[Ashutosh is a student at Hidayatullah National Law University.]
The Draft Digital Competition Bill 2024 (Bill) was released as a part of the report prepared by the Committee on Digital Competition Law (CDCL). The committee was constituted with the purpose to draft a digital competition law for the country following a report submitted by the Parliamentary Standing Committee on Finance on “Anti-Competitive Practices by Big Tech Companies” before the Lok Sabha on 22 December 2022. The Standing Committee Report identified ten anti-competitive practices by large digital intermediaries and examined the need for a strengthened framework because of three important factors- network effects, winner-takes-most nature, and returns to scale. Central to all the three factors lies the importance of data as a resource and a parameter of competition which enables online platforms to improve services and value offered to the users through data collection and profiling, while also ensuring substantial business advantages to the advertisers as greater data collection ensured more effective distribution of advertisements to the users.
As per its mandate, the CDCL examined the need and structure for a Digital Competition Bill, and finally released the Bill. The Bill envisages specific thresholds for identification of Systematically Significant Digital Enterprise (SSDE) in respect of ‘core digital service’ (CDS). The Bill further lists down a range of obligations in the Act that each SSDE must follow with respect to each CDS.
The Bill has opened a range of different issues that merit examination such as the obligations imposed and the thresholds to specifically identify SSDEs. While more literature is required on analyzing the possible effects of such a legislation in the Indian context, the purpose of this blog is to specifically examine the data usage requirement as is listed down in the Bill. The requirement imposed is compared with similar obligations as are imposed in the UK Digital Markets Consumers and Competition Bill (DMCC), and the EU Digital Markets Act.
Data Usage
Section 12 of the Bill explains the data usage obligation that an SSDE must fulfil w.r.t its CDS. The section lists three negative obligations and one positive obligation. The first negative obligation is mentioned in Section 12(1) which states that:
“A Systemically Significant Digital Enterprise shall not, directly or indirectly, use or rely on non-public data of business users operating on its Core Digital Service to compete with such business users on the identified Core Digital Service of the Systemically Significant Digital Enterprise.”
In effect, the section may foreclose a marketplace platform such as Amazon from using the non-public data of its business users (sellers) to compete with such business users in the same competitive market.
Non-public data has been given a wide, inclusive definition in the explanation of Section 12(1) which states that:
“‘Non-public data’ shall include any aggregated and non-aggregated data generated by business users that can be collected through the commercial activities of business users or their end users, on the identified Core Digital Service of the Systemically Significant Digital Enterprise.”
The second and third negative obligations are featured in Section 12(2) which states that:
“A Systemically Significant Digital Enterprise shall not, without the consent of the end users or business users:
(a) intermix or cross use the personal data of end users or business users collected from different services including its Core Digital Service; or
(b) permit usage of such data by any third party.”
While the obligation in Section 12(1) applied only for non-public data of business users, Section 12(2) introduces prohibition on certain kinds of use of personal data of both business and end-users. This prevents large entities running multiple platforms from creating comprehensive profiles of their users by integrating the data collected through different services. For example, by the effect of such a section, an entity like Meta is foreclosed from integrating the personal data from a user collected through Facebook and Instagram. Further, large entities are foreclosed from permitting usage of such data by third parties.
While the above two raise interesting implications and issues in the field of competition and data privacy, Section 12(3) also raises particularly important issues. It states that:
“A Systemically Significant Digital Enterprise shall allow business users and end users of its Core Digital Service to easily port their data, in a format and manner as may be specified.”
It introduces a positive obligation to SSDEs to ‘allow’ end/business users to ‘easily port their data’ in a format and manner as specified. This condition remains hotly debated within antitrust regimes across the world, though present in EU’s Digital Markets Act, and UK’s DMCC.
The Benefits and Costs of Data Portability
The prime justification in introducing data portability and interoperability obligations lies in reducing switching costs for end users and business users to transfer to competing services, essentially encouraging users to give chances to different entities in a market without being dis-incentivized by the ‘sunk cost’ of existing data and data profiles that the user has created in a CDS offered by an SSDE. By ensuring immediate and effective access of collected data by third parties once authorised by users, the regulators seek to prevent gatekeepers from undermining the contestability of digital markets by restricting switching or multi-homing.
A tendency has been noted in many SSDEs to amass large amounts of data only to leverage their position through exclusively using the data generated and collected from the user to better advance services such as advertisements to the users. This entrenches or bolsters an SSDE’s dominant position in the advertisers’ side of the market, as the advertisers are commercially motivated to advertise on platforms that have the most data collected on the users, thus ensuring them the best return for their investment.
By mandating portability, the regulators seek to ensure that data that is stored by one intermediary may easily be transferred to another on the user’s request. This would further ensure that advertisers can also multi-home without the fear that such non-dominant competing platforms would not have access to the extent of data as available with SSDEs. Portability therefore seeks to ensure a greater potential of multi-homing on both the sides of the market, i.e., business users (advertisers) and end users. Lower costs of such portability would further introduce much-needed competitive pressure on large data collectors.
However, the other side on this issue has fervently opposed the mandate as envisaged by the ex-ante regulations. First, cybersecurity has emerged as a key concern stemming from the push towards data portability in competition law. This is because a push towards data portability would require industry standards to be implemented across different platforms on the format and specifications of stored data. Such standardization decreases the skill involved for hackers to gain unauthorised access over data stored in servers across services. Further, data portability and interoperability lead to the creation of larger, less-dispersed datasets which shares a positive co-relation with the harm caused from security breaches.
Second, data portability requires the setting of privacy standards, and these standards may stifle innovation in enhancing cybersecurity stringency and research on the same within SSDEs and other corporations. The issue that arises is that while small entrants may gain access to data maintained on certain standards, these set standards may simply be too expensive for them to adhere to, and thus may in fact end up stifling entry into the market. At the same time, a standard that is too relaxed to accommodate for small entrants and their stringent costs may end up sacrificing on a higher standard of privacy that may otherwise be provided by the market. In the counterfactual, privacy itself becomes a parameter of competition, with firms competing to offer the highest standards of privacy possible, as has been the case with the growing popularity of applications like DuckDuckGo and Signal, the messaging app.
Third, a serious concern emerging from data portability is that of free-riding. Data is often collected by SSDEs because of constant user interaction. This user interaction itself is generated, it is argued, by the specific engineering of algorithms that ensures users get the most relevant content on a given platform. Therefore, data collection itself must be considered an important parameter of competition in the digital economy. Data portability may, therefore, stifle innovation in the processes used for data collection and generation, thus adversely impacting competition.
Conclusion
Considering the above, the benefits posited by the Bill’s data portability obligations must be taken with a grain of salt. An obligation to maintain data portability could have serious consequences on standards of data privacy, and innovation in ensuring greater security and privacy of data across services. Further, the setting of such standards may also stifle innovation, and act as entry barriers in and of themselves, by mandating certain costs of operation and data formats upon new entrants when cheaper alternatives may be available.
The approach towards data portability must therefore carefully evaluated in the Indian context, where the start-up culture has only recently emerged, and many of them are running on significantly low margins. The notion of ‘participative antitrust’ as propounded in the CDCL report must therefore be followed in its true spirit and standards adopted towards data portability must be set through a consultative process that takes into account the interest of all the stakeholders in the context of the nascent digital landscape in India.
Comentários