
The story of data portability in India: a lack of clarity under data protection, competition law and other frameworks


Pankhudi Khandelwal*



Data portability allows users or consumers to have more control over their data by giving them the ability to decide with whom they want to share their data. It also allows for more competition and innovation in the market by making it easy for consumers to switch between different service providers. Multiple jurisdictions have now included data portability obligations in their privacy acts. However, there is no general data portability provision under any law in India. Instead, data portability in India has been provided for specific conditions under different Acts. This article tries to lay down these different obligations and analyse their implications for the rights of consumers in India. The article first analyses the provisions under the Digital Personal Data Protection Act, 2023 and compares them with the Data Empowerment and Protection Architecture which includes the open banking account aggregator framework, 2016 that allows consumers to shift their financial data between different service providers. Further, the article looks at the data portability obligation imposed under the Digital Competition Bill from the perspective of competition law. The article evaluates the practical implications of this obligation and how it can overlap with other frameworks.

Introduction

Data portability has been defined as “the ability of a natural or legal person to request that a data holder transfer to the person, or to a specific third party, data concerning that person in a structured, commonly used and machine-readable format on an ad-hoc or continuous basis”. In other words, data portability allows users or consumers to have more control over their data by giving them the ability to decide with whom they want to share their data. Further, such rights also allow for more competition and innovation in the market by making it easy for consumers to switch between different service providers.

The General Data Protection Regulation (GDPR) in the European Union (EU) was one of the first legislations to provide a general data portability obligation for all data controllers. Multiple jurisdictions have now included data portability obligations in their privacy acts. For instance, Australia has enacted a Consumer Data Right (CDR) framework across different sectors. However, unlike the GDPR in the EU or the CDR in Australia, there is no general data portability provision under any law in India. Instead, data portability in India has been provided for specific conditions under different Acts. This article tries to lay down these different obligations and analyse their implications for the rights of consumers in India.

The article first analyses the provisions under the Digital Personal Data Protection Act, 2023 (DPDPA) and compares them with the Data Empowerment and Protection Architecture (DEPA) which includes the open banking account aggregator framework, 2016 (AA framework) that allows consumers to shift their financial data between different service providers. Further, the article looks at the data portability obligation imposed under the Digital Competition Bill (DCB) from the perspective of competition law. The article evaluates the practical implications of this obligation and how it can overlap with other frameworks.

Part I – DPDPA

The data portability right was explicitly mentioned as a separate right in the Digital Personal Data Protection Bill (Section 26 in the Personal Data Protection Bill, 2018 and Section 19 in the Personal Data Protection Bill, 2019). However, this provision has been removed from the final Act except in case of consent managers who are required to act as a single point of contact to enable users to give, manage, review and withdraw their consent through an accessible, transparent and interoperable platform. Beyond this, the Act does not specify who these consent managers are or which platforms are included within this definition. However, it could refer to intermediaries in specific frameworks, such as the AA framework for open banking in India, where account aggregators are required to share consumer data between financial institutions after obtaining user consent.

One way of looking at these provisions could be that India might be trying to follow the same Consumer Data Rights (CDR) framework as Australia, which is being applied from sector to sector. The DEPA provides an existing structure that can be extended to different services. However, the scope of the provisions of consent managers remains to be seen for other sectors. For instance, the Indian government has already initiated extending data rights in the healthcare sector. Paragraph 3.5.3 of the National Health Data Mission explicitly provides the role of consent managers and the technical standards to be followed for being part of the digital health ecosystem. This federated architecture would also rely on the Aadhaar and DigiLocker consent management framework (paragraph 2.2.4). These frameworks explain the absence of a general data portability right in the DPDPA since the idea might be to extend these rights through sectoral frameworks rather than a general obligation to decrease the compliance costs on small players.

Part II – Digital Competition Bill

In light of the above discussion, it is interesting that data portability has been explicitly mentioned as an obligation in the DCB. The DCB provides for numerous obligations on certain entities identified as Systemically Significant Digital Enterprises (SSDEs). The DCB aims to regulate the dominant big-tech players, such as Google, Amazon, Apple, Meta, etc., to increase competition in the digital markets. The DCB is largely inspired by a similar regulation, the Digital Markets Act (DMA) in the EU, which also imposes certain obligations on the entities designated as gatekeepers (article 3(1)), including enabling data to be transferred from their service to other services (article 6(10)).

Since a few big companies dominate digital markets, there is tension between legislating data portability as a data protection policy or as a competition law remedy. The Competition Commission of India (CCI) has identified data as an essential tool for competition in several orders and market studies. However, it should be noted that there is a difference in the application of data portability under the two regimes. Firstly, the right of data portability usually has asymmetric enforcement in competition law since the duty to share is imposed on large undertakings and not small players. Secondly, while under the data protection policy, data portability applies only to personal data, under the competition law framework, it applies to all kinds of data, including data about the behaviour of users on a platform, which is necessary for third-party providers to understand consumer demand. In this way, data portability can also increase data-driven innovation.

However, this right has certain practical limitations, especially in the context of big tech companies. This has been highlighted in the compliance reports that the designated gatekeepers under the DMA submitted to the European Commission. Many entities, such as Google and Facebook, have claimed that they already allow data portability. However, the services of the gatekeepers benefit from network effects and increasing returns to scale which lead to consumer lock-in by increasing the switching costs between different services. Further, although there are very few studies on the effectiveness of these provisions, it has been suggested that the kind of data porting allowed by big tech does not help competitors provide additional services or innovations to users since they cannot export the context of such data. For instance, platforms might structure the data in a way that it can only be read by their own services or in the context of the features provided by their services.

Therefore, such regulations might need to provide more technical specifications, such as data standardization and similar technical formats, to be made practically beneficial, which could be a complex exercise. The regulator would also have to identify the services of the big-tech platforms where such obligations can be imposed. Further, provisions relating to data portability require continuous monitoring which can impose high regulatory costs regarding both the resources and the expertise needed to ensure effective implementation.

Part III – Institutional framework

Jurisdictional overlap is a significant issue when regulating big tech. In India, it is still unclear how jurisdictional matters relating to competition in other sectors where sector regulators are present can be resolved. The Supreme Court of India, in CCI v. Bharti Airtel, has stated that while adjudicating jurisdictional conflict between the CCI and sectoral regulators such as Telecom Regulatory Authority (TRAI), in the first instance, TRAI must adjudge the technical issues and only if it finds a prima facie case of anti-competitive behaviour does the CCI get jurisdiction to decide the anti-competitive issue. However, in the case of Monsanto Holdings, the Delhi High Court said that the decision of the Supreme Court was delivered in the context of the specific dispute and the specific role of TRAI and the same cannot be applied to the functions played by the controller under the Patents Act.

Digital markets encompass various kinds of service providers, some of which would also fall within the regulatory domain of other sector-specific regulators. For instance, in the market for payment apps and e-wallets, the Reserve Bank of India has the jurisdiction to lay down regulations to maintain competition among the different providers. However, the CCI has also intervened in these markets in cases relating to competition law issues. This can lead to overlap between different regulators on the same issues.

In the recent final decision of the CCI in the case relating to WhatsApp’s data-sharing policy, the CCI clarified that the Commission can examine such policy from the perspective of competition law. The CCI acknowledged that “due to the growing complexity of the digital economy, data-related practices can fall under different statutes, including data protection, consumer protection and competition laws”. As per the CCI, “data protection and privacy laws focus on maintaining transparency and securing individual rights while competition law addresses the impact of data on market power, ensuring that dominant firms do not exploit their data advantage” (paragraph 28.5).

The CCI has attempted to provide a more harmonious interpretation to the intervention by different authorities. The CCI lists down the differences in the application of the competition law and data protection law in terms of the coverage of different entities and different types of data (discussed in Part II above). However, in a remedy relating to data portability, competition law and data protection framework would have to be applied concurrently, at the very least to cases relating to the sharing of personal data by dominant firms/SSDEs. The uncertainty around jurisdictional conflicts can raise issues relating to forum shopping, double jeopardy and delays in enforcement. Although the Competition Act, 2002 provides a mechanism for the CCI to make a reference to other regulators and vice-versa, this provision is not used frequently by the regulator. Therefore, it might be necessary to lay down clear guidelines on how the right to data portability would be enforced to avoid regulatory uncertainty.

Conclusion

The right to data portability has many benefits. However, implementing this right to seek those benefits is challenging due to both technical and regulatory factors. Considering this, it might be prudent for regulations to require such data-sharing only once there is more certainty regarding the mechanisms that can be installed to ensure their effective enforcement. India has seen a high success rate with interoperability and data portability in the financial sector, especially with respect to the payments system and the open banking framework due to DEPA. However, this success might be difficult to replicate for other digital platforms, which are more complex and are identified with a high level of information asymmetry between the regulator and the regulated entities. It is necessary to consider these challenges before enacting provisions that require big-tech players to compulsorily share data with other services. This is because, designed improperly, such provisions would have self-defeating effects by leaving room for big players to symbolically comply with underspecified regulations while increasing burdens on smaller players.


 


*Pankhudi is a PhD researcher at the European University Institute. Her research focuses on competition law and regulation in the digital markets.