This website is only for informational purposes. Visitors are requested to note that the information is intended to be correct, complete, and up-to-date. Juris Corp does not warrant that the information contained on this website is accurate or complete, and disclaims any and all liability to any person for any loss or damage caused by errors or omissions, whether such errors or omissions result from negligence, accident or any other cause.

This website is not intended to be a source of advertising or solicitation. The reader must not consider the information contained herein to be an invitation for a lawyer-client relationship, must not rely on information provided herein and must seek independent advice. Transmission, receipt or use of any information on this website does not constitute or create a lawyer-client relationship. No recipients of content from this website should act or refrain from acting, based upon any or all of the contents of this website.

Furthermore, Juris Corp does not wish to represent anyone desiring representation based solely upon viewing this web site. Finally, the reader is warned that the use of e-mail for confidential or sensitive information is susceptible to inherent risks of lack of confidentiality associated with sending e-mail over the internet.

By clicking on the "I understand and agree" button below, the user acknowledges that:

  • This website is not a mode of advertisement, promotion, personal communication, or solicitation of any sort whatsoever and the user wishes to gain information about us for his/her own reasons;
  • Entering into this website does not establish a lawyer-client relationship.

We are not liable for any consequence of any action taken by the user relying on information provided under this website. In cases where the user has any legal issues, he/she must seek independent legal advice.

JC - Article - CCI order on WhatsApp policy: Is CCI filling up the vacuum of the Data Protection Regulator? - Published with Legal 500


15 Jun 2021

CCI order on WhatsApp policy: Is CCI filling up the vacuum of the Data Protection Regulator? - Published with Legal 500

Published by Legal 500
Click here to view article in Published website.

In a recent order dated 24th March 2021, the Competition Commission of India (“CCI”) has taken suo-motu cognizance of the updated privacy policy and terms of services of WhatsApp which were rolled out by WhatsApp on 4th January 2021 (“Updated Policy”).[1] It directed the Director General to investigate the anti-competitive issues in relation to the Updated Policy. Earlier, the users had to give their consent to WhatsApp to share their personalized data with other Facebook companies. This has been changed by the Updated Policy, which makes it mandatory for users to give consent to such sharing to continue using WhatsApp.

This article analyzes the said order where the proactive anti-trust regulator examines the instant messaging app market, inadequately regulated by lagging data privacy laws.


Before proceeding with the investigation, both WhatsApp and Facebook were asked to submit their responses before the CCI. Facebook submitted that though being a parent company of WhatsApp, the two are separate entities and the Updated Policy governs the instant messaging services provided by WhatsApp. On this basis, Facebook submitted that it should not be a party to this matter. CCI rebutted this by pointing out that Facebook is a “direct and immediate beneficiary” of the Updated Policy and is a proper party to the matter.

WhatsApp on the other hand, challenged the jurisdiction of CCI on the subject-matter, arguing that matters related with Updated Policy falls within the purview of Information Technology Act, 2000, effectively the privacy laws contained under Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules,2011. Further, WhatsApp relying on the Supreme Court judgement of CCI vs. Bharti Airtel Limited and Others[2] (“CCI TRAI Case”), responded that the subject matter was currently sub-judice before various judicial forums in India and therefore CCI should only exercise its jurisdiction once proceedings before a sectoral regulator has concluded.


In its order, CCI has essentially pointed out two inter-linked grounds which create manifold anti-trust issues. One, that under the Updated Policy WhatsApp will share personalized user data with other Facebook Companies, and second, that all existing users of WhatsApp had to mandatorily accept the Updated Policy within a stipulated date, for them to continue using the services of WhatsApp.

Analyzing the Updated Policy from Competition perspective

In response to WhatsApp’s submission, CCI explained its role in studying the Updated Policy from competition perspective which would include examining the anti-competitive implications of excessive data collection and the usage of such data. It highlighted that unreasonable collection and sharing of data by dominant players like WhatsApp will grant unfair competitive advantage and may create barrier entry for new entrants.

No sectoral regulator

Another crucial element of this order is CCI’s interpretation of the CCI TRAI Case. The CCI held that this case has no application to the present issue at hand. CCI explained that the crux of the CCI TRAI Case was to establish a ‘comity’ between CCI and TRAI. As WhatsApp had relied on this case in its response, CCI observed that it has failed to demonstrate that the present subject-matter is sub-judice before a sectoral regulator.

Direct network effects and lack of competition

CCI observed that in the ‘relevant market’ of OTT messaging apps’ and based on trailing competitors, vast user base, combined with direct network effects[3] enjoyed by WhatsApp, WhatsApp is clearly dominant. Additionally, imposing a precondition on users to accept the Updated Policy for accessing the services of WhatsApp, would in-turn enable WhatsApp to collect expansive amount of data for sharing with other Facebook Companies. CCI observed that due to lack of competing options, the users may be compelled to accept the Updated Policy.

Non-price parameters for ascertaining abuse of dominance

CCI noted that in the digital economy, organizations compete based on non-price parameters such are quality of service, innovation, customer service etc. Lower data protection coupled with lack of control of the user over their data can be considered as reduction in quality under anti-trust law. CCI observed that the current conduct of WhatsApp and Facebook qualifies as “degradation of non-price parameters of competition viz. quality” and the implementation of the Updated Policy prima facie is imposition of unfair terms and conditions.


Recognizing the sovereign rights of the users over their data, CCI concluded that WhatsApp has prima facie contravened 4(2)(a)(i), 4(2)(c) and 4(2)(e) of the Competition Act. [4] In the current order, CCI is concerned with the non-voluntary and non-transparent collection of data which maybe further used by dominant entities to secure leverage even in unrelated markets and create barrier entries for new entrants. Few anti-trust regulators have attempted to regulate on matters which converge data protection and competition laws. In the United States the Federal Trade Commission (“FTC”), American anti-trust regulator, has sued Facebook in federal court for continuous anticompetitive conduct by acquiring Instagram and WhatsApp and imposing unfair terms on software developers, to maintain its monopoly.[5] If the FTC has its way, Facebook will have to seek prior notice and approval for all future mergers and acquisitions. Although, literature around overlap of competition and data privacy law is limited, CCI’s order has made a compelling case for implementing strong data protection laws which would prevent dominant firms to employ coercive tactics for collection and usage of user data and enforcing its monopoly in relevant markets.


India has started with its attempt to join the league of nations having stringent data privacy laws by tabling the Personal Data Protection Bill, 2019 (“PDP Bill”). The PDP Bill once coming into effect will regulate the processing of personal data by government, as well as companies, both Indian and foreign, processing personal data of individuals. Further, it will establish the Data Protection Authority (“DPA”) which shall be vested with powers to prevent the misuse of personal data, ensure compliance with the act as well as specify code of practice for promoting good practices of data protection amongst other things.

Recently, the Ministry of Electronics and Information Technology (“MeitY”) has directed WhatsApp to withdraw the Updated Policy.[6] In absence of a regulator in the IT sector and inception of the DPA being a distant dream, it is pertinent to note that MeitY, in discharging executive function, may be stepping into the shoes of a data protection regulator. If DPA would have been in existence and had started investigating this matter, then going by the CCI TRAI Case, CCI would have to wait for the conclusion of the matter before DPA. However, the jurisdiction, scope of DPA and CCI investigations, and the orders would have been entirely different. This clearly shows that its high time India have its DPA and PDP Bill in place to cover similar future issues from all aspects.  Once the PDP Bill is enacted, it would be interesting to see how both DPA and CCI regulate overlapping matters on data protection and competition law.


Arunabh Choudhary
Partner, Juris Corp
Email: arunabh.choudhary@jclex.com

Arpita Nandi
Associate, Juris Corp
Email: arpita.nandi@jclex.com