
Summary
Meta was hauled up by India’s competition regulator for WhatsApp’s 2021 take-it-or-leave-it revision of privacy policy. Tribunal rulings have confirmed abuse of dominance. India’s privacy law is yet to take effect but Meta was reined in. From here on, the CCI and DPA need to keep a joint vigil.
When Henry Ford was asked what colour options his pathbreaking Model T would come in, he famously replied, “Any colour, so long as it’s black.” For years, Big Tech in India operated on much the same philosophy. Services were ‘free,’ but consumers paid with their personal data with little room to ask what would be done with it. Sensitive data taken from India would end up in America.
That era is being brought to an end. Not only does India have a Digital Personal Data Protection law whose rules are scheduled to kick in, the National Company Law Appellate Tribunal’s (NCLAT) recent ruling on Meta and WhatsApp makes it clear that Big Tech can no longer hide behind complex privacy policies to collect data that exceeds what is ‘necessary’ to provide services.
The NCLAT’s December 2025 clarification has hammered this home, ensuring that opt-out choices and detailed transparency must apply to the use of such data for all non-WhatsApp purposes, advertising included.
By affirming that privacy can be a market-competition concern if a major platform’s users are deprived of choice on sharing data, the tribunal has relieved Big Tech of a long-running illusion: that user consent equates to carte blanche for data extraction.
This case began in 2021, when WhatsApp users in India were given an ultimatum: accept new privacy terms that required data sharing with Meta’s other platforms, including Facebook and Instagram, or lose access to the app. It was a classic ‘take-it-or-leave-it’ proposition.
Europeans facing a similar Hobson’s choice were shielded by the EU’s General Data Protection Regulation (GDPR), so WhatsApp was forced to provide them with options to rectify, erase or object to such data processing. But Indian users were denied the same when WhatsApp rolled out its revised terms.
Enter the Competition Commission of India (CCI), which launched a rare suo motu probe. The agency argued that coercive data-sharing was not just a privacy breach, but an abuse of dominance under the Competition Act of 2002. Meta fought back aggressively, claiming that the CCI had no business getting into privacy territory. The courts disagreed, ruling that competition law could indeed examine data practices that distort markets.
The ruling effectively allowed India’s antitrust agency to investigate the “competitive harm” of Meta’s data practices even if it overlapped with privacy concerns. In late 2024, the CCI levied a ₹213 crore penalty on Meta and ordered a five-year freeze on cross-platform data sharing.
On appeal, the NCLAT upheld the penalty, but replaced the freeze with a mandatory opt-out mechanism that granted Indian users the right to refuse data sharing without losing access to the platform.
A comparison with Europe’s experience is instructive. When WhatsApp rolled out its controversial policy there, the GDPR was already in force. European users thus had enforceable rights—to rectify, erase or object to data sharing—that Indians lacked.
Earlier, Germany’s Federal Cartel Office had drawn upon the GDPR in its 2019 case against Facebook, concluding that data exploitation by a dominant platform can constitute anti-competitive behaviour.
India had no such luxury, since the country’s own data protection framework was still in gestation. That vacuum led the CCI to improvise, treating excessive data extraction as an “unfair condition” under competition law—a legal first for India.
The implications are profound. By affirming the CCI’s penalty, the NCLAT has redefined privacy as a “non-price” dimension of competition. In a digital economy where users exchange data instead of currency, a loss of privacy is effectively a decline in service quality.
This means that Big Tech can no longer hide behind sprawling privacy policies written in opaque legalese that few platform users can decipher. The NCLAT’s subsequent clarification this month made it explicit: companies must provide opt-out options and transparency across all non-essential uses, which includes the use of data for advertising purposes.
Come 2026, India’s soon-to-be-operational Data Protection Authority (DPA) under the 2023 personal data protection law will inherit the privacy mantle from courts and other regulators.
The success of this ecosystem will depend on how smoothly the DPA and CCI coordinate their oversight. The two must function less as rival regulators and more as a relay team. The DPA must ensure that companies obtain valid consent from the people whose data it is and process that data lawfully, while the CCI should monitor digital spaces to check if data dominance is turning into market distortion.
A cooperative model exists in the UK’s Digital Regulation Cooperation Forum, which we could learn from. Without it, India risks a patchwork of enforcement where privacy rights and competition remedies trip over each other.
The end of data surrender
Henry Ford’s assembly line may have revolutionized automobile making, but his ‘one colour fits all’ dictum soon collided with consumer choice. Likewise, Big Tech’s ‘trade your data or lose access’ approach has hit its limit. The NCLAT verdict restores the power balance. Even before India’s DPA takes its full shape, users have been awarded a real choice in how their information is shared.
In a country where personal data has long been treated as a down-payment for connectivity, this shift is nothing short of revolutionary.
The author is an independent privacy lawyer.
