Privacy must not be diluted at the altar of competition

The decision of the German Federal Cartel Office in 2019 that Facebook’s data collection practices were an exploitative abuse of market power was based on its finding that the data-gathering processes in question were illegal under Europe‘s General Data Protection Regulation, or GDPR. Last week, the Higher Regional Court in Düsseldorf set aside this order, stating that questions of whether or not there had been a violation of the GDPR must be decided by the European Court of Justice, and not the German competition authority.

This is the latest example of the tension between competition and privacy regulators on questions of how data businesses should be governed, and by whom. Data protection regulators contend that since it is they who are responsible for the personal privacy of users, it should be they who have the last word on matters relating to personal data. Competition regulators, on the other hand, point out that since the privacy-related actions of big tech companies reduce consumer choice, it should be treated as a non-price factor that affects consumer welfare. Accordingly, they argue, it falls within their regulatory remit to control. Taken at face value, these divergent viewpoints suggest that privacy and competition occupy opposite ends of the spectrum. While competition law restricts conduct harmful to consumer welfare, data protection law ensures that users can have a reasonable expectation of privacy. The issue, however, is not as cut and dried as made out to be. Rather than being mutually exclusive to each other, issues of privacy and competition frequently overlap, to the point where enforcement by one regulator can cause a regulated entity to act in a manner prohibited by the other.

Take for instance, the case of HiQ vs. LinkedIn decided by the US Ninth Circuit in 2019. LinkedIn terminated HiQ’s access to profile data on the grounds that the latter was scraping personal data even though users had expressly engaged a privacy setting called ‘do not broadcast’ in relation to changes to their profile. HiQ argued that its business could not survive without access to data from LinkedIn’s servers and that LinkedIn’s decision to block access amounted to unfair competition, given that the latter was planning to introduce a competing data analytics service of its own. When the Ninth Circuit ruled in favour of HiQ, it placed competition interests at the forefront and simply ignored the privacy that LinkedIn users should have been afforded, having expressly chosen to prohibit broadcast.

Other more extreme actions are not beyond the realm of possibility. EU Commissioner Margrethe Vestager has gone on record to state that the European Commission may require companies to share data with their rivals if that is what it takes to improve competition. While data-access remedies to corporate information (such as business plans or technical data) have long been part of the competition regulator’s toolbox, exercising these in the context of data businesses that deal in personal data is bound to have serious repercussions on the privacy of users.

We will not be able to resolve these tensions unless we commit to the adoption of a better coordinated approach to regulation. This will mean ensuring that in all instances where competition disputes implicate issues of personal privacy, the competition regulator not only informs the data protection authority of the investigation, but also makes the latter an integral part of the final ruling. In instances where this was not done, courts deciding on appeals arising from the order of a given regulator should balance consumer welfare interests with those of personal privacy.

If these conflicts have been hard to resolve in the US and in Europe, where privacy regulators are well established, how much harder will they be in India where we still don’t have a data protection law?

In the absence of a data protection authority issuing directions on how data businesses need to operate, various other regulators have stepped in to fill the breach. Across a range of industries, sector-specific policies have been issued on how personal data should be used. Unfortunately, rather than providing clarity, the resulting patchwork of compliances has further muddied the waters.

Recently, the Competition Commission of India stepped into the fray, pointing out in its Market Survey on Telecom that privacy is a non-price factor of competition and is consequently within its authority to regulate. It later made good on that statement by ordering an investigation into WhatsApp’s recently-proposed privacy-policy changes.

It seems clear from these developments that the Indian competition regulator intends to make the privacy-related aspects of data businesses part of its remit. While this might have been acceptable if we already had a data protection authority in place, in the absence of someone making the case for personal privacy, the regulation of Indian data businesses will now, unfortunately, take on a distinctly ‘competition first’ flavour. With respect to issues that lie at the interstices of competition and privacy, this is going to prejudicially affect the direction of our data jurisprudence.

India cannot afford to delay the enactment of a privacy law any longer. Jurisdictional conflicts such as this underline just how urgent this matter has become. Any further delay will set back data jurisprudence in ways that our data industry can ill afford.

Rahul Matthan is a partner at Trilegal and also has a podcast by the name Ex Machina. His Twitter handle is @matthan