Summary of IFF’s submission on the draft Digital Competition Bill

tl;dr

On March 12, 2024, the Digital Competition Law Report (“Report”) and draft Digital Competition Bill, 2024 (“DCB, 2024”) were published on the official website of the Ministry of Corporate Affairs (“MCA”) with an initial deadline of April 15, 2024 for submitting comments. In our submissions, we highlighted and offered recommendations on four broad areas of concern: friction in the consultation process; inadequacies of the data protection law; potential regulatory overlap with existing and upcoming legislations; and the regulatory approach proposed under the Bill. While the MCA has elaborated upon its reasons for regulating the digital market, we believe there still exists scope and reason to build expertise on the unique and varied market risks and anti-competitive practises by conducting extensive digital market studies. 

Important documents:

1. Digital Competition Law Report (“Report”) and Draft Digital Competition Bill, 2024 (Link)
2. IFF’s submission to the MCA on the DCB, 2024 (Link)
3. IFF’s representation to the MCA on deadline extension (Link)

Our submissions

In a letter to the MCA dated March 21, 2024, we requested them to extend the period to submit comments as it may also allow stakeholders to become well-versed in the various anti-competition practices and understand the various implications of the draft bill on consumer interest. In an open letter, several stakeholders, including IFF, requested an extension of the deadline by five months. The MCA however only extended the deadline to submit comments to May 15, 2024. In addition to extending the timeline, the MCA allowed stakeholders to submit comments via email apart from the initial e-consultation mode. This post includes a summary of suggestions we submitted to the MCA on how they can proceed with the regulation of an ever-evolving and expanding market.

1. Friction in the consultation process: In our March 21 letter to the MCA we also pointed out some concerns with the E-Consultation portal being used by them for accepting responses. Although the portal has some positive features like modifying the submitted comments multiple times during the consultation period, ​​the portal requires the non-registered or non-logged in user to mandatorily submit profile information - such as name, e-mail ID, phone number, address, and profession - before submitting comments. In case a user chooses not to register and log in as a ‘guest’, they will still be required to validate their email ID and mobile number through a one-time password. This model of submitting comments creates significant hurdles as many individuals may not want to register on a government portal and/or share their mobile number for submitting their inputs under a public consultation process. MCA’s complete reliance on a digital mode for accepting submissions and introducing additional layers of mandatory verification raises concerns about digital exclusion. Further, the MCA has stated in its instruction kit for E-Consultations that it would not be making the comments received public on its website. Recent reporting about inaccurate representation of stakeholder positions in the Report released by the MCA also underlines the need for transparency in the drafting and consultation process. The 235-page Report includes a summary of the stakeholder comments received by the Committee on Digital Competition Law (“CDCL”) on the need for a separate, ex-ante law to tackle competition issues. This further highlights the need for transparency in the public consultation process by placing responses in the public domain, such that any similar concerns/allegations are verifiable.

2. Inadequacies of the Digital Personal Data Protection Act, 2023: Although the DCB, 2024 disallows SSDEs from using data of the end user or business user by any third party without the consent of the former,  under the DPDPA, 2023 data fiduciaries do not have to inform principals about the third parties with whom their data will be shared and the duration for which their data will be stored, and if their data will be shared to other locations globally. Another shortcoming of the DPDPA that has not been accounted for by the Committee is the flawed consent framework of DPDPA [Section 7(a)] that relies on an opt-out model of deemed consent as opposed to a privacy-advancing opt-in model. The DCB, 2024 allows processing and sharing of data, except in certain cases, as long as the consent of the end user or business user has been obtained. Given the weak consent framework outlined in the DPDPA and the general consent fatigue among users, the MCA must consider if the recommended safeguards are sufficient to achieve the stated goals of curbing anti-competitive practises. Notably, the DPDPA, 2023 excludes from its application any personal data made publicly available by a data principal or another person to comply with a law. This provision will restrict data principals from protecting their data from online scraping. Given that large enterprises usually have the required resources to conduct such online scrapping, the DPDPA does not provide adequate protection against potential threats arising from such practices. The DCB, 2024 should also impose obligations on entities to have meaningful and transparent consent-seeking mechanisms and prohibit any use of deceptive practices, such as dark patterns, that manipulate users into giving consent. This risk may exist even after the operationalisation of the DPDPA, 2023, as it does not govern interfaces or designs through which personal data is collected (See our suggestion to the Ministry of Consumer Affairs on how consumer data collection through dark patterns can be regulated).

3. Potential regulatory overlap with existing and upcoming legislation: The Committee noted that since a draft of the Digital India Bill (“DIB”) has not yet been released, the exact contours of its applicability cannot be delineated yet. However, it is clear that the DIB, based on the initial broad contours shared by the Ministry of Electronics and IT, will have a broad scope of application. Thus, the MCA must consider the complementary nature of these legislations and allow room for any future conciliation. The MCA must also consider delaying the implementation of such an Act - given that significant regulatory bodies such as the Data Protection Authority under the DPDPA, 2023 and any authority to be notified under the DIB will regulate a similar pool of enterprises as the CCI. Further, the ability of enterprises to think in the long term gets compromised in case of policy uncertainty contributing to regulatory overlap. It may also lead to regulatory uncertainty which may negatively affect business outcomes as well as user experience. The DCB, 2024 borrows the definition of ‘consent’ from the DPDPA, 2023. Similarly, the bill also borrows the definition of ‘intermediaries’ from IT Rules, 2021. The evolving nature of these legislations, as well as the vague and arbitrary nature of these definitions, must be evaluated by the MCA before relying on these legislations. 
4. Broad comments on the regulatory approach proposed under the draft DCB, 2024: The DCB, 2024 proposes ex-ante regulation for addressing anti-competitive practises, i.e. regulatory measures implemented in anticipation of potential issues. Several stakeholders have expressed doubts about the efficiency and effectiveness of an ex-ante approach, especially in providing immediate relief or redressal. The vast number of businesses and sectors and the varied nature of competitive practises will inevitably delay any action by the CCI. Delayed appointments and excessive vacancies in the CCI also raise doubts about the regulator's ability to undertake this enormous responsibility. The CCI would also need expertise on the unique and varied market risks and anti-competitive practises, which can only be understood in depth after conducting an extensive digital market study. With respect to the provisions on penalty under the DCB, 2024, the MCA and CCI must consider if imposing negative reinforcements like monetary penalties are sufficient for driving change in monopolistic practises or anti-competition conduct of large entities. There exists ample evidence to indicate the trend of delaying payment of even hefty fines imposed upon prominent platforms and enterprises under stringent laws like the EU's General Data Protection Regulation (“GDPR”), mostly by appealing against the decisions in Courts and defending their practices. The CCI has also in the past noted differences in the response of prominent platforms to compliance orders by regulators in India as opposed to international jurisdictions, such as the EU. Such delays in compliance not only reduce the deterrent effect of the penalties but also allow the continuation of anti-competitive practises which monetarily benefit the platforms and disadvantages the end or business user. Thus, the MCA must consider and deliberate over other forms of deterrents, incentives, or reinforcements, whether in addition to the monetary penalties suggested under the DCB, 2024 or in place of it, while consciously avoiding rights infringing penalties such as criminal liability for employees.