Sharp Lines

Regulating the intersection of data protection and competition is hard. Dominant platforms can leverage user data to create monopolies, limit user choice and raise competition concerns. As India prepares its own data protection law, it should try and avoid regulatory overlaps and strike a balance between data protection and competition regulation.

This article was first published in The Mint. You can read the original at this link.

Data protection is a cross-cutting legal regime. Since it applies to every entity that collects and processes personal data, its principles tend to superimpose themselves on top of other legislative frameworks—increasingly so, as more and more businesses go digital.

The unavoidable outcome of all of this is that traditional regulators are beginning to engage with data protection issues in ways that they previously never had cause to. This, as one might imagine, has blurred the boundaries between regulators and forced regulated entities to reorganise their internal processes in order to deal with the multiple and often conflicting demands from different regulators.

One of the main areas of conflict is competition regulation.

Platform Regulation

The value of a technology platform rises the more the people using it. Social media platforms increase in popularity as more subscribers sign up, just as ride-sharing and e-commerce platforms are more attractive to buyers and sellers alike the more options they offer both. This is the power of network effects in a platform economy.

The inevitable outcome of all of this is that one (at best two) dominant companies end up being in control of a given market. When that happens, users begin to worry that their options are limited, and that they have no choice but to accept services on the terms made available by a major platform.

Competition authorities have begun to dig deeper into these situations, trying to ascertain whether there are any competition concerns on account of the data advantage that Big Tech companies enjoy. These investigations inevitably stray beyond the traditional bounds of competition regulation, into areas that have so far remained within the sole purview of the data regulator.

Social Media

In one such instance, in 2019, the German Federal Cartel Office looked into the competition implications of merging user data from one social media platform with that of another and whether it made a difference that the users concerned had provided their consent to it. To arrive at its final decision, the Office looked at how consent is dealt with under the European Union’s General Data Protection Regulation (GDPR). It noted that to be valid, consent had to be obtained separately from the agreement of users to standard terms and conditions. In this case, consent had been bundled, so the Office had no hesitation in ruling that the company had abused its dominant position by violating provisions of the EU’s data protection law.

This decision of the Federal Cartel Office was appealed against in the Court of Justice of the EU (CJEU), which, last week, upheld the decision of the German competition authority.

The result of this judgement is that in Europe, competition authorities can now make an assessment as to whether or not there has been an abuse of the dominant position of a given entity based on a determination of whether or not the latter has acted in a manner consistent with its obligations under the GDPR. Stated differently, it is now the legal position in Europe that if a violation of data protection laws is held to be on account of an abuse of a dominant position, competition authorities can make a data protection determination in order to arrive at that competition law’s conclusion.

This is a path that European legislators had decided to follow even before the CJEU ruled on the appeal. A provision has been specifically introduced in the Digital Markets Act (a new European legislation focused on competition issues in data-driven markets) aimed at prohibiting large online companies that have been designated as “gatekeepers” from combining the data of their users in this manner without explicit consent. This specifically applies in the context of cases such as these.

Compliance Burden

To organisations, regulatory compliance is an obstacle to the smooth functioning of their businesses. They look to minimise their compliance burden by structuring their operations to either reduce the total number of compliances they need to address, or, where that is not possible, to find ways in which the process can be streamlined.

For this, they need clarity, both in terms of exactly what it is they need to do in order to comply, as well as which regulator they need to satisfy for that purpose. As soon as more than one regulator has the ability to legitimately assume jurisdiction over them in respect of what is essentially the same subject matter, not only will the organisation no longer know what it is they need to do to comply, the moment the specific requirements of the two regulators diverge—even marginally—it will significantly increase their compliance burden, as they will now have to meet the demands of not just one, but two regulators in relation to what is essentially the same issue.

Sharp Lines

As India readies itself to enact into law a new data protection regime, if there is one thing we should take care to do, it is avoiding regulatory overlaps. Rather than allowing a turf war between regulators that overlapping regulatory remits make space for, we should draw sharp lines to delineate what falls within the mandate of which regulator so that companies have clarity on what is expected of them in terms of compliance.

And where an overlap is unavoidable, we need a process that addresses this sort of conflict. We should let regulators find a way to arrive at decisions that adequately reflect the concerns that both regulatory regimes are looking to address.