The Asia Pacific Antitrust Evaluate
This chapter explores the interplay between competition law and data privacy law in the Asia-Pacific region, covering key developments in legislation, enforcement, litigation and mergers.
- Latest developments at the intersection of competition and data privacy law in the Asia-Pacific region.
- The competing interests of competition and data privacy regimes and the issues this may cause for data handlers and enforcement agencies, in particular with respect to dual enforcement.
- The direction of travel for legal frameworks in the region to address these challenges and regulate data markets fairly and effectively.
Referenced in this article
- Australian Competition and Consumer Commission (ACCC)
- Competition Commission of India (CCI)
- Indonesian Competition Commission (KPPU)
- Japan Fair Trade Commission (JFTC)
- China’s State Administration for Market Regulation (SAMR), Anti-Monopoly Law (AML) and Personal Information Protection Law (PIPL)
- Taiwan Fair Trade Commission (TFTC)
- India’s Draft Data Protection Bill
This contribution explores the interplay between competition law and data privacy law in the Asia-Pacific region. In an age defined by data monetisation and fierce competition for users and their valuable behavioural data among technology’s biggest players, issues at the intersection of these two legal areas are coming into sharp focus. Broad regulatory enforcement against ‘Big Tech’ companies in China, the introduction, expansion and gradual harmonisation of data privacy regimes across the Asia-Pacific region, and the significant investment made by enforcement agencies in Asia to better understand how competition and data privacy issues interact, particularly in the context of the digital economy, are all reflective of the region’s increasing cognisance of the complexities at the intersect of competition and data privacy law.
In 2021, China introduced one of the world’s strictest data protection regimes, Australia began consulting on a proposal to expand its data privacy laws, and India’s legislature considered its first data protection bill, which it looks likely to pass in 2022. The strengthening of data protection regimes has an obvious benefit to consumers, but it creates a risk for companies that both competition and data privacy laws will be enforced against the same conduct, such that companies could face punishment twice. Dual enforcement is not an efficient use of scarce regulatory resources; in the near future, policymakers must align on whether abuses concerning data better fit in the realm of protecting competitive markets, or protecting consumer privacy. Stricter criteria for handling personal information may also have the unintended effect of raising barriers to entry and entrenching a dominant player’s position. For instance, a dominant market player may legitimately decline to share its dataset of personal information with new entrants, and regulators may be restricted from ordering a transfer of data to address the potential anticompetitive effects of a merger or an abuse of dominance.
This article considers the latest developments at the intersect of competition and data privacy law in Australia, China, India, Indonesia, South Korea, Taiwan and Japan.
Australia’s data protection regime is currently governed by the Privacy Act 1988 and associated Australian Privacy Principles (together, the Privacy Act). However, commencing in 2020, the Attorney-General is undertaking a wholesale review of the Privacy Act with a view to aligning the country’s regime more closely to international standards, such as the European Union’s General Data Protection Regulation (GDPR), and reflecting recent developments in the digital economy. The review is due to conclude in 2022, and a final report and proposed amendments to the Privacy Act will be submitted to government in due course.
This review has been conducted concurrently with a public consultation on the exposure draft of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (Online Privacy Bill), which was released in October 2021. The Online Privacy Bill relevantly proposes to establish a binding privacy code for social media platforms, data brokerage services and large online platforms, in addition to expanding the enforcement options available to the regulator for non-compliance. Public submissions collected in 2021 will inform further development of the Online Privacy Bill before its introduction to Parliament in 2022.
The issue of competition in digital markets was hot on Australia’s regulatory agenda in 2021. The Australian Competition & Consumer Commission (ACCC) conducted the Digital Advertising Services Inquiry 2020–2021, which analyses competition and efficiency in the supply of ad tech services. In addition, the ACCC is conducting the ongoing Digital Platform Services Inquiry 2020–2025, which examines, inter alia, ‘the intensity of competition in markets for the supply of digital platform services, with particular regard to the concentration of power, the behaviour of suppliers, mergers and acquisitions, barriers to entry or expansion and changes in the range of services offered by suppliers of digital platform services’. In the former, the ACCC concluded that competition for ad tech services in Australia is ineffective, with Google dominating the market. The ACCC considered that Google’s access to data contributed to its dominance in the ad tech services market, and found that the company engaged in self-preferencing conduct. In the latter, the ACCC’s investigation continues into the operation of markets in a range of digital platform services, including search engine, social media, online private messaging and electronic marketplace services.
The ACCC is one of the many antitrust agencies that reviewed Google’s acquisition of Fitbit, a maker of wearables such as the Fitbit watch, which collects data including heart rate, steps, calories and location. The ACCC considered that the transaction raised concerns because of the aggregation of data: post-transaction, Google will be able to (1) incorporate Fitbit data into its existing user profiles, likely enabling improved ad targeting, and (2) use the data at the aggregate level to draw broader insights about groups of people with specific attributes, for use across different parts of the business such as in the supply of data-dependent health services.
The ACCC was concerned that the transaction could lessen competition in the supply of data-dependent health services. It noted that Google would have faced stronger competition had the transaction not gone ahead, given Fitbit’s extensive pool of data. In addition, the ACCC expressed concern that the combination of Google’s analytical capabilities, its existing data and the data it will acquire via Fitbit, could result in Google developing a strong foothold in the market for data-dependent health services. The ACCC considered that the transaction could also reduce competition in the supply of ad tech services. Third parties indicated to the ACCC that certain data from wearables is unique and cannot be captured accurately (or at all) by other means, including data related to heart rate, sleep activity and oxygen saturation. Therefore, combining Fitbit data with Google’s existing dataset may enable Google to ‘even more effectively target advertising to consumers with health-related issues, or interests in particular fitness products’. The transaction could therefore eliminate an important source of potential competition for Google in the supply of certain ad tech services.
To address these concerns, Google offered commitments to the ACCC under section 87B of the Australia Competition and Consumer Act. However, unlike its counterparts in the EU, Japan and South Africa, the ACCC rejected the proposed commitments. Google subsequently completed its acquisition and the ACCC’s investigation into the transaction is ongoing.
Google has also come under fire in Australia in recent years due to alleged breaches of data privacy laws. In July 2020, the ACCC announced that it had launched Federal Court proceedings against Google, alleging that the company had ‘misled Australian consumers to obtain their consent to expand the scope of personal information that Google could collect and combine about consumers’ internet activity, for use by Google, including for targeted advertising’.
In particular, Google combined user data from Google accounts with user data on non-Google sites that used Google technology, formerly DoubleClick technology, to display ads. The ACCC cleared Google’s acquisition of DoubleClick in 2008. Notably, at that time, Google made submissions to the US Federal Trade Commission and European Commission (EC) that it would not combine Google’s and DoubleClick’s data on consumer internet activity post-merger. However, the regulators did not rely on these statements to approve the transaction.
More recently, Australia’s Federal Court ruled in April 2021 that Google misled consumers about personal location data collected through Android mobile devices between January 2017 and December 2018, in a world-first enforcement action brought by the ACCC. The court ruled that when consumers created new Google Accounts during the initial set-up process of their Android devices, Google misrepresented that the ‘Location History’ setting was the only Google Account setting affecting whether Google collected, kept or used personally identifiable data about their location. In fact, another Google Account setting (Web & App Activity) also enabled Google to collect, store and use personally identifiable location data when turned on, and the setting was turned on by default. The ACCC is seeking declarations, pecuniary penalties, publications orders and compliance orders.
Interaction of privacy and consumer laws
These recent proceedings demonstrate that there is a significant risk of dual enforcement under privacy and consumer laws in Australia. While data subjects in Australia do not have a personal cause of action under the Privacy Act, the Privacy Commissioner has demonstrated a willingness to take enforcement action for significant privacy breaches. The ACCC’s proceedings against Google demonstrate a growing propensity to bring actions citing breaches of competition and consumer laws against major platform companies for their use of consumer personal information. While we have not yet seen coordination in enforcement between the Privacy Commissioner and the ACCC, we expect coordinated proceedings in the future given the general focus on curtailing the market power of major platform companies and their data collection and use.
While the criminal codes of Australia’s states and territories include provisions against double jeopardy, these are unlikely to prevent dual enforcement by the Privacy Commissioner and the ACCC, particularly in relation to the range of administrative remedies and civil penalties available to each regulator. Criminal penalties do exist for certain breaches of the Privacy Act and Australian competition and consumer law; however, they are available in more limited circumstances in relation to particularly severe violations of each law. As also explained in the Chinese context below, it is not certain that the provisions preventing double jeopardy for criminal offences would apply when the same act violates two different laws.
China’s Personal Information Protection Law (PIPL) came into effect on 1 November 2021. It is the first comprehensive piece of Chinese legislation to protect the personal information rights of natural persons within China, and it supplements data privacy-related legislation such as the Cybersecurity Law and the Data Security Law. The PIPL creates new rights of action for individuals whose personal information rights are violated, and sets requirements and penalties for personal information handlers (PIH) that violate the law. It shares many similarities with the GDPR, including its extraterritorial effect, the creation of personal information rights, and the inclusion of penalties for PIH in cases of breach. The PIPL gives agencies at different levels enforcement powers over its regulations.
The PIPL’s adoption will have an impact on the enforcement of China’s Anti-Monopoly Law (AML), the main source of competition law in China. The AML prohibits anticompetitive agreements between competitors, including price-fixing, output restrictions, market allocation and boycotts. It also prohibits vertical agreements that restrict or eliminate competition, and abuses of a dominant position. The AML includes a presumption of dominance where a single undertaking’s market share exceeds 50 per cent. The State Administration for Market Regulation (SAMR) enforces the AML, and may impose a fine of between 1 and 10 per cent of a company’s turnover in case of a breach of the prohibition on anticompetitive agreements or abuses of dominance.
Interaction of privacy and competition laws
There is a significant risk of dual enforcement against anticompetitive conduct involving breaches of the PIPL, in that both SAMR and the enforcement agencies responsible for enforcing the PIPL can investigate (and potentially impose fines for) conduct that breaches both the PIPL and the AML. In the absence of a memorandum of understanding between the two agencies, it is unclear whether and how they will coordinate their enforcement actions, which creates the risk that companies may be fined twice for the same conduct. While China’s Administrative Penalty Law includes a provision against double jeopardy, it is unlikely to provide meaningful protection against dual enforcement as on a literal reading of this provision, double jeopardy only applies in the case of two violations of the same law. This would mean that double jeopardy does not apply when the same act violates two different laws, such as the PIPL and the AML.
Additionally, the PIPL may curtail SAMR’s ability to order remedies involving personal information. For example, when investigating an alleged refusal to grant access to personal data by a dominant firm, SAMR may wish to order the dominant firm to ‘cease and desist’ such conduct, which practically means that the dominant firm must grant access to the data. However, pursuant to the PIPL, a PIH can only transfer personal data to a third party in a limited set of circumstances listed in article 13. The most relevant legal grounds for transferring data are article 13(1) of the PIPL (consent) and article 13(3) of the PIPL (which authorises data processing ‘where necessary to fulfil statutory duties and responsibilities or statutory obligations’, and which does not require consent from the individual). It is unlikely that the dominant firm will have the individuals’ consent to transfer their personal information to a competitor. The other possible ground is article 13(3), but it is not obvious that a SAMR decision to cease and desist a specific conduct will constitute a valid ‘statutory duty and responsibility’ or a ‘statutory obligation’ to transfer such data. Hence, the dominant firm will therefore need to obtain such consent in accordance with article 23 of the PIPL, unless guidance is issued to the effect that a ‘cease and desist’ order from SAMR constitutes a statutory duty or obligation pursuant to article 13(3) of the PIPL.
Article 17(3) of the AML prohibits undertakings with a dominant position from refusing to deal without ‘justified reason’. However, in the context of a refusal to provide access to personal data, enforcing article 17(3) is likely to prove difficult. From a competition law perspective, a plaintiff will have to demonstrate that a defendant PIH holds a dominant position, which is onerous as market shares are often difficult to calculate in data-related markets. Additionally, if the plaintiff claims that the data is an essential facility, it will have to demonstrate that such data is necessary or indispensable to compete. Given that data is non-exclusive and non-rivalrous, it is likely that such a claim will fail. Even if these competition law issues are surmounted, the PIPL may provide the PIH with a justified reason for refusing access to personal data, as a PIH can only transfer personal data to a third party in the limited set of circumstances listed in article 13 of the PIPL.
The courts may soon have a first opportunity to opine on a case involving a refusal of access to personal data. In November 2021, the Changsha Intermediate People’s Court accepted an antitrust complaint brought by Eefung Software, a data analytics company based in Hunan province. After Sina Weibo allegedly terminated its cooperation with Eefung Software, the latter company unsuccessfully attempted to reconnect with the former. Eefung Software alleges that its business model was destroyed by the termination, and alleges abuse of dominance by virtue of Sina Weibo’s refusal to deal. It seeks the use of Sina Weibo’s data under reasonable conditions, as well as compensation for economic loss and reasonable legal costs. This case will likely set a precedent for future cases involving the intersection of antitrust and data access.
The AML includes a prohibition on anticompetitive mergers, with a focus on concentrations that result or that may result in the elimination or restriction of market competition. However, there are unfortunately very few SAMR decisions to serve as precedent for SAMR’s approach to such transactions when they involve personal data. While SAMR and its predecessors have never expressly stated that transactions involving variable interest entities (the corporate structure used by virtually all Chinese big tech companies (VIEs)), do not need to be notified, in practice these transactions have generally gone unreported. As noted above, in 2021, SAMR introduced the Platform Guidelines which made it clear that transactions involving VIEs ought to be notified if the thresholds for compulsory notification are met. This could lead to an influx of SAMR decisions involving tech companies and personal data issues in the near future. Notably, the Platform Guidelines state that when evaluating a concentration, SAMR may consider, inter alia, (1) the difficulties faced by market participants in obtaining necessary resources and essential facilities such as data, and the scale of capital investment necessary to enter the market, and (2) the merger party’s ability to improperly use consumer data post-transaction.
While India as yet has no omnibus data protection laws, a final draft of its Data Protection Bill was submitted by the Indian Joint Parliamentary Committee (the Committee) in December 2021. The Bill is largely in line with the GDPR. The Committee’s report on the Bill recommended a phased approach to implementation after the law takes force, likely in the first half of 2022. Once the Bill comes into force, there is a risk that the same conduct will breach both competition and data protection laws in India, increasing the risk of dual enforcement.
The interplay between data privacy and competition regulation was further explored by the CCI in its Market Study Report on the Telecom Sector in India, released in January 2021. The Report examined, inter alia, data competition in the digital communications market, and the inherent conflict between allowing user access and protecting consumer privacy. The CCI considered that there is a conflict between allowing access and protecting consumer privacy in the context of data in the digital communications market. It noted that while privacy can take the form of non-price competition, competition analysis must also focus on ‘the extent to which a consumer can ‘freely consent’ to action by a dominant player’. The CCI acknowledged that India is yet to introduce its Data Protection Law, but concluded that the antitrust law framework is ‘broad enough to address the exploitative and exclusionary behavior arising out of privacy standards, of entities commanding market power’.
Litigation and enforcement
There is currently no single law governing data protection in Indonesia; the applicable regime is enshrined in various different sector-specific laws and regulations. To address this, a draft of the Personal Data Protection Act (PDP Bill) was introduced in the Indonesian parliament in January 2020, to consolidate rules related to data protection and align Indonesia more closely with international standards like the GDPR, including by introducing concepts such as data controllers and data processors and imposing administrative and criminal sanctions for non-compliance. However, despite the ongoing efforts of Indonesian legislators, the PDP Bill is yet to pass into law.
Law No. 5 of 1999 on the Prohibition of Monopolistic Practices and Unfair Business Competition is the main source of competition law in Indonesia. In November 2020, Law No. 11/2020 on Jobs Creation came into force (the Omnibus Law), which amended various provisions of Law No. 5 of 1999. Most significantly, the Omnibus Law removed the 25 billion rupees (approximately US$1.7 million) cap on fines for competition law infringements. In May 2021, the Indonesian Competition Commission (KPPU) issued its implementing regulation for the Omnibus Law which granted the CCI has the power to impose fines of up to (1) 50 per cent of relevant net profits, or (2) 10 per cent of relevant turnover during the infringement period, for companies that violate competition laws.
In May 2021, Gojek, a leading mobile on-demand services and payments platform in Southeast Asia, and Tokopedia, a leading online marketplace in Indonesia, announced a merger of their businesses to form the largest technology group in Indonesia, GoTo Group. According to Tokopedia, the GoTo Group encompasses 2 per cent of Indonesia’s GDP.
The KPPU has announced that it continues to monitor the GoTo Group post-transaction. According to the KPPU, it is yet to receive any notification of the merger in accordance with domestic regulations. However, the KPPU has stated that it will use the studies it has conducted into the digital sector to oversee the merger. In its 2020 study into the digital economy, the KPPU found that market power in the digital economy depends largely on the control of data and network effects, meaning that these factors should be considered when assessing a concentration’s competitive (or anticompetitive) effects.
Data protection in South Korea is currently governed by the Personal Information Protection Act (PIPA). In January 2020, the Korean National Assembly adopted amendments to the PIPA and other data protection laws, to implement a more streamlined approach to personal data protection in South Korea and align the PIPA with international standards. The amendments were also aimed at facilitating an adequacy decision from the EC, which was subsequently received in December 2021 and promotes the transfer of personal data between South Korea and the EU without additional mechanisms or authorisations for data transfers. The Personal Information Protection Commission is the exclusive supervisory authority in South Korea and has the competency to impose fines similar to those provided for under the GDPR.
In November 2021, the Korean National Assembly adopted amendments (the Amendments) to the Unfair Competition Prevention and Trade Secret Protection Act (the UCPA), which are due to come into force on 20 April 2022. The Amendments expand the scope of data protection and the definition of unfair competition. In particular, the Amended UCPA now covers data defined under the Framework Act on the Promotion of Data Industry and Promotion of Utilization, defined as ‘technical or business information provided to a specific person or a large number of specific persons for business, accumulated and managed in a substantial amount by electronic means, and not managed as confidential’. The Amendments also clarify the categories of data use that will constitute unfair competition.
The Personal Data Protection Act 2015 (PDPA) and its related Enforcement Rules govern data protection in Taiwan. As in South Korea, Taiwanese legislators have sought to align the country’s data protection regime more closely with the GDPR to obtain an adequacy decision from the EC. Taiwan is in continued discussions with the EU in relation to the adequacy decision and may implement additional amendments to the PDPA to achieve a favourable outcome.
Taiwan’s Digital Economy Committee has published the issues for consideration in its 2021 White Paper, which focuses in part on the development of national data strategies to facilitate healthy market competition. The Committee suggests that the government provides the newly established Ministry of Digital Development ‘with a mandate to promote a more open, less restrictive digital economy’. It notes that the new ministry was set up to encourage ‘reasonable market competition’, and argues that the recommended mandate would further support digitalisation.
Taiwan’s Fair Trade Commission (TFTC), is currently conducting a market inquiry to explore antitrust issues in digital markets, with the aim of establishing whether there is a need to investigate specific market players. The inquiry is expected to conclude by the end of 2022. This comes after the TFTC closed an investigation into Google’s Android operating system in May 2021, finding a lack of sufficient evidence of wrongdoing following allegations of abuse of market dominance. Although the investigation has been dropped, the moves suggest that data processors will face increasing scrutiny in Taiwan with respect to competition law issues.
The Act on the Protection of Personal Information (APPI) sets out the general data protection regime in Japan and reflects significant reforms implemented in 2015. Despite this, data protection reform in Japan has been ongoing and in June 2020 the Japanese parliament adopted an amending bill to better align the APPI with the GDPR and strengthen Japan’s data protection regime. The bill will take force on 1 April 2022 and expand the rights of data subjects, in addition to increasing the applicable criminal penalties for both individuals and entities.
In June 2021, the Japan Fair Trade Commission (JFTC) published its Report of the Study Group on Competition Policy for Data Markets (the Report). The Report notes that data is increasingly seen as a source of competitiveness, and that businesses have started to utilise data in physical spaces (eg, automatic driving, medical care and agriculture) as well as in cyber spaces (eg, search engines and social networking services). The Report discusses the various challenges involved with drafting effective competition policy in data markets, and recommends, inter alia (1) involving a wide range of stakeholders when establishing frameworks to ensure individuals’ security and trust; (2) providing free and easy access to data to limit competition concerns, and (3) ensuring data portability and interoperability to enable users to switch without obstacles or to use multiple different platforms (multi-homing). Significantly, the JFTC makes clear that when addressing personal data issues, competition, data privacy and consumer protection should not be discussed separately, but rather regulators should adopt a holistic approach considering the three areas together.
In January 2021, the JFTC, like many other regulators, reviewed Google’s acquisition of Fitbit. The JFTC’s assessment paid close attention to the potentially anticompetitive effects of Google combining its own dataset with that of Fitbit’s, for use in its advertising business. However, on the basis of the commitments offered by Google, the JFTC ultimately concluded that the acquisition would not substantially restrain competition. Google undertook, for a period of 10 years, to (1) supply operating systems for smart phones and healthcare databases on a non-discriminatory basis; (2) segregate the parties’ healthcare database from Google’s other datasets and restrict the use of such database for Google’s digital ads, and (3) report to the JFTC every six months via a monitoring trustee.
The legislation, enforcement, litigation and mergers examined in this contribution demonstrate the increasing significance of issues at the intersection of data privacy and competition law in the Asia-Pacific region. Legislators, regulators and lawyers are working to define how modern legal issues concerning the digital economy can or should be framed under existing competition, data privacy and consumer laws, or otherwise, how these legal frameworks should be developed to tackle nascent data privacy issues. Evidently, the answer is not simple, and challenges remain: most notably, coordination between enforcement agencies is needed to prevent dual enforcement under different regimes for the same conduct.