Note On Competition/Anti-Trust Law and its Efficacy in Tackling Issues Concerning Privacy (Part III) – And a Post Script.

[The previous post seemed way too long for a blog post, so decided to split it and post a ‘Part III’. The previous posts can be found here and here. Also as a bonus – an anticlimax post script. ;)]

INDIA

As already stated above, India has also till date been following the traditional model of competition law enforcement. The language and the concepts of the Competition Act, 2002 are heavily borrowed from the Treaty on the Functioning of the European Union (T.F.E.U.) and the enforcement structure enumerated under the act, i.e., the Competition Commission of India (C.C.I.) and the Director General of Investigations (D.G.) is also similar to the enforcement structure of the E.U.

The Commission displayed its cognizance of data collection, though not from a Privacy perspective, in the case of Matrimony.com Ltd. v. Google LLC, Case No. 07 of 2012. In its Final Order dated 31.01.2018, while imposing a fine of Rs. 135.86 crores on Google, it observed:

“In fact, it would not be out of place to equate data in this century to what oil was to the last one. The Commission is not oblivious of the increasing value of data for firms which can be used to target advertising better. Moreover, the data can be turned into any number of revenue generating artificial-intelligence (AI) based innovations.”

However, prior to this, in the case of Vinod Kumar Gupta v. WhatsApp Inc., Case No. 99 of 2016, specifically assailing the acquisition and the privacy policies of the respective entities, the Commission while dismissing the Complaint, specifically observed:

“14. On the issue of dominance of the OP in the relevant market as defined supra, the Commission notes that in India a number of other players such as Apple with iMessage, BlackBerry with BBM, Samsung with ChatON, Google with Google Hangouts and Microsoft with Skype are providing consumer communication apps and are also active in the provisions of smartphone hardware and operating systems. Besides, many other consumer communication apps providers such as Hike, Viber, WeChat and Snapchat are also active in market. As per the information available in the public domain, globally ‘WhatsApp’ is having a billion monthly active users and within India, it is having 160 million monthly active users. According to a study of ‘Jana and mCent’, 97% of the smartphone users in India use a communication app daily and the most popular is ‘WhatsApp’, which is installed on 96% of devices and has more daily active users than any other communication app in India. As per the said report, ‘WhatsApp’ is installed in 2.3 times more devices than home-grown messaging app Hike. According to a study conducted by ‘TNS/TNC Connected Life Study 2015’, 56% of the internet users in India use ‘WhatsApp’ and 51% use ‘Facebook’ every day. Further, amongst India’s internet users, ‘WhatsApp’ tops the list of instant messaging apps. Further, citing a study conducted by Global Web Index, the Informant has submitted that 64% of mobile users in India use ‘WhatsApp’ which is the largest as compared to any other mobile messaging app usage. Based on the the above, the Commission is of the opinion that the OP is in a dominant position in the relevant market as defined under para 13 above.

15. With regard to the abusive conduct of the OP in the relevant market, it is noted that the Informant has alleged that the OP is abusing its dominant position in the relevant market by introducing privacy policy which compels its users to share their account details and other information with ‘Facebook’. In this regard, the Commission observes that the data sharing terms of the privacy policy of the OP as updated on 25th August, 2016 relate to sharing of users’ ‘WhatsApp’ account information with ‘Facebook’ to improve the online advertisement and products experiences available on user’s ‘Facebook’ page. It is noted that the OP provides the option to its users to ‘opt out’ of sharing user account information with ‘Facebook’ within 30 days of agreeing to the updated terms of service and privacy policy. Moreover, the OP has submitted that ‘Facebook family of companies’ will use such information for the purpose of improving infrastructure and delivery systems, understanding how their services are used, securing systems, and fighting spam, abuse or infringement activities. The Commission also finds force in the submission of the OP regarding its users safeguards that all types of ‘WhatsApp’ messages (including chats, group chats, images, videos, voice messages and files) and ‘WhatsApp’ calls are protected by end-to-end encryption so that third parties and ‘WhatsApp’ cannot read them and also the message can only be decrypted by the recipient. Further, as stated in the key updates summary of the OP, nothing a user shares on ‘WhatsApp’, including his/ her messages, photos, and account information, will be shared onto ‘Facebook’ or any other apps of ‘Facebook family of companies’ for any third party to see, and nothing a user posts on those apps will be shared by ‘WhatsApp’ for any third party to see.

……..

19. The Commission also observes that there are no significant costs preventing the users to switch from one consumer communication apps to another. It may be due to the following reasons: (i) all consumer communication apps are offered for free of cost or at a very low price (mostly free), (ii) all consumer communication apps are easily downloadable on smartphones and can co-exist on the same handset (also called ‘multi homing’) without taking much capacity along with other apps, (iii) once consumer communication apps are installed on a device, users can pass on from one app to its competitor apps in no-time, (iv) consumer communication apps are normally characterised by simple user interfaces so that costs of switching to a new app are minimal for consumers, and (v) information about new apps is easily accessible given the ever increasing number of reviews of consumer communication apps on apps store like google play store etc. Furthermore, the expansion of Hike Messenger to nearly 100 million user base within three years of launching their services into the aforesaid market reflects that in this market, there are no significant barriers to entry and consumers appear to be price sensitive. Based on the above, the Commission is of the view that even though ‘WhatsApp’ appears to be dominant in the relevant market, the allegations of predatory pricing have no substance and the OP has not contravened any of the provisions of Section 4 of the Act.”

The most comprehensive discussion by the Commission on the aspect of data collection and sharing appears to be under the combination procedure in the Jhaadu Holdings LLC Case, i.e., the Acquisition of 9.99 percent of the equity share capital in Jio Platforms Limited by Facebook, Inc. The relevant portions of the Order of the Commission dated 24.06.2020 are as follows:

“(ii) Potential data sharing between the parties

50. Most of the data driven businesses are multi-sided platforms where one or more sides of the platform is designed to attract user presence and the other sides are used for monetizing the data relating to user behaviour. For instance, Facebook application is a social media platform. One side of its platform offers free services to users for social interaction and on the other side, the monitored behaviour of the users is used as an input to offer advertisement services (targeted display ads). As noted earlier, the social media and other applications of Facebook group are popular amongst internet users and Facebook is expected to have access to rich data regarding user behaviour. Facebook has submitted that it has a data policy that explains the nature of information collected by Facebook and how it is being used. It inter alia explains data sharing with third party partners.

51. Jio Platforms including RJIO, on the other hand, is also in a position to collect and possess consumer data. The privacy policy of RJIO defines Non-Personal Information as information that does not identify the user or any other individual, and includes session, web beacons and usage and transaction data, aggregate log data and aggregate information. It further states that RJIO uses this information, inter-alia, to tailor its services to the interests of its users, to measure traffic within its services, to improve the quality, functionality and interactivity and let advertisers know the geographic locations from where its users/ visitors come. The privacy policy further provides that the information provided by the users will be used for a number of purposes connected with RJIO’s business operations including (a) verifying the identity, access, privileges assigned and relationship with the user; (b) provisioning of products/services, testing or improvement of services, recommending various products or services; (c) communicating about bills, invoices, existing or new offers, content, advertisements, surveys, key policies or other administrative information; (d) analytics and reviews for improvement of RJIO’s services; (e) improving user experience while using RJIO’s services by presenting tailored advertising, products and offers; and (g) other usages that users may consent to.

52. Business combination between entities having access to user data can be analysed from the perspective of data backed market power. The assessment in such instances needs to focus on the incentives of parties to pool or share their databank and monetize such data in possible means.

53. In the instant matter, it is noted that the Proposed Combination is an acquisition of 9.99% stake in Jio Platforms by Facebook group. This may not result in unrestricted access to each other’s resources including user data. Nevertheless, the parties may have incentives to engage in mutually beneficial data sharing. In this regard, Jaadhu has submitted that “there is no data to be shared as part of the Proposed Transaction” (i.e. proposed acquisition of shares in Jio Platforms by Jaadhu). It has been further clarified in the response dated 12th June, 2020 by Jaadhu that:

“It is clarified that data sharing is NOT the purpose of the Proposed Commercial Arrangement, nor will either side be acquiring ownership of the other’s data pursuant to the Proposed Commercial Arrangement. However, for implementation of the Proposed Commercial Arrangement, WhatsApp and JioMart (which is owned by RRL and operated by Jio Platforms) will receive or send limited data. This data is:

(i)being provided only for the purpose of facilitating e-commerce transactions on JioMart. Its use is limited, proportionate and solely for the purpose of implementing the Proposed Commercial Arrangement. Further, ****** the MSA explicitly prohibits the Commercial Arrangement Partners from using confidential information received from the other party for their own business purposes, or from disclosing it to third parties, *********************************************** ********************************************************** ********************************************************** ************************************************;

(ii)neither exclusionary, inimitable nor rare, and substitutes exist…; and

(iii)processed in accordance with applicable law and parties’ data policies.”

54. The Commission observes that RJIO is a prominent telecommunication player in India with more than one-third of wireless subscribers on its network. The group entities of Jaadhu viz. Facebook Group, on the other hand, are the second leading player in online advertisement space and leading player in online display advertisement services. The user data possessed by Jio Platforms including RJIO and Facebook Group are complementary to each other given the symbiotic interface between telecommunication business and OTT content/ application users. Thus, any anti-competitive conduct resulting from any data sharing in the future could be taken up by the Commission under Sections 3 and/or 4 of the Act having due regard to the dynamics of the concerned markets and position of the parties therein.

55. Considering the material on record including the details provided in the Notice and the assessment of the Proposed Combination based on factors stated in Section 20(4) of the Act, the Commission is of the opinion that the Proposed Combination is not likely to have any appreciable adverse effect on competition in India. Therefore, the Commission approves the Proposed Combination under Section 31(1) of the Act. The Commission also notes that the parties confirm that the Proposed Combination does not contemplate any non-compete covenants.

56. This order shall stand revoked if, at any time, the information provided by Jaadhu is found to be incorrect.”

Recently, the Chairman of the C.C.I, Ashok Kumar Gupta, remarked that “Lowering of privacy protection by dominant enterprises could be construed to be an abuse of dominant position and therefore fall within the ambit of antitrust as low privacy standards implies reduction in consumer welfare.” However, no fresh investigation appears to have been initiated by the regulator as on date.

P.S. (As promised) –

So we have a bit of an anti-climax in this space, with TechCrunch reporting day before yesterday through Natasha Lomas that Google won’t end support for tracking cookies unless UK’s competition watchdog agrees !! It’s a long article, but well worth the read, especially for grasping the contours of Google’s self-styled “Privacy Sandbox” it announced earlier this year.

My favourite portion was and I quote:

“But the key issue here is how privacy and competition regulation interacts — and potentially conflicts — with the very salient risk that ill-thought-through and overly blunt competition interventions could essentially lock in privacy abuses of web users (as a result of a legacy of weak enforcement around online privacy, which allowed for rampant, consent-less ad tracking and targeting of Internet users to develop and thrive in the first place).

Poor privacy enforcement coupled with banhammer-wielding competition regulators does not look like a good recipe for protecting web users’ rights.”