Data Protection and Competition Law: Developments and the Way Forward

In the last decade the digital sector has witnessed tremendous growth – while this has given rise to new business models, opened up new markets, and unlocked significant efficiencies, it has also raised concerns that tech giants may use the excessive amounts of user data they hold, to influence digital markets to their advantage. However, there are also apprehensions regarding the use of competition law (instead of privacy and consumer legislations) to address such concerns. This note provides a brief overview of the existing legal framework on data privacy in India, analyses the CCI’s decisional practice in this regard, and suggests an appropriate way forward for the CCI on this matter.


Regulating Big Data: Contextualising CCI Probe into WhatsApp’s Privacy Policy

The CCI’s recent order directing an investigation into WhatsApp’s privacy policy provides us with the opportunity to look at how competition regulators, both in India and abroad, have sought to regulate data collection and sharing. There are multiple concerns to be balanced in this process – the ability of businesses with large data sets to better serve customers, entry barriers to new business with access to comparatively smaller data sets, and increased consumer dependency on a limited set of players. The CCI’s recent order could be indicative of its recognition of these concerns and its intention to take a more interventionist approach where it believes that user data is being exploited in a manner that creates entry barriers or otherwise adversely impacts competition or consumers’ interests.


SPACs: A ReNew-ed Interest in US Listings

In 2020, over $80 billion was raised in the US from more than 200 SPACs (special purpose acquisition companies), with SPAC IPOs comprising over 50% of US IPOs. While Indian laws have been amended to facilitate cross-border mergers, regulatory and taxation challenges restrict the ability of the parties to efficiently merge an Indian company with the SPAC. The parties’ objectives could therefore be met through externalisation and structuring within the scope of Indian regulations. Apart from the regulatory and taxation challenges involved in a US listing through the SPAC route, Indian companies should also be prepared for compliance with a stringent governance, internal controls, accounting and disclosure regime. Several Indian technology companies have plans to go public. It remains to be seen how many will opt for the SPAC route, which has increasingly emerged as an attractive option for companies around the world particularly in the technology and ESG sectors. In the meanwhile, the SPAC alternative could also well be explored by Indian regulators as a route for listing in India with appropriate safeguards.


Defining Control: Future Retail vs. Amazon

The recent interpretation of “control” by the High Court of Delhi in a litigation between Future Retail and Amazon has once again focused attention on the perennial question of what constitutes control. As described in more detail in the note, this question cannot be considered in abstract; it must be considered in the context of a specific legislation or policy and the objective it seeks to achieve. The relevant provisions of the FDI policy, which provide the context in this case, may not have been correctly appreciated.


COVID-19: Implications on the Data Protection Framework in India

The outbreak of COVID-19 and its development into a pandemic has led governments across the world to take extraordinary measures to protect their residents. The Central Government and various State Governments in India, along with public-health authorities, not-for-profit organizations and corporates, are collecting, tracking, and using information about individuals to slow down the spread of COVID-19; however, since a large proportion of such information could be categorized as ‘personal data’ or ‘sensitive personal data’ its use is subject to the data protection laws in India. It is, therefore, essential that a balance is struck between an individual’s right to privacy and public interest at large. Separately, as a result of the COVID-19 pandemic, corporates are also required to implement aberrant measures to safeguard their employees and extended workforce. In this regard, the collection of personal data by corporates will need to be undertaken in compliance with the requirements of data protection laws in India.

This note discusses the use of technology platforms by the Government of India to curtail the spread of COVID-19 and the obligations of corporates in India in relation to their employees or business, in each case, in the context of the legal framework for data protection in India.


The Personal Data Protection Bill, 2019

The Personal Data Protection Bill, 2019 (“PDP Bill”), which was presented before the lower house of the Indian Parliament on December 11, 2019, seeks to provide for the protection of personal data of individuals and establish a Data Protection Authority. The PDP Bill has been referred to a joint select committee of both the houses of the Indian Parliament, which is expected to submit its report in early 2020. Accordingly, there may be changes to the PDP Bill based on the recommendations of the joint select committee. Once enacted, the PDP Bill will replace Section 43 of the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 and prevail over any other inconsistent laws in this regard (e.g., any sector-specific laws). This note provides an overview of the PDP Bill