By Vikrant Rana, Anuradha Gandhi and Rachita Thakur
Introduction
In January 2021, the Competition Commission of India (hereinafter referred to as “CCI”) took suo motu cognizance of certain media reports on WhatsApp’s updated privacy policy of 2021, which required users to accept new terms to retain their accounts and allowed data sharing with Meta and its subsidiaries without any option to opt out. The CCI, via order dated November 18, 2024, imposed a penalty of INR 213.14 crore on Meta for abusing its dominant position, as the updated privacy policy, enforced on a ‘take-it-or-leave-it’ basis, imposed unfair conditions on users, created entry barriers in display advertising and leveraged its dominance in messaging apps to secure online advertising, violating Section 4 of the Competition Act, 2002.[1]
The above order has been appealed before the National Company Law Appellate Tribunal (hereinafter referred to as the “Tribunal”) by the Meta Group on the ground that the CCI has exceeded its jurisdiction by ruling on the aspect of data protection, which would fall under the Digital Personal Data Protection Act, 2023 (hereinafter referred to as “DPDP Act”). The Tribunal has granted limited interim relief to Meta by staying the 5-year ban imposed by the CCI.[2] Considering that the awaited Draft Digital Personal Data Protection Rules, 2025 are likely to be notified by mid-2025, the Tribunal has listed the matter for the month of May 2025.[3]
The Digital Personal Data Protection Act, 2023
The DPDP Act regulates the collection, storage, processing and transfer of Personal Data in India. Personal Data is defined as any data which can identify an individual in relation to such data[4]. However, any personal data which is made publicly available by the Data Principal (the individual to whom the personal data relates)[5] will not be protected by the DPDP Act[6].
The DPDP Act requires consent as a lawful basis for processing personal data. Such consent must be free, specific, informed, unconditional and limited to a specified purpose. A request for consent should be preceded by a notice specifying an itemized description of the Personal Data processed by the Data Fiduciary (the individual who determines the means and purpose of processing personal data)[7], along with the type and purpose of Personal Data collected. For instance, Privacy Notices, Privacy Policies, Cookie Policies and Cookie Consent Management on the Website would serve as a notice to the Data Principal.
Furthermore, the DPDP Act grants the Data Principal the right to withdraw consent[8], requiring the Data Fiduciary to erase all related Personal Data upon withdrawal or after completion of the specified purpose.[9]
The WhatsApp privacy policy undermines the principle of consent by compelling users to accept the expanded terms without an opt-out option, effectively seeking forced consent. Under the DPDP Act, consent is the lawful ground for processing data, and taking such forced consent violates the lawful data processing norms, potentially attracting a penalty of up to INR 50 crores for non-compliance.[10]
The Overlap between Competition Law and Data Protection Law
The overlap between the DPDP Act and Competition Law arises from their distinct objectives. While the DPDP Act safeguards an individual’s personal data, Competition law aims to promote consumer welfare and sustain competition by preventing practices that have an adverse effect on the market. It regulates anti-competitive agreements, abuse of dominant position, mergers and combinations, along with competition advocacy. A key area of intersection is the misuse of market dominance in obtaining user consent for personal data and leveraging it for commercial advantage, as observed in the Meta case.
A pertinent illustration of lack of consent can also be drawn from Google’s acquisition of Fitbit in 2020. Google, already a dominant entity in digital advertising, acquired Fitbit, a leader in wearable devices. The main concerns raised by the regulators were:
- Access to Fitbit’s sensitive health data could be leveraged to further strengthen Google’s dominance in the advertising market; and
- It would be difficult for users to track what their health data would be used for.
The European Commission’s investigation found that Google must comply with the provisions of the General Data Protection Regulation (GDPR), which prohibits the processing of personal data concerning health unless the individual has given explicit consent. To address these issues, Google made commitments to keep Fitbit’s health data separate from its advertising business and to give users a choice to grant or deny the use of health data stored in their Google Account or Fitbit Account by other Google services. The acquisition was approved subject to compliance with the commitments offered by Google.[11]
In yet another similar case, Meta introduced a “pay or consent” model in November 2023 for EU users of Facebook and Instagram. Under this model, users must choose between paying a subscription fee for an ad-free experience or using the free version that features personalized ads. The EU Commission has preliminarily found that this approach violates the Digital Markets Act because it does not allow users to opt for an equivalent service that uses less personal data, nor does it enable them to freely consent to the combination of their personal data. This effectively forces users into a binary choice, undermining the principle of free and informed consent.[12]
The above cases highlight how users are coerced into data-sharing agreements, illustrating how sensitive data can be exploited to reinforce market dominance while at the same time resulting in a breach of privacy. Therefore, it is incumbent upon the Tribunal to carefully strike a balance between both laws, ensuring individual privacy and fair market competition. Additionally, it must decide the question of jurisdiction: whether the matter falls under the purview of the CCI or the Data Protection Board under the DPDP Act.
Rishabh Gupta, Junior Associate Advocate at S.S.Rana & Co. has assisted in the research of this article.
[1] CCI Order dated 18/11/24, available at: https://www.cci.gov.in/images/antitrustorder/en/order1732001619.pdf
[2] NCLAT Order dated 23/01/25, available at: https://nclat.nic.in/display-board/view_order
[3] NCLAT Order dated 17/03/25, available at: https://nclat.nic.in/display-board/view_order
[4] Section 2(t) of Digital Personal Data Protection Act, 2023
[5] Section 2(j) of Digital Personal Data Protection Act, 2023
[6] Section 3(c)(ii) of Digital Personal Data Protection Act, 2023
[7] Section 2(i) of Digital Personal Data Protection Act, 2023
[8] Section 6(4) of Digital Personal Data Protection Act, 2023
[9] Section 8(7)(a) of Digital Personal Data Protection Act, 2023
[10] The Schedule under the Digital Personal Data Protection Act, 2023
[11] https://ec.europa.eu/commission/presscorner/detail/en/ip_20_2484