‘Data is a part of competition, we can no longer turn a blind eye towards it’: #PrivacyNama2022

Key Takeaways

• Sharing of data to enable competition is not a new idea
• It is required now more than ever because of how critical data is in new-age markets
• Even non-personal, anonymised data can pose privacy concerns, especially to group privacy
• India needs a data protection law as soon as possible
• The threshold to determine what constitutes a grave enough competition violation to mandate data sharing is evolving
• Bigger companies might be unfairly targeted for their data practices because competition laws are geared towards that

“There is consensus that data is a part of competition, we can no longer turn a blind eye towards it. […] The EU’s Digital Services Act and Digital Markets Act are largely examples of very horizontal-looking statutes that aren’t strictly competition, nor are they strictly digital markets, nor are they strictly privacy related, but have an amalgamation of all of this. And I think, as tech policy progresses, we’re seeing more of this, and I wish that we see more of this, where there is a coordinated approach to dealing with digital markets that aren’t necessarily looking at only one facet of it,” Manjushree RM, Senior Resident Fellow with the Law and Technology Team at Vidhi Centre for Legal Policy, remarked at MediaNama’s PrivacyNama 2022 discussion held on October 6 and 7.

Manjushree RM was joined by Deeksha Manchanda, Counsel at Chandhiok and Mahajan, Shashank Mohan, Programme Manager with the Technology and Society team at Centre for Communication Governance for the panel on Privacy and Competition, which was moderated by MediaNama’s Sarvesh Mathi.

MediaNama hosting these discussions with support from Mozilla, Meta, Walmart, Amazon, the Centre for Communication Governance at NLU Delhi, Access Now, the Centre for Internet and Society, and the Advertising Standards Council of India.

FREE READ of the day by MediaNama: Click here to sign-up for our free-read of the day newsletter delivered daily before 9 AM in your inbox.

Why is data sharing used by regulators as a means to address competition concerns?

Concept of essential facilities: Manchanda explained that the genesis of data sharing and competition law dates back to 1975. “In competition law, we have this non-statutory concept of essential facilities. It’s essentially arguing that there are some assets, which are so integral to competition that if access to them is not enabled, competition cannot thrive.”

Compulsory licensing of patents follows a similar idea: Manchanda gave patent laws as an example to explain the concept of essential facilities. There is compulsory licensing of a patent, an asset that a company has developed by putting in a lot of R&D, but the company’s right to own is trumped by society’s right to access, Manchanda explained. “It’s not novel. We’ve had cases long ago, in the time when you had TV directories, where you could see what channel was going to play. There’s a very famous case of MaGill TV listing where the competition authorities in Europe directed TV broadcasters who have copyrights over their TV listing to compulsory license it to somebody who was creating these listings,” she added.

Data is a very critical resource in digital markets: “I suppose the first idea that comes to us intuitively is that data is looked at as a resource that if I have access to, I may be able to compete in a market better. But to me personally, data is so much more than that, because data has a way of reinforcing the strength of a market player in a market that is already very concentrated,” Manjushree RM remarked. To illustrate her point, she gave the example of Amazon and Google being the first movers in their market were able to collect vast amounts of consumer data that allowed them to maintain their position because of network effects or positive feedback loops.

“Competition requires data to be shared, not only because data is a very critical input for being able to create a product or to be able to break a barrier, but it is also important to flourish in a market.” — Manjushree RM

Lock-in effects of data: “We have Swiggy and Zomato, which control about 90% of the food tech market. Someone very interestingly asked me what prohibits someone from creating another platform. And the answer to that is very simple. Once you have tapped into data like this, once you have a beginner’s move advantage, once you have locked in your consumer, and once you have created those barriers for them, it discourages them from moving from one platform to another. And all of this is happening cohesively through the central aspect of data. There is very little incentive for consumers to migrate. And which is why having another parallel structure might not make a lot of sense, because consumers are also directly benefiting from the large networks of restaurants,” Manjushree RM explained.

What are the privacy risks that emerge from data sharing?

Even anonymised data poses re-identification and group privacy risks: “The risk with anonymised data is that it can be identified. As big data and data processing is developing, data processors do not necessarily need to process personal data to sort of draw inferences about us or target us. I know the way we’ve all looked at privacy has been from an individualistic lens […] but as data analytics has evolved, you know, data processors don’t need to actually process personal data,” Mohan explained, giving the following examples:

• NY cab drivers: “For example, researchers got access to cab ride details from New York City. And this was like anonymized to the extent of license plate numbers and the identity of personal drivers. It was just like trip details, or the timing of when a trip started, how many passengers etc. And what researchers were able to do is actually link this data with various other publicly available data and start identifying drivers or cars of a particular community. In this case, people were identified as Muslims just by matching when the car stopped during prayer hours they could backtrack and identify that. And then if you correlate that data to end-stop neighbourhoods, you can essentially say that this neighbourhood is predominantly occupied by the Muslim community.”
• Inferential data: “Another quick example is that big tech companies, if they can draw inferences about us, let’s say by identifying shopping patterns, then there is so much data out there […] For example, they can tell by my shopping patterns, the probability of my sexual orientation, which I would not want to share beyond a particular amount of people.”

“Some scholars have argued that only focusing on individual privacy or personal data is a bit sort of archaic because of big data capabilities […] whatever data processing they’re trying to do is draw some inferences about X person or group.” — Shashank Mohan

Erroneous inferences can be drawn: “You can be discriminated against, and your right to self-determination may be diluted. I can have insurance premiums at a higher rate because certain data from the sensors in my car was taken. And sometimes there are unverifiable inferences drawn by a data processor. […] A lot of these inferences are unintuitive and sometimes even erroneous. For example, Google wanted to identify flu trends in a region, and they got it very wrong based on data they had collected. So it’s not always that these inferences arrive at the right sort of output,” Mohan elaborated.

What constitutes a grave enough competition violation to mandate data sharing?

Thresholds have been changing continually: “There is so much happening on the international front on this and our understanding of this also has been evolving. If you asked the CCI a decade ago, if privacy was going to be a competition concern, I think they will flat-out say no. But if you look at it today, the most recent WhatsApp decision that the CCI has come out with and also its study in the telecom sector, clearly clarifies that privacy is a non-price metric for measuring competition. So this not only shows that the standards or thresholds have been changing continually,” Manjushree RM said.

“I think we should, in fact, push for thresholds to keep changing, because I feel like whenever we have a debate in privacy and competition, there is so much to learn from both sides, that I would personally be very hesitant to say that I found the answer to what qualifies dominance, when should data be shared?” — Manjushree RM

Three different ways data-based thresholds are arrived at: “We can categorize how data sharing has been a competition remedy or is being enforced in other countries largely in three different buckets. First, let’s look at the dominance bucket where the idea of dominance or what constitutes dominance is beginning to be very broadly understood. And factors that traditionally didn’t account for what established dominance are being taken into account by regulators. The second way is that we’re trying to establish standards that are different from dominance. So we’re saying why don’t we look at some more standards, let’s call them gatekeeper, or let’s call them covered platform or significant platforms, so that we can somehow move in a few extra obligations to ensure that, you know competition in those markets are preserved. And the third approach is actually an amalgamation of the two. There is a political will to do this, and there is also legislative will to do this, but it hasn’t yet seen fruition because legislative processes are that long. So you largely hear of courts that apply the gatekeeper threshold for the purpose of establishing dominance. Ultimately, what we’re seeing across jurisdictions and most jurisdictions that I’m talking about right now are either the EU, UK, Germany, US, Korea, a lot of these are coming up with thresholds of this sort,” Manchanda explained. “And what is interesting to see in all of these countries, or even India, for that matter, is that there is definitely a will or there’s definitely consensus that we need to be able to do something more than what is traditionally available in our antitrust toolkit to ensure that, you know, our competition laws are better equipped to deal with market realities. How this threshold gets applied, again, is rooted in institutional and political realities of a given country,” Manchanda added.

The indispensability of the resource: “The DMA has imposed a specific requirement on search companies, which for now only targets Google, to share click and query data with anyone who makes a request. Of course, the data which is personal has to be anonymized. I think at multiple levels by multiple stakeholders concerns were raised about the possibility of de-anonymization of this data. Clearly, all of that in the European Commission’s opinion triumphed the opportunity that they wanted to give to alternate search engines to compete in the market, which sort of brings us back to how you should balance two competing rights against each other,” Manchanda remarked. “There is an aspect of the indispensability of the resource to which access is provided, so in this case, the click and query data should be indispensable to a requestor of that data. There should be an actual assessment that if access is not provided, all competition in the market will be eliminated. Nobody can survive if I don’t give you access. And then you need to look at whether the company from whom data is being requested has some very objective justification for not sharing that data.”

Exploitative abuse: Competition authorities are capable of looking into any conduct by a dominant company that imposes an unfair condition on a user and this is generally called exploitative abuse. Germany was the first one to begin, it has not been the only one, they looked at Facebook—WhatsApp data sharing policy and came to the conclusion that this was anti-competitive. That matter got looked into at multiple levels, and finally landed up in the European Court of Justice, where the ECJ finally said that the jurisdiction exists with the competition regulators. “So it has given sanctity to the fact that a competition regulator can look into terms in a privacy policy which may be seen as exploitative vis-à-vis the end user irrespective of whether they are in compliance with the privacy laws or not,” Manchanda explained.

Ex-ante regulations:  Ex-ante regulations like the EU’s Digital Markets Act and Digital Services Act are another way data-dependent rules are arrived at. “It is largely when you realize that some market players are so big that it is not useful to correct their behaviour once it’s happened, as opposed to preventing it itself,” Manjushree RM explained.

Are bigger companies unfairly targeted for their privacy practices?

Bigger companies are held to higher privacy standards: “If privacy is seen as a fundamental human right, which is guaranteed to everyone, then the level of protection I deserve from people for my right to privacy has to be equal. What we are doing by including exploitative abuses within the scope of competition law and allowing a regulator to examine my level of privacy and the competition law is that I am placing a dominant entity on a slightly higher pedestal, which also means that I am placing all other entities as a lower pedestal. So if you compare that in the context of, take Google search and DuckDuckGo, the way competition law is being interpreted would imply that Google has to protect my privacy to a higher extent than DuckDuckGo,” Manchanda pointed out.

A limitation of competition law: “I understand that at the face of it this looks like asymmetrical protection of a fundamental right vis-à-vis a dominant and a non-dominant entity but unfortunately that’s where the limitation of competition law lies. In that, competition law at its outset, fundamentally says that I am only going to aggressively regulate those market entities which are so big that their behaviour has a polarising effect on the market. Which is why when we talk about privacy or data sharing from a competition lens, we are talking about it largely from the overall health of the market as supposed to a consumer-centric approach to privacy,” Manjushree RM shared. “In the absence of establishing a standard that all commercial entities must adhere to while collecting, processing or sharing of data, all that CCI or any other competition regulator can do is impose these obligations a little more stringently on dominant entities simply because they can.”

First need clarity on India’s data protection framework: “First we need clarity on what India’s data protection or data governance framework looks like. Without that, it will be very difficult for competition law to evolve as well. And that’s what is happening, if I take the EU for an example, even if there are failings of the GDPR, they have a baseline data protection law, they have an NPD regulation and various ancillary laws that sort of go around that. And then the second layer is the DSA, DMA, etc,” Mohan added.

“I know that privacy is a fundamental right and it’s easy as a privacy lawyer for me to say ‘okay, first address that, forget about everything’. But that’s not thinking holistically within a digital economy. I think, privacy should need to be addressed fairly sort of quickly. And then there needs to be a marriage between privacy and competition.” — Shashank Mohan

This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.

Also Read

• Why India Should Think About Harms Of Deanonymisation In Non-Personal Data Governance And Privacy Law
• Why An Indian VPN Provider Is Suing The Government Over The New Cybersecurity Rules
• A Guide To Non Personal Data Regulation In India
• Delhi HC Dismisses WhatsApp And Meta’s Plea Against CCI Probe Into Privacy Policy