By Shravya Devaraj and Rohit Gupta*



In 2019, the German Bundeskartellamt (Federal Cartel Office, hereinafter “German FCO”)[1] rendered the first decision[2] linking data protection with competition law. The German FCO made two main observations that have driven competition authorities to reconsider the factors influencing anti-competitive behavior in digital markets. First, it held that voluntary consent for processing information from third parties could not be assumed merely because consent is a prerequisite to accessing the services of Second, data collected by services owned by Facebook (now Meta), like WhatsApp and Instagram, cannot be combined with Facebook and processed without the users’ voluntary consent. These observations bear an uncanny resemblance to the recently announced Competition Commission of India (hereinafter “CCI”) investigation against WhatsApp.[3] The 2021 privacy update[4] by WhatsApp negates the “voluntary” consent requirement by predicating access to the services solely on the acceptance of its new privacy policy. Further, the update introduced the combining of data collected through WhatsApp with other Facebook companies for marketing and advertising.

To contrast the two decisions, the German FCO was guided by Article 6(1)(f) of the General Data Protection Regulation (GDPR)[5], whereas the CCI investigation is spearheaded by WhatsApp’s conduct in unilaterally denying consumers the “opt-out” option, which constitutes a potential abuse of dominance. In this piece, I aim to analyze the contours of antitrust scrutiny within the realm of privacy policies, specifically analyzing the role of consent in the CCI investigation.


Digital platforms collect and monetize data through a direct subscription model (e.g., Spotify), by using collected data to tailor products directly to users (e.g., Amazon), or by selling targeted advertisements[6] (e.g., Facebook and Google Search). Social media companies like WhatsApp and Instagram also monetize by selling advertisements. Since these products are free platforms, they are called zero-price platforms.[7] The companies use the data they collect when users access their services to generate inferences about consumer preferences and behavior.

In competitive markets, companies compete fiercely for data and use this data to improve the quality and efficiency of goods and services. Since access to zero-price platforms is predicated on the data collected by companies, a lack of data can prevent companies from offering goods and services at competitive levels. This makes these companies less likely to survive in data-driven markets, leading to decreased competition. Courts[8] have previously recognized the role of data privacy as a significant factor of quality, hence an important parameter in analyzing anticompetitive behavior.[9] The value of data collected by zero-price platforms is not limited to the ad-tech industry; it extends to the company’s potential to use the data to innovate and its ability to increase barriers to entry for new companies entering the market.

Further, zero-price platforms have forced competition regulators to revisit whether the absence of “data” within the competition law framework definition should preclude the basis for such investigation. For instance, the Competition Law Review Committee in India found that including data within the definition of price to tackle digital markets was unnecessary, since the current definition of price, which encompasses “every valuable consideration, whether direct or indirect,” is wide enough to encompass any kind of consideration that has a bearing on a service or product.[10]

The relationship between privacy policies and competition law is not mutually exclusive. In the digital market, data substitutes for price, and the value and contribution of user data to the market prowess of companies are undeniable. For instance, Japan adopted guidelines to include the collection of personal data without consent as a violation of the Japan Anti-Monopoly Act.[11]


A growing sense of reckoning for consumers’ privacy and data protection has influenced conscious privacy policy frameworks. Firms compete by increasing the level of privacy protection through data minimization, storing personal data for shorter time periods (storage limitation), providing clear, precise, and understandable privacy policies (transparency), deploying PETs (data security & privacy by design), and implementing protective privacy features by default.

For instance, Google introduced alternatives to third-party data collection by Tools AI and federated learning of cohorts (FLoC).[12] However, the Competition and Markets Authority (UK’s competition regulator, hereinafter “CMA”) launched an investigation into these privacy policy changes by Google, called the Google Sandbox investigation.[13] The CMA is primarily concerned about the changes resulting in anti-competitive practices where Google would retain the ability to track individual web users on Chrome while the effective implementation of the Privacy Sandbox Proposals prevents third parties from doing the same. The close involvement and interventions of the CMA to ensure that Google’s proposals to implement the Sandbox Proposal on Android do not distort market competition are a digression from competition regulators resorting to ex-post regulatory actions.[14] Another example is Apple’s change in its privacy policy, which has made it harder for third-party apps to collect data by introducing an enhanced notice and consent mechanism[15] based on user opt-in but exempting its own apps from the requirement, leading to potential self-preferencing conduct, especially since third-party applications continue to pay Apple a 15-30% fee.[16] Hence, privacy policies have formed an essential component in influencing competition law determinations.

In India, the WhatsApp investigation has presented an opportunity for competition regulators to determine the role of privacy in influencing anti-competitive behavior. The recent CCI Telecom Report[17] also presented abusive conduct illustrations, including a low privacy standard. This implies a lack of consumer behavior, lower standards of data protection, which could indicate exclusionary behavior, and leveraging a data advantage across various services.


Unlike Europe, India does not have exhaustive data protection guidelines. The current Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (hereinafter “SPDI Rules”)[18], and the Information Technology Act, 2000[19] (hereinafter “IT Act”) are insufficient to provide a legal basis for initiating anti-trust scrutiny through an exploitative privacy policy angle. They only provide broad compliance requirements for the collection of sensitive personal data. Instead, the WhatsApp CCI investigation finds that data-sharing by WhatsApp with Facebook amounts to the degradation of non-price parameters of competition. This conduct prima facie amounts to the imposition of unfair terms and conditions upon the users of WhatsApp.

The CCI previously investigated WhatsApp in 2016[20] and 2020.[21] The 2016 investigation resembles the current investigation since it involved a change in WhatsApp’s privacy policy.[22] The change in its policy allowed data sharing between WhatsApp and Facebook, though it allowed users to opt out of this data sharing within thirty days. In 2016, the CCI decided against abuse of dominance since the ‘opt-out’ made data sharing optional, and there were legitimate purposes for sharing the data with Facebook-owned companies.[23] The legitimate purposes included using the data for improving user and product experience and overall cyber security. However, the German FCO held that these exact reasons for sharing data were incompatible[24] since they did not ultimately lead to Facebook’s interest in processing data according to its terms and conditions outweighing user interests.

Some researchers argue that the 2016 and 2020 CCI investigations established an ‘implicit’ and ‘explicit’ user choice standard for determining unfairness.[25] The implicit element constitutes the user’s ability to opt out of data sharing without limiting their access to the service, while the explicit standard implies taking away additional choices that would have otherwise been available to users, resulting in an unfair imposition on users. The 2021 policy is in contravention of both these standards and thus provides a sufficient basis for the CCI to decide against WhatsApp. However, establishing anti-competitive behavior only on the competition regulator’s user choice standard of consent limits the commission’s analysis of the repercussions of exploitative privacy policies to consent-based findings. This lets the far-reaching implications of privacy policies that might impose unreasonable time limits for storing and collecting data for vague purposes slip between the cracks, especially if they merely fulfill the voluntary consent requirement.


In India, the scope for including privacy considerations is limited in the competition law legislative framework. The need of the hour is implementing robust data protection principles that have been envisaged in the 2021 Data Protection Bill. Further, addressing the collection of data that contributes to the unequal bargaining power of big tech companies might require an explicit inclusion of such provisions. Hence, instead of data protection standards playing catch up with the competition regulator’s findings, a clear framework for handling data with guidelines on formulating privacy policies will address the lacunae in the existing privacy law framework. Besides directing companies towards adopting better privacy policies, it would also facilitate anti-competitive behavior analysis. Having recognized the intersection of privacy policies and competition law, this article offers insights into the current CCI investigation and the impact of framing privacy policies on anti-competitive behavior. There are significant international differences in approaches to data protection and competition policy, and competition authorities worldwide differ in their mandate and the scope of their competition laws. Thus, applying global best practices in framing privacy policies will harmonize the application of legislative provisions specific to jurisdictions.


* Shravya Devaraj and Rohit Gupta are final year law students at West Bengal National University of Juridical Sciences, Kolkata.

[1] The German FCO is Germany’s national competition regulatory agency.

[2] Bundeskartellamt v. Facebook, Case KVR 69/19 (June, 2020).

[3] Re: Updated Terms of Service and Privacy Policy for WhatsApp Users, Suo Moto Case No. 01 of 2021.

[4] We updated our Terms of Service and Privacy Policy on January 2021, (January 2021)

[5] Processing shall be lawful only if and to the extent that at least one of the following applies:

processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

[6] Lina M. Khan, Amazon’s Antitrust Paradox, 126 YALE L. J. 564 (2017).

[7] Maurice Stucke, Allen Grunes, Big Data and Competition Policy, Oxford University Press (2016).

[8] Case No. AT.40684.

[9] CMA investigates Facebook’s use of ad data, (June 4, 2021),

[10] Ministry of Corporate Affairs, Report of Competition Law Review Committee, (July 2019),

[11] Japan Fair Trade Commission, The Guidelines for Exclusionary Private Monopolization under the Antimonopoly Act, (2009).

[12] Federated Learning of Cohorts (“FLoC”),

[13] Competition & Market Authority, Investigation into Google’s ‘Privacy Sandbox’ browser changes, (2021).

[14] Case Number 50972, Decision to accept commitments offered by Google in relation to its Privacy Sandbox Proposals.

[15] Legal Process Guidelines, Government of Law and Enforcement,

[16] Epic Games, Inc. v. Apple Inc., 559 F. Supp. 3d 898 (N.D. Cal. 2021).

[17] CCI Workshop on Competition Issues in the Telecom Sector in India (February 2021).

[18] Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, (2011).

[19] The Information Technology Act, (2000).

[20] In Re: Shri Vinod Kumar Gupta and Whatsapp, Case No. 99, (2016).

[21] In Re: Harshita Chawla and Whatsapp Inc., Facebook Inc., Case No. 15, (2020).

[22] In Re: Shri Vinod Kumar Gupta and Whatsapp, Case No. 99, ¶14, (2016).

[23] In Re: Shri Vinod Kumar Gupta and Whatsapp, Case No. 99, ¶15, (2016).

[24] Bundeskartellamt v. Facebook, Case KVR 69/19, (June, 2020).

[25] Centre for Internet & Society, The Competition Law Case Against WhatsApp’s 2021 Privacy Policy Alteration (March 2021),
