Introduction

The Competition Commission of India’s recent decision in the WhatsApp case highlights the complex intersection of data protection and competition law. While data protection law restricts data exploitation to safeguard privacy, competition law addresses the impact of data driven advantages on competition. This article examines the above case and explores the approach to balance these competing interests by answering the following three questions: To what extent can competition law effectively address privacy concerns?; Can the consent under data protection law be meaningfully exercised in respect of dominant enterprise?; How does competition law address the exploitation of data driven advantages by dominant enterprises that undermine user decision rights?

Background

Technology has transformed lives with 'free' digital services, but every click leaves behind behavioural footprints that companies use to create consumer profiles. These profiles, built through cookies, are sold to advertisers, enabling personalized offerings but raising concerns about the use of sensitive personal data without explicit consent. Such practices may not only challenge data protection regulations but can also impose unfair conditions that distort competition and limit consumer autonomy.

Analysis

CCI’s order in WhatsApp case highlights how competition law can address privacy concerns when companies use personal data for a competitive edge. The assumption that better privacy practices boost competition is undermined when dominant firms use data control to prevent user switching. If a dominant company like WhatsApp with no competent rivals offers poor privacy protections and shares data with parent company Meta, then consumers and advertisers may lack alternatives. Given Meta’s significant financial resources and data collected from its ecosystem, it can unilaterally use it for advertising purpose which can make it harder for rivals to compete and consumers to truly opt out, creating a “lock-in” effect. Therefore, restraining the companies’ excessive data collection practices is crucial. To address this concern, the European Commission in Google/Fitbit case mandated a data silo commitment to keep Fitbit’s user data separate from Google’s advertising ecosystem.

CCI’s order was challenged before the NCLAT, claiming that it overstepped its jurisdiction by relying on potential effects rather than actual anti-competitive conduct and a stay was sought on the five-year ban. NCLAT granted partial relief, suspending only the data-sharing restriction for advertising, while upholding other directions. The stay was contingent on payment of 50% of the penalty within two weeks. The NCLAT’s interim order underscores a troubling trend of prioritizing corporate interests over consumer privacy, despite Meta's ability to adopt alternatives like zero-knowledge advertising or contextual advertising to reduce extensive data processing. While content personalization offers benefits, it’s not essential for core services. This raises a critical question: Does WhatsApp users reasonably anticipate or consent to such extensive data collection?

WhatsApp's claim that users were notified and largely accepted the policy overlooks a fundamental limitation of the notice and consent model, which lacks effective privacy safeguards. When privacy risks erode both consumer autonomy and fair competition, regulatory intervention becomes essential to uphold market fairness and safeguard user rights. The CCI decision sets a precedent for intervention based on potential competitive harm. Further, privacy harms may not align with traditional competition law framework but can qualify as consumer harm when they impact service quality. CCI ruled that compliance with existing data protection laws does not shield big tech under the Competition Act from anti-competitive violations arising from data exploitation (Para 248).This concern is exacerbated when privacy violations result in consumer harm.

Freedom and validity of user consent

Consent is one of the lawful grounds on which personal data processing has to be based. It must be free, specific, informed, unconditional, unambiguous, and should signify an agreement to process only necessary data for a specified purpose. However, a company's market dominance can undermine the voluntariness of such consent. Often, broad and opaque privacy policies allow companies to collect and exploit data without informed user consent, granting them unchecked power to acquire rights without bargaining.

In WhatsApp’s case, consent was bundled into non-negotiable terms of its privacy policies, leaving users with little real choice. Even with consent, collecting and sharing unnecessary personal data remains fundamentally unjust. Users surrender their data for free under restrictive terms that stifle their choices, deepening market power imbalances. Reclaiming control over data and protecting individual’s informational privacy is thereby fundamental to restoring user sovereignty. Shoshana Zuboff emphasizes how tech giants, like in the WhatsApp appeal, oppose privacy protections to preserve the free flow of behavioral data. She draws attention to the "knowledge asymmetry," where companies have deep insights into users, while users remain unaware of their data use, forcing them to sacrifice privacy for basic digital services.

The Court of Justice of the European Union in the Meta case, affirmed that a catch-all consent is deemed unfair under Art 102 and their validity can be questioned. They ruled that national competition authorities can assess the General Data Protection Regulation compliance but must cooperate with supervisory bodies. The European Union's consent guidelines also help to ensure data protection compliance, putting an obligation on data controllers to find new legal solutions to protect personal data of users. While India lacks such specific guidelines or regulations on consent and calling out cookies, its approach aligns with EU standards, suggesting that a similar framework may emerge over time, given the progress in WhatsApp case.

Conclusion

Competition law can effectively address privacy concerns by recognizing privacy as an integral component of product quality. Compliance with existing data protection laws does not exempt dominant enterprises from anti-competitive behaviour. When privacy harms affect consumers, it constitutes competitive harm, providing a basis for competition authorities to intervene and maintain fair market dynamics.

Free consent cannot be given to dominant enterprises with significant market power, as users often face a "take-it-or-leave-it" choice. This power imbalance undermines voluntariness, making consent illusory and requiring regulatory intervention. By addressing anti-competitive practices and balancing privacy interests through other mechanisms like data siloing, data pooling, and data sandboxing, competition law can protect consumer choice and foster innovation.

The CCI's efforts to curb big tech firms’ dominance by promoting informed consent and transparent privacy policies are a positive step. However, the NCLAT's interim order to overturn the ban without considering Meta's ability to adopt alternative solutions raises concerns about user autonomy.

Aditi Jaiswal is a Ph.D. Scholar at NLU, Delhi and a Research Intern at the Centre.