loader image

Navigating the recent WhatsApp/ Meta v. CCI’s NCLAT Order: Key takeaways and potential implications on data protection in India

The recent order by the National Company Law Appellate Tribunal (“NCLAT”) dated January 23, 2025 (“NCLAT Order”), in the case(s) of Meta Platforms Inc. & WhatsApp LLC v. Competition Commission of India (“CCI”) following the recent Draft Digital Personal Data Protection Rules 2025, adds intrigue to India’s evolving data protection landscape.

So far as the current market share of WhatsApp in India is concerned, it is not a surprise that WhatsApp is dominant through OTT messaging, and Meta holds a dominant position in the space of online display advertising in India.

WhatsApp’s 2021 Privacy Policy

The genesis of the NCLAT Order arises from CCI’s suo moto cognizance into WhatsApp’s 2021 Privacy Policy (“Policy”) (vide Press Release dated November 18, 2024 (“CCI Decision”). As per the Policy, WhatsApp expanded the scope of data collection as well as mandatory data sharing with Meta Companies, to continue using WhatsApp.

Analysing CCI Decision

The CCI Decision concluded that the Policy, on a “take-it-or-leave-it” policy constituted denial of market access in display advertisement market, and abuse of dominant position under Section 4 of the (Indian) Competition Act, 2002. These observations were made in view of network effects and lack of effective alternatives to WhatsApp in India.

In view of the aforesaid anti-competitive practice, CCI imposed a monetary penalty of INR 213.14 crores on WhatsApp, along with several compliance directives, including data sharing ban for a period of five years. Vide CCI Decision, WhatsApp was also directed to provide details of user data dissipated with other Meta and Non-Meta Companies/ Company Products.

Challenge to CCI’s decision

Assailing the CCI Decision, WhatsApp and Meta approached NCLAT seeking a stay on the penalty and the five-year data-sharing ban imposed by the CCI. It was alleged that contrary to the intent of Section 4 of the Competition Act, 2002 which covers “actual” anti-competitive practices, CCI had passed its decision on the basis of “potential” anti-competitive practices. It was also argued by WhatsApp and Meta that the enforcement of the new Digital Personal Data Protection Act, 2023 (“DPDPA”), ought to have awaited before CCI could render its findings against WhatsApp. Therefore, CCI’s decision suffered from jurisdictional overreach.

CCI refuted these allegations on the premise that they acted within its jurisdiction to investigate and penalize abuse of dominance under the Competition Act, 2002. It was also argued that under the Policy, WhatsApp users had limited control over their data, and the opt-out option was not clearly communicated. CCI further stressed on the potential harm to consumer choice and competition in the digital ecosystem due to WhatsApp’s anti-competitive practices.

NCLAT Interim Findings

NCLAT, whilst granting an interim stay on the five-year ban, upheld the other compliance directives and directed WhatsApp to deposit 50% of the penalty amount, recognizing the need for urgent regulatory clarity. NCLAT acknowledged that WhatsApp’s data-sharing practices raised concerns but stopped short of an outright ban, allowing them to continue their operations with stricter oversight.

Analysing NCLAT findings

While hefty fine on WhatsApp remains in place during the pendency of the Appeal, NCLAT’s focus seems to be on striking a balance between practical business operations and regulatory compliance. As also rightly observed, NCLAT held that the ban of five years on WhatsApp on data sharing with Meta may lead to failure of its business model in India, more importantly considering that WhatsApp services are provided free of cost in India.

The aforesaid proceedings are also a testament to the evolving landscape of India’s data protection framework under DPDPA and highlights the need for a more centralized regulatory approach. Unlike European Union’s General Data Protection Regulations, which entrusts data protection through dedicated Data Protection Authorities, India currently navigates overlapping jurisdictions like CCI in addressing anti-competitive practices coupled with data privacy concerns.

Be that as it may, as India progresses towards implementing the DPDPA, businesses will also need to adapt compliance strategies to align with the evolving regulatory environment. A dedicated and streamlined oversight structure will not only enhance compliance clarity but also foster a more business-friendly environment by reducing overlapping regulatory interventions.

Conclusion

Whilst the final judgment on the issue is yet to be conclusively adjudicated, the NCLAT Order represents a bold stance. At one end, NCLAT has recognized CCI’s jurisdiction to address privacy-related anti-competitive allegations made against WhatsApp, while at the other end, it also protects practical business operations of corporates like WhatsApp amidst unsettled regulatory measures. With this in place, one should hope that the pending enforcement of DPDPA will redefine the regulatory landscape for data privacy in India.

 

AUTHORS: Sanampreet Singh (Senior Associate) | Tushar Sinha (Associate)

[email-subscribers-form id="1"]
This page contains general information regarding Khaitan Legal Associates and is not intended as a solicitation or an advertisement of its services or any invitation or inducement of any sort. Nothing contained in this website constitutes legal advice or creation of a lawyer-client relationship. If you have any issues, you must seek legal advice. Khaitan Legal Associates is not liable for the consequences of any action taken by relying on the material/information provided on this website. For more information, please read our terms of use and our privacy policy.