Competition LawData PrivacyInterplay between Data Protection and Competition Law

January 4, 20230


 The digital industry has grown dramatically in India and throughout the world during the last decade. While this expansion has given rise to new business models, opened up new markets, and unlocked tremendous efficiencies, it has also generated fears that the Information Technology (IT) companies hold a huge amount of data to manipulate digital markets for their advantage.

With the expanding digital economy, the data driven tech-mergers have also seen a considerable increase. Such tech-mergers aim to translate the consolidated data into personalised services for the consumers.

However, such an activity also harms the competition in the market by:

  1. Diluting the data privacy and the protection of data; and
  2. Raising barriers to enter into the market.

In the backdrop of the foregoing, the Competition Commission of India (CCI) has launched investigations against a number of players, including WhatsApp, Facebook, and Google. However, there are concerns about applying Competition Law (rather than Privacy and Consumer Protection) to handle such problems.

Even in the absence of the Data Protection Law, the Right to Privacy is a fundamental right and protection of the fundamental right is the responsibility of the State. This blog deliberates upon the emerging interface and the overlap in various jurisdictions pursuant to antitrust and data protection.


One of the most prominent examples of the interplay between competition and privacy started particularly from 07.02.2019 when the Bundeskartellamt prohibited Facebook from combining the user data from various sources. The Bundeskartellamt which is the National Competition Authority of Germany, held that:

(i)     Facebook-owned services like WhatsApp and Instagram can continue to collect data. However, assigning the data to Facebook user accounts will only be possible subject to the users’ voluntary consent. Where consent is not given, the data must remain with the respective service and cannot be processed in combination with Facebook data.

(ii) Collecting data from third party websites and assigning them to a Facebook user account will also only be possible if users give their voluntary consent.

If consent is not given for data from Facebook-owned services and third party websites, Facebook will have to substantially restrict its collection and combining of data. Facebook is to develop proposals for solutions to this effect.

Herein, the investigation concluded that the clubbing of user data collected from third party websites and sources by Facebook is abuse of dominance. Various authorities in different jurisdictions had different opinion on the Facebook case. On the grounds of jurisdiction, the Düsseldorf Higher Regional Court set aside this Order with the opinion that

“the question of whether there had been a violation of the General Data Protection Regulation (“GDPR”), cannot be decided by the German competition authority and must be decided by the European Court of Justice”.

In the Indian parlance, the introduction to the conflict between Competition Law and Data Privacy can be traced to the Case wherein WhatsApp changed its data privacy policy. With this case, it was realised that there is a unilateral dependence on the companies that specialise in big data. This realisation has prompted a public deliberation as to why the Competition Law Authorities must interfere in order to protect consumer rights.

Pursuant to such deliberations, the CCI clarified its intention to include data protection and privacy within its domain. The CCI also directed a probe into WhatsApp’s privacy policy. This was done as a measure allowed by the Delhi High Court on the challenge. The response and judicial trends, therefore, so far, indicate that the Competition Regulator should and could engage in the matters pertaining to Data Protection.

Disregarding any merits or lack thereof at this point, the inclination to expand CCI’s power to data protection matters, concerning as discrepancies, are bound to arise when the long-pending Data Protection Legislation is passed.


 The CCI, vide the Competition Act, 2002 (Competition Act) is entrusted with the obligation to “prevent practices having adverse effects on competition and sustain competition in the market”. The CCI can investigate three areas of competition law under the Competition Act:

  1. Under Section 3 of the Competition Act, the CCI can intervene in Anti-competitive Agreements between enterprises;
  2. Under Section 4 of the Competition Act, the CCI can intervene if any enterprise abuses its dominant position in the market; and
  3. Under Sections 5 and 6 of the Competition Act, the CCI can regulate mergers and acquisitions of two or more enterprises.

While the CCI has conducted limited investigations into information-related issues, it did pass three orders in 2017-2018 that dealt with the impact and meaning of information in the opposition scene, including grievances filed against WhatsApp and Google and affirming the merger of Bayer and Monsanto.

It is significant – and maybe a pointer to what might be on the horizon – that in 2018, while favouring the merger between Bayer and Monsanto, the CCI guided the blended substance to give horticultural data/information on reasonable, sensible, and non-oppressive terms.

The CCI has had several opportunities to investigate the digital sector since its formation in the year 2010; the CCI has only lately examined data as an asset. The CCI released a Market Study on the Telecom Sector in India: Key Findings and Observations on 22.01.2021 (CCI Telecom Report), highlighting the intersection of Data Privacy and Competition Law.

CCI in its Telecom Report defines data usage as ‘non-price competition’, implying that data obtained from consumers by an organisation may be utilised to gain a competitive edge over its competitors in the market. The CCI also stated in another report that network effects caused by massive volumes of data collected allow corporations to compete on a level that is unrelated to price and creates a ‘winner takes all’ system.


Mining and analysis of information raises not only information security problems, but also other serious concerns. Organizations that have access to huge informative collections and current information breakthroughs often have a significant advantage over those that do not.

This provides such organizations an unfair advantage. As a result, it is important to stress that violation of Data Privacy would also be considered as an anti-trust concern. This has implications for both Organizations and Customers, as non-prevailing parts are on the lookout.

The CCI Telecom Report presents the following instances of abusive behaviour:

  1. a poor privacy standard reflecting a lack of customer welfare;
  2. lesser data security, which might also indicate exclusionary behaviour; and
  3. exploiting a data advantage across many services.

The acquisition of WhatsApp by Facebook is yet another instance of dispossession. Prior to the acquisition, the two companies had independent information bases. With an inexhaustible supply of acquisition, WhatsApp modified its security strategy and granted Facebook access to its clients’ information.

The CCI appears to endorse this theory of harm in the WhatsApp Suo Moto Order, opining that data-sharing by WhatsApp with Facebook degrades non-price parameters of competition, and that this conduct prima facie amounts to imposition of unfair terms and conditions on WhatsApp users (Facebook is also included in the investigation as a direct beneficiary of this privacy policy).


With the wide scope of big data and digitised economy, there have been various debates with respect to the role of competition law in data protection stem. On a fundamental level, the Competition Law and the Data Protection Laws achieve different sets of modalities.

Competition Law aims to ensure undistorted competition within the internal market. Competition is conceived as the best means to ensure allocation of resources and increase consumer welfare. Whereas, privacy distortion effects could arguably both distort fairness and efficiency-based theories.

The various views pertaining to the interplay between Competition Law and Data Protection include:

  1. Separatist View

According to the Separatist view, the Competition Law and Data Privacy are complementary to each other and in no way are overlapping.

The origin of the Separatist view is Asnef-Equifax v Asociación de Usuarios de Servicios Bancarios ECR I- 11125 [Case C-235/08] wherein the major argument is that Data Protection Law and Competition Law are supposed to be viewed separately.

The principal argument here remains that incorporation of privacy and data protection concerns in the Competition Law Assessment would create a bubble of confusion specifically when the same is applied to the standards of consumer welfare.

  1. Integrationist View

This view accepts the incorporation of privacy arguments in the framework of Competition Law. Based on the Integrationist View, both the price and non-price factors under the Competition Law improve consumer welfare.

The Preliminary Opinion of the European Data Protection Supervisor (EDPS) in ‘Privacy and Competitiveness in the Age of Big Data: The Interplay between Data Protection, Competition Law and Consumer Protection in the Digital Economy (2014)’ is of the opinion that “privacy and the protection of personal data should be considered not as peripheral concerns but rather as central factors in the appraisal of companies’ activities and their impact on competitiveness, market efficiency and consumer welfare”.


The Constitution of India does not stipulate the Right to Privacy and the same has been subject to judicial interpretation. The judicial interpretation of the Right to Privacy brings it under the ambit of Fundamental Rights.

The Indian Judiciary as well as the CCI have evolved and developed the law relating to Privacy.

Justice K.S. Puttaswamy (Retd.) and Anr. v. Union of India and Ors. [(2017) 10 SCC 1]

The Hon’ble Supreme Court rendered a historic decision in this matter, holding that the Right to Privacy is guaranteed and enshrined in Articles 14, 19, and 21 of the Constitution of India.

The Supreme Court ruled that the Right to Privacy is inherent in the Right to Life and personal liberty enshrined in Article 21. It is also one of the rights guaranteed under Part III of the Constitution.

The Supreme Court further stated that the State has an obligation to preserve the Privacy of its citizens. As a result, the ‘Aadhaar Card Scheme’ was shown to violate the Right to Privacy of the citizens. The Supreme Court’s judgment permits people to seek legal remedies if their Privacy Rights are being violated.

This decision also has an impact on the norms and regulations established by Indian tech businesses.

People’s Union for Civil Liberties (PUCL) v. Union of India [AIR 1997 SC 568]

This case included telephone tapping and the issue raised before the Supreme Court was whether the tapping of telephones violated the Right to Privacy. The Hon’ble Supreme Court ruled that telephone calls are private and confidential, and hence the Right to Privacy was breached in this instance.

The Supreme Court was of the opinion that whether or not the Right to Privacy is included under Article 21 of the Constitution is dependent on the facts of the case.

The CCI probe on WhatsApp’s new Privacy Policy

In 2021, the CCI ordered a probe into the new privacy policy of WhatsApp for alleged abuse of market dominance. WhatsApp moved the petition in Delhi High Court but the Court ruled in favour of CCI.

Later, the Supreme Court also refused to halt the CCI probe into WhatsApp’s Privacy Policy.


The digitization of the economy with ‘data’ as the new critical resource is nothing short of a revolution. Such a revolution requires related legal framework that simultaneously makes necessary adaptions. The economy is now a ‘digital economy,’ leaving only a thin line difference between a conventional market structure and data considerations.

Accordingly, it is inevitable for contemporary regulations to fail or fall short on account of lack of competence with respect to either one of the domains of the market. In simpler terms, it can be said that no Competition Authority can handle big data mergers that put the personal data of individuals at risk, alone. Similarly, no Data Protection Authority can investigate or examine antitrust concerns in such situations.

Thus, an integrated approach that warrants the supervision of both Competition and Privacy Regulators would be a step in the right direction. However, such interface must be well coordinated and contradictory actions in isolation can create conflicts.

Although ‘big data’ has been the focus of competition regulators throughout the world, the Authorities are still working to obtain a better grasp of the underlying difficulties and determine how traditional techniques may be used in a technology-driven scenario.

In India, the CCI should work with other bodies that have been specially authorised to develop the Data Protection Norms. While the CCI may take cognizance of an anti-competitive deviation from such criteria, attempting to determine what constitutes an “excessive amount of data” may create contradictory positions with other authorities who may be in a better position to make such evaluations in any case.

The necessity of the hour remains for the implementation of clear and comprehensive Data Protection laws as soon as possible.

If such law establishes a data collecting threshold, the CCI might then analyse market power in digital marketplaces appropriately. However, the suggestion here would be to give primacy to the Data Protection Authorities in such cases.

In order to strengthen the collaboration between the authorities under the two laws, Sections 21 and 21A of the Competition Act must be revisited as the present form of the provisions; the outcome is futile because the consultations between the Authorities are neither compulsory nor binding.

– Team AMLEGALS assisted by Mr. Vinay Sachdev (Intern)

For any queries or feedback, please feel free to get in touch with or

Leave a Reply

Your email address will not be published. Required fields are marked *

Current day month ye@r *

© 2020-21 AMLEGALS Law Firm in Ahmedabad, Mumbai, Kolkata, New Delhi, Bengaluru for IBC, GST, Arbitration, Contract, Due Diligence, Corporate Laws, IPR, White Collar Crime, Litigation & Startup Advisory, Legal Advisory.


Disclaimer & Confirmation As per the rules of the Bar Council of India, law firms are not permitted to solicit work and advertise. By clicking on the “I AGREE” button below, user acknowledges the following:
    • there has been no advertisements, personal communication, solicitation, invitation or inducement of any sort whatsoever from us or any of our members to solicit any work through this website;
    • user wishes to gain more information about AMLEGALS and its attorneys for his/her own information and use;
  • the information about us is provided to the user on his/her specific request and any information obtained or materials downloaded from this website is completely at their own volition and any transmission, receipt or use of this site does not create any lawyer-client relationship; and that
  • We are not responsible for any reliance that a user places on such information and shall not be liable for any loss or damage caused due to any inaccuracy in or exclusion of any information, or its interpretation thereof.
However, the user is advised to confirm the veracity of the same from independent and expert sources.