The Intersection of Data Protection and Competition Law in India
2 min read
In the age of technology, data has become a valuable commodity, with possession of vast amounts of data often considered a competitive advantage. However, the collection and use of personal data without consent has raised concerns among competition regulators worldwide. In India, these concerns are being addressed through the Digital Personal Data Protection Act, 2023 (DPDP), which aims to protect user data requiring user consent before collection and processing.
The DPDP defines personal data as any information that can be used to identify an individual, and data fiduciaries, such as digital service providers, are required to seek user consent before collecting and processing such data. However, publicly available personal data is not protected the DPDP. If a user chooses to withdraw their consent, they may face consequences, such as denial of access to services. Additionally, data fiduciaries are required to erase personal data once its purpose is fulfilled or consent is withdrawn.
The DPDP’s focus on consent and data protection has led to concerns about overlapping jurisdiction between the Competition Commission of India (CCI) and the Data Protection Board. The CCI, which initially considered data protection allegations outside its scope, has acknowledged the need for free consent in data collection dominant undertakings.
Recently, the CCI initiated an investigation into WhatsApp’s privacy policy, emphasizing the importance of free, optional, well-informed consent without withdrawal of services. The tension between the DPDP and the Competition Act lies in their individual objectives. While the DPDP aims to prevent data exploitation, the Competition Act seeks to prevent dominant undertakings from unfairly seeking consent for their commercial advantage.
In cases where dominant entities condition their services on consent for sharing personal data, it can raise antitrust concerns. The CCI may assess factors such as the availability of alternatives, necessity of data for services, and the ability to provide partial consent or continue using services without data sharing. However, the DPDP is also relevant in cases of false consent or data processing without clear consent.
Both the DPDP and the Competition Act address concerns regarding the dissemination and legitimate use of personal data digital players. It is essential to note that the CCI’s jurisdiction only applies to data fiduciaries with market power, while the DPDP focuses on protecting user data.
Overall, the intersection of data protection and competition law in India highlights the need to strike a balance between data-driven markets and user privacy, ensuring that personal data is used appropriately and with user consent.
Source: The source article does not have any explicit source links or URLs.
