The Data Cartel: Unmasking Anti-Competitive Practices Through the Lens of India’s Digital Regulation
A. Introduction
WhatsApp’s Terms of Service and Privacy Policy update (‘The policy’) was rolled out in 2021. It raised serious concerns regarding data privacy and anti-competitive practices, which led the Competition Commission of India (CCI) to take suo motu cognizance of the update on January 19, 2021, and initiate an investigation. Following this, WhatsApp assured that it would not limit functionality for users who had not accepted the update until a data protection law was implemented. The CCI considered the investigation report and the issues at hand in its order dated November 18, 2024, found WhatsApp in violation of Section 4(2) of the Competition Act, 2002, imposed a monetary penalty of Rs. 213.14 Crores on Meta, and barred WhatsApp for five years from sharing user data collected on its platform with other Meta Companies or Meta Company Products for advertising purposes, directing compliance within three months. Aggrieved by this order, WhatsApp and Meta approached the National Company Law Appellate Tribunal (‘NCLAT’) in January 2025. In accordance with the Digital Personal Data Protection (‘DPDP’) Act 2023, NCLAT ordered the five-year prohibition to be lifted.
This article critically analyses the effectiveness of the DPDP Act in resolving the issues presented in this case. It contends that the DPDP Act might not adequately address the anti-competitive conduct highlighted by the CCI. In addition, it discusses whether the proposed Digital Competition Bill (‘DCB’) can offer a more effective mechanism to prevent dominant digital platforms from using data policies to their benefit.
B. Key Issues
The prima facie contention concerning the policy is that it contravenes Section 4 of the Competition Act by gaining an unfair advantage using collected data. Data is an important aspect of data protection laws from the point of view of securing individuals’ privacy rights. However, competition law goes beyond personal rights and views data as competition-sensitive. Globally, the question of whether data privacy should be a concern within antitrust emerged initially in the Google/DoubleClick merger in 2007; however, the idea was rejected. The Facebook (Meta Platforms) case brought a shift when the Court of Justice of the EU (CJEU) emphasized that excluding data considerations from competition assessments would ignore the economic reality of digital markets and undermine the effectiveness of competition law. In India, the present case introduced this debate. In this context, it is important to recognize that “user data” in digital platforms encompasses not just personal data but also anonymized and aggregated data, which may not always align with traditional definitions of personal data.
This broader view is crucial when analysing data-related competition concerns in digital markets. WhatsApp’s policy violates data protection and competition law in three significant ways. The three main issues in the policy highlighted in the November 2024 order were the lack of choice for users in accepting the policy, excessive data collection, and sharing of data across various Meta platforms.
Firstly, a lack of choice means that users either must accept the policy or stop using WhatsApp. WhatsApp is a dominant player in messaging apps, and as a result, many people use WhatsApp for various purposes. This has an element of compulsion and imposition of the intermediary’s dominant position in the market. The policy disregards the users’ legitimate expectations to decide how their data would be collected and used. This is unfair because it undermines users’ trust and deprives them of the right to choose.
Secondly, although some core data is required to provide messaging app services, location and data collected by cookies are not required to provide messaging app services. Furthermore, data collected by businesses, such as users’ interactions with businesses, third-party collected data, and images, videos, metadata, and orders by business users, are simply not required to provide messaging services and are out of proportion to the services delivered. Further, businesses implementing the Business API must have a Meta Business Manager Account, and a Facebook profile is required to create one. When a business opens a Facebook profile, Meta collects data from these businesses under its own data policy, such as cookie data, data collected from third-party services, etc., which is not required to offer its messaging services. The policies’ language is open-ended, broad, and imprecise, depending on the use of words like “includes,” “such as,” and “for example.” This leads to ambiguity about what particular categories of data are being gathered and shared. Terms like “service-related information,” “mobile device information,” and “interactions with others” are vague, allowing for broad interpretations.
Thirdly, sharing data across Meta platforms helps in online display advertising. It improves other Meta products, recommends content, tailors advertising, enhances integration across Meta products, etc. Such practices contradict users’ reasonable expectations regarding data usage, as they extend beyond the limited context of service provision. Consequently, the data sharing scheme raises concerns about whether users are fully informed about how their personal information is utilized across multiple platforms within the Meta network.
Thus, these practices violate the Act: the collection of massive user data and the sharing of data between Meta companies act as an entry barrier to new entrants, resulting in denial of market access in contravention of the provisions of Section 4(2)(c) of the Act; and the conduct of leveraging its dominant position in the market for OTT messaging apps to protect its market share in the online display advertising market is tantamount to violating the provisions of Section 4(2)(e) of the Act.
C. Misplaced Reliance on the Digital Personal Data Protection Act
The recent order contemplated revisiting the matter once the DPDP Act is enforced. However, a closer examination of the Act reveals that it fails to resolve these issues clearly.
1. Lack of Choice
Section 6 of the DPDP Act outlines the principles of consent; it states that consent given by the Data Principal shall be free, specific, informed, unconditional, and unambiguous. Similarly, Section 7 introduces the concept of deemed consent, which means that companies or data fiduciaries may use data provided to them by Data Principals for purposes not explicitly known to the Data Principals, and consent would be deemed to have been taken. However, it is limited to only certain legitimate uses mentioned in the Act. While these provisions establish a framework for obtaining valid consent, they fail to account for consent given under influence. For consent to be genuine, it must be voluntary and based on fair options. Without fair choices, the consent of the Data Principals is meaningless. Therefore, while the DPDP Act ensures that consent is “free,” it ignores whether the options available for consent are “fair.” In the present context, even if users formally agree to the policy, their consent is significantly influenced by the platform’s dominant role in the market and their dependence on its services.
This creates a situation of duress, which means that one party exerts improper pressure on another party, leaving them with no choice but to enter into an agreement. This absence of a realistic alternative constitutes duress. This policy, in particular, is problematic because it comes with two extremes: firstly, extreme data collection, and secondly, an extreme choice presented: take it or leave it. The repercussions of choosing or not choosing are extremely high and economically problematic, considering the base of WhatsApp users in India, not just in urban areas but also in rural areas.
This situation amounts to economic duress, not mere commercial pressure, for the following reasons: (A) Alternatives like Telegram may be helpful for personal usage but are not equally effective for business usage due to WhatsApp’s dominance and network effects. Even if one user switches, most of their contacts remain on WhatsApp, rendering the alternative practically useless. Thus, as Chitty on Contracts notes, a threat to end an existing contract when no real alternative exists may constitute duress; (B) Many users expressed dissatisfaction with the policy, some left WhatsApp, and others drastically reduced usage, clear signs of protest rather than genuine consent; (C) In Occidental v. Skibs A/S Avanti [1976][1], the court held that agreements made under threat of contract termination are voidable for duress. WhatsApp’s “accept-or-lose-access” model reflects such coercion; (D) Even if duress isn’t conclusively proven, WhatsApp’s conduct violates Section 4 of the Competition Act, 2002 by abusing its dominant position. Since agreements that violate the law are also contrary to public policy under Section 23 of the Indian Contract Act, 1872, such terms may be void on that ground as well. A lack of choice may be acceptable when data is essential for core functions, like login details, or when only minor features are affected, but it’s unjustifiable when non-essential data is involved for all services.
Thus, the users accept WhatsApp’s policy not out of genuine free will but to protect their commercial and personal interests. By relying solely on the concept of consent as a protective mechanism, the Act overlooks the broader implications of economic duress and public policy, such as the commercial interest of other messaging services. Since the Act focuses on protecting personal data, reliance on it is misplaced when data is business and competition-sensitive. The main problem arises from the fact that in Indian jurisprudence, the concept of undue influence takes precedence over duress. However, courts have recognized economic duress in light of public policy. In State of Rajasthan & Anr. v. Dr. Kantesh Khetani & Ors, the division bench agreed with the single judge’s reasoning where he held that transactions, which are unfair and unconscionable and caused by economic duress, cannot bind the petitioners, even if they were not under undue influence or coercion.
Addressing this issue would require a more expansive interpretation of Sections 6 and 7, not only with respect to the meaning of free consent relating to personal data but also with respect to fair terms and public policy at large.
2. Unfair Data Collection
The DPDP Act lacks explicit provisions for defining and assessing the legitimacy of a “specified purpose” for data collection. While Section 6 mentions “specified purpose”, Section 2(za) merely defines it as the purpose stated in the notice given by the Data Fiduciary to the Data Principal. However, the Act does not address whether the stated purpose is legitimate, whether the data collection is necessary for that purpose, or whether a less intrusive alternative exists. The Act vaguely mentions the principle but fails to make it a reality, which leads to excessive data collection. As a result, the determination of these critical factors falls solely on judicial interpretation, creating uncertainty in data protection enforcement.
An explicit provision is necessary to define specified purposes clearly and to assess their legitimacy. For instance, users’ location data is often collected for area-based advertising, yet users remain unaware that their data is being used for such commercial purposes. The Purpose Limitation principle in international data protection frameworks, such as the General Data Protection Regulation (GDPR), mandates that personal data should only be collected for specified, explicit, and legitimate purposes and not further processed in ways incompatible with those purposes. This principle ensures transparency and accountability in data collection.
Moreover, although users are informed about the sharing of their personal data in section 11 of the DPDP Act, there is no restriction to minimize such data sharing practices. This enables WhatsApp to share data within the Meta group for purposes beyond providing their primary services, thus monetizing user data in a fashion that has nothing to do with the messaging services of the platform.
Another major concern is that in order to accept a particular data-sharing policy, an individual does not just violate their personal privacy, but also has the chance of losing the privacy of some other individual whose information may be associated with them. That risk within the network illustrates the inadequacies and even the dangers connected with the overcollection of information. Such uncontrolled collection of data makes individuals not only susceptible to manipulation but also undesirably exposed to dangers without legal barriers to control such actions. Consequently, it is imperative to reinforce the DPDP Act with clear criteria on the need, the legitimacy and the proportionality for any collection of information.
D. Digital Competition Bill: Addressing Anti-Competitive Practices in Digital Markets
The limitations of the Act become pertinent when the complex interplay between data privacy and competition is considered. Given that “user data” encompasses both personal and aggregated data, it becomes evident that the Act cannot adequately address how dominant platforms leverage user data to stifle competition and maintain monopolistic practices. Therefore, it is essential to implement and pursue the Digital Competition Bill (DCB), which draws inspiration from the European Digital Markets Act (DMA) and is designed to specifically address anti-competitive practices in the digital ecosystem.
The DCB aims to empower regulatory authorities like the CCI with tools to proactively manage and regulate digital markets and data, which in this digital market is termed the “New oil” or “New gold”. Unlike the DPDP Act, which reacts to privacy violations after they occur, the DCB adopts a forward-looking approach that includes ex-ante regulations to prevent anti-competitive behavior before it takes root. This approach marks a significant shift in Indian Competition Law, as it enables regulators to intervene proactively, addressing potential harm in digital markets before it materializes, rather than waiting for abuse to occur and then acting retrospectively. This becomes particularly crucial in digital markets, where the rapid pace and network effects can lead to irreversible market tipping and entrenched dominance if not addressed in time. The DCB has introduced a myriad of provisions, such as those on anti-steering and on tying and bundling, that seek to enable regulators to investigate and mitigate practices such as data monopolization, self-preferencing, and abusive conduct by dominant platforms. It specifically targets the Systemically Significant Digital Enterprises (SSDE), which are defined as companies that hold substantial market power, while settling the question of CCI’s jurisdiction over digital market conduct. Notably, Section 14 of the draft bill specifically prohibits “Anti-steering” practices by preventing SSDEs from restricting business users or consumers from accessing alternative offers or channels, thus ensuring fair competition. The Bill, as per Section 13, also bars SSDEs from restricting the use of third-party applications on their core digital devices, which allows users greater freedom and choice in the digital ecosystem.
Additionally, Section 15 restricts tying and bundling practices, so SSDEs cannot force or incentivize users to use other products or services as a condition for accessing a core digital service, thereby curbing exploitative leveraging of dominance. This ensures that competition issues are addressed comprehensively and efficiently while providing a structured framework for regulating behaviors that can potentially harm market dynamics or consumer welfare. These provisions thereby ensure fair choice to consumers and provide a way out of the ‘take it or leave it’ policy. Further, the bill imposes strict limitations on how SSDEs can collect, use and share data, as it forbids the use of non-public data obtained from business users to compete against those users, thereby protecting sensitive business information from exploitation, which is in line with public policy. Though the bill lacks provisions on protecting personal data, which can be competition-sensitive, it can still be developed, considering it is in the nascent stages of development.
NCLAT’s decision to stay the CCI’s order regarding WhatsApp was influenced by several key contentions that reflect the complexities of regulating digital platforms. Firstly, the tribunal expressed concerns about the potential impact on WhatsApp’s business model if a five-year ban on data-sharing practices were enforced. It highlighted that such restrictions could lead to irreparable harm not only to WhatsApp but also to its extensive user base in India, which exceeds 500 million users. Additionally, the NCLAT criticized the CCI for relying on insufficient evidence regarding the actual anti-competitive effects of the practices.
However, the DPDP Act lacks provisions to balance consumer privacy with the economic realities of Digital Platforms. The DCB, in contrast, as per Chapter III allows regulators to impose tailored remedies that address anti-competitive behaviour without jeopardizing business models. For instance, rather than a blanket ban, the DCB could mandate transparency in data-sharing practices or impose conditions that ensure fair competition while allowing businesses to operate sustainably. Moreover, it permits conditions ensuring fair access to basic services or information, precluding dominant operators from practicing restrictive behaviour and favouring small competitors. This model acknowledges the range of requirements of industries and business models, allowing regulators to develop sectoral solutions. By emphasizing both fair competition and business flexibility, the DCB achieves a balance between countering anti-competitive issues and providing a healthy digital environment in which consumer interests and economic expansion can harmoniously coexist.
DCB also requires a prospective analysis of market power and anti-competitive impacts. This method gives regulators the power to examine practices like bundling, where two or more products or services are sold together, or self-preferencing, where platforms prefer their own products or services over others. While these tactics increase consumer value or simplify operations, they can also raise barriers to competitors or harm consumer welfare by limiting choice. By requiring a thorough analysis, the DCB guarantees that regulatory measures are both specific and proportionate by targeting actual competitive harms without inhibiting legitimate business innovation.
It also fairly addresses the jurisdictional concerns by clearly defining SSDEs and granting exclusive jurisdiction to the CCI over their market conduct as per Section 19 of the draft DCB. This clarity ensures that competition-related issues are addressed comprehensively without conflicting with privacy laws.
E. Recommendations
To properly fill gaps in regulating digital platforms, it is important to hasten the legislative process for the DCB. Accelerating it will allow regulators to apply required actions against anti-competitive conduct more quickly. Moreover, thresholds for detecting SSDEs need to be streamlined to prevent startups from being unnecessarily burdened while still detecting dominant market players. Additionally, covering the non-public data of end users along with that of business users should also be considered. Developing inter-regulatory guidelines can also assist in harmonizing the efforts of the CCI and data protection authorities to avoid overlaps and ensure that both consumer privacy and competitive fairness are maintained. Concurrently, the DPDP Act needs to adapt to deal with the threats of dominant intermediaries. In addition to the free consent principle, public policy concerns must be incorporated to safeguard users from undue influence and coercive behaviour that takes advantage of their reliance on these platforms. For example, platforms often use complex or opaque language in their terms of service, which creates fatigue and pressures users into agreeing without understanding the implications. Public policy measures could mandate simplified, user-friendly consent processes and prohibit manipulative tactics that nudge users toward providing consent against their better judgment.
Moreover, platforms should also be mandated to use simple language rather than vague terms like “improving user experience”, clearly stating whether data will be used for targeted advertising, algorithmic personalization, or shared with third parties. This clarity empowers users to make informed decisions and establishes a legal basis for holding intermediaries accountable for deviations from stated purposes, with regulators enforcing strict penalties for non-compliance.
F. Conclusion
It can be concluded that WhatsApp’s Privacy Policy case has underscored the urgent need for a comprehensive regulatory framework to address the intersection of data privacy and competition law in India. While the DPDP Act is a step forward, it has proved to be inadequate in specifically addressing the anti-competitive practices of dominant players like WhatsApp. The proposed DCB, on the contrary, presents a proactive scheme with ex-ante regulations and custom-fit remedies to avoid monopolistic practices while ensuring fair competition. It is now the need of the hour to expedite the implementation of the DCB and streamline its provisions in order to protect the rights of users and develop a harmonious digital ecosystem, since this two-pronged strategy can help ensure that consumer privacy and market competition co-exist in the fast-changing digital environment.
[1] Occidental Worldwide Investment Corp v Skibs A/S Avanti (The Siboen and the Sibotre) [1976] 1 Lloyd’s Rep 293
*The authors are third year students at RMLNLU.