[Himanshi is a student at Dharmashastra National Law University.]
The Committee on Digital Competition Law released the draft Digital Competition Bill (Bill) in February 2024 along with its recommendations. Formulating separate legislation in the form of this draft Bill reflects India’s commitment to deal with the nuances of the competition in the digital market. The objective of the Bill is to identify systemically significant digital enterprises’ (SSDE), regulate their provision of core digital services, and foster fair competition. In regulating competition in digital markets, ‘data’ is the most critical aspect. While the Bill enlists numerous obligations for the SSDEs, one of the most intriguing provisions is the data usage obligation under Section 12 of the Bill. Section 12(1) prohibits the SSDE from using or relying on non-public data or personal data of business users operating on its core digital service (CDS) to compete with such business users on the identified CDS of the SSDE.
However, this provision leaves out non-personal data from its ambit. In the age of data-driven markets, non-personal data is significant, if not as critical as personal data, for an enterprise competing in the digital market space. Non-personal data is data which is not related to an identified or identifiable natural person. It includes public data collected by government agencies, data collected by private entities, or personal data that has been anonymized. The abuse of non-personal but competition-sensitive data by SSDEs results in creating entry barriers, leading to a denial of market access and giving rise to antitrust concerns under Section 4(2)(c) of the Competition Act 2002.
Governance of Non-Personal Data in India
In India, while there are various legislations catering to the protection and regulation of personal data, not much attention has been paid to the governance of non-personal data. The Report by the Committee of Experts on Non-Personal Data Governance Framework (Report) released in December 2020 provides some guidance in this regard. The Report further classifies non-personal data into government or public data, anonymized data, private non-personal data, etc. Guided by the principles of sovereignty, privacy, and innovation, the Committee in its report emphasised the need for formally creating a framework to regulate non-personal data. The Committee also identified a ‘data custodian’, which may be a Government entity or a private organisation that collects, stores, uses and processes data. The data custodians have been entrusted with the responsibility of handling and sharing non-personal data upon requests made for sharing.
Since SSDEs also store and process data, what follows is that SSDEs, whether government or private entities, assume an added role as data custodians as per the Report. In other words, all SSDEs are obliged to share appropriate non-personal data upon such request. There are various regulatory policies that oblige government enterprises, that may be designated as SSDEs, to facilitate access to non-personal data. While in stark contrast, there is hardly any framework for regulating non-personal data owned by private enterprises, that may be designated as SSDEs.
Government enterprises designated as SSDEs
There are policies such as the National Data Sharing and Accessibility Policy of 2012 and measures like the Open Government Data Platform in place for regulating data possessed by government enterprises. These initiatives aim to facilitate the accessibility of shareable data owned by various states, ministries, departments, and organisations of the government, by creating a national repository of data. Adding to these, the draft National Data Governance Framework Policy 2022 was released by the Ministry of Electronics and Information Technology (MeitY) to catalyze digital governance and revolutionize government data management in the country. The task of overseeing the policy standards has been delegated to the India Data Management Office (IDMO) under the aegis of MeitY. The IDMO would also be responsible for facilitating access to non-personal and anonymized datasets to researchers and start-ups in India. This nationalized channel of accessing data provides several benefits including credibility of information, user privacy, secured data transfers, and fair use of such data.
Private enterprises designated as SSDEs
The private non-personal data owned by private SSDEs is largely unregulated. This raises alarm about the possibility of the abuse of such datasets by private enterprises, leading to data monopoly. Data monopoly happens when one or a few companies control and monopolize a large amount of critical data resources in a specific market, which is especially crucial in relation to tech giants like Google, Apple, Amazon, and Meta. A digital service provider may produce four categories of data, namely provided data collected through surveys; observed data from the cookies on its website; derived data obtained by combining existing raw datasets, and inferred data. For instance, if the SSDE is engaged in the provision of a core digital service like online social networking services, it will have data about the user’s content preferences, along with information from partner apps and the user visits, advertisements viewed, etc. Since this SSDE is deemed as a data custodian as per the Report, it must make such non-personal data freely accessible to enable the creation of newer value-added services and applications. Thus, private SSDEs have an obligation to act in the best interests of the consumers and ensure fair competition in the market by allowing other players to leverage such non-personal data, being collected and processed by them.
Considering this aspect in the European Union (EU), the Regulation on a Framework for the Free Flow of Non-Personal Data 2018 is the main legal framework for the governance of non-personal data. The Regulation provides for the free movement of data within the EU, encourages transparency and interoperability, and measures in case of non-compliance with the obligation to provide access to such data. Article 6(2) of the Digital Markets Act (DMA) makes it an incumbent obligation of the gatekeepers to not process any data that is not publicly available. However, this legislation, too, does not mandate the sharing of non-personal data by gatekeepers.
Similarly, Section 2(b)(3) of the proposed American Innovation and Choice Online Act makes it unlawful for large digital enterprises designated as ‘Covered Platforms’ to engage in the misuse of non-public data generated on the platform. While various government initiatives, such as the Open Government Data Act and the Federal Open Data Policy, promote access to data, there is no federal law mandating the accessibility of non-personal data collected and processed by private entities. This sort of mandate is absent in most jurisdictions, which although, have numerous policies and guidelines for the governance of non-personal data owned by the government, but hardly any framework regulating non-personal data owned by private entities.
Implications of Non-Personal Data in Competition Law
Data is dynamic and has different utility and value for different entities. Some datasets may require the application of specialised techniques to create value and may have a limited useful life. This implies that non-personal data which is inferred and derived by private enterprises is unique to them and has a special utility function, which may be non-replicable, inaccessible, and business sensitive. Such data can enable service providers to enhance their products, improve efficacy, and refine their services according to user preferences. If the SSDEs, especially private entities, are allowed to use such competition-sensitive non-personal data without any obligation to make it freely accessible to others in the provision of the relevant CDS, the SSDEs will have an unfair competitive advantage over the new entrants. This is due to the fact that they will not only possess massive datasets relevant to the CDS but also the algorithms and the infrastructure required to use this data most effectively.
Collecting massive datasets and processing them in a highly competitive data-driven market with huge capital investment requirements is daunting for new players. Meanwhile, they are at a serious disadvantage due to their limited technical and infrastructural capacities. Thus, it will raise the entry requirements, creating an entry barrier in the market, which is in contravention of section 4(2)(c) of the Competition Act. Hence, as recognised by the Competition Commission of India (CCI) in the WhatsApp Privacy Policy case, competition authorities need to intervene in such cases. The dominant entity can leverage its position to exercise undue influence in the relevant market and engage in practices like targeted advertising, etc., thereby creating entry barriers. Moreover, in the case of XYZ v. Alphabet Inc. and Others, the CCI observed that Google’s extensive data collection and its usage caused adverse effects on competition. The data so collected and processed enables Google to outcompete others by improving and innovating its features and services, thus, entrenching its dominance in the downstream markets.
Suggestions and Conclusion
To survive in the global digital market, India still needs to improve the infrastructure for governing non-personal data. Fair competition in the digital market is possible only when all players have equal access to competition-sensitive non-personal datasets. To enable the free flow of non-personal data, it is suggested that the data usage obligation in Section 12 of the Digital Competition Bill be amended to include the mandate for the SSDEs to enable access to non-personal data. The responsibilities of SSDEs must be adequately demarcated in this provision so that there is certainty around the legal obligation for enabling access to non-personal data. The provision must specifically mandate private enterprises designated as SSDEs to enable accessibility to their private non-personal data, as distinguished from other types of non-personal data in the Report (refer to Appendix 3).
This obligation, however, should not be at the expense of infringing the intellectual property rights of the private SSDEs. The private non-personal data possessed by these entities may constitute trade secrets, etc., and may be protected under IP laws. Thus, the duty of enabling accessibility to such data cannot be so rigid and inflexible in such cases, and this exception must be carved out by the concerned authorities. This follows the need for a detailed categorisation of the non-personal data that the SSDEs are required to share mandatorily. Any ambiguity in such classification could lead to uncertainty in the extent of compliances and subsequent penalty determination under Section 28 of the Digital Competition Bill.
Adding the obligation of enabling access to non-personal data and ensuring effective access to others would enhance data transparency and level the playing field for the new entrants in the relevant market. The government must also make efforts to incentivize the sharing of non-personal data by private entities to enable innovation and public welfare. This will also give India a first-mover advantage in comparison to various other nations and will be beneficial for new entrants as well as small enterprises in the digital market. The mandate will also cater to consumer interests by promoting free and fair competition. Concludingly, it is observed that there needs to be an intricate balance between the rights of the private SSDEs, and the genuine interests of the other players and consumers in the digital market.
Comentários