The Competition Commission of India (‘CCI’) fined a major social media player for imposing unfair conditions on its users via its 2021 privacy policy update. This update compelled users to accept expanded data–sharing practices without an opt–out option, leading to a significant regulatory response. While this case primarily hinges on a violation of Section 4 of the Competition Act, 2002 (‘Act’), it also raises serious concerns under the Digital Personal Data Protection Act, 2023 (‘DPDPA’). What makes this case significant is the potential for competition law to bolster privacy protections where dominant digital platforms erode user choice and privacy by failing to offer true consent and transparency.

The 2021 privacy policy update constituted a “take-it-or-leave-it” proposition, violating Section 4(2)(a)(i) of the Act, which prohibits the imposition of unfair conditions by a dominant enterprise. The update compelled users to accept expanded data collection and sharing across multiple ecosystems without providing an opt-out mechanism.

While the policy contradicts key principles of DPDPA - i.e., clear and itemised notice as against vague and non-exhaustive terms like “service-related information” or “interaction with others”, which left users uncertain about what data was being collected or how it would be used; or free, informed, specific, unambiguous as against accepting the policy in full or discontinuing using the service - the pertinent question today is the need for Digital Competition Bill (DCB) or an amendment to the Act (whichever the case maybe) and the role of the CCI in privacy matters.

The jurisdictional overlap between the CCI and the proposed Data Protection Board (‘DPB’) has emerged as a significant concern in the digital regulatory landscape. The CCI possesses overlapping mandates that can lead to concurrent investigations into similar issues, particularly concerning the collection and processing of personal data by dominant digital platforms.

The CCI observed that competition authorities play a vital role in curbing anti-competitive practices in data-driven markets and held that, given the overlap between data protection and competition concerns, a coordinated legal approach is essential to safeguard fair and transparent digital markets.

The CCI also held that data protection laws are universally applicable to all organizations that manage personal data, safeguarding individuals’ privacy and rights. In comparison, Section 4 of the Act targets only dominant entities, placing extra responsibilities on them to prevent the misuse of market power. There is no fundamental conflict or inconsistency between these two legal frameworks. Rather, the Act complements data protection regulations by imposing stricter duties on dominant firms to ensure they do not exploit their market position in ways that could distort competition or negatively impact consumer welfare.

The Supreme Court’s ruling in Competition Commission of India v. Bharti Airtel Limited, provides guidance and held that in cases of jurisdictional overlap, the specific sector regulator should first address the issue, with the CCI’s jurisdiction activated if anticompetitive conduct is identified.

The CCI defined two relevant markets: OTT messaging apps via smartphones in India and online display advertising in India. It rejected a unified “market for user attention,” highlighting that mobile–first apps like messaging apps are distinct from desktop services due to user behaviour and mobility. In advertising, CCI separated search and display models, citing differences in delivery and infrastructure, justifying distinct market definitions.

CCI found the social media player dominant, with high daily/ monthly users, strong network effects, switching costs, and limited multi-homing. The parent entity’s integration across platforms and vast data access strengthened its market position. The privacy policy was deemed coercive, expanding data sharing without an opt–out option, violating Section 4(2)(a)(i). The parent entity’s use of the social media player’s data to boost its advertisement business unfairly disadvantaged smaller competitors, breaching Sections 4(2)(c) and 4(2)(e). CCI concluded that the parent company leveraged its dominance in messaging services to entrench its hold over digital advertising, increasing lock-in for users and advertisers.

The CCI also observed that when it comes to services that are offered by e-commerce giants or digital platforms at zero monetary cost, the general population gives less importance to privacy protection, data security and transparency of data practices. The CCI also considered the consensus behind the idea that ‘competition on privacy’ can constitute an element of competition. Finally, CCI also noted that it would await the implementation of the forthcoming data protection laws before taking further steps in light of data governance concerns raised during the assessment.

The need for the Digital Competition Bill (‘DCB’) or an amendment to the Act (whichever the case maybe) arises from the limitations of existing regulatory frameworks in addressing the structural challenges posed by dominant digital gatekeepers. As illustrated by the CCI’s findings against the parent entity, ex-post enforcement under the Act is often reactive and time-consuming. The DCB, as proposed by the Committee on Digital Competition Law (2024), introduces an ex-ante framework specifically tailored to Systemically Significant Digital Enterprises (SSDEs), targeting practices such as self-preferencing, anti-steering, data leveraging, and restrictions on interoperability. These provisions are critical in curbing gatekeeper behaviour before harm occurs, ensuring contestability and fairness in digital markets. However, even in the absence of a standalone DCB, a comprehensive amendment to the Act to incorporate such ex-ante provisions could serve the same purpose. In light of this decision, where data dominance was leveraged to distort both competition and privacy norms, the DCB represents a much-needed structural reform to pre-emptively discipline Big Tech and uphold user choice, innovation, and market access.

This case also illustrates how competition law (and the CCI) can act as a complementary enforcement mechanism to data protection law. Although the DPDPA provides detailed safeguards for user data, it lacks robust mechanisms to prevent coercive consent or structural imbalances in digital markets. Further, the DPB under the DPDPA also lacks the suo moto powers to inquire into breaches and non-compliance, unlike the CCI, which can launch investigations on its own. The CCI’s intervention provides an effective check against such exploitative practices by:

-  Recognizing privacy as a non-price parameter of competition.

-  Highlighting the role of information asymmetry and user lock-in in distorting market outcomes.

-  Imposing remedies that go beyond privacy (e.g., cease-and-desist orders, opt-out requirements), thereby restoring competitive balance.

Notably, DPDPA’s Section 17(2) allows data to be processed without consent for “legitimate uses” such as public interest, safety, or legal obligations. However, the parent entity’s data sharing under WhatsApp’s 2021 policy does not qualify under these exceptions. It is commercial in nature, aimed at improving ad-targeting and monetization. This highlights the overreach by the parent entity and the corrective oversight role played by the CCI.

The CCI rightly emphasized that the social media player’s privacy policy violates the reasonable expectations of users. Most consumers believed their data would be used solely for improving messaging services. Instead, the platform expanded its scope to include sharing for marketing, recommendations, and cross-platform targeting, without any meaningful disclosure or consent.

The CCI’s decision underscores a growing trend: competition law is evolving to address privacy harms, especially where data is used to create market power or suppress rivals. This ruling also highlights a significant point of tension between India’s DPDPA and the behaviour of dominant digital firms. While the DPDPA seeks to ensure transparency and consent, enforcement remains limited without sectoral regulators like the CCI stepping in. As India’s digital economy grows, the convergence of competition and privacy enforcement will be essential to ensuring fair markets and safeguarding consumer rights.

About the authors: Prashanth Shivadass is a Partner, and Shri Gayathri, Ananya K and Sandra Philip are Associates with Shivadass & Shivadass (Law Chambers).

The contents and comments of this document do not necessarily reflect the views/ position of Shivadass and Shivadass (Law Chambers) but remain solely of the author(s).

Disclaimer: The opinions expressed in this article are those of the author(s). The opinions presented do not necessarily reflect the views of Bar & Bench.

If you would like your Deals, Columns, Press Releases to be published on Bar & Bench, please fill in the form available here.