Overlap
Issues of privacy and competition often overlap and we need a coordinated approach between regulators. That works in the US and EU where both the privacy and the competition regulators are active. In India, where we are yet to establish a privacy regulator, the competition commission will step in and regulate privacy aspects of data businesses from a competition perspective. There is a risk that privacy will be decided from a competition perspective. We need a data protection authority asap.
This article was first published in The Mint. You can read the original at this link.
The decision of the German Federal Cartel Office in 2019, that Facebook’s data collection practices were an exploitative abuse of market power, was based on its finding that the data gathering processes in question were illegal under EU privacy law (GDPR). Last week, the Higher Regional Court in Düsseldorf set aside this order stating that questions as to whether or not there had been a violation of GDPR must be decided by the European Court of Justice - not the German competition authority.
When Regulators Clash
This is the latest example of the tension between competition and privacy regulators on questions of how data businesses should be governed - and by whom. Data protection regulators contend that since it is they who are responsible for the personal privacy of users, it should be they who have the last word on matters relating to personal data. Competition regulators, on the other hand, point out that since the privacy related actions of big tech companies reduce consumer choice it should be treated as a non-price factor that affects consumer welfare. Accordingly, they argue, it falls within their regulatory remit to control. Taken at face value these divergent viewpoints suggest that privacy and competition occupy opposite ends of the spectrum. While competition law restricts conduct harmful to consumer welfare, data protection law ensures that users can have a reasonable expectation of privacy.
The issue, however, is not as cut and dried as either of them makes it out to be. Rather than being mutually exclusive of each another, issues of privacy and competition frequently overlap - to the point where enforcement by one regulator can cause a regulated entity to act in a manner prohibited by the other.
Take for instance, the case of HiQ v. LinkedIn decided by the US Ninth Circuit in 2019. LinkedIn terminated HiQ’s access to profile data on the grounds that the latter was scraping personal data even though users had expressly engaged a privacy setting called “do not broadcast” in relation to changes to their profile. HiQ argued that its business could not survive without access to data from LinkedIn’s servers and that LinkedIn’s decision to block access amounted to unfair competition given that the latter was planning to introduce a competing data analytics service of its own. When the Ninth Circuit, held in favour of HiQ, it placed competition interests at the forefront and simply ignored the privacy that LinkedIn users should have been afforded, having expressly chosen to prohibit broadcast.
Other more extreme actions are not outside the realm of possibility. EU Commissioner Margrethe Vestager has gone on record to state that the European Commission may require companies to share data with their rivals if that is what it is going to take to improve competition. While data access remedies to corporate information (such as business plans or technical data) have long been part of the competition regulator’s toolbox, exercising these remedies in the context of data businesses that deal in personal data is bound to have serious repercussions on the privacy of users.
Coordination
We will not be able to resolve these tensions unless we commit to adopt a more coordinated approach to regulation. This will mean ensuring that in all instances where competition disputes implicate issues of personal privacy, the competition regulator not only informs the data protection authority of the investigation but also makes the latter an integral part of the final ruling. In instances where this was not done, courts deciding on appeals from the order of a given regulator should carefully balance consumer welfare interests with those of personal privacy.
If these conflicts have been hard to resolve in the US and in Europe where privacy regulators are well established, how much harder will they be in India where we still don’t have a law?
In the absence of a data protection authority issuing directions as to how data businesses need to operate, various other regulators have stepped in to fill the breach. Across a range of industries, sector-specific policies have been issued on how personal data should be used. Unfortunately, rather than providing clarity, the resulting patchwork of compliances have further muddied the waters.
Competition Commission
Recently, the Competition Commission stepped into the fray pointing out, in its Market Survey on Telecom, that privacy is a non-price factor of competition and that, consequently, is within its authority to regulate. It subsequently made good on that statement by ordering an investigation into the recent changes to WhatsApp’s privacy policy.
In my article about the Market Survey on Telecom I pointed out that privacy is a complex subject that the competition regulator may not be able to satisfactorily address:
It has nuances and subtleties too complex to be effectively addressed by a non-specialist regulator trying to find a remedy for one manifestation of harm. As regular readers of this column are aware, I believe that consent itself is not a complete solution to all the challenges that are posed by modern technology to personal privacy in a digital age. These are not the sorts of nuances that the competition regulator will get — nor should be expected to appreciate. They simply do not have the necessary frame of reference that it takes to appreciate these sorts of nuances or the full range of experience that is needed to find holistic solutions.
Regardless, from recent developments it seems clear that the Indian competition regulator intends to make the privacy-related aspects of data businesses part of its remit.
Missing: A Data Protection Authority
While this might have been acceptable if we already had a data protection authority in place, in the absence of someone making the case for personal privacy, the regulation of Indian data businesses will now, unfortunately, take on a distinctly “competition first” flavour. With respect to issues that lie at the interstices of competition and privacy, this is going to prejudicially affect the direction of our data jurisprudence.
I have argued before, that India cannot afford to delay the enactment of its privacy law any longer. Jurisdictional conflicts such as this underline just how urgent this matter has now become. Any further delay will set back our data jurisprudence in ways that our data industry can ill-afford.