Home Thought Leadership WhatsApp At CCI: What The First-Instance Defence…
Back to Thought Leadership
Competition LawData ProtectionCCI · 2021–2024

WhatsApp At CCI: What The First-Instance Defence Should Have Looked Like

On 24 March 2021 the Competition Commission of India passed a prima facie order directing investigation into WhatsApp's updated privacy policy. Meta ultimately faced a ₹213 crore penalty in November 2024. Much of the damage was locked in during the first ninety days of response.

The regulatory frame CCI actually adopted

By 2021 the CCI had already begun shifting from a separatist posture (privacy belongs only under the IT Act) toward an integrative one: privacy as a non-price parameter of competition, consistent with its telecom sector market study and ultimately the Digital Personal Data Protection Act, 2023. The 2021 policy was vulnerable because it removed the opt-out that had saved the 2016 policy in Vinod Kumar Gupta v. WhatsApp, and imposed a take-it-or-leave-it consent architecture on a dominant OTT messenger with high lock-in.

That is the frame within which the first response needed to be built. Instead, the dominant litigation strategy challenged CCI's jurisdiction and data-protection competence all the way to the Supreme Court (dismissed October 2022). Jurisdiction fights were not frivolous, but they became a substitute for a merits narrative calibrated to the integrative theory CCI was clearly signalling.

Mistakes counsel commonly make at first instance

  1. Treating privacy as off-limits to competition analysis. Arguing that only MeitY or a future data protection board may opine on consent ignores the Bundeskartellamt Facebook precedent and the ECJ's later affirmation that GDPR breaches can be a "vital clue" to abuse of dominance. CCI explicitly cited this trajectory.
  2. Failing to produce a data-flow architecture map. A credible first response attaches a technical schedule: what categories move WhatsApp → Meta, for what stated purpose, on what legal basis, with what retention and deletion mechanics, and what remains end-to-end encrypted versus metadata. Without this, "vague and open-ended" sticks.
  3. Not distinguishing core messaging from advertising graph enrichment. CCI's final order turned on unnecessary sharing for display advertising and cross-service profiling. Counsel should have segmented processing purposes and offered granular toggles unrelated to core chat, mirroring remedial directions CCI ultimately imposed anyway.
  4. Ignoring multi-homing and contestability evidence. Dominance was proved through user scale, network effects and switching costs. A first-instance reply needs economist-backed evidence on Telegram, Signal and enterprise alternatives, paired with UX friction data on migration, not bare assertions of choice.
  5. Late engagement on legitimate interest and consent design. Even pre-DPDP, SPDI Rules and emerging consent-manager discourse gave language for phased rollout, grandfathering and affirmative granular consents. Silence conceded the "coercive unfair condition" theory under Section 4(2)(a)(i).
  6. Letting appeals eclipse remedial negotiation. Three years of jurisdictional litigation forfeited the chance to shape an early commitment decision: purpose limitation, five-year advertising separation (which CCI later ordered anyway), and third-party audit.

How we would defend at notice stage: File a technical data-processing appendix within the statutory window; propose an independent privacy-commitments monitor; invite CCI to a structured tech hearing (like a FRAND or telecom benchmarking session); and parallel-track a product roadmap showing opt-outs for non-essential sharing without degrading core messaging. Jurisdiction challenges should run on a narrow track, not absorb the entire narrative.

Lesson for GCs and product teams

Privacy policy updates on dominant platforms are now competition events. The first PDF counsel sends to a regulator should read like a DPIA plus market study annex, not a press statement. That is the standard we bring to CCI, MeitY and sector regulators for clients whose products touch personal data at scale.

Takeaway

Winning at CCI on privacy is less about denying overlap with data protection law and more about proving, in product terms, that your processing map is necessary, transparent and contestable. Jurisdiction litigation without a technical merits pack is an expensive way to arrive at the same remedies.