This article is authored by Saswati Soumya Sahu
Guest editor: Saswati Soumya Sahu
Undoubtedly, privacy as an issue needs to be addressed via a “cross-disciplinary” approach that uses the two tools in order to apprehend harm. These two tools are competition law tools and consumer protection tools. As a regulator, the roles will not be only limited to rulemaking. Rather, the scope of work of a regulator would expand to research and adjudication. This essay delves into identifying the harms, especially those that could impact the marginalised communities. It has been considered that decisions of regulators have macro effects. The relationship that is built between the market structure and the fragile supply chain & the relationship between data consolidation and security vulnerabilities is acknowledged but has not been explored in the essay.
Is it frightening to know that there are companies that collect information about your credit history? Does it bother you when you get apprised with the fact that credit history includes finding answers to questions like “How many credit cards do you have? How much money do you owe ? How do you pay your bills?” If a company has all this information about you, then is it a plausible approach to create a credit report about you and then sell this report to the multiple businesses who are considering giving you credit? Is it feasible and easy for a consumer to opt out of this data collection process?
- Equifax data breach
Damages in data breach cases are awarded keeping a personal injury approach, i.e psychiatric and psychological injuries in mind. Damages could also keep in mind the instances wherein there has been a “loss of control of confidential information”.This is distinct from cases wherein there has been a “deliberate dissemination of private and confidential information for gain by media publishers”. TLT and others v. Secretary of State for the Home Department and Home Office guides the literature on the ways in which facts and evidence need to be analysed if there is a breach and the adjudicating officer is required to access numerous privacy claims. From a practical point of view, “distress” refers to claims for a data breach that results in significant effects under the applicable law in the United Kingdom and indirect financial implications that must be considered by the data controllers. The same analogy can be extended for cases wherein the claimant has a rational fear regarding the consequences of data breach, or has suffered from shock and fear caused by error of the authorities. This is because liability of the controller arises if “accidental publication of information” eventually results in the misuse of personal information & breach of terms of Data Protection Act, 1988 (“DPA”) in the United Kingdom. This goes on to prove that it is possible for damages to be quantified within the range of 2500 pounds to 12,500 pounds per claimant wherein they claim that they have suffered because of distress and anxiety & there is no pecuniary loss. This example highlights the ambit of factors that are taken into consideration so that the right to privacy is protected. This paper does not deal with the one-dimensional angle of safeguarding privacy as a right by data protection authorities. Instead, it delves into investigating the role played by competition regulators in enforcing privacy as a right. This may be solely or in addition to adjudicating competition law concerns.
The General Data Protection Regulation (“GDPR”) is drafted by lawyers and policy makers and not written by software or information engineers. It is a regulation, i.e, “ it is intended to be a set of rules to restrict, constrain or otherwise organise the processing of data of one or more persons.” It is applicable to persons who are individuals that have a “biological derivation”. Once processing of data occurs, then GDPR enables the emergence of new knowledge and insights that can be used for a specific purpose. It is to be noted that a purpose is defined as an expression of interest by an enterprise. This is different from the specific data that is inferred via analysis either by electronic or other means. At the granular level, there is a difference between data protection and privacy at a conceptual level. A few examples of concepts that are relevant to privacy are (i) role of an agent; (ii) purpose of the communication; (iii) obligations imposed on the party when information is transmitted; and (iv) types of information that are transmitted. On the other hand, a few examples of concepts that are relevant to data protection are (i) data subject; (ii) consent; (iii) declaration; and (iv) form. The aforesaid is a finding after analysing the legal instrument via Formal Concept Analysis (“FCA”) method. From an in-house counsel’s perspective, it is important to know that GDPR is not a complex legal instrument. Instead, it is a legal instrument that provides for attributing the responsibility of an organisation via appointing a Data Protection Officer (“DPO”) and a software designer. Thus, GDPR embeds two aspects in its text, namely the technical architecture and the organisational architecture. The former legal instrument, Directive 95/46/EC did not provide for various processing means, namely the (i) list of compliances present in GDPR; (ii) rights of data subjects before and after processing; (iii) withdrawing consent from processing of data; (iv) various degrees of processing data when the process is automated. The design principles might be the same between the former and later legal instrument, when age based processing restrictions are considered. To conclude, a regulator ought to identify the concepts and its allied attributes for understanding this legal instrument. The concepts and its attributes would be required to be explicitly mentioned in the decision and thus need individual attention. Concepts and attributes are related via consequences of one on another. In a nutshell, GDPR addresses the following:
- “General provisions, terms and definitions
- Rights of data subjects
- Controller and processor restrictions and obligations
- Data transfer restrictions, rules and the intra – dynamics & inter – dynamics in an organisation
- Supervision and supervisory authorities
- Restrictions over the cooperation between multiple organisations and partnerships
- Penalties and liability definitions
- Specific processing scenarios and connected restrictions, penalties
- Implementing acts for the European Economic Area (“EEA”)
- Final provisions and establishment of repealed directives, previous agreements and related reports.”
The importance of this legal instrument is realised in terms of a gamut of compliances deployed majorly in two sectors, namely (i) healthcare information system; and (ii) public governance information systems. It is to be noted that, the following design issues will vary in form depending on the context of the usage of technology and would have different implications depending on the sector in which it is used. These actions that will have implications are (i) over-collection of data; (ii) distortion of data; (iii) appropriation of data; (iv) lack of security on data; (v) unwanted disclosure of data; (vi) forced disclosure of data; (vii) unwanted revelation of data and (viii) unwanted restriction on data. This will work as a starting point for practitioners and enable them to show that they are able to adapt to the compliances required by the GDPR and such has been factored in and thus embedded in their respective designs of softwares. Furthermore, all processes will have to be improved and thus might need to be re-designed with an aim of constructing the software architecture in a manner that the architecture operates in a compliant manner. 
The investigation on Facebook’s conduct in Germany and Italy exemplifies that regulators can intervene in the digital market if there is a market failure. If the same conduct is being investigated by two different regulators, it does not necessarily mean that the applicable law will be the same in both cases. It is open for the regulator to decide a case under consumer law as opposed to competition law. Similarly, it is open for a regulator to opt for data protection law as the applicable law as opposed to competition law. This phenomenon is called the “regulatory dilemma” that is faced by antitrust authorities in Europe. This is valid since the Charter of Fundamental Rights (“Charter”) recognises both the right to trade and right to privacy from an end user’s perspective.
There have been instances wherein competition law has been isolated and has been substituted by consumer law, which provides less deterrent remedies than the former. The tedious tasks of defining the market and getting an understanding of market power is done away with. It is argued that this occurs despite being aware of the fact that “omnibus legislations” like data protection and consumer law fail to tackle the market failure in comparison to competition law that provides for a stronger deterrent effect via imposing higher fines and imposing behavioral commitments. It is a known fact that, even though the three branches of law, namely competition, consumer and data protection law share “family ties”, yet there is a difference between them in terms of their “objectives, scopes and enforcement structure”. This is the reason behind the argument that compliance with one legal regime does not automatically make a conduct comply with other legal regimes as well. The establishment of “digital clearinghouse” ensures that the regulators cooperate and coordinate with each other at the national level for (i) exchanging information for investigating a matter; (ii) keeping the possibility of joint enquiries by two or more regulators open; and (iii) opening up ways for discussing the remedies. However, it is to be noted, digital clearinghouses have not been effective in acting as a platform for coordinating enforcement actions by two nation states. 
Data protection concerns cannot be accommodated amidst competition policy issues since it is not of concern from an economist’s perspective. There is indeed a consensus between the European Commission and the courts in Europe that there is a difference between data protection concerns and competition concerns, within the legal order of the European Union. Nonetheless, the following reading of law can suggest that data protection concerns can be included and paid heed to, while enforcing competition law concerns:
- Treaty on the Functioning of the European Union (“TFEU”)
Article 12, TFEU is needed to be holistically read with Article 16, TFEU. Both these provisions then have to be read in conjunction with Article 7, TFEU. This will provide the legal basis for encompassing data protection concerns withincompetition law enforcement.
- Charter of Fundamental Rights
The right to data protection is provided in the Charter. By virtue of this inclusion, the European Commission is obligated and bound to take this into consideration while weighing the protection of this right while applying competition law.
- EU Merger Regulation (“EUMR”)
Data protection can be invoked as a legitimate public interest factor in merger cases as per Article 21(4) of the EUMR, if there has been no breach of the EU law. This goes on to state that, legal basis exists, even though there might be challenges in its effective implementation. One of the major challenges is that this interpretation cannot be done if public interest criteria are absent in national law. From the ground, the Member States’ approach can be broadly divided into (a) Open-ended that allows the inclusion of data protection; (b) A non-exhaustive list approach that can allow the expansion of specified interests as data protection concerns only after following a specific procedure; and (c) Restrictive approach that provides an exhaustive list of public interest factors that leaves no room for inclusion of data protection, i.e, There is no provision that can be read as a data protection concern. It is to be noted that, in the UK, “a public interest consideration can be adopted by way of adopting a statutory instrument that is approved by the Parliament through an affirmative procedure”. In simple terms, the aforesaid possibility is envisaged under the Enterprise Act, 2002 and has been applied for creating a new public interest ground, i.e., “stability of the financial system” for approving the Lloyds TSB and HBOS merger, by the Secretary of State. This was conducted with the consent of the Parliament. As of now, the data protection authorities have no power to legislate and include competition law concerns within its ambit. Per se, data protection has never been recognised as a public interest ground in any of the member states in the European Union. The national competition law authorities would have to consider including a provision for consulting with the data protection authorities to keep an open-ended approach. Alternatively, data protection authorities can submit their report to the Secretary of State arguing the need for interpreting data protection as a public interest concern. Thereafter, it can be made open to the data protection authority to reach out to the Information Commissioner’s Officer, i.e., UK Data Protection Regulator. If the above approach is adopted, then there is a higher chance for acknowledging data protection concerns within the merger framework. Coming back to the EU, if data driven mergers raise data protection concerns at the time when they are being notified to the EC, then the procedure under article 21(4) becomes relevant.
It has been suggested time and again that, data protection framework is not sufficient to address the privacy concerns that arise in a digital market. The root cause of this conclusion lies in the power asymmetries between the consumers and the service providers in a typical two sided market. The application of system approach would enable an integrated enforcement approach by a regulator because of interdependence of “consumer welfare” in data protection framework with that of competition law framework, i.e., objective. On the other hand, the focus on economic efficiency cannot cure the normative concerns surrounding privacy. If competition law cures this defect, then it can no longer be construed as a separate discipline. Will there be a contradiction of approaches if the same regulator resorts to looking at data protection concerns, if it does not find competition law infringements? As stated above, increased concentration of data in the custody and control of service providers clearly raises privacy related concerns that cannot be holistically looked at by combining these two branches of law. It is to be noted that, “data combination” with firewalls that is allowed per EUMR is distinct from dataset concentration with no underlying justification & its usage for targeted advertising. 
Case Study – Google Pay and the world of coupons & rewards : Is it competitive ?
The practices of favoring certain sellers via deep discounts, heavy discounting under the veil of data masking, charging of exorbitant commissions under the garb of entering into exclusive partnership agreements, predatory pricing of products via entering into price parity agreements by digital platforms always come under the scanner when monitored by industry bodies. The industry bodies view such practice with judgment because, such practices warn the consumers and other stakeholders that there is an imbalance between a dominant platform that gives a quantifiable benefit to its consumers and exorbitant rents that this plausible dominant platform demands from its trading partners, before passing on the benefit to the end user.
At some point, the incentive to trade by non dominant trading partners is discouraged because of the imbalance, thereby hampering innovative outcomes of the market. The market marches towards being a single player market or a two player market with market share. However, to what extent a regulator can differentiate its assessment in a transportation market from the health care and well being market is the central research question that is addressed in this paper. The paper has identified the stakeholders in the broader ecosystem, essential role played by each stakeholder in the respective ecosystem, relationship between stakeholders in this multi actor ecosystem, characteristics that are key to building market power in each sector and consequent actions like delisting specific trading partners after entering into exclusive partnership agreements with trading partners. 
As a competition authority, one comes across terms like “digital platforms”, “digital economy”, “digital markets” and “online platforms”. As per note by the United Nations Conference on Trade and Development (“UNCTAD”) secretariat, every competition case involving online platforms poses a unique challenge. The relevant competition issues vary according to the challenge faced by competition authority.  It is to be noted that, even though the aforesaid words are perceived to be synonymous, they vary in their nature and characteristics. Broadly, the two criteria that is kept in mind by the competition authorities across the globe are:
- Market capitalisation
- Data privacy
Daniele and Jorge describe the economics angle of “platform envelopment strategy”. In such a scenario, the dominant platform is the enveloper. Initially, the market in which it operates is called the origin market. This origin market is the first multi-sided market. As time passes by, the dominant platform enters a second multi-sided market. This second market is called the target market. The dominant platform obtains users and builds relationships in the origin market. It does so by collecting the data of its users. With the passage of time, the dominant platform leverages / tends to share information and extends its relationship with the users in the target market. The environment of the origin market is different from the environment of the target market. From a privacy perspective, the point of relevance is the utility of user information by the dominant platform during its journey of building “shared user relationships” as it marches from one market to another market. 
The investigation on Google by the Competition Commission of India (‘CCI’) is centred around investigating the practice of manipulating search in Google search when users search for payment solutions in Android OS. Does the bundling of Android OS with Google Pay have an impact on the search results? The allegation is that search is manipulated because Google search prompts the appearance of Google Pay on the top. The competitors of Google Pay, namely PhonePe and Paytm do not appear in the search results in Google. The central question is that, if this behaviour can be construed as abuse of dominance? Does it lead to a situation wherein users are being the choice to pay through other payment instruments along with Google Pay ? Is Google leveraging user data on one market to gain unfair advantage in another market that favours its own payment platform ? If that is the case, can this be construed as “unfair advantage” over its competitors because it creates restrictions for other payment firms ?
The regulator also intends to investigate if Google is abiding by the zero Merchant Discount Rate (“MDR”) policy or not ? This is because it intended to charge a 30 percent billing commission from app developers when they put their mobile applications in Google’s Play Store.
Google Pay acts as a merchant for the bank. It can be said that Google Pay acts on behalf of the app developers, when app developers make a payment for putting their mobile application in Google Play Store. The app developers get a point-of-sale (“POS”) machine. MDR is a fee that is levied by the bank from merchants. This fee is charged in exchange for providing merchants with POS machines. For a layperson, Google can be considered as a large business, i.e., a business whose turnover is greater than INR 50 crore. When Google provides its customers, i.e., small and medium enterprises or app developers with low-cost digital modes of payment, i.e., a unique QR code, then banks have been asked not to levy charges when customers of Google Pay make a transaction. From the perspective of a consumer, dealing with digital mode prompts the merchant, i.e., Google Pay to offer rewards in the form of cashbacks & scratchcards.  In my opinion, such rewards have a lock-in effect that binds a consumer’s intrigue. For instance, the digital equivalent of getting a gold coin from someone in your friend circle using Google Pay as a platform, the possibility of requesting someone in your friend circle to create a group in Google Pay and using the same to get voucher from a friend’s heart box, the possibility of getting a bonus heart from a friend’s heart box, the possibility of getting a scratch card from a sibling’s heart box and the possibility of donating meals to Covid 19 impacted meals & propagating gifting / donations as a cultural norm. Can this “unfair privilege” of Google Pay trigger the application of Section 4 of the Competition Act, 2002 ?
An individual consumer has a subjective attitude to privacy & objective cost when their privacy degrades. As per Katherine Kemp, the attitude is not synonymous with a scenario wherein a consumer reads the nutritional information in the packaging of a snack in a non-digital world. The nature of digital platforms, especially social media, is such that consumers express their vulnerability in order to forge social connections with strangers. The purpose may or may not be commercial. In my opinion, suppliers of services tend to manipulate the consumer-customers’ desire and have control to alter the social environment of the consumer-customer without their knowledge. However, it has been noted that, it becomes too late when the consumer wants to either place limitations / restrictions on the information that they have already shared in the past; or intend to opt out from an arrangement and put an end to disclosing any further information of any kind. At this specific point in time, the diligence and the concern of the consumer becomes inactionable.
Anti-competitive conduct in digital market
As per OECD, the following new forms of abuse of dominance conduct has pushed the envelope and has given rise to following forms of conduct that is peculiar to the digital market:
- Forced free riding
This conduct is prevalent in digital platforms that are in the nature of content, i.e., “content scraping” or transaction platforms via foreclosing competition. The later is the case, when platforms act as transaction facilitator and hold a large amount of data about the products placed by buyers and sellers (Khan, 2017, p.782)
Unless there is a unique case, such cases are examined from the perspective of harm theories that emanate from refusal to deal. The harm arises when downstream firms do not get access to consumers and the only way they can access them is via the platform. In such a case, the platform plays an indispensable part of their life.
The other scenario of assessment is when the indispensable platform provides listings of products. It acts as an upstream provider that displays the “price” of products. The assessment can be conducted from the perspective of a regulator to investigate if margin squeeze discriminatory practices are being resorted to or not. What does the indispensable platform do with such data ? Does it use the information of “price” to exclude competitors? Or, does it at least raise “price” and make it difficult for consumers thereby resulting in its artificial scarcity ?
- Abusive leveraging or self-preferencing
Firstly, the harm theory could be exclusionary abuse of dominance via refusing to deal. At times foreclosing competitors might trigger refusal to deal. Indispensability of the dominant platform plays a critical role in the competitive assessment of the case at hand. Refusal to deal shall be ruled out when the dominant platform has a positive obligation to share its assets and thereby enter into agreement with other firms for this purpose.
Secondly, cases of “self preferencing” can be scrutinised from the perspective of applying the theories of harm of bundling and tying. For instance, certain forms of conduct like two platforms being integrated with one another at their design level, i.e, called “technical tying through platform design”. The other example would be the case discussed above wherein two platforms offer their incentives to consumers by portraying themselves as one entity, i.e., “mixed bundling type discount”. Exceptions to the application of theories of harm may apply to the conduct of a “single monopoly profit firm” if its conduct falls under exceptions to bundling and tying.
Thirdly, a case of abusive leveraging can be investigated for trace of “margin squeeze via discrimination”.
Theories of harm will not apply if leveraging of a dominant firm is built on “cross subsidization amongst its own products”, i.e., differentiating between product markets becomes quite difficult. It will not apply in cases of legitimate vertical integration. This will be the case when leveraging generated efficiencies for its consumers, i.e., they are the recipients of rewards that accrue from the innovation process. If consumers gain from the competitive differentiation from vertical integration, it leads to more efficiency from an economist’s perspective and thereby consumers get legitimate awards.
The harm theory could either be
- Exclusionary abuse of dominance; or
- Combination of exclusionary and exploitative abuse of dominance
The aforesaid types of anti-competitive effects are not apparent from Google’s case of offering rewards to its users. Rather, it can be regarded as a successful strategy of entering retail banking by combining an online payment system with its online advertising business.
The data protection concerns get an economic angle when the following instances occur, namely:
- There has been a data breach that has exposed the personal information of people and has thus affected their right to privacy;
- There is a monetary value that is attached to identity theft of fraud in the form of the following:
- A person has incurred loss from unauthorised charges to their account;
- A person has paid fees to professionals like accountants or attorneys in order to seek support and thereby recover from the loss of identity theft;
- A person incurs other expenses while recovering from identity theft like paying the notary fees, shipping of documents, fees, postage and phone charges;
- A person has spent a significant amount of time filing a claim for recovering from the aforesaid loss within a stipulated time, e, 4 years. In Equifax data breach settlement the aggrieved can be compensated at the rate of $25 per hour.
The aforesaid value is called as “identity restoration services” that will be applicable for upto 7 years once notified by the courts. This will be the case when one discovers that there has been a misuse of personal information. The aggrieved will be entitled to the above benefits if their claims are reviewed and validated.  Thus, the above formulae brings the “economics” of privacy concerns, that will aid quasi-judicial authorities in adjudicating matters concerning privacy violation.To conclude, the possibility of filing a public interest litigation, sufficiently justifying locus standi and gathering evidence continue to be matters that will determine the effectiveness of claims of privacy concerns in a competitive assessment.
Federal trade commission, ‘Equifax Data Breach Settlement ‘ (FTC’s website, January 2020) <https://www.ftc.gov/enforcement/cases-proceedings/refunds/equifax-data-breach-settlement> accessed 24 September 2021.
  EWHC 2217 (QB)
 Vidal-Hall v Google, Inc.  EWCA Civ 311.
 Tara mukerji, ‘Data Breach Damages : How much ?’ (Kennedy’s, 12th October) <https://kennedyslaw.com/thought-leadership/article/data-breach-damages-how-much/> accessed 24 September 2021
 FCA is “designed to recover the concepts, attributes and implications that are hidden in a regulation, with the same formality and rigour with which the regulation was composed when it was created”. Valtchev P., Jãschke R.,Formal Concept Analysis, Lecture Notes in Artificial Intelligence, vol. 6628, Springer, Berlin/Heidelberg (2011).
 DamianA Tamburri, ‘Design principles for the General Data Protection Regulation (GDPR): A formal concept analysis and its evaluation’  91(101469) Information Systems <https://www.sciencedirect.com/science/article/pii/S0306437919305216#b12 > accessed 24 September 2021
Marco Botta and Klaus Weidemann, ‘The Interaction of EU Competition, Consumer, and Data Protection Law in the Digital Economy: The Regulatory Dilemma in the Facebook Odyssey*’  64(3) SAGE Journals <https://journals.sagepub.com/doi/10.1177/0003603X19863590 > accessed 24 September 2021
 Public security, plurality of the media and prudential rules are considered as “recognised public interest”. This is not a dynamic interpretation and is rather considered as a static interpretation.
 There is a relation between “consumer” and “data subject”. In both cases, there is an absence of commercial purpose.However, if there is a commercial purpose, then privacy concerns will be addressed and can be interpreted as “economic interests” that is covered under Article 169(1), TFEU.
 Article 169, TFEU explains consumer protection to include protection of health, safety and economic interests of consumers and the promotion of right to consumer information, education and formation of consumer interest groups.
 LouiseO’ Callaghan and Klaus Weidemann, ‘The intersection between data protection and competition law : How to incorporate data protection, as a non-economic objective, into EU Competition Analysis’ [NA] NA(NA) NA <https://reddycharlton.ie/wp-content/uploads/2018/08/Intersection-between-Data-Protection-and-Competition-Law-Final.pd > accessed 24 September 2021
 Debarghya Sil, ‘Digital Markets Have Become Centers For Unchecked Dominance: CCI Chairman’ (Inc42, 30 July 2021) <https://inc42.com/buzz/competition-law-to-improve-economic-outcomes-ccis-chairman/> accessed 24 September 2021
 UNCTAD Secretariat, ‘Competition law, policy and regulation in the digital era’ (United Nations Conference on Trade and Development , 7-9 July 2021) <https://unctad.org/system/files/official-document/ciclpd57_en.pdf> accessed 24 September 2021
 Daniele condorelli and Jorge Padilla, ‘Harnessing Platform Envelopment in the Digital World’  NA(NA) SSRN <https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3504025 > accessed 24 September 2021
 Keerthi Sanagasetti , ‘All you wanted to know about the zero MDR issue’ (All you wanted to know about the zero MDR issue, 14 January 2020) <https://www.thehindubusinessline.com/opinion/columns/slate/all-you-wanted-to-know-about-the-zero-mdr-issue/article30559534.ece > accessed 24 September 2021
 Katharine Kemp, ‘Concealed data practices and competition law: why privacy matters’ (Tandfonline, 5 November 2020) <https://www.tandfonline.com/doi/full/10.1080/17441056.2020.1839228 > accessed 24 September 2021
 OECD (2020), Abuse of dominance in digital markets, www.oecd.org/daf/competition/abuse-of-dominance-in-digital-markets-2020.pdf
 Federal Trade Commission Guidance, “Monopolisation Defined”, https://www.ftc.gov/tipsadvice/competition-guidance/guide-antitrust-laws/single-firm-conduct/monopolization-defined .
 Federal trade commission, ‘Equifax Data Breach Settlement ‘ (FTC’s website, January 2020) <https://www.ftc.gov/enforcement/cases-proceedings/refunds/equifax-data-breach-settlement> accessed 24 September 2021.