The Competitive Effects of Personal Data Protection Bill, 2019

– Devansh Kaushik†

Introduction

In a digital economy, most transactions inherently involve transfer of data. As technology has grown to realise the economic value of data, data firms have become some of the most valuable commercial enterprises in the world. These firms deliver digital services through algorithms, which rely on large amounts of data as input. The larger, more precise and more varied these datasets are, the more accurate and economically productive services are rendered by the algorithms to consumers. Competition in such an economy requires that the flow of data be as unrestrained as possible. An ideal digital market should allow for easy entry and scaling up of start-ups, in order to engender free competition for the benefit of consumers.

However, as commercial enterprises gain access to personal data of consumers, there also emerges the need to enact a data protection law to uphold the privacy rights of individuals. Towards that end, the Union Government had tabled the Personal Data Protection Bill 2019 (hereinafter “PDP Bill”), which is currently pending before a Joint Parliamentary Committee.

While there is no dearth of literature on the merits of the proposed bill in terms of upholding individual privacy, this article adopts a relatively less-considered perspective on the upcoming law, by examining its expected effects on competition in the digital economy. I argue that the compliance-heavy approach of the bill can result in concentration of market power. This will limit the scope for competition and innovation, which will invariably lead to the detriment of total welfare. Such costs of privacy interventions should be accounted for in regulatory decision-making, and be mitigated through a shift in enforcement standards.

The Effects of PDP on Competition

The upcoming PDP bill imposes several sweeping obligations on ‘data fiduciaries’, that may permanently alter the dynamics of the digital economy in India. For quite some time, a major concern with the state of competition in digital markets has been that a few major companies exercise significant market power, by virtue of their economics of scale and network effects. Due to the scope of prohibitions under the PDP Bill, there is a risk of such a state of affairs being further entrenched, as will be demonstrated in this article. Unfortunately, the Justice Srikrishna Committee which authored the initial draft of the bill, did not examine in detail, the competitive effects of privacy regulation in its report.

Newer market players, which lack an established user base, rely on acquiring data-sets externally, in order to develop their algorithms and optimise their services. Creating and maintaining PDP compliant data sets will inevitably impose transaction costs on firms, in terms of ensuring informational security, collecting informed consent from users, maintaining data quality, obtaining regulatory approvals etc (S.4-11 of PDP 2019).

This increase in data processing costs will act as a barrier to new entrants in the market, some of whom may now find it unprofitable to collect and process necessary data. Furthermore, such firms will be rendered unable to compete with larger, entrenched firms, which by virtue of their first-mover advantage, had established a large user base, long before privacy obligations come up. Such larger firms are also able to use their scale to spread their own compliance costs and remain profitable. The PDP bill also notably includes data localisation obligations (S.33-34), which requires firms to set up local data facilities, and obtain regulatory approval for cross-border data transfers. These requirements will act as market entry barriers for small-scale firms based in foreign countries, further affecting competition in the Indian digital economy.

Even in terms of technology advancement and diversification, existing larger firms enjoy a comparative advantage over smaller firms. Firms that operate multi-utility platforms with wide user bases, have an enhanced capability to engage in relatively easier internal data collection. On the other hand, small-scale and less diversified firms, have to rely on more cumbersome, external data collection. The bill itself provides little leeway to new market entrants, with only manual data processing by small entities being exempted (S.39).

The costs of non-compliance under the PDP Bill are also high, with penalties upto INR fifteen crore or 4% of worldwide turnover, whichever is higher (S.57). This is further compounded by the relative ease by which firms can inadvertently breach any of myriad compliance requirements. (For instance, the similarly framed European GDPR saw around 270 breach notifications daily in 2020.) This increases the risks of doing business, particularly for smaller market players. Large established companies are able to easily bear these risks due to their vast reserves and valuations, as has been repeatedly demonstrated elsewhere.

A number of provisions in the PDP Bill grant discretionary powers to the central government and the Data Protection Authority (“DPA”) for setting standards, granting exemptions and expanding the scope of regulation (S.49,50 etc.). This aggravates regulatory uncertainty. Moreover, in terms of institutional design, the DPA lacks sufficient independence. Appointment, removal and remuneration of DPA members are under the exclusive control of the central government (S.42-44). This apparent increases the risk of potential rent-seeking behaviour and regulatory capture by larger firms. In light of the risk of regulatory intervention, risk averse firms/individuals would also prefer to invest in and entrust their data to larger, more reputable firms.

Shifting the Goalposts

In order to maximise total welfare, regulators need to strike the right balance between privacy and competition. While certain provisions of the Bill such as the right to data portability (S.19) and provision for a regulatory sandbox in case of emerging technologies (S.40), do indeed enable competition to an extent, there is a larger need to reconsider the regulatory approach towards privacy itself. The concentration of market power and the consequent centralisation of data and services, in the hands of a few firms also reduces the privacy choices available to consumers in the long run.

The PDP Bill largely follows the same norms of western privacy jurisprudence, best encapsulated in the European General Data Protection Regulations (GDPR). It follows an ex-ante, user-centric approach (Preamble). The utility of the consent-based approach has already been widely questioned. The privacy policies that such regulations seek to prescribe and enforce, are hardly read or understood by consumers in reality. Yet, the penalties under the Bill can potentially be triggered by the slightest deviations from these ex-ante requirements, irrespective of the ultimate welfare outcome. Such pre-emptive actions by regulators have already been witnessed in Europe under GDPR. In fact, a parallel can be drawn here to the early days of anti-trust jurisprudence, which was also similarly focused on ‘protecting’ consumers and restricting business, without considering effects on total welfare. Anti-trust law later evolved to appreciate the equal importance of efficiency gains for total welfare, and provided leeway for legitimate business consolidation to take place. A similar evolution can be expected in the future for privacy jurisprudence as well.

Privacy regulation, at least at the level of enforcement, needs to move from an ex-ante expectations approach towards an ex-post facto, harm-based approach. There should not be a threat of penalty for mere deviations from privacy expectations. Rather than seeking to pre-emptively restrain business flexibility, regulatory intervention should be focused on those egregious breaches of privacy, that result in an appreciable harm to consumer welfare, such as those involving deliberate misrepresentations or resulting in material loss of autonomy of consumers.

Merely the fact that firms gain access to more personal data does not ipso facto imply a loss of welfare. In fact, use of such information may further improve welfare. For instance, merely retaining personal data beyond the period necessary (as prohibited by S.9 of PDP), does not necessarily translate into substantial consumer injury in all cases. Similarly, the obligation to give prior notice of purpose of any data processing (S.5), actually hinders the use of machine learning techniques to gain unanticipated learnings from data. Thus, regulators should more precisely articulate the privacy harms that they seek to prevent. Before any intervention, privacy regulators should strive to identify and quantify the alleged loss of consumer welfare resulting from the ‘illegal’ data flows that they seek to restrict, and compare the same with the expected efficiency gains. Such a methodology would pre-empt mechanical imposition of penalties and induce the DPA to expressly consider and balance the competitive effects of its enforcement action, in interests of total welfare. Egregious breaches of privacy resulting in direct harm to consumers would exceed any marginal efficiency gain and thus continue to be sanctioned. Such a methodology would however, allow for a more considered assessment of the greyer areas of regulation, to the benefit of all stakeholders.

Conclusion

While the need for a privacy law in India is urgent and indisputable, it is equally important to align privacy regulations with a holistic viewpoint of the digital market. The PDP Bill in its current form risks concentrating market power and limiting data flows in the digital market. Such privacy regulation can have appreciable effects on competition and innovation, thus adversely affecting total welfare. Such effects should be expressly accounted for in privacy regulation, without which the cost of regulatory actions will be undervalued. A higher standard for enforcement and penalisation may mitigate such costs to some extent. Whenever the PDP bill does come into force in India, the DPA should seek to enforce it in a phased manner, to allow the industry, particularly newer and smaller players, to adapt and build up compliance capacity. The DPA should actively take into account the competitive effects of its actions and strive to enhance total welfare in the long run.

† Devansh Kaushik is a III-year BA LLB Hons. student at the National Law School of India University.

Image Credits: LiveMint