The Vacuous Intersection between Data Protection and Privacy Law

Authors: Akangsha Majumdar, Presidency University

Padmalaya Kanumgo, SLS, Hyderabad

Shrey Kumar Sinha, FOL, DU

Akansha Mittal, Amity University Kolkata

Mahip Mayank, Faculty of Law, DU

Rahul Sodhi, NorthCap University

Editor: Dyuthi Sutram, SLS, Pune


The Competition Act was enacted in the year 2002 to prevent any activity that may have an adverse effect on the competition in the Indian market. With the advancement in technology, the power to collect, store, process and analyse data on a large scale is acquired. This voluminous amount of data that is being collected is mined by business entities for commercial gains and is known as ‘Big Data’.

Data comes in various forms. It can be very simple and as well as very vast. It is a class of asset that vary widely in their competitive significance. Businesses evaluate whether the relevant data is a factor for competition in the relevant market. Most data can be categorised into three ways for analysis: a product; a commercially available database, an input to provide and improve functionality or a non-commercial asset. But whatever the type, businesses should only focus on the data that is commercially viable.

Views regarding the relative importance of data to competition and its analysis differ widely. Some opine that big data is a barrier to entry because it is difficult to collect, access and process while some others assert that data-rich companies are an important source of innovation and shall be encouraged.

Big Data has emerged as an important factor in Competition law. Data (in whatever form) may constitute as an asset. With regard to any business or company’s use or acquisition of Big Data, agencies shall take great caution to have an in-depth understanding of the relevant data and its usage.

Comments On CCI’s Jurisdiction of Data

As we are setting our foot into the period of datafication, business companies are being provided with numerous opportunities through large scale collection of data without the knowledge of the user. Data which is now commonly referred to as big data has become the new raw material of business and has also been referred to as the new oil in the year 2012.

Now, when there are data protection authorities and laws are in place to govern the collection and use of sensitive information, the question which arises is that whether big data-related activities can be examined by the CCI. To answer this question we first need to examine whether the usage of big data can impact or interfere with fair competition in the market. Big data can analyse, track and study the needs of the consumer and can also assist in the improvement of the quality of goods by using its self-learned algorithms.It also improves the decision-making on the supply side by improving market predictions and the operational efficiency of manufacturers[1]”. Hence, it is evident that access to data is of great value in competitive markets.

While the competition authorities in India are presently reluctant in going beyond the concept of economic efficiency and are not giving enough consideration to the use of big data, the European Commission has (EC) considered data as a non-price competition factor in the assessment of the merger. CCI needs to strike a balance between data protection and economic efficiency given that the collection of sensitive data can be used for gaining power in the market. In the case of Vinod Kumar Gupta vs. Whatsapp Inc[2], it was held by the CCI “that any privacy concern was outside of its purview and had to be dealt with exclusively under the Information Technology Act, 2000.” Competition and data protection are two separate regimes and any issues related to data protection are to be dealt with data protection authorities. However, It remains to be seen if and to what extent CCI will take clues from the EC in considering privacy concerns as a relevant parameter of quality of the goods or services offered in its competition assessment[3]”.

Privacy as an Issue

The emergence of big data as an asset raises the issue of data protection and also leads to competition considerations. After Google’s proposed acquisition of DoubleClick in 2007, concerns regarding the information that Google would have acquired were raised. Since then, the importance of data protection in competition law gained attention. However, the legal overview has been - competition and data protection are two different spheres of law and thus, data protection issues should only be considered by data protection authorities.

Whenever we talk about the classification of data with anyone it always raises concerns about the privacy and protection because right to privacy is a fundamental right that has been declared by the Supreme Court. Without privacy laws there will be no regulator who can keep a check on the security of the data that has been shared to the company.

Case Study : Facebook- Jio Investment Deal

Recently, Facebook Inc. has become the largest minority shareholder in Jio Platforms Limited (subsidiary of Reliance Industries Limited (RIL)). Facebook has invested $5.7 billion (Rs.43,574 crore) for acquisition of 9.99% stake in Jio Platforms making it the largest FDI in India`s technology sector as well as largest minority shareholder`s investment in the world. This deal between Facebook and Jio Platforms has brought two conglomerates together which will have huge effect on retail and internet market.

This deal is supposed to be mutually beneficial for both the companies. Through this deal Facebook would be able to expand itself to other sectors in India apart from social media. The partnership with RIL would also ease its entry in the telecommunication sector for its newer initiatives including Whatsapp Pay, as previously Facebook has minor disputes with the regulatory authority regarding its initiatives like Free Basics or Express Wi-Fi. Similarly, RIL can reduce its debts using these funds and the Jio-Facebook combination would be able to compete in e-commerce and e-services sectors with others in a stronger manner. The large number of Whatsapp and Instagram users will be added to JioMart increasing its market reach and consumer convenience. Thus, the amount of sensitive data collected from citizens will be vast and unregulated. The Competition Commission of India while approving this deal did not go into the mechanics of data as an asset which may be used against the stakeholders involved.

Even though it appears to be a win-win deal for both the ‘tech giants’, it also poses concerns related to data privacy and protection, undue advantage in market place, etc. The query regarding data sharing with the third party applications without the privacy protection act that has been raised. Both companies have more than 350 million users and during the mergers and acquisitions the data has to be shared with other parties. At present, India does not have any law relating to data privacy and protection whereas in the USA there is strict data privacy law, there may be a unidirectional flow of data without limitations i.e from India to the US.

Data Security in the EU - GDPR

With the advancement of humankind and the advent of the digital age, data[4] is everywhere. Whatever we do, or wherever we go, we leave a digital footprint[5]. Given its ubiquity, when data breaches occur, confidential information is leaked, which may be exploited by malicious individuals.

The General Data Protection Regulation (GDPR)[6] was adopted in 2016 and regulates the law relating to data protection and privacy in the EU[7]. It gives people more control over their data and applies to every organization that provides goods, services, or businesses in the European Union (EU). Being termed as the core of Europe’s digital policy legislation, it puts forth new rules for the benefit of citizens and corporations from the digital economy. It also brings about more rigid rules and a global application.

The GDPR redefines data as anything which may be employed, either on its own or in conjunction with other data to identify an individual and forthwith covers data such as IP addresses, mobile device identifiers, geolocation, and biometric data compared to the earlier, limited definition[8].

The GDPR makes it mandatory for organizations to ensure that data is gathered legally and under strict restrictions in every step. It requires users to authorise explicitly for their data to be used. It also provides for discarding of data when it is no longer in use. The GDPR increased the minimum age of individuals whose data can be collected from 13 to 16yrs. Furthermore, if an organization fails to comply with the provisions of the GDPR, it would be liable to pay heavy compensation [9].

Therefore, we see that the GDPR has increased the expanse of the laws regulating data. There has been a transformation in the definition of data to keep up with the digital age. Further, the GDPR applies to controllers[10] and processors[11] collecting data from EU subjects from any part of the world, making it a globally applicable law.

Conclusion and Recommendations

All the anti-trust/competition regulators are keeping a close eye across the world to investigate the usage of big data by the enterprises. As enforcement of effective competition rules can ensure that stakeholder are getting the best out of the global trend of data analytics, it is important that we set regulations for the same. A Committee of experts headed by B.N Srikrishna was appointed by the government to balance the privacy concerns and big data challenges as in India, the Competition Act, 2002 is unfit to deal with challenges of big data. The Personal Data Protection Bill, 2018 awards power to the Competition Commission of India to keep check on the merger activity of data protection, storing, and collecting entities and mitigate the thresholds enshrined under Competition Act, 2002 for much efficient oversight of sensitive and personal data of citizens. Coordination between competition and data protection authorities is vital to rapidly capture excesses by big data businesses. However, as the bill remains in that status, India has largely stagnated in the push forward for digital privacy.

[1] OECD, Big Data: Bringing Competition Policy to the Digital Era, November 2016, Page 8. [2] Vinod Kumar Gupta v WhatsApp Inc, 2017 SCC OnLine CCI 32. [3] 2018) Practical Lawyer (COMP. L) February by Anshuman Sakle, Partner CAM. [4] (Personal Data) Defined in Section 4(1) of the General Data Protection Regulation, 2016 [5] A trial of data we create while browsing the internet. [6] The General Data Protection Regulation, 2016 [7] European Union [8] Data as defined in the Data Protection Directive, 1995 [9] Up to €20 million or 4% of annual turnover of the company for the previous financial year [10] Defined in Section 4(7) of the General Data Protection Regulation, 2016 [11] Defined in Section 4(8) of the General Data Protection Regulation, 2016

29 views0 comments

Recent Posts

See All

©2020 by JURIS COGNITIONIS. Proudly created with