CCI order on WhatsApp policy: Is CCI filling up the vacuum of the Data Protection Regulator? – Published with Legal 500

Published with Legal 500

Published by Legal 500
Click here to view article in Published website.
In a recent order dated 24th March 2021, the Competition Commission of India (“CCI”) has taken suo-motu cognizance of the updated privacy policy and terms of services of WhatsApp which were rolled out by WhatsApp on 4th January 2021 (“Updated Policy”).[1] It directed the Director General to investigate the anti-competitive issues in relation to the Updated Policy. Earlier, the users had to give their consent to WhatsApp to share their personalized data with other Facebook companies. This has been changed by the Updated Policy, which makes it mandatory for users to give consent to such sharing to continue using WhatsApp.

This article analyzes the said order where the proactive anti-trust regulator examines the instant messaging app market, inadequately regulated by lagging data privacy laws.



Before proceeding with the investigation, both WhatsApp and Facebook were asked to submit their responses before the CCI. Facebook submitted that though being a parent company of WhatsApp, the two are separate entities and the Updated Policy governs the instant messaging services provided by WhatsApp. On this basis, Facebook submitted that it should not be a party to this matter. CCI rebutted this by pointing out that Facebook is a “direct and immediate beneficiary” of the Updated Policy and is a proper party to the matter.

WhatsApp on the other hand, challenged the jurisdiction of CCI on the subject-matter, arguing that matters related with Updated Policy falls within the purview of Information Technology Act, 2000, effectively the privacy laws contained under Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules,2011. Further, WhatsApp relying on the Supreme Court judgement of CCI vs. Bharti Airtel Limited and Others[2] (“CCI TRAI Case”), responded that the subject matter was currently sub-judice before various judicial forums in India and therefore CCI should only exercise its jurisdiction once proceedings before a sectoral regulator has concluded.



In its order, CCI has essentially pointed out two inter-linked grounds which create manifold anti-trust issues. One, that under the Updated Policy WhatsApp will share personalized user data with other Facebook Companies, and second, that all existing users of WhatsApp had to mandatorily accept the Updated Policy within a stipulated date, for them to continue using the services of WhatsApp.

Analyzing the Updated Policy from Competition perspective

In response to WhatsApp’s submission, CCI explained its role in studying the Updated Policy from competition perspective which would include examining the anti-competitive implications of excessive data collection and the usage of such data. It highlighted that unreasonable collection and sharing of data by dominant players like WhatsApp will grant unfair competitive advantage and may create barrier entry for new entrants.

No sectoral regulator

Another crucial element of this order is CCI’s interpretation of the CCI TRAI Case. The CCI held that this case has no application to the present issue at hand. CCI explained that the crux of the CCI TRAI Case was to establish a ‘comity’ between CCI and TRAI. As WhatsApp had relied on this case in its response, CCI observed that it has failed to demonstrate that the present subject-matter is sub-judice before a sectoral regulator.

Direct network effects and lack of competition

CCI observed that in the ‘relevant market’ of OTT messaging apps’ and based on trailing competitors, vast user base, combined with direct network effects[3] enjoyed by WhatsApp, WhatsApp is clearly dominant. Additionally, imposing a precondition on users to accept the Updated Policy for accessing the services of WhatsApp, would in-turn enable WhatsApp to collect expansive amount of data for sharing with other Facebook Companies. CCI observed that due to lack of competing options, the users may be compelled to accept the Updated Policy.

Non-price parameters for ascertaining abuse of dominance

CCI noted that in the digital economy, organizations compete based on non-price parameters such are quality of service, innovation, customer service etc. Lower data protection coupled with lack of control of the user over their data can be considered as reduction in quality under anti-trust law. CCI observed that the current conduct of WhatsApp and Facebook qualifies as “degradation of non-price parameters of competition viz. quality” and the implementation of the Updated Policy prima facie is imposition of unfair terms and conditions.



Recognizing the sovereign rights of the users over their data, CCI concluded that WhatsApp has prima facie contravened 4(2)(a)(i), 4(2)(c) and 4(2)(e) of the Competition Act. [4] In the current order, CCI is concerned with the non-voluntary and non-transparent collection of data which maybe further used by dominant entities to secure leverage even in unrelated markets and create barrier entries for new entrants. Few anti-trust regulators have attempted to regulate on matters which converge data protection and competition laws. In the United States the Federal Trade Commission (“FTC”), American anti-trust regulator, has sued Facebook in federal court for continuous anticompetitive conduct by acquiring Instagram and WhatsApp and imposing unfair terms on software developers, to maintain its monopoly.[5] If the FTC has its way, Facebook will have to seek prior notice and approval for all future mergers and acquisitions. Although, literature around overlap of competition and data privacy law is limited, CCI’s order has made a compelling case for implementing strong data protection laws which would prevent dominant firms to employ coercive tactics for collection and usage of user data and enforcing its monopoly in relevant markets.



India has started with its attempt to join the league of nations having stringent data privacy laws by tabling the Personal Data Protection Bill, 2019 (“PDP Bill”). The PDP Bill once coming into effect will regulate the processing of personal data by government, as well as companies, both Indian and foreign, processing personal data of individuals. Further, it will establish the Data Protection Authority (“DPA”) which shall be vested with powers to prevent the misuse of personal data, ensure compliance with the act as well as specify code of practice for promoting good practices of data protection amongst other things.

Recently, the Ministry of Electronics and Information Technology (“MeitY”) has directed WhatsApp to withdraw the Updated Policy.[6] In absence of a regulator in the IT sector and inception of the DPA being a distant dream, it is pertinent to note that MeitY, in discharging executive function, may be stepping into the shoes of a data protection regulator. If DPA would have been in existence and had started investigating this matter, then going by the CCI TRAI Case, CCI would have to wait for the conclusion of the matter before DPA. However, the jurisdiction, scope of DPA and CCI investigations, and the orders would have been entirely different. This clearly shows that its high time India have its DPA and PDP Bill in place to cover similar future issues from all aspects.  Once the PDP Bill is enacted, it would be interesting to see how both DPA and CCI regulate overlapping matters on data protection and competition law.



Arunabh Choudhary
Partner, Juris Corp

Arpita Nandi
Associate, Juris Corp

Similar Articles

Subscribe to our Newsletter



The Bar Council of India prohibits advocates from soliciting work or advertising. By clicking ‘AGREE’ below, the user acknowledges that no solicitation has been made, and this website serves as a resource for general information about Juris Corp at the user’s own risk. The information provided here neither constitutes legal advice nor creates a lawyer-client relationship. The links provided are not endorsements by Juris Corp, and Juris Corp is not responsible for any linked content. Users are advised to seek independent legal advice for any legal issues.