On 5th October 2020, the Subcommittee on Antitrust Law of the US House Judiciary Committee (‘the Committee’) released a comprehensive majority report (‘the report’) on the dominance of Big Tech (Amazon, Google, Facebook, Microsoft). The Committee observed that the dominance of Big Tech has degraded privacy, eroded entrepreneurship, and undermined free press. The Committee urged Congress to reform anti-trust laws, bar dominant platforms from competing in ‘adjacent lines of business’, encourage interoperability and push for data portability. Following the report in October, the US Justice Department sued Google, accusing them of illegally protecting their monopoly over the online search market. In December, the US Federal Trade Commission and over 40 states sued Facebook, alleging Facebook eliminated competition by acquiring Instagram and WhatsApp.
These incidences are a watershed moment in the regulation of Big Tech. In the past, regulators have considered turned a blind eye to the dominance of Big Tech. They felt Big Tech were ‘no-fault monopolies’ because Big Tech gained their dominant position without engaging in unfair trade practices and because they provided superior products. However, the report and the lawsuits which followed, are critical of the anti-competitive conduct these firms have engaged in after they attained monopoly status. One of the essential observations in the report is that ‘the best evidence of market power of platforms owned by Big Tech is the degree to which these platforms have eroded consumer privacy without prompting a response from the market.’ Indeed, if Google faced genuine competition from let’s say, Duckduckgo, it would be compelled to provide robust privacy protection to its users.
In this paper, considering the recent developments, we have examined the tests an anti-trust regulator such as the Competition Commission of India (‘CCI’), uses to determine whether a tech entity has abused itstheir dominant position (Section 4 of the Competition Act, 2002). We have pointed out that tests which may have been sufficient for traditional markets do not work for markets fuelled by the internet. As a running theme, because of the overlap with privacy law, we have analysed whether a regulator may deem data collection practices as anti-competitive. The first part of this post focuses on the tests a regulator may use to determine if the aggressive collection of personal data is an abuse of a dominant position. The second part, considering the privacy implications of data accumulation, analyses the jurisdictional conflict that may exist between a competition regulator and a data protection authority.
PART – 1: TECH MARKET AND COMPETITION REGULATOR
Users do not pay for most of the products offered by Big Tech. There are no charges for creating a Gmail account, communicating through WhatsAapp, searching on Google or using Facebook. All you need is a device through which you can access these platforms and an internet connection – both of which are becoming accessible by the day. Big Tech monetises these platforms through targeted advertising. Firms prefer Big Tech platforms over traditional media (newspapers and tv) for their advertising. This is because Big Tech enables firms to target their promotions only to users who are likely to buy the good/service the firms offer. Big Tech does this through superior products but also because their products give them access to a high volume of data which, in turn, lets them accurately profile their users. From this business strategy, we may draw two crucial inferences – firstly, Big Tech has an incentive to collect as much user data as possible. Secondly, anyone who wants to compete with Big Tech can only do so if they have access to the user data.
The purpose of competition law is to protect the interests of consumers, prevent adverse effect on competition and promote competition in the markets. The question is whether tech entities, through their data collection practices, may violate competition law. To answer this question, a regulator may engage in the following exercise. Firstly, the regulator will determine the relevant market in which a complainant/informant alleges abuse of a dominant position. Secondly, the regulator will establish whether the entity in question, has a dominant position in the relevant market. And lastly, the regulator will analyse whether the entity has abused its dominant position in the relevant market. In the following paragraphs, we have discussed each of these steps in the context of Big Tech and their data collection practices.
The first task of a regulator is delineating a market in which the monopolist allegedly abuses a dominant position as dominance cannot exist in a vacuum. Section 2(r) of the Competition Act, 2002 (“the Act”) defines “Relevant Market” with reference to the Relevant Product Market, Relevant Geographic Market or both the markets. Relevant Product Market, in turn, is defined in Section 2(t) of the Act as a market comprising all those products or services which are according to the consumer are interchangeable or substitutable, because of their characteristics, prices or intended use. Section 19(7) of the Act provides the factors the Commission has to take into account while determining the “Relevant Product Market”. These factors include the price of good or service, consumer preferences and the existence of specialised producers. In a nutshell, while determining the “Relevant Product Market”, the Commission inspects whether Product A and Product B belong to the same market. For example, in the lawsuit against Facebook, the prosecutors have defined the “Relevant Product Market” as Personal Social Networking in the United States.
The difficulty with delineating a “Relevant Product Market” in the information technology domain is that most firms provide services for free. In Matrimony.com Limited vs Google LLC, Google had contended (Paragraph 58) that a trading relationship should exist between a company and its customers for defining a relevant market and as such, the market for online search cannot be a “Relevant Market”. The Commission rejected the argument (also refer to paragraph 82-88) because even while searching online, Google collects data from users which contributes to ‘Big Data’ analysis. Thus, merely because a company and its customers do not exchange money, does not mean there is no commercial relationship between them. Therefore, the Commission has held that a “Relevant Market” in the IT industry, need not involve the exchange of money.
Generally, a regulator in determining relevant market applies the Small but Significant Non-Transitory Increase in Price (‘SSNIP’) test. However, in the context of the IT domain, the application of the SSNIP test has posed difficulties. The application of the SSNIP test begins with defining the smallest possible markets in which a hypothetical monopolist could profitably raise the price of the products by 5% above the competitive level. The relevant market would then include all those products which the consumer would regard as sufficiently interchangeable or substitutable to avoid the price increase. If after a price increase, consumers shift from Product A to Product B, both the regulator will consider both products to be a part of the same market. The difficulty in applying the SSNIP test in markets where tech entities collect data in return for free services (Social Networks, Online Search) is that there is no ‘price’ at all. Therefore, instead of the SSNIP test, the ‘Small but Significant Non-Transitory Decrease in Quality’ (‘SSNDQ’) is appropriate to define “Relevant Market” in the IT domain. SSNDQ test asks if consumers would shift to a different product if there is a reduction in the quality of the hypothetical monopolists’ product. If consumers are willing to move, then the regulator will consider both products to be part of the same market. As an example, if Google decides to seek more personal information from users of their search engine (a reduction in quality), and that makes the users shift from Google to Bing, then Google and Bing are part of the same market.
Once a regulator has determined the relevant market, it has to analyse whether a tech entity enjoys a dominant position in the relevant market. This is relevant because competition law prohibits the abusive conduct only by company in a dominant position, and not of others. Section 4 of the Competition Act 2002 defines a dominant position as a position of strength which enables an enterprise to operate independently of competitive forces prevailing in the relevant market. The dominant position of a firm does not mean the absence of other entities in the market. Still, it does mean that the dominant entity can influence the market. Section 19(4) of the Competition Act, 2002 provides the factors which the Commission has to consider while inquiring whether an enterprise enjoys a dominant position. These factors include – inter alia the market share of the enterprise, the dependence of consumers on the enterprise and the market structure.
In digital markets, regulators must consider the data possessed by tech entities to determine dominance. Big Tech, in particular, has developed services which are dependent upon the acquisition of personal data. As mentioned above, data allows these entities to understand behavioural patterns of their users which in turn, they use to provide targeted advertising. Data is useful for participants of digital markets when it scores highly on three vectors – volume (the quantity), velocity (how fast the data comes in) and variety. Therefore, to determine dominance, regulators should consider the ability of the entity in question to examine data. In the lawsuit against Google, the prosecutors have pointed out the dominance of Google by referring to the data it possesses. The Competition Commission of India in Matrimony.com Limited vs Google LLC, which we have discussed above, also pointed out the importance of data for Google. In this regard, Google’s Research Director famously evaluated their role in the market as – “We don’t have better algorithms than anyone else. We just have more data.”
Abuse of Dominant Position
Once the regulator established the dominant position of a monopolist, it will have to determine if its actions are abuses of dominant position. This regulator has to undertake such an analysis because, under Competition Law, dominance per se is not illegal. Under Section 4 of the Competition Act 2002, setting an unfair condition on purchase or sale of goods or services, or indulging in a practice which results in denial of market access, is an abuse of dominant position. Typically, unfair conditions or unfair terms are those which the monopolist will not impose in a competitive market. Through their data collection practices, tech entities may abuse a dominant position in two ways. Firstly, they may foreclose the market for other competitors, and secondly, they may infringe upon the privacy of their users to improve their position in the market.
Tech entities may be able to foreclose markets because data is an ‘essential facility’ to compete in the markets such as social media, online search and electronic retail. Usually, essential facilities are exclusionary – that is if an entity has access to oil, it will deny its competitors that quantum of oil. Data, on the other, is an essential facility even though is non-exclusionary (you can provide the same information to multiple tech entities) because of how digital markets operate. In these markets, a user only interacts with entities which have already attained dominance. Partly, this is because of ‘network effects’, but it is also because tech entities have been able to take advantage of being in adjacent lines of business – [Google pre-installs Google Chrome on its phones and sets google.com as a default search engine (another anti-competitive aspect which prosecutors in the Google lawsuit have highlighted)]. Therefore, users provide data to dominant entities to the exclusion of their competitors and the possession of data forecloses competition. However, regulators should not consider mere possession of data as anti-competitive. Nevertheless, regulators in Europe have insisted on data-porting to provide a level playing field. For example, the UK’s Competition and Markets Authority (‘CMA’) found that coal-based energy firms could dominate the market over alternate energy providers because they possessed more information on their consumers. The CMA forced firms to share data with their competitors to avoid abuse of dominance. Interoperability, as a solution, finds authorization in the Personal Data Protection Bill, 2019 (‘Bill’) too, which permits users to port their data to entities apart from merely the data controller.
Another manner in which tech entities may abuse their dominant position is by infringing the privacy of their users. As per Section 4(2)(a) of the Act, an enterprise abuses its dominant position if it imposes unfair conditions in purchase or sale of its goods or services. Keeping aside the jurisdictional conflict with a data protection authority, which we have dealt in the next part, the question here is whether a violation of privacy may constitute an unfair condition in sale of goods. In this regard, the Bunderskartellamt, the German regulator in the Facebook Case, noted that Facebook funds itself by advertising which required the processing of personal data and that users expected Facebook to process their data. However, Facebook was making use of its services conditional upon users permitting Facebook to collect data from other Facebook-owned services – like WhatsAapp and Instagram. Given Facebook’s dominant position, the regulator could not presume that users effectively consented to such data collection and as such, the collection was not just a violation of privacy law but also of competition law. The regulator considered the term which permitted Facebook to collect data from third parties, as unfair.
PART – 2: JURISDICTIONAL CONFLICT
In light of the concerns pointed out in Parts I, it is vital to examine whether a competition regulator should investigate privacy violations or leave them to a data protection authority. This is a critical analysis in the Indian context, considering the imminent enactment of the Bill. To undertake such a study, it is crucial to understand the jurisdictions of these bodies. The Legislature has entrusted The Competition Commission of India with the task of preventing practices that harm competition in the market. The Bill, on the other hand, lays down the obligations of data fiduciaries while collecting and processing personal data. Section 7 of the Bill requires data fiduciaries to issue a notice to the data principal (the person to whom the data relates) specifying important information including the purpose for which data is processed, the nature and categories of data collected, and so on. The Bill provides for the establishment of a Data Protection Authority to ensure data fiduciaries comply with their obligations but is also entrusted with the responsibility to specify codes of practice promoting data protection. Once the Data Protection Bill, 2019 is enacted, instances of privacy violation will fall under the purview of the authority (Section 49).
However, with the recent changes in how markets operate, privacy violations also affect competition. In that case, jurisdictional clashes between the Data Protection Authority and the Competition Commission may come up. Therefore, we must examine how the CCI shares the jurisdictional space with another legally established body. Commentators have argued that CCI has decided not to investigate breach of Information Technology Act, 2000 in Vinod Kumar Gupta v. Whatsapp Inc.. However, the Commission did not examine an alleged violation of the Information Technology Act, 2000 only because a related dispute was pending before the Hon’ble Supreme Court. The decision in Vinod Kumar Gupta does not mean CCI will continue to adopt such an approach in the future as well. In fact, the Competition Act, 2002 contemplates the Commission ruling on issues which may also fall within the domain of a sector-specific regulator. Section 21A of the Act permits the Commission to seek expert opinion of a sector-specific regulator if the need arises. The regulator has to provide its statement within 60 days. Similarly, Section 56 of the Bill requires the Data Protection Authority to consult with other regulators who may have concurrent jurisdiction. Therefore, in the coming years, we may see the Commission and Data Protection Authority working together.
The Supreme Court of India, in the case of CCI v Bharti Airtel, has tried to resolve a jurisdictional conflict that may exist between a sector-specific regulator and CCI. The Supreme Court acknowledged the Commission’s jurisdiction to deal with a regulated issue, would not be ousted because of a sectoral regulator (such as TRAI). Instead, the sectoral regulator would defer the competition issue to a later point until it has decided on the preliminary issues that are strictly within its purview. Therefore, a sectoral regulator, such as a data protection authority may decide on the violation of data protection law and may refer to competition issues to CCI.
In this post, we have examined how regulators intervene when tech entities abuse their dominant position by accumulating data or by demanding excessive personal data. As of now, the competition regulator in India has not examined either of these aspects. The US House Judiciary Aanti-Ttrust committee, on the other hand, has discussed how Facebook, Amazon, Google, Apple and Microsoft engage in anti-competitive conduct. Whether their conduct constitutes an abuse of a dominant position in India is for the regulator to determine. But as has been discussed in the post, the Indian law and jurisprudence elsewhere provide sufficient guidance to CCI.