[Nandinii Tandon is a fourth-year, and Mehul Sharma is a third-year B.A. LL.B. (Hons.) students, respectively, at the Rajiv Gandhi National University of Law (RGNUL), Punjab. In this article, the authors examine the conceptual friction between data monopolisation and consumer privacy in India’s rapidly evolving digital economy. By leveraging a sophisticated comparative analysis of foreign jurisprudence, the piece explores the viability of the “Essential Facilities Doctrine” (EFD) as a tool to curb anti-competitive data hoarding by big-tech incumbents. The core of the article’s original contribution is a doctrinal bridge: the authors argue that Section 7(e) of the Digital Personal Data Protection (DPDP) Act, 2023, can be interpreted to facilitate data sharing under the EFD.]
Introduction
In the digital age, data has emerged as a highly valuable resource and is often described as the ‘new oil’ of the economy. Corporations routinely collect, process and commercially exploit such data. Therefore, big tech companies with access to vast troves of data are at a competitively advantageous position in comparison with new entrants. This becomes particularly concerning when the firm with control over the datasets of consumers holds a dominant position in the relevant market, as it might lead to the establishment of a monopoly in the long run. The refusal to share information with the competitors could lead to effectively limiting competition in the market to the detriment of consumers. In recent times, therefore, the big tech giants have been at the fore of antitrust scrutiny across jurisdictions, with various cases highlighting their exclusionary conduct towards new entrants and competitors. In this backdrop, this piece delves into whether such data can be treated as an ‘essential facility’ as per the Essential Facilities Doctrine (“EFD”), and further, whether the sharing of such data with competitors can be harmonised with the recently enforced Digital Personal Data Protection Act, 2023 (“DPDPA”).
Understanding the Essential Facilities Doctrine
As envisaged in MCI Communications v. AT&T, the EFD applies only where a monopolist (i.e., a dominant entity) controls a facility indispensable to competition that cannot be reasonably or practically duplicated, denies access to it, and providing such access is technically and economically feasible. Although the Competition Act, 2002 (“the Act”) does not specifically mention the EFD, it flows from Section 4(2)(c) of the Act which aims to prevent the abuse of dominance by an enterprise by way of denial of market access. In Indian competition law jurisprudence, the test for the application of the EFD has been laid down in Shamsher Kataria v. Honda Siel Cars Ltd., which requires (i) the essential facility to be controlled by the dominant firm, (ii) incapability to create an alternative, (iii) the denial of access of such facility, and (iv) the feasibility of allowing access to the facility.
In the traditional sense, the EFD covers physical infrastructure or more broadly, tangible facilities. However, in today’s world, where business models of big tech companies rely heavily on their ability to collect, process and monetise data, it can be argued that such ‘data’ ought to be treated as an essential facility.
Data as an Essential Facility
A significant first-mover advantage has entrenched market leadership in digital markets, rendering entities such as Google, Apple, Facebook, Amazon, and Microsoft effectively uncontested due to the accumulation of vast, practically non-replicable datasets over time. “Essential data” refers to datasets that are so critical that, without access to such data, competitors cannot realistically enter or compete effectively in a market. Yet, determining what qualifies as essential is another challenge in itself due to the intangible nature of data. Unlike tangible assets like physical infrastructure, it can be argued that data can be reasonably replicated, and its value is largely context-dependent. While transaction and seller-performance data held by platforms like Amazon provides strong competitive advantages due to its scale, detail, and real-time nature, calling it essential requires careful examination of whether it is truly unique, difficult to replicate, and necessary for effective competition, especially given that it is not equally accessible to all market players and is used for multiple purposes within the platform.
However, despite these challenges, antitrust regulators and scholars alike are signalling a willingness to apply the EFD to digital markets where the prerequisites of the doctrine are fulfilled. This was seen most notably in the Ningbo Senpu Information Technology Ltd. case, where the Chinese court held that Senpu’s control over bond transaction data amounted to monopoly power, as the data was necessary for financial service providers to compete. Senpu’s use of exclusive agreements to deny competitors access was held to foreclose competition and suppress innovation in the financial sector. The Court further ordered Senpu to provide access to the data, thus effectively applying the principles of the EFD. Similarly, the Digital Markets Act (“DMA”) of the European Union (“EU”) indirectly reflects the essential facilities logic, by treating data as a key competitive input, even without expressly invoking the doctrine. Prior to the DMA, in IMS Health GmbH v. NDC Health, the Court of Justice of the EU recognised a database as an indispensable input and mandated access on reasonable and non-discriminatory terms. This case showcases the EU’s functional application of the principles of the EFD without formally applying the doctrine in the digital economy. Although the DMA does not classify data as “essential”, it also notes that access to critical inputs is necessary to foster competition.
Despite the fact that courts have not explicitly applied the doctrine, it is evident that the principles of the EFD have been reinforced in digital markets through various cases. Therefore, it can be interpreted that data can be conceptualised as an essential facility provided that the following conditions are met: (i) the dominant platform exercises control over data that functions as a critical competitive input; (ii) the scale, network effects, and cumulative nature of these datasets renders them unreplicable within reasonable time or cost; (iii) the dominant platform denies access to competitors, which may foreclose downstream competition; and, (iv) such access can be provided in a technically and economically feasible manner, subject to appropriate safeguards. However, this sharing of data raises concerns in terms of the privacy of the data principals, i.e., the individuals whose data would be shared if such data is treated as an essential facility. Thus, it is pertinent to examine how the sharing of data for effective competition in the market can be harmonised with the requirements under the DPDPA.
Application under the DPDPA, 2023
Once data falls under the ambit of being an essential facility, its mandated sharing with a third party (here, the entity alleging monopoly and requiring access to data) must be compliant with the DPDPA. The available lawful basis of processing personal data of an individual under the DPDPA is given under Section 4. The provision states that personal data can be processed either by the provision of consent & notice (delineated under Section 5 & 6), or by the way of certain legitimate uses as described under Section 7.
If the primary route of taking consent of each individual is opted, this may not be realistically possible. Section 5 of the DPDPA mandates that a data fiduciary must provide a privacy notice before processing an individual’s personal data. Such processing is premised on consent, which, as clarified under Section 6, must be free, specific, informed, unconditional, and unambiguous, and must be expressed through a clear affirmative action by the data principal. Applying this in the EFD context would mean that the entity (here, the one exerting monopoly over the essential facility) would need to obtain consent of each individual whose personal data is present in the entity’s datasets. If any court holds data possessed by an entity to be an essential facility, it is inevitable for that dataset to be vast and large-scale, as otherwise it would not be classified as essential facility.
For example, in the GDF Suez (Engie) case, the entity had control over the data of 11 million individuals. In this case, the French Competition Protection Authority directed GDF Suez to provide the requested data to a third party, which the latter had earlier sought, including personal information such as names, addresses, gas consumption details, and telephone numbers contained in the database. Further, GDF Suez was ordered to notify customers whose personal data was proposed to be shared. The notification required informing customers that they could refuse consent by completing and returning a specific form to GDF Suez. In the absence of such a response, consent would be deemed to have been given. The court thus recognised the practical impossibility of obtaining express consent from every individual data subject and, accordingly, suggested a mechanism that treated silence as indicative of consent. However, the DPDPA does not recognise silence, inaction, or non-response as valid consent. Consent under the DPDPA must be expressly communicated through a clear affirmative act. Consequently, any model premised on implied or presumed consent would be incompatible with the Indian data protection framework. It follows that reliance on the consent ground under Section 6 would be impracticable in such circumstances, and any attempt to replicate a “silent consent” mechanism would be legally impermissible.
Since reliance on consent under Section 6 is neither practical nor legally tenable in the EFD context, the analysis must now turn to whether such data sharing can be justified under the “certain legitimate uses” framework under Section 7 of the DPDPA. Section 7(e) of the DPDPA states that a consent-notice mechanism is not required to be undertaken by the data fiduciary “for compliance with any judgment or decree or order issued under any law for the time being in force in India, or any judgment or order relating to claims of a contractual or civil nature under any law for the time being in force outside India”.
Applying the aforesaid provision to the EFD context, an order passed by a competent authority, such as a court, tribunal, or the Competition Commission of India, directing the sharing of personal data with a third party would amount to a legal obligation. In such cases, the data fiduciary is not making an independent choice to share the data but is merely complying with a binding order. Accordingly, the disclosure of personal data pursuant to an EFD based access order can be justified under Section 7(e) without obtaining individual consent, provided that the sharing is limited strictly to what the order requires and does not extend to any unrelated or excessive use of the data.
Section 7(e) is similar to, and is materially consistent with, the “legal obligation” lawful basis under Article 6(1)(c) of the General Data Protection Regulation (“GDPR”), which permits the processing of personal data where such processing is necessary for compliance with a legal obligation imposed on the data controller by law or by a binding judicial or regulatory order. Recital 41 of the GDPR clarifies that such legal obligation may not be necessarily restricted to a legal enactment by parliament, but also to other measures as long as they are “clear and precise and its application should be foreseeable to persons subject to it”. If a similar interpretation is applied to the Indian aspect, then, when a competition authority issues a reasoned order that clearly specifies the entity involved, the infringement, and the precise remedial steps to be taken, such as granting access to a specific dataset to a particular third party, would satisfy these requirements and qualify as a legal obligation under data protection law. Accordingly, only reasoned and proportionate orders of the competition regulator mandated such sharing of data will qualify under Section 7(e); overly broad or indeterminate orders may still violate the DPDPA. Furthermore, consistent with the principles of data minimisation and privacy by design, personal data should, wherever feasible, be pseudonymised or anonymised prior to sharing, so that only minimal information necessary to maintain effective competition in the market is shared, without compromising the privacy of the data principals.
Conclusion
In conclusion, data can be treated as an essential facility when it is indispensable to maintain effective competition in digital markets, but its mandated sharing must balance competition with individual privacy. Under the DPDPA, Section 7(e) allows such sharing without consent if it is required by a binding legal order, provided the disclosure is reasoned, proportionate, and limited to what is necessary. Using safeguards like pseudonymisation or anonymisation can further protect privacy while ensuring that competition in the market is maintained. Thus, aligning the EFD with the DPDPA ensures digital markets remain fair and open without compromising the rights of data principals.