The Competition Commission of India’s (CCI’s) recent decision regarding WhatsApp’s 2021 privacy policy has far-reaching implications for data privacy and competition in the digital economy. The CCI found that WhatsApp abused its dominant position by mandating data-sharing with its parent company, Meta, and imposed a penalty of ₹213.14 crore. Perhaps, more significantly, the CCI has directed WhatsApp to cease and desist from sharing user data for advertising purposes for five years and to provide users with an opt-out option for data-sharing for any other purpose.

WhatsApp has already indicated that it intends to challenge the CCI’s decision and there will undoubtedly be considerable debate on the appreciation of facts and law in this case. However, what stands out is the CCI’s careful balancing act between reviewing the competition issues arising out of WhatsApp’s conduct, while acknowledging that data protection and privacy issues are the domain of other legislation. The CCI quite correctly identifies its responsibility to ensure that data does not become a tool for perpetuating anti-competitive behaviour while acknowledging the role of India’s fledgling Digital Personal Data Protection Act (DPDPA), Information Technology Act and Privacy rules. What the CCI does not do, is reconcile the potential conflict between its decision on data-sharing obligations and those contained in the DPDP.

Behavioural remedies

This conflict becomes evident in the behavioural remedies that the CCI imposes, which embargo WhatsApp from sharing user data that is collected on its platform with other Meta companies for advertising purposes, for a period of five years, regardless of user consent. The CCI’s embargo appears to be an effort to level the playing field, and allow Meta’s online advertising competitors an opportunity to catch up. Even assuming that a five-year embargo on sharing data for advertising is an adequate or proportionate competition law remedy, it is evident that it is contrary to the DPDPA which permits users to consent to data-sharing. It is unclear whether the CCI’s decision will preclude such users from providing their consent for data-sharing once the DPDPA has been operationalised.

It’s also questionable whether the CCI’s remedy will protect Meta’s competitors, even if at the cost of its customers. The CCI’s decision does not answer this question. In fact, it neither assesses the adverse effect that such data-sharing would have on Meta’s competitors, nor does it empirically establish that such data-sharing will adversely affect either users or advertisers who rely on such data. Significantly, the CCI does not explain how a five year data sharing embargo will level the playing field, when Meta continues to face competition from a number of significant competitors.

The CCI decision does however, and perhaps rather paradoxically, acknowledge the primacy of user consent to data-sharing. It requires WhatsApp to inform its users that their data might be shared with other Meta companies along with the purpose for sharing. The CCI also requires WhatsApp to provide its users with a clear opt out from such data-sharing. This blanket requirement to obtain user consent to any data-sharing, contradicts the DPDPA which permits data-sharing without consent in certain specific circumstances — example, for legitimate use in public interest, such as to protect user safety and security. This potential contradiction between the CCI decision and the DPDPA will create legal uncertainty and make it difficult for entities to comply. It remains to be seen whether the DPDPA, once operationalised, will allow for derogations from responsibilities under that law, on account of a CCI order.

The CCI’s decision on WhatsApp’s privacy policy is significant for several reasons and the CCI should be complimented for having made its view on the intersection between data sharing and competition law known. However its behavioural remedies run the risk of creating legal uncertainty for all technology companies which depend on data-sharing. It also runs the risk of becoming part of a regulatory turf war between the CCI and the Data Protection Board of India once it is operationalised. Perhaps it might have been prudent for the CCI to have waited for the DPDPA’s operationalisation before tailoring its remedies.

Gandhi is Co-founder and Partner; Gangal is Senior Associate, Axiom5 Law