NCLAT Reassesses CCI'S Order On Whatsapp-Meta's Data Ban

Introduction

The National Company Law Appellate Tribunal's (NCLAT) recent decision concerning Meta Platforms and WhatsApp represents a significant improvement in the regulatory treatment of data-driven business models.¹ The Tribunal upheld the Competition Commission of India's (CCI) monetary penalty for coercive implementation of WhatsApp's privacy policy in 2021, but removed the CCI's five-year ban on information sharing between WhatsApp and Meta entities. This decision redefines the permissible scope of competition remedies in India's digital economy and clarifies the limits of the CCI's jurisdiction on matters related to data protection.

The purpose of this article is to explore the reasoning of the Tribunal, analyze its legal and regulatory implications, and offer forward-looking considerations.

Legal Background: Competition Law and Data Governance

The CCI took suo motu action after noting that the update had removed the option for users to opt out of data sharing, violating the provisions of the Competition Act, 2002 ("the Act")². It concluded that WhatsApp's revised privacy policy required users to accept unfair terms. As a result of the "take-it-or-leave-it" model, users are left with no meaningful alternative. In November 2024, it ruled that WhatsApp, due to its extensive network effects and entrenched user base, occupied a dominant position in the market for Over-the-Top (OTT) messaging services³. Under Section 4 of the Act, the Commission ruled that the 2021 privacy policy update, which required users to approve expanded data sharing with Meta companies, constituted abusive conduct.

In response, the CCI fined WhatsApp 213.14 crores and instructed it to cease sharing user data with Meta for advertising purposes for five years and to clearly indicate the purposes for collecting each category of data. Through enforcement of antitrust laws, the order represented an assertive regulatory stance aimed at addressing privacy-related harms. In light of the Tribunal's subsequent intervention, the evidence and the merits of such remedies have been reevaluated.

NCLAT's Key Findings

1. Coercive Conduct Attracts Antitrust Liability

It was held that imposing a non-negotiable privacy policy that substantially alters data-sharing practices without giving users meaningful choice can constitute an abuse of dominance. NCLAT upheld the financial penalty, confirming that non-price parameters, including privacy, transparency, and user autonomy, may legitimately be considered in digital market competition analyses.

2. Restrictions must not be Overreaching

In the ruling, the Tribunal ruled to set aside a five-year embargo on data sharing. According to NCLAT, the CCI overstepped its authority by imposing a remedy that affected the manner in which WhatsApp and Meta operate their integrated services. The Tribunal ruled that such structural or quasi-structural interventions must ensure that the evidence of necessity meets a high threshold and there should be a clear link between the impugned conduct and competitive harm. In addition, the commission must undertake proportionality assessment in relation to the commercial and consumer impact. In Tribunal's opinion, CCI's economic analysis was not sufficiently developed to justify such a substantial remedy.

3. Separating Competition Law and Data Protection Framework

It was emphasized by NCLAT that the regulation of personal data privacy, the limitation of a data set's purpose, as well as the transfer of data between entities falls primarily under data protection law. In cases where privacy degradation results from dominance-driven coercion, competition authorities may intervene, but they cannot apply competition remedies to data protection functions. Clearly, this position delineates regulatory competencies that will have an impact on future enforcement efforts.

Critical Analysis

The decision by the Tribunal upholds proportionality as a guiding principle. The Tribunal adheres to comparative international standards on behavioural interventions in digital markets by demanding narrowly tailored remedies. With this decision, emerging data protection authorities will not be involuntarily be included by competition law, thereby reducing the risk of regulatory conflicts. Furthermore, by affirming coercive behavior as anticompetitive, privacy-related harm may qualify as a competitive harm where market power is involved.

However, the ruling also raises certain structural and policy concerns including challenges of evidentiary proof in digital markets. Data-driven environments tend to have more qualitative rather than quantitative anticompetitive effects. Even though the Tribunal's evidentiary requirement is consistent with procedural rigor, it may constrain the regulatory response to new digital harms.

It is possible that businesses will still be subject to fragmented enforcement with inconsistent compliance expectations if there is no formal system for coordination among competition, data protection, and consumer protection regulators. Companies with complex data architectures may be able to take advantage of the distinctions between legal entities to circumvent regulatory scrutiny, provided regulators begin to examine data integration from a functional perspective rather than purely corporate.

Implications of the Decision

1. Reassessment of Consent Mechanisms

Although the Tribunal has relaxed the data sharing ban, its endorsement of the coercion finding emphasizes the importance of robust consent mechanisms. It is important for organizations to ensure that clear and detailed disclosures are provided. The companies should aim at getting explicit and informed consent along with easy opt-out options wherever feasible.

2. Integration of Competition Considerations into Product Design

As part of the product development process, product teams must be made aware of the competition risks associated with the integration of data ecosystems, default design choices, and bundling practices. Further, to minimize enforcement exposure, it is important to obtain legal advice early in the process.

3. Enhanced Governance Over Data-Sharing Protocols

As a result, companies should maintain detailed inventories of their data sharing practices, provide rationales for necessity and proportionality, and document their internal data consolidation decisions even if there is no ban.

4. Preparedness for Multi-Regulatory Scrutiny

In light of the overlap between digital market regulation and data protection regulation, organizations should expect to be subjected to parallel scrutiny from the competition authorities, the data protection regulator, and sectoral authorities. It is recommended that internal governance frameworks be aligned.

Forward-Looking Considerations and Conclusion

The NCLAT's decision marks a significant milestone in India's evolving approach to platform-based ecosystem regulation. The Tribunal, in upholding the penalty yet striking down the operational ban, has indicated that coercive conduct can be addressed under competition law, however, the legal remedies must be proportionate and evidence-based. Furthermore, the decision affirms the need for a more coordinated approach between competition and data protection regimes, particularly as India's digital economy matures and data-driven business models expand in scope. Regulations must develop more sophisticated analytical frameworks to evaluate the competitive significance of data aggregation without exceeding statutory boundaries.

In light of India's ongoing development of a digital regulatory architecture, this ruling could serve as a benchmark for future disputes involving data governance and competition law. It is imperative for companies to adopt transparent, user-centric, and compliance-aligned data practices in order to navigate this increasingly complex environment.

Footnotes

1. NATIONAL COMPANY LAW APPELLATE TRIBUNAL PRINCIPAL BENCH: NEW DELHI Competition Appeal No. 1 of 2025. (n.d.). https://nclat.nic.in/display-board/view_order

2. COMPETITION COMMISSION OF INDIA. (n.d.). https://www.cci.gov.in/antitrust/orders/details/100/0.

3. Suo Motu Case No. 01 of 2021 of 2024. (n.d.). https://www.cci.gov.in/images/antitrustorder/en/order1732001619.pdf

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.