the CCI has adjudicated innumerable cases in different sectors

13 The Monopolies and Restrictive Trade Practices Act, 1969.

14 The constitutionality of the Competition Act, 2002 was challenged in numerous case including Mahindra &
Mahindra v. CCI (challenge to the Hon’ble Chairperson having a casting vote), Tranter India Private Limited v. CCI
(challenge to Section 48 of the Competition Act.), and Brahm Dutt v. UOI (challenge to adjudicatory powers of the
Competition Act.)
including the telecom sector,15 the e-commerce sector,16 the oil and natural gas sector,17 the
cement sector,18 the automobile sector,19 the cab aggregator sector20 and numerous others.

IV. INTERFACE BETWEEN COMPETITION LAW AND PRIVACY LAW

Data is considered a key asset for the digital economy, the oil of the digital era, 21 the lifeblood of
the digitization process22 and the heart of digital transformation.23 In online platforms, data
facilitates innovations and growth.24 In business, data not only enables companies like Google
and Facebook to maintain and improve services but also helps them to develop new products and
services.25 In addition to acquiring data directly by taking permission from users, companies also
track their online activities, choices, and preferences to benefit from targeted advertising, for
which users do not give informed consent in most cases, especially in emerging economies,
given the lack of awareness.26 This access to data enables online platforms to engage in data-
driven innovations, learn about the market and customers, hence, can be a decisive factor in
competition.27

15 Bharti Airtel v. Reliance Jio

16 Delhi Vyapar Mahasangh v. Flipkart & Amazon (Case no. 40 of 2019) (CCI)
17 The Hindu, RIL moves CIC, says PSUs acting as cartel in ATF Supply, (Nov. 28, 2021 09:13 pm IST)
https://www.thehindu.com/business/companies/RIL-moves-CIC-says-PSUs-acting-as-cartel-in-ATF-supply/
article16196436.ece
18 Builders Association of India v. Cement Manufacturers' Association, 2016 SCC OnLine CCI 46; Binani Cement
Ltd. v. CCI, 2017 SCC OnLine Comp AT 57; Shree Cement Limited, In re, 2016 SCC OnLine CCI 54;
Manufacturers of Asbestos Cement Products, In re, 2014 SCC OnLine CCI 26
19 Shamsher Kataria v. Honda Siel Cars India Ltd., 2015 SCC OnLine CCI 114
20 Samir Agrawal v. CCI (Cab Aggregators Case), (2021) 3 SCC 136
21 The world’s most valuable resource is no longer oil, but data, The Economist,
https://www.economist.com/leaders/2017/05/06/the-worlds-most-valuable-resource-is-no-longer-oil-but-data
22 David Reinsel, John Gantz & John Rydning, The Digitization of the World from Edge to Core 3 (2018),
https://www.seagate.com/files/www-content/our-story/trends/files/idc-seagate-dataage-whitepaper.pdf
23 OECD, Vectors of digital transformation, (2019), https://doi.org/10.1787/5ade2bba-en.
24 Jacques Crémer, Yves-Alxendre & Heike-Schweitzer, Competition policy for the digital era 73-110 (2019),
http://publications.europa.eu/publication/manifestation_identifier/PUB_KD0419345ENN.
25 ACCC, Digital Platforms Inquiry, (2019), https://www.accc.gov.au/system/files/Digital%20platforms
%20inquiry%20-%20final%20report.pdf
26 Rupal Nayal, Data Privacy at the Altar of Competition Laws, Competition Commission of India Journal on
Competition Law and Policy (Vol. 3, December 2022, pp. 79-95) Doi: 10.54425/ccijoclp.v3.42
27 Digital Competition Expert Panel, UK, Unlocking Digital Competition 17-53 (2019),
https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/785547/
unlocking_digital_competition_furman_review_web.pdf
Enterprises that primarily operate in the digital markets have been under the radar of CCI for a
very long time. These enterprises primarily include five of the world's largest internet companies
– the Big Tech – Google, Amazon, Facebook, Apple, and Microsoft (GAFAM). Enterprises like
these are huge repositories of data due to the services they provide to consumers. Additionally,
these enterprises have been held to have a dominant position in numerous jurisdictions, including
in India.28 A primary objective of the privacy law is to regulate the collection of data and how the
enterprises (termed “data fiduciaries”) process that data. Since GAFAM are enterprise operating
in the digital space, it gives them ample opportunity to collect data from the consumers using
their platform. They also process this data to improve their services and personalize their
platform for its users. It allows for innovation. However, this data might be used in an
exploitative manner (by locking in customers and imposing unfair terms and conditions) or in an
exclusionary manner (by leveraging the data to eliminate competitors from the market). Both of
these are concerns that any competition authority seeks to mitigate, prevent or correct.

While adjudication of cases involving enterprises like Google/Alphabet, Facebook/Meta, and

Amazon, the CCI has been cognizant of the value of data for these enterprises, especially in
markets ruled by multi-sided platforms. More often than not, the users of one side of the platform
avail the services for free whereas the users of the second side of the platform pay for availing
the platform. For instance, a consumer (also referred to as the “end-user”) does not pay any price
to access platforms like Amazon/Flipkart or Swiggy/Zomato but the sellers listed on the platform
(also referred to as the “business-users”) pay the platform fee to reach to the customers.

The end-user does not pay monetarily but through the collection of their data and online
behavioural patterns. The enterprises utilize this collected data to innovate and bring better
products to the market suiting the customer’s needs. 29 This data may also be used to lock in the
customers and impose unfair or discriminatory terms, leaving the customer no choice but to
accept those terms and conditions. For instance, A gaming platform “X” provides a platform for
game developers to list their games and players a platform to purchase, download and play the
games imposes exorbitantly high prices on the platform fee paid by both the game developers

28 In Google LLC v. Competition Commission of India, 2023 SCC OnLine SC 88, the Hon’ble Supreme Court
upheld CCI’s order designating Google as a dominant enterprises that abused its dominant position.
29 OECD. Supporting Investment in Knowledge Capital, Growth and Innovation. Paris: OECD Publishing, 2013.
and players and does not allow the players to transfer their progress in each game to any other
gaming platform. This leads to the players (the end-users in this case) being locked in to X as
their game progress data cannot be transferred elsewhere and have to accept the excessive price
imposed by X. Many instances like this particular one have caused competition authorities
around the world to be vigilant of data collection practices of dominant digital enterprises. In an
attempt to not overreach judicially, data has been included in the list of non-price parameters of
competition, which is discussed in the next section.

V. JUDICIAL PRECEDENTS

FOREIGN CASES
1. Google/Doubleclick Merger (USA)
2. Microsoft/LinkedIn Merger (EU)
3. Case C-21/23 Lindenapotheke – coexistence of data protection and unfair trade remedies
4. Facebook German Case + EU’s decision – Meta Platforms v. Bundeskartellamt

INDIAN CASES
1. orders under Section 31(1) of the Competition Act in Facebook / Jio, Combination
Registration No. C-2020/06/747, dated June 24, 2020
2. Google/ Jio, Combination Registration No. C-2020/09/775, dated November 11, 2020
3. Whatsapp Privacy Policy Case (+ the DG Report Update) (+ Harshita Chawla and Vinod
Gupta case)

VI. CHALLENGES AND RECOMMENDATIONS

VII. CONCLUSION