Tag: Privacy

Note On Competition/Anti-Trust Law and its Efficacy in Tackling Issues Concerning Privacy (Part III) – And a Post Script.

[The previous post seemed way too long for a blog post, so decided to split it and post a ‘Part III’. The previous posts can be found here and here. Also as a bonus – an anticlimax post script. ;)]

INDIA

As already stated above, India has also till date been following the traditional model of competition law enforcement. The language and the concepts of the Competition Act, 2002 are heavily borrowed from the Treaty on the Functioning of the European Union (T.F.E.U.) and the enforcement structure enumerated under the act, i.e., the Competition Commission of India (C.C.I.) and the Director General of Investigations (D.G.) is also similar to the enforcement structure of the E.U.

The Commission displayed its cognizance of data collection, though not from a Privacy perspective, in the case of Matrimony.com Ltd. v. Google LLC, Case No. 07 of 2012. In its Final Order dated 31.01.2018, while imposing a fine of Rs. 135.86 crores on Google, it observed:

“In fact, it would not be out of place to equate data in this century to what oil was to the last one. The Commission is not oblivious of the increasing value of data for firms which can be used to target advertising better. Moreover, the data can be turned into any number of revenue generating artificial-intelligence (AI) based innovations.”

However, prior to this, in the case of Vinod Kumar Gupta v. WhatsApp Inc., Case No. 99 of 2016, specifically assailing the acquisition and the privacy policies of the respective entities, the Commission while dismissing the Complaint, specifically observed:

“14. On the issue of dominance of the OP in the relevant market as defined supra, the Commission notes that in India a number of other players such as Apple with iMessage, BlackBerry with BBM, Samsung with ChatON, Google with Google Hangouts and Microsoft with Skype are providing consumer communication apps and are also active in the provisions of smartphone hardware and operating systems. Besides, many other consumer communication apps providers such as Hike, Viber, WeChat and Snapchat are also active in market. As per the information available in the public domain, globally ‘WhatsApp’ is having a billion monthly active users and within India, it is having 160 million monthly active users. According to a study of ‘Jana and mCent’, 97% of the smartphone users in India use a communication app daily and the most popular is ‘WhatsApp’, which is installed on 96% of devices and has more daily active users than any other communication app in India. As per the said report, ‘WhatsApp’ is installed in 2.3 times more devices than home-grown messaging app Hike. According to a study conducted by ‘TNS/TNC Connected Life Study 2015’, 56% of the internet users in India use ‘WhatsApp’ and 51% use ‘Facebook’ every day. Further, amongst India’s internet users, ‘WhatsApp’ tops the list of instant messaging apps. Further, citing a study conducted by Global Web Index, the Informant has submitted that 64% of mobile users in India use ‘WhatsApp’ which is the largest as compared to any other mobile messaging app usage. Based on the the above, the Commission is of the opinion that the OP is in a dominant position in the relevant market as defined under para 13 above.

15. With regard to the abusive conduct of the OP in the relevant market, it is noted that the Informant has alleged that the OP is abusing its dominant position in the relevant market by introducing privacy policy which compels its users to share their account details and other information with ‘Facebook’. In this regard, the Commission observes that the data sharing terms of the privacy policy of the OP as updated on 25th August, 2016 relate to sharing of users’ ‘WhatsApp’ account information with ‘Facebook’ to improve the online advertisement and products experiences available on user’s ‘Facebook’ page. It is noted that the OP provides the option to its users to ‘opt out’ of sharing user account information with ‘Facebook’ within 30 days of agreeing to the updated terms of service and privacy policy. Moreover, the OP has submitted that ‘Facebook family of companies’ will use such information for the purpose of improving infrastructure and delivery systems, understanding how their services are used, securing systems, and fighting spam, abuse or infringement activities. The Commission also finds force in the submission of the OP regarding its users safeguards that all types of ‘WhatsApp’ messages (including chats, group chats, images, videos, voice messages and files) and ‘WhatsApp’ calls are protected by end-to-end encryption so that third parties and ‘WhatsApp’ cannot read them and also the message can only be decrypted by the recipient. Further, as stated in the key updates summary of the OP, nothing a user shares on ‘WhatsApp’, including his/ her messages, photos, and account information, will be shared onto ‘Facebook’ or any other apps of ‘Facebook family of companies’ for any third party to see, and nothing a user posts on those apps will be shared by ‘WhatsApp’ for any third party to see.

……..

19. The Commission also observes that there are no significant costs preventing the users to switch from one consumer communication apps to another. It may be due to the following reasons: (i) all consumer communication apps are offered for free of cost or at a very low price (mostly free), (ii) all consumer communication apps are easily downloadable on smartphones and can co-exist on the same handset (also called ‘multi homing’) without taking much capacity along with other apps, (iii) once consumer communication apps are installed on a device, users can pass on from one app to its competitor apps in no-time, (iv) consumer communication apps are normally characterised by simple user interfaces so that costs of switching to a new app are minimal for consumers, and (v) information about new apps is easily accessible given the ever increasing number of reviews of consumer communication apps on apps store like google play store etc. Furthermore, the expansion of Hike Messenger to nearly 100 million user base within three years of launching their services into the aforesaid market reflects that in this market, there are no significant barriers to entry and consumers appear to be price sensitive. Based on the above, the Commission is of the view that even though ‘WhatsApp’ appears to be dominant in the relevant market, the allegations of predatory pricing have no substance and the OP has not contravened any of the provisions of Section 4 of the Act.”

The most comprehensive discussion by the Commission on the aspect of data collection and sharing appears to be under the combination procedure in the Jhaadu Holdings LLC Case, i.e., the Acquisition of 9.99 percent of the equity share capital in Jio Platforms Limited by Facebook, Inc. The relevant portions of the Order of the Commission dated 24.06.2020 are as follows:

“(ii) Potential data sharing between the parties

50. Most of the data driven businesses are multi-sided platforms where one or more sides of the platform is designed to attract user presence and the other sides are used for monetizing the data relating to user behaviour. For instance, Facebook application is a social media platform. One side of its platform offers free services to users for social interaction and on the other side, the monitored behaviour of the users is used as an input to offer advertisement services (targeted display ads). As noted earlier, the social media and other applications of Facebook group are popular amongst internet users and Facebook is expected to have access to rich data regarding user behaviour. Facebook has submitted that it has a data policy that explains the nature of information collected by Facebook and how it is being used. It inter alia explains data sharing with third party partners.

51. Jio Platforms including RJIO, on the other hand, is also in a position to collect and possess consumer data. The privacy policy of RJIO defines Non-Personal Information as information that does not identify the user or any other individual, and includes session, web beacons and usage and transaction data, aggregate log data and aggregate information. It further states that RJIO uses this information, inter-alia, to tailor its services to the interests of its users, to measure traffic within its services, to improve the quality, functionality and interactivity and let advertisers know the geographic locations from where its users/ visitors come. The privacy policy further provides that the information provided by the users will be used for a number of purposes connected with RJIO’s business operations including (a) verifying the identity, access, privileges assigned and relationship with the user; (b) provisioning of products/services, testing or improvement of services, recommending various products or services; (c) communicating about bills, invoices, existing or new offers, content, advertisements, surveys, key policies or other administrative information; (d) analytics and reviews for improvement of RJIO’s services; (e) improving user experience while using RJIO’s services by presenting tailored advertising, products and offers; and (g) other usages that users may consent to.

52. Business combination between entities having access to user data can be analysed from the perspective of data backed market power. The assessment in such instances needs to focus on the incentives of parties to pool or share their databank and monetize such data in possible means.

53. In the instant matter, it is noted that the Proposed Combination is an acquisition of 9.99% stake in Jio Platforms by Facebook group. This may not result in unrestricted access to each other’s resources including user data. Nevertheless, the parties may have incentives to engage in mutually beneficial data sharing. In this regard, Jaadhu has submitted that “there is no data to be shared as part of the Proposed Transaction” (i.e. proposed acquisition of shares in Jio Platforms by Jaadhu). It has been further clarified in the response dated 12th June, 2020 by Jaadhu that:

“It is clarified that data sharing is NOT the purpose of the Proposed Commercial Arrangement, nor will either side be acquiring ownership of the other’s data pursuant to the Proposed Commercial Arrangement. However, for implementation of the Proposed Commercial Arrangement, WhatsApp and JioMart (which is owned by RRL and operated by Jio Platforms) will receive or send limited data. This data is:

(i)being provided only for the purpose of facilitating e-commerce transactions on JioMart. Its use is limited, proportionate and solely for the purpose of implementing the Proposed Commercial Arrangement. Further, ****** the MSA explicitly prohibits the Commercial Arrangement Partners from using confidential information received from the other party for their own business purposes, or from disclosing it to third parties, *********************************************** ********************************************************** ********************************************************** ************************************************;

(ii)neither exclusionary, inimitable nor rare, and substitutes exist…; and

(iii)processed in accordance with applicable law and parties’ data policies.”

54. The Commission observes that RJIO is a prominent telecommunication player in India with more than one-third of wireless subscribers on its network. The group entities of Jaadhu viz. Facebook Group, on the other hand, are the second leading player in online advertisement space and leading player in online display advertisement services. The user data possessed by Jio Platforms including RJIO and Facebook Group are complementary to each other given the symbiotic interface between telecommunication business and OTT content/ application users. Thus, any anti-competitive conduct resulting from any data sharing in the future could be taken up by the Commission under Sections 3 and/or 4 of the Act having due regard to the dynamics of the concerned markets and position of the parties therein.

55. Considering the material on record including the details provided in the Notice and the assessment of the Proposed Combination based on factors stated in Section 20(4) of the Act, the Commission is of the opinion that the Proposed Combination is not likely to have any appreciable adverse effect on competition in India. Therefore, the Commission approves the Proposed Combination under Section 31(1) of the Act. The Commission also notes that the parties confirm that the Proposed Combination does not contemplate any non-compete covenants.

56. This order shall stand revoked if, at any time, the information provided by Jaadhu is found to be incorrect.”

Recently, the Chairman of the C.C.I, Ashok Kumar Gupta, remarked that “Lowering of privacy protection by dominant enterprises could be construed to be an abuse of dominant position and therefore fall within the ambit of antitrust as low privacy standards implies reduction in consumer welfare.” However, no fresh investigation appears to have been initiated by the regulator as on date.

P.S. (As promised) –

So we have a bit of an anti-climax in this space, with TechCrunch reporting day before yesterday through Natasha Lomas that Google won’t end support for tracking cookies unless UK’s competition watchdog agrees !! It’s a long article, but well worth the read, especially for grasping the contours of Google’s self-styled “Privacy Sandbox” it announced earlier this year.

My favourite portion was and I quote:

But the key issue here is how privacy and competition regulation interacts — and potentially conflicts — with the very salient risk that ill-thought-through and overly blunt competition interventions could essentially lock in privacy abuses of web users (as a result of a legacy of weak enforcement around online privacy, which allowed for rampant, consent-less ad tracking and targeting of Internet users to develop and thrive in the first place).

Poor privacy enforcement coupled with banhammer-wielding competition regulators does not look like a good recipe for protecting web users’ rights.”

Note On Competition/Anti-Trust Law and its Efficacy in Tackling Issues Concerning Privacy (Part II).

Continued from our previous post:-

EUROPEAN UNION (E.U.)

In the E.U., the European Commission (E.C.) and its Directorate General for Competition are responsible for the administration of competition law. In regard to privacy matters, the General Data Protection Regulation is regulated by the European Data Protection Board. European authorities have also had the opportunity to deal with data implications on several occasions.

Initially, in the 2014 Facebook-WhatsApp Merger Case, Case No. COMP/M.7217 it took at extremely conservative approach on the issue of privacy. To quote from the Commission’s Order itself:

“For the purposes of this decision, the Commission has analysed potential data concentration only to the extent that it is likely to strengthen Facebook’s position in the online advertising market or in any sub-segments thereof. Any privacy-related concerns flowing from the increased concentration of data within the control of Facebook as a result of the Transaction do not fall within the scope of the EU competition law rules but within the scope of the EU data protection rules.

On the other hand, in 2016, in the Microsoft-Linkedin Merger Case, Case M.8124 the E.C. approved the acquisition of LinkedIn by Microsoft, subject to several conditions. Both companies retained large datasets comprised primarily of personal information. The E.C. found that the combination of Microsoft’s and LinkedIn’s datasets would act as a barrier to entry. The E.C.’s commitments included granting competing professional social network service providers access to Microsoft Graph, a gateway for software developers which is used to build applications and services that can, subject to user consent, access data stored in the Microsoft cloud, such as contact information, calendar information, emails etc. Software developers can potentially use this data to drive subscribers and usage to their professional social networks. Simply put, the Commission considered Privacy as a parameter for non-price competition Interestingly, the F.T.C. did not find anticompetitive implications in this transaction.

However, it is in fact the German Competition Authority Bundeskartellamt, and subsequently the Federal Court of Justice of Germany which have taken the first proactive to privacy protection through competition law.

In its decision of 6 February 2019 the Bundeskartellamt prohibited Facebook Inc., Menlo Park, USA, Facebook Ireland Ltd., Dublin, Ireland, and Facebook Germany GmbH, Hamburg, Germany from making the use of the Facebook social network by private users residing in Germany, who also use its corporate services WhatsApp, Oculus, Masquerade and Instagram, conditional on the collection of user and device related data by Facebook and combining that information with the Facebook.com user accounts without the users’ consent. The prohibition was based on Section 19(1) of the German Competition Act. The prohibition also applied to terms making the private use of Facebook.com conditional on Facebook being able to combine information saved on the “Facebook account” without the users’ consent with information collected on websites visited or third-party mobile apps used via Facebook business tools and use this data. The Court concluded that there was no effective consent to the users’ information being collected if their consent is a prerequisite for using the Facebook.com service in the first place.

The Bundeskartellamt found Facebook had abused its market power based on the extent of collecting, using and merging data in a user account and imposed on Facebook far-reaching restrictions in the processing of user data. The Bundeskartellamt saw the use of the conditions of use as an abuse of dominant position. It found Facebook dominant in the national market for the provision of social networks. It abuses this position by, contrary to the provisions of the General Data Protection Regulation (G.D.P.R.), making the private use of the network dependent on its authorization to link user and user device-related data generated outside of facebook.com with personal data without further consent of the users. With a resolution dated 06.02.2019, the Federal Cartel Office prohibited Facebook and other group companies from using the corresponding terms of use and processing personal data accordingly. The Federal Court of Justice on 23.06.2020 upheld this decision.

Margrethe Vestager, the current European Commissioner for Competition since 2014, has also recently stated before the European Parliament’s economy committee on Tuesday that there could be scope for “investigating if it’s actually legal for a dominant provider to stop supplying” services, adding that the EU “would have a number of tools to use.”

To be continued further….

Note On Competition/Anti-Trust Law and its Efficacy in Tackling Issues Concerning Privacy (Part I).

The traditional competition/anti-trust law paradigm, both in India and jurisdictions abroad, aims to tackle all abuses under two broad heads:

  • Violations through Anti-competitive agreements
  • Violations through Abuse of dominant position

While action is possible against the first only post the agreement coming into effect, competition law allows action against the second even at a pre-execution stage, through the mergers and acquisitions/combinations regime. 

Furthermore, traditional competition law enforcement (including in India) has till date limited investigations to pricing models of goods and services on the presumption that companies with greater market power are incentivised to monopolise profits by charging more or limiting supplies. However, with the proliferation of “free” services in exchange for information whose hidden cost appears to be evidently a degradation in privacy protection, competition/anti-trust regulators around the world are now required to tackle a different threat to competition posed by digital businesses other than that of cost of goods or services or its demand and supply.

This would help partially explain why as of today, none of the competition/anti-trust investigations and suits which have recently been launched against ‘Big Tech’ companies in the E.U. and the U.S.A. have focused on consumer privacy protection. Google and Facebook have been charged with allegations of abuse of dominant position, but with respect to their commercial conduct against competitors and not against consumers. Apple has been charged with enforcing unfair policies on its App Store against application developers but not for consumer privacy harm. This coupled with an inability to properly understand technology and its stupendously fast evolution in the last two decades has left regulators picking low hanging fruit, i.e., anti-competitive harm which is possible to fit within the block pegs of comprehensible economic theory.

The traditional train of thought across jurisdictions has been that privacy issues are covered under a separate regulatory mechanism and do not fall under the purview of competition law enforcement. There has also been a second train of thought that competition law enforcement and privacy law enforcement cannot go hand in hand, as they are antithetical to each other, i.e., enforcing privacy or data protection leads to the dominance of a select few, thus stifling innovation in markets. However, there is now a developing strain of thought, particularly in the E.U., that compelling a consumer to access a service only on a pre-condition of their acceding to particular terms of agreement could constitute an abuse of dominant position on the part of such a service provider as the user loses the right of self determination or choice, particularly in the context of dominant social media services like Facebook or WhatsApp.

UNITED STATES OF AMERICA (U.S.A.)

Anti-trust enforcement in the U.S. has relied on an adversarial litigation process, mostly guided by the consumer welfare standard, i.e., a focus on lower prices and greater output. This is the primary reason why ‘Big Tech’ companies like Google and Facebook have received virtually no anti-trust scrutiny until recently. In fact, both companies have in response to the litigations raised against them, have countered by saying that the Federal Trade Commission (F.T.C.), the anti-trust enforcement body in the U.S., had cleared their respective acquisitions after careful scrutiny and reopening them or divesting them now would amount to a violation of the sanctity of the law concerning mergers and acquisitions process itself.

The matter of Nielsen Holdings N.V. and Arbitron Inc., FTC File No. 131 – 0058 demonstrates the F.T.C.’s ability to identify the importance of data in merger and acquisition review. By way of background, Nielsen and Arbitron competed in the supply of syndicated cross-platform audience measurement services to media companies and advertisers. The F.T.C. found that access to data posed a significant barrier to entry and obtained a consent order “requiring divestiture of assets to Arbitron’s cross-platform audience measurement services business, including audience data with individual-level demographic information and related technology, and intellectual property.”

Similarly, in The Dun & Bradstreet Corporation Case, FTC File No. 091-0081, the F.T.C. sued The Dun & Bradstreet Corporation, challenging its February 2009 acquisition of Quality Education Data (QED) and alleging that the deal hurt consumers by eliminating nearly all competition in the market for kindergarten through twelfth-grade educational marketing databases. The data sold by these companies was used to sell books, education materials, and other products to teachers and other educators nationwide. The combination of the two companies had given Dun & Bradstreet, through its subsidiary Market Data Retrieval (MDR), more than ninety percent of the market for K-12 educational marketing data, according to the complaint filed by the F.T.C. Dun & Bradstreet acquired QED from Scholastic, Inc. for about $29 million, which was below the threshold amount that would have required the companies to notify U.S. antitrust authorities before finalizing the deal. It ultimately chose to settle the case. The F.T.C. settlement required Dun & Bradstreet to divest certain assets to MCH Inc., an institutional and educational data company active in the K-12 data market, to restore competition that was eliminated as a result of the transaction. Under the terms of the settlement, Dun & Bradstreet sold MCH an updated K-12 database, the QED name, and certain associated intellectual property.

Both these cases clearly display the trend in the U.S.A. The F.T.C. DOES NOT enter into privacy issues when enforcing anti-trust law on data issues. Rather, the trend is rather the opposite – to prevent the monopolisation of data. It is believed, both in academic and enforcement circles, that using anti-trust law to vindicate privacy interests could make it harder for innovative companies to thrive with new products or technology-based offerings and this could potentially result in less competition. Thus, it is not per se considered an anti-trust issue if a company holds a lot of data.

The F.T.C. though has under its Consumer Protection Authority sued Facebook in the past for multiple privacy violations, which ultimately culminated in a five billion dollar settlement in 2019. 

To be continued….