Antitrust Probe into WhatsApp’s New Privacy Policy: What does the CCI have to say?

Posted on May 3, 2021

Co-authored by Melita Tessy & Vivek Basanagoudar*

WhatsApp Has Updated Its Terms And Privacy Policy: Here's Why You've Been  Receiving Prompts - Tech
Image source: Mashable India

Introduction

WhatsApp has over 2 billion users worldwide and is used in over 180 countries, making it the world’s most popular messaging app. With over 400 million users, India is WhatsApp’s biggest market. In January this year, WhatsApp released its new privacy policy (“the 2021 update”) which is scheduled to take effect from May 15th. This policy applies to non – European Region countries which are not governed by the General Data Protection Regulation (“GDPR”). WhatsApp has explained that in order for users to have access to the functionality of the app, they have to accept the new terms. The new policy gives WhatsApp the right to share user data such as phone number, IP address and payment related data on the app with Facebook and other Facebook owned companies like Instagram. Data including messages generated from customer-business interaction on WhatsApp will also be used by Facebook to advertise to the said customer on Facebook.[1] The new policy has faced severe backlash from critics as well as members of the general public who are concerned for the privacy and security of their data. The data breaches that have occurred on Facebook in the recent past have only heightened this concern.

In addition to the above-mentioned privacy concerns, the new policy has also given rise to antitrust concerns in India. These concerns have been dealt with by the Competition Commission of India (“CCI”) under the provisions of the Competition Act (“CA”), 2002. In this article, the order passed by the CCI is examined and analysed. 

The CCI and WhatsApp’s New Privacy Policy: Background and Issues

According to the CCI, its role in a data driven ecosystem is to examine “whether the excessive data collection and the extent to which such collected data is subsequently put to use or otherwise shared, have anti-competitive implications, which require antitrust scrutiny”. In light of the said role, the CCI took suo moto cognizance of the antitrust issues surrounding WhatsApp’s new privacy policy in the case of Re: Updated Terms of Service and Privacy Policy for WhatsApp Users. In this antitrust investigation, the CCI sought to examine whether the privacy policy updates issued by WhatsApp have any competition concerns which are in violation of the provisions of Section 4 of the CA. Since the privacy policy had been publicly released and the users were already getting prompts for acceptance of updated terms, the CCI acknowledged that it “is obligated to ‘prevent’ practices having adverse effect on competition”.

In this vein, both WhatsApp and Facebook were arrayed as opposite parties in the case. The CCI observed that while WhatsApp’s previous privacy policies gave users the option to choose whether or not they would like to share their data with Facebook, the latest update made the said data sharing mandatory. CCI, dismissing Facebook’s contention that it is a distinct legal entity from WhatsApp, observed that since Facebook was a direct and immediate beneficiary of WhatsApp’s new policy update, it cannot feign ignorance regarding the possible impact of the said updates altogether.

WhatsApp and Facebook had earlier been the subject of other antitrust investigations as well; such as, in Vinod Kumar Gupta v. WhatsApp Inc., WhatsApp and Facebook were accused of indulging in the practice of predatory pricing by not charging any subscription fee from its users in violation of the provisions of Section 4 of CA, 2002. They were also accused of abusing their dominant position in the relevant market by introducing a privacy policy that compelled users to share their account details and other information with ‘Facebook’. The CCI held that the privacy policy was not abusive since it had an opt-out option and also took the view that allegations of breach of the Information Technology Act, 2000 do not fall within its purview. WhatsApp used this observation to support its claims in the present antitrust probe. Similarly, in Harshita Chawla v. WhatsApp Inc, it was alleged that WhatsApp was abusing its dominant position in the market by providing in-app payment services. The CCI had dismissed the said allegation holding that issues related to data localization and data sharing need not be looked in under competition law.

Accordingly, in the present case, WhatsApp took up a similar plea that its recent privacy policy will be under the purview of information technology laws and not under the prevailing antitrust laws. WhatsApp also claimed that since its policy update dealt with data sharing, it did not fall within the purview of the CCI.

The CCI rejected the objection of WhatsApp based on the reasoning that they are free to examine the policy update from the viewpoint of competition law to ascertain whether WhatsApp’s new privacy policy is in violation of Section 4 of the CA for inter alia being exclusionary and exploitative, and having appreciable adverse effects on competition. Since WhatsApp is the most popular messaging app in India, it is in a dominant position. The CCI observed that in digital markets, extreme data collection can lead to an exclusionary effect on competitors. This aspect, therefore, comes under the purview of competition law.    

Prima Facie Concerns of Abuse of Dominance

Before addressing the prima facie concerns, it is imperative to note that WhatsApp, in response to certain clarifications sought by the CCI stated that the 2021 update, was required to share more information with users about how WhatsApp gathers, utilizes, and exchanges information and to remind users about how optional business messaging services function when those features become accessible to them. Furthermore, it was stated by WhatsApp that they continue to honour their 2016 update (“the 2016 update”) which allowed existing users to opt-out of sharing their WhatsApp account information with Facebook companies. The company clarified that it cannot access personal conversations due to their end-to-end encryption policy.

With regards to the prima facie concerns, WhatsApp submitted that there were no competition-based concerns that could have arisen from the 2021 update and the company requested the CCI to refrain from initiating an investigation. However, the CCI proceeded to examine the issue on merit and noted that it had previously established WhatsApp to be a dominant player in the ‘Over-The-Top (OTT) messaging applications via smartphones in India’ market and this was done in the Harshita Chawla case. It noted that, unlike the 2016 update, users were not given the option to opt-out, and the scope of data collected by the 2021 update was too wide and disproportionate. It includes, among other things, details about the user’s battery level, signal power, app edition, mobile operator, ISP, language, and time zone, system activity information, service-related information and identifiers, and the user’s position information, even if the user does not use location-related features.  

The CCI observed that details about how users “interact with others (including businesses)” aren’t specifically described, and what constitutes “service-related information“, “mobile device information“, “payments or business features“, and so on aren’t either. The CCI also noted that the policy’s list of data to be collected, which used terms like “includes“, “such as“, and “For example“, among others, was indicative rather than exhaustive, implying that the scope of sharing data may extend beyond the information categories that have been explicitly stated in the policy. The real data expense that a user incurs for using WhatsApp services is hidden by obscurity, ambiguity, open-endedness, and incomplete disclosures. It is still unclear from the policy whether users’ past data will be shared with Facebook companies, and whether data will be shared with respect to WhatsApp users who aren’t on Facebook’s other apps, such as Facebook, Instagram, and so on.

Users are often unlikely to expect their personal information to be exchanged with third parties unless it is for the specific purpose of delivering or enhancing WhatsApp’s service. However, it appears that the data sharing system is often intended to ‘customize’, ‘personalize’, and market’ the services of other Facebook Companies, based on the policy’s wording. Users generally have sovereign rights and power over decisions about sharing their personalised data in a competitive market. This is not the case for WhatsApp users, and there seems to be no justifiable explanation why they do not possess any influence or say over such cross-product data processing by mutual agreement rather than as a condition of using WhatsApp’s services.

WhatsApp users previously had such control over sharing of their personal data with Facebook, owing to a ‘opt-out’ clause in previous policy changes that was available for 30 days. However, they no longer possess such ability in the new update. As a result, if users choose to utilise a dominant messaging app, they must embrace the platform’s arbitrarily dictated “take it or leave it” terms in their entirety, including the data sharing provisions. Such “consent” cannot be interpreted as voluntary approval to any of the policy’s particular processing or use of personalised data. They have not been given adequate options to object to or opt-out of particular data sharing terms, which tends to be unfair and unreasonable for them.

After having considered the above matters, the CCI claimed that the conduct expressed by WhatsApp through its update was “neither fully transparent nor based on voluntary and specific user content” and this was claimed to be unfair to its users. The CCI also stated there was data concentration between the Facebook companies which posed to be a threat due to the degradation of non-price parameters of competition viz. quality which in-turn causes detriment to customers with no valid justification. Abuse of dominance by an individual with a dominant position in a relevant market is prohibited under Section 4 of the CA.  According to Section 4(2) of the CA, a company or a group is abusing its dominant position if it imposes unequal or discriminatory conditions in the prices of purchase or sale of goods or services; restricts or limits production of goods or services in the market; or restricts or limits technological or scientific advancement relating to goods or services to the detriment of others. The CCI held that WhatsApp dominated the relevant market for OTT messaging apps via smartphones in India and thereby concluded that such acts as mentioned above, prima facie amounted to imposition of unfair terms and conditions and violated Section 4(2)(a)(i) of the CA. Additionally, the contested data sharing clause could have exclusionary effects in the display advertisement industry, potentially undermining the competitive process and creating further barriers to market entry, which was held to be in violation of Section 4(2)(c) and (e) of the CA. There was also a recognition of WhatsApp’s pronounced network effects and the lack of a credible competitor which resulted in the company being put in a power to compromise the protection of data of its users.

Conclusion

Due to lack of a strict data privacy regime in India, the CCI has gone beyond its role of being a competition regulator and taken the lead in protecting user privacy, thereby blurring the demarcation between antitrust laws on one hand and information technology laws on the other. In the absence of such a simple line of demarcation, courts are likely to see an increase in jurisdictional disputes resulting from the country’s changing data jurisprudence. Interestingly, both 2016 and 2021 updates have been challenged on other aspects as well. Firstly, the 2016 update was challenged in Karmanya Singh v. Union of India.[2] In this case, the Delhi High Court ordered the deletion of user data collected by WhatsApp before 25th September 2016, but allowed the retention and sharing of data post the said date. It observed that those who didn’t want to use WhatsApp could always choose to leave it. The 2021 update was challenged in Chaitanya Rohilla v. Union of India, wherein the court noted that the 2021 update violated the right to privacy. It also observed that the preferential treatment given to EU countries was concerning.

In the current case, the CCI has probed into the antitrust concerns raised against WhatsApp and has clearly identified issues that could pose a threat to the data of its users. The DG has now been ordered to conduct further investigation into the new policy which may or may not result in a remedy. Instead of merely ordering an investigation, under Section 33 of the CA, 2002, the CCI could have ordered for interim relief by placing an injunction on the operation of the update itself. While WhatsApp itself has delayed the implementation of the update till the 15th of May, the lack of official action could seriously harm competition in the OTT messaging applications industry. Though the 2021 update has been subject to various contentions in the fields of data privacy and competition, WhatsApp, using its position as the dominant player was trying to find a leeway to get past them. In light of this, it is relieving to note that the Delhi High Court has refused to set aside the CCI order discussed in this article.


*Melita is a Researcher at IntellecTech Law and a law student at CHRIST (Deemed to be University), with a keen interest in IP and TMT law.  She published her novel ‘Battle of the Spheres’ when she was 15 and is one of India’s youngest TEDx Speakers.

Vivek is a Researcher at IntellecTech Law and is a second year law student pursuing a B.A.LL.B degree from Jindal Global Law School. Having completed over 20 internships and 6 RAships in a span of one and a half years, he is determined to succeed in the fields of Intellectual Property Law, Environmental Law and Gender Justice.

[1] WhatsApp Privacy Policy – Third party information: Businesses on WhatsApp, Jan 4, 2021 – “Businesses you interact with using our Services may provide us with information about their interactions with you. We require each of these businesses to act in accordance with applicable law when providing any information to us. When you message with a business on WhatsApp, keep in mind that the content you share may be visible to several people in that business. In addition, some businesses might be working with third-party service providers (which may include Facebook) to help manage their communications with their customers. For example, a business may give such third-party service provider access to its communications to send, store, read, manage, or otherwise process them for the business. To understand how a business processes your information, including how it might share your information with third parties or Facebook, you should review that business’ privacy policy or contact the business directly.”

[2] UOI, 233 (2016) DLT 436.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s