Privacy As A Parameter Of Competition: NCLAT Weighs In!

The National Company Law Appellate Tribunal's ('NCLAT') decision in the WhatsApp-Meta case, is a major milestone for competition law in India. WhatsApp's 2021 privacy policy update, which permitted WhatsApp to share user data with Meta without providing an opt-out mechanism for WhatsApp users, was under scrutiny after the Competition Commission of India ('CCI') had found WhatsApp and Meta to be in contravention of the Competition Act, 2002 ('Act').

The judgement provides jurisprudence on various aspects of data protection and competition law, that have not been considered by Courts in India before. For example, the NCLAT found that extensive and vague collection of vast amounts of data and sharing them with group entities/subsidiaries, amounted to a reduction in service quality, harming both users and competition in violation of Section 4 of the Act.

Pertinently, the NCLAT addressed the question of whether abuse of dominance proceedings before the CCI are maintainable where the impugned conduct also implicates data protection and privacy laws, including the Digital Personal Data Protection Act, 2023 ('DPDP') and the Information Technology Act, 2000 along with allied rules. Rejecting these jurisdictional challenges, the NCLAT held that competition, and data protection & privacy landscapes, operate in distinct but complementary domains, and that regulatory overlap does not oust the CCI's jurisdiction.

It was clarified that data protection law and competition law examine fundamentally different aspects. While DPDP's focus is on personal data processing, consent, and protection of individual rights, the Act examines whether dominant firms misuse data to distort markets, foreclose competition, reduce consumer choice, or impose unfair conditions. Consequently, the same conduct may attract scrutiny under both frameworks without giving rise to repugnancy or conflict.

The NCLAT also held as under:

1. The mere overlap in subject matter is insufficient to exclude the CCI's jurisdiction. The CCI would retain its power to pursue competition harms where the principal subject matter is data or privacy, even after the DPDP Act has come into force, and the data regulator becomes operational. In this context, reliance was placed on the Supreme Court judgment in Bharti Airtel: Competition Commission of India v. Bharti Airtel, (2019) 2 SCC 521, where it had held that the existence of sectoral regulation does not bar the CCI from examining competition concerns, and that CCI's jurisdiction is only deferred and not excluded where specialised regulatory findings are required.

2. It recognised privacy as a non-price parameter of competition, akin to quality, innovation, and consumer service. Loss of privacy or excessive data collection can constitute a degradation of service quality. Excluding such non-price factors from competition analysis would undermine the purpose of the Act and leave digital markets effectively unregulated.

3. Data is a critical source of market power. The volume, variety, and quality of data available to a platform can confer significant competitive advantages, enabling improved targeting, efficiencies, and service enhancements. The scalable and reusable nature of data allows dominant firms to reinforce their position, create entry barriers, and distort competition. Accordingly, the CCI's jurisdiction extends fully to zero-price markets, where the real economic value lies in user data.

4. Data-related practices may simultaneously breach data protection and competition laws and that the DPDP Act does not render competition enforcement redundant. The CCI's jurisdiction encompasses not only traditional price-based conduct but also unfair data practices that affect market dynamics, consumer choice, and fairness.

A key principle emerging from the judgment is that privacy can function as a parameter of competition. Competition law today no longer confines itself to price effects alone. As the Organisation for Economic Co-operation and Development ("OECD") has emphasized, quality dimensions such as privacy, data security and user autonomy increasingly shape consumer choice and market outcomes in digital markets. Platforms often compete on the promise of better privacy safeguards, and when a dominant enterprise violates privacy without fear of exit from the market, it may signal market power. As rightly said by the European Data Protection Board, when defining the relevant market, the protection of privacy and personal data offered to consumers may be one of the parameters of competition to be considered. The CCI, and subsequently the NCLAT, explicitly relied on this understanding by treating forced data sharing as a reduction in service quality.

While data protection laws and competitions laws are distinct legal frameworks that operate in different domains and pursue different objectives, they share commonalities. At their core, both laws aim to protect individuals and their choices. This principle has been echoed by international organizations and regulators such as the OECD, European Data Protection Board, European Commission, and the Federal Trade Commission.

While the NCLAT referred to international precedents on the intersection between Data Protection and Competition Law, it did not entirely follow the reasoning of the Court of Justice of the European Union ("CJEU") in Meta v. Bundeskartellamt, which was heavily relied on by the CCI. In this decision, the CJEU held that extensive data collection and data-combination practices imposed through exploitative terms could be examined as an abuse of dominance by competition authorities, even where such conduct also falls within the scope of data protection laws. The NCLAT noted this line of reasoning but confined its analysis to the statutory scope of the Act – rather than treating infringement of data protection principles as determinative, the NCLAT focused on whether such data practices resulted in competition law harm, such as reduction in service quality, unfair conditions, or denial of market access within the meaning of Section 4 of the Act. In this context, the NCLAT's approach is consistent with its broader view that competition law and data protection law operate in parallel but address distinct questions. It recognised privacy as a non-price parameter of competition and accepted that excessive data collection may amount to a reduction in service quality.

The CCI had also argued that mandatory data sharing harmed users by eroding privacy and harmed competitors by strengthening Meta's data-driven advertising advantages. While the NCLAT accepted the competitive harm in terms of denial of market access, it was far less explicit in linking that harm to the underlying privacy violation.

The NCLAT's reasoning in approaching privacy, acknowledged that WhatsApp users faced a "take-it-or-leave-it" choice, with no realistic alternative in the relevant market. This acknowledgment recognises that consent obtained under such conditions is not voluntary. However, the NCLAT stopped short of treating privacy loss as serious enough on its own, to establish an abuse of dominance and instead required proof of additional downstream market effects, also positively reiterating their jurisdictional limitations. In doing so, the NCLAT also emphasised that findings of abuse must remain grounded in competition law harm rather than substituting for enforcement under data protection law.

One of the most significant limitations of the judgment is its focus on only the immediate effects of the policy without addressing cumulative data concentration. Over time, the continuous accumulation of user data creates deep and lasting advantages for dominant platforms that are difficult, if not impossible, for competitors to overcome. The OECD highlights that such cumulative data advantages can function as enduring entry barriers, even if no single instance of data collection appears decisive. The concentration of large volumes of data can shape market structures and create barriers to entry that may not be adequately captured by traditional abuse of dominance analysis. In emerging digital markets, exclusionary conduct and exploitative behaviour by large data enterprises, may not resemble the anti-competitive hallmarks of traditional abuse of dominance provisions. As digital markets continue to evolve, future cases may benefit from clear guidance on how data-driven market power and privacy-related effects should be examined under competition law.

An alternative approach could have been to look more closely at the cumulative impact of data collection over time, rather than focusing only on the immediate effects of the 2021 Policy. By examining how continuous data accumulation strengthens market power, increases entry barriers, and limits the ability of competitors to challenge dominant platforms, the NCLAT could have assessed long-term competitive harm.

In conclusion, the NCLAT's decision is a welcome step towards defining Indian jurisprudence on the intersection between data and competition. While the judgment marks a cautious step in addressing the intersection of privacy and competition, it also highlights the challenges that lie ahead in applying Competition Law to data-driven markets. The NCLAT rightly grounded its analysis in established Competition Law principles and avoided overextending its jurisdiction. As India's data protection and competition frameworks continue to develop, future cases will need to move beyond this cautious approach and acknowledge that in platform markets, privacy, data and competition are closely connected and cannot be examined in isolation.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.