.png)
The authors are Aryan Sharma and Arav Akolkar, 3rd year students at Maharashtra National Law University Mumbai.
Introduction
The internet has played a major role in altering the world. It has generated billions of dollars of revenue for people, corporations, governments etc. As per the authors, ‘data’ is the main reason behind this phenomenon. In fact, data is said to be the driving force behind the 4th industrial revolution.
Data is a non-rival good that may be accessed by many concurrent users without compromising its quality or increasing the likelihood that its supply will run out. ‘Data Economy’ is a worldwide digital ecosystem where businesses, individuals, and organisations gather, organise, and share data to produce economic value. The value of the data economy has seen exponential growth, and will continue to do so, with the European Commission estimating the value of the data economy growing to €829 billion in 2025; and if data is optimally shared, an extra €185 billion in profit during 2021–2030.
Recognising the potential of the data economy, the European Union (“EU”) created the European strategy for data and its regulation as per ‘European Principles and Ethics’. The potential for the Indian data economy’s growth is extremely high, with reports showing India's data market to be ranked 13th. A recent NASSCOM report shows the economic benefits of regulating the Open Data economy. The Digital Personal Data Protection Act, 2023 (“DPDPA”) solely deals with digital personal data, ignoring other forms of data. Moreover, it does not regulate Business-to-Business (“B2B”) activities and solely focuses on Business-to-Consumer (“B2C”) regulation, unlike the EU legislation.
The need to have B2B regulation of data markets
The data economy presents a fundamental market imbalance that demands B2B regulation. This imbalance is substantiated through the following four key arguments: Firstly, the ability to collect and analyse data is key to gaining success in the data economy. In data markets, the inability to access data may act as a barrier to entry. Companies control large amounts of data and gain significant market power and this data strengthens their core services and creates network effects that reinforce their dominant positions. The market dynamics of the data economy are such that as companies expand their capabilities and retain more users, the amount of data they collect increases.
In its WhatsApp Suo Moto Order, the CCI established WhatsApp’s market power based on its user base and unique features, underscoring the role of network effects. It is pertinent to note that network effects, combined with minor actions by platforms, can exclude and marginalize competitors.
Secondly, in data markets, there is also a huge concern about entry barriers when new companies are unable to collect or buy access to similar data. Large firms benefit from economies of scale, positive feedback loop and network effects, making it difficult for smaller competitors to enter and compete. The main challenge is having access to almost all raw information but lacking the processing power to engage with different types of information.
Thirdly, high switching costs due to lack of data portability prevent consumers from moving into new systems, creating additional barriers to entry. Therefore, data is often used as a tool to hinder marker entry. The data economy relies heavily on innovation, which is driven by new entrants. However, the dominance of established companies poses a significant risk to the advancement of the data economy due to the barriers to entry.
Lastly, firms often have much more information about consumers than consumers have about the firm’s data practices leading to market failures where consumers cannot make informed decisions. Antitrust policies need to address the transparency of data usage and ensure fairness in how data is collected and used. For instance, in a case against Facebook investigated by the German Federal Cartel Office, extensive restrictions were imposed on Facebook’s processing of user data. Facebook’s terms and conditions required users to agree to the collection of their data not only on the website but also across the internet and on apps.
In conclusion, the CCI’s observation in FHRAI v. MMT merits attention, that in a ‘winner-takes-all’ market, it is important to address and eliminate anti-competitive behavior promptly if it is not based on merit. Due to the aforementioned considerations, it is clear that if a company’s use of data harms competition to the extent that it outweighs the benefits, it prompts an enforcement response.
Insufficiency in existing laws regarding B2B data regulation
The current Indian laws, while comprehensive in some aspects, have notable insufficiencies in addressing the nuances of the data-driven market. Indian legislations such as the Competition Act and the DPDPA face challenges in addressing the contours of the data economy.
A. Competition Act, 2002
Applying the Competition Act to digital markets presents some problems, as these markets often function as ‘zero-price markets,’ which conflict with traditional legal and economic theories related to competitive harm. Competition law struggles to address the competitive distortionscreated by zero-price models in the data economy, where consumers receive free services in exchange for their data.
The CCI’s stance on data misuse is still evolving, as evidenced by its closure of cases, such as in XYZ v. Alphabet Inc. & Ors based on uncorroborated assertions, but it is not fully there yet. The nature of data-driven markets requires specialized regulations that can effectively govern data sharing, processing and its competitive effects.
B. Digital Personal Data Protection Act, 2023
The K.S. Puttaswamy judgment established the fundamental right to privacy under Article 21 and influenced the framing of the DPDPA, which marks a significant step in India’s journey toward regulating data protection. However, the DPDPA fails to provide for regulation of business data and other forms of non-personal data. This is a data privacy concern because machine learning can merge non-personal data or business data with personal data collected through cookies, trackers, and other methods from various sources, which poses a huge risk to data privacy. Additionally, there is a lack of specific mechanisms for data transfers creates potential legal risksfor businesses engaging in international data flows. This hinders cross-border trade, thus affecting the global integration of Indian businesses.
Moreover, under the DPDPA, data principals do not have the right to data portability to opt out of automated decision-making. This right was included in the earlier Draft Bills of 2018 and 2019. Because of the lack of provisions for data portability, it is difficult for consumers to switch between platforms, thereby strengthening the dominance of established players. The Information Technology Act, 2000 was designed for a different technological era and fails to encompass the contemporary challenges of the data economy.
Data Governance in India: Lessons from the EU
Every specialised market needs a governing law (for instance, the SEBI Act for the Securities Market). Currently, there is no such governing law that specifically regulates data economy in India. The European Union faced a similar situation and, to tackle this gap, it passed the Data Governance Act, which establishes guidelines for common data spaces in strategic domains. The data spaces guarantee that businesses and individuals retain sovereignty over their data while increasing the amount of data available to the economy and society. Additionally, the Act creates the European Data Innovation Board, which is responsible for facilitating B2B data exchange through intermediation and interoperability.
Similarly, in India, there exists a government-managed open data platform, the Open Government Data (OGD) Platform, which serves as a centralized repository of data intended to facilitate public access to shareable data owned by the Government. While this initiative is commendable, it is insufficient, as highlighted by the NASSCOM Report. The report reveals that India’s OGD is not being efficiently governed and emphasizes how it can be utilized to create jobs and drive innovation. The quality and clarity of data on the platform are inadequate. The authors believe it is important to highlight additional shortcomings and offer recommendations for a suitable data ecosystem.
Firstly, the repository consists solely of government data, with no provision for private data sharing. Secondly, it operates as a centralized system of data sharing. To provide context, there are 2 main models of data governance: centralized and federated. A centralized system collects data in a repository, like the OGD Platform. In contrast, a federated system is more democratized, featuring interconnected repositories with high interoperability. While data administration is said to be simpler with central storage, giving people more control over their data and eliminating users’ reliance on data collectors for access, a centralized repository also creates a single point of failure, making it easier for hackers to target a system containing personal information. A breach could jeopardize the sensitive personal information of the entire population if all such data were housed in one location.
A federated system is safer than a centralized system as it reduces the risk of a single point of failure. The European model incorporates the federated system by setting guidelines on data-sharing and regulating the participants in the data ecosystem. Such a model would thus instill trust amongst the participants in data-sharing markets.
The EU Data Framework heavily depends on the voluntary sharing of data. This concept is not foreign to the existing Indian framework. SEBI has a data sharing policy to share anonymised data that is not publicly available; and recently, SEBI released a new circular that provides guidelines on data sharing policy for research/analysis purposes. It introduces a framework to ensure uniformity in sharing securities market data by Stock Exchanges, Clearing Corporations, and Depositories. However, data sharing for commercial purposes is strictly restricted; the policy primarily focuses on allowing data sharing for research and academic purposes by accredited institutions, with a clear distinction between publicly shareable aggregate data and sensitive, individual-level data that cannot be shared for commercial use.
The EU's proactive approach to regulating data sharing through their Data framework provides a valuable blueprint for India. The recent Committee on Digital Competition Law came up with a Digital Competition Bill, specifically targeting Tech Giants and their anti-competitive activities in the digital market. While the bill is a step in the right direction, the bill inadequately regulates the sharing of data between firms. The committee accepted the concerns of members who disagreed over the addition of interoperability of data in the draft bill. There are concerns that such regulations could increase user costs and stifle investment. One of the guiding principles of competition law is to benefit the consumer and increased costs are antithetical to the same.
Therefore, India must develop a strong legislative framework with precise norms for data sharing. This framework should include sufficient measures to guarantee that data collected by private entities is safe and not lost if a data collector ceases operations, in addition to protecting the stored data from potential leaks.
Way Forward
Throughout this article, several arguments in favor of government regulation of the data economy were put forth, which ranged around antitrust and privacy concerns, as well as taking inspiration from the EU’s legislative approach. To effectively regulate the data economy in India, the following suggestions are proposed:
Mandatory data sharing systems should be established that require large companies holding important market data to share anonymized datasets with smaller competitors (for a reasonable cost). These systems must incorporate standardized data formats to ensure interoperability. This would directly address market power concentration and foster innovation among smaller players.
Considering the close relationship between the data economy and competition in digital markets, there should be harmonization based on coordination between the Digital Competition Bill and potential data-based legislations. An example of this can be seen in the EU's Data Act, where Article 5(3) clearly states that any company designated as a gatekeeper under the Digital Markets Act cannot benefit from the B2B data-sharing provisions.
Also, as proven earlier, in the new age digital world, success is greatly determined by having access to good quality data; and firms in the present scenario face a lot of entry barriers due to the lack thereof. By facilitating access to data, the Indian data legislation can enable businesses, especially small and medium-sized enterprises, to develop better products and services. This can happen once there is fair, reasonable and non-discriminatory access to data. The same can take place with the creation of ‘common data spaces’, which provide structured environments where data can be shared under agreed-upon standards and practices, which would enhance trust and cooperation among stakeholders. Establishing such spaces will enhance the findability, accessibility, interoperability, and reusability of data while maintaining strong cybersecurity standards. This democratization will reduce entry barriers and allow businesses to finally be able to compete based on the quality of their services rather than the volume of data they possess.
The government has taken positive steps by establishing the Expert Committee Report on Non-Personal Data Governance Framework however, much more needs to be done. While the government’s role is undoubtedly important, the stakeholders must ensure that they follow healthy practices that don’t muddy the waters of the growing data economy. Self-regulation can certainly help manage data because, ultimately, the most significant influence lies with the players themselves. This was seen in the recent Disney-RIL merger, wherein the major reason for the approval by CCI was the voluntary conditions the parties imposed on themselves.
That is also why leading AI firms have pledged to ensure the responsible use of data in AI by self-regulation. Instances include DeepMind’s development of AlphaFold and its decision to provide it for free to the scientific community, Anthropic’s pledge to increase capabilities once certain security criteria are met and OpenAI’s announcement to allocate 20% of their compute resources exclusively to alignment. Unfortunately, wide-scale self-regulation is a distant reality. A B2B data-sharing law in India could address the gaps by ensuring that data generated through business activities is accessible to various stakeholders. By doing so, India can spur innovation, particularly in emerging fields such as artificial intelligence, the Internet of Things and big data analytics.
Comments