Intersection of competition law and data privacy poses challenges to market regulation

This is an Insight article, written by a selected partner as part of GCR's co-published content. Read more on Insight

In summary

This article explores the interplay between competition law and data privacy law in the Asia-Pacific region, covering key developments in legislation, enforcement, litigation and mergers.

Discussion points

  • Competing interests of competition and data privacy regimes, and issues this may cause for data handlers and enforcement agencies, in particular with respect to dual enforcement
  • Direction of travel for legal frameworks to address challenges as well as regulate data markets fairly and effectively

Referenced in this article

  • Australian Competition and Consumer Commission
  • China’s State Administration for Market Regulation, Anti-monopoly Law and Personal Information Protection Law
  • Competition Commission of India
  • Indonesian Competition Commission
  • Japan Fair Trade Commission
  • Korea Fair Trade Commission
  • Taiwan Fair Trade Commission


This article explores the interplay between competition law and data privacy law in the Asia-Pacific region. In an age defined by data monetisation and fierce competition for users and their valuable behavioural data among technology’s biggest players, issues at the intersection of these two legal areas are coming into sharp focus. Recent years have been characterised by regulatory enforcement against Big Tech companies; the introduction, expansion and gradual harmonisation of data privacy regimes across the Asia-Pacific region; the significant investment made by enforcement agencies to better understand the digital economy; and the role of competition and data privacy regimes in regulating this growing market.

In 2022, China amended its Anti-monopoly Law (AML) to reference data issues for the first time and levied a fine against Didi Chuxing of approximately US$1.2 billion for violation of its data privacy laws. Australia started the expansion of its data privacy law, with further amendments expected in 2023 as the government wraps up its wholesale review of the country’s data privacy regime. Indonesia introduced its first comprehensive data privacy law, while India’s legislature continues to consider iterations of its data protection bill, which is set to pass in 2023. The strengthening of data protection regimes has an obvious benefit to consumers, but it creates a risk for companies that both competition and data privacy laws will be enforced against the same conduct, such that companies could face punishment twice. Dual enforcement is not an efficient use of scarce regulatory resources: in the near future, policymakers must align on whether abuses concerning data better fit in the realm of protecting competitive markets or protecting consumer privacy.

Stricter criteria for handling personal information may also have the unintended effect of raising barriers to entry and entrenching a dominant player’s position. For instance, a dominant market player may legitimately decline to share its data set of personal information with new entrants, and regulators may be restricted from ordering a transfer of data to address the potential anticompetitive effects of a merger or an abuse of dominance.

This article considers the latest developments at the intersect of competition and data privacy law in Australia, China, India, Indonesia, Japan, South Korea and Taiwan.



Australia’s data protection regime is currently governed by the Privacy Act 1988 (the Privacy Act). However, as of 2020, the Australian government has undertaken a wholesale review of the Privacy Act, with a view to implementing significant reforms to the country’s privacy regime. The Attorney-General’s Department released a discussion paper in October 2021 that, along with submissions from the public, ultimately formed the basis of a final report submitted to government in December 2022.[1] The Attorney General will now consider the report and is expected to publicly release it in the first half of 2023, along with its proposed response.[2] The 2021 discussion paper indicates the direction of travel, proposing wide-ranging reforms to align Australia’s privacy regime more closely with global equivalents (such as the EU General Data Protection Regulation (GDPR)) to reflect recent developments in the digital economy, including to:

  • expand the definition of personal information;
  • impose stricter anonymisation requirements on organisations subject to the laws;
  • increase maximum civil penalties for non-compliance;
  • strengthen the rights of individuals to object to the collection and use of disclosure of their information and to require its erasure; and
  • modify the framework for international data transfers.

The government’s review was initially conducted concurrently with a public consultation process on the exposure draft of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (the Online Privacy Bill), which was released in October 2021.[3] The Online Privacy Bill proposed to establish a binding privacy code for social media platforms, data brokerage services and large online platforms; expand the enforcement options available to the regulator; increase the penalties for serious or repeated privacy breaches; and significantly broaden the extraterritorial reach of the Privacy Act. Although the government ultimately decided not to pursue the Online Privacy Bill, it tabled and passed the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (the Privacy Enforcement Bill) in November 2022, amending the Privacy Act.[4] The Privacy Enforcement Bill retained the amendments to the enforcement and penalty regime, as well as the expansion of the Privacy Act’s extraterritorial reach proposed in the Online Privacy Bill, but omitted the privacy code. It remains to be seen whether the government will include the code in the broader set of amendments to the Privacy Act, which are expected in 2023.

On the antitrust side, companies that breach Australia’s competition (and consumer) laws could face new and higher penalties under amendments introduced by the Treasury Laws Amendment (More Competition, Better Prices) Bill 2022[5] passed by both Houses of Parliament on 27 October 2022.[6] The changes consist of two parts:

  • the introduction of penalties and other changes relating to unfair contract terms (representing the first ever penalties for unfair contract terms); and
  • significant increases in maximum penalties for breaches of certain provisions of the Competition and Consumer Act (CCA), including the Australian Consumer Law.

The maximum penalties for companies that breach certain provisions of the CCA have increased to the greater of A$50 million or three times the value derived from the relevant breach, or, if the value derived from the breach cannot be determined, 30 per cent of the company’s turnover during the period it engaged in the conduct. The new legislation looks set to enter into force in late 2023.

Market studies

The issue of competition in digital markets continued to be hot on Australia’s regulatory agenda in 2022. Starting in 2017, the Australian Competition and Consumer Commission (ACCC) has conducted three inquiries into digital platforms: the Digital Platforms Inquiry 2017–2019 (which considered the impact of online search engines, social media and digital platforms on competition in the media and advertising services markets);[7] the Digital Advertising Services Inquiry 2020–2021 (which considered the competition and efficiency in the supply of ad tech services);[8] and the Digital Platform Services Inquiry 2020–2025 (DPSI) (which is still ongoing).[9]

As part of the DPSI, the government directed the ACCC to examine competition in markets for the supply of digital platform services, including internet search engine, social media, online private messaging, digital content aggregation platform, media referral and electronic marketplace services. As a testament to the importance the government is placing on digital platforms, the ACCC is required to publish an interim report on the inquiry every six months until the final report is released in March 2025.[10]

In 2022, the ACCC published its fourth and fifth interim reports (in March and September 2022, respectively), and passed the midpoint of the DPSI. The fourth interim report considered competition and consumer issues associated with online retail marketplaces in Australia. While the ACCC did not find any one marketplace to be dominant, it did find a number of issues at the intersection of competition and data privacy, including transparency and control over data collection and use, including for use to improve product recommendation algorithms, access to consumers and consumer data by sellers and third parties, and the collection of data by hybrid marketplaces (ie, marketplaces that sell their own products as well as third parties’), leading to issues of self-preferencing. The fifth interim report considered whether reform is needed to address the challenges posed by digital platforms. The ACCC concluded that new and strengthened laws are required to better protect Australian consumers and small businesses – who are increasingly reliant on digital platforms – and new measures to promote competition in the supply of digital platform services.

The ACCC’s recommendations include mandatory codes of conduct for specific digital services that address issues such as barriers to entry caused by access to data. For example, a code of conduct for search services could require digital platforms to share certain click-and-query or third-party data, facilitate data portability in respect of that data, or impose data limitations on these platforms (eg, to keep certain data separate).[11]


The ACCC is one of many antitrust agencies that reviewed Google’s acquisition of Fitbit, a producer of activity-tracking wearables such as the Fitbit smartwatch, which collects data including heart rate, steps, calories and location.[12] The ACCC considered that the transaction raised concerns because of the aggregation of data.[13] Post-transaction, Google will be able to incorporate Fitbit data into its existing user profiles, likely enabling improved ad targeting, and use the data at the aggregate level to draw broader insights about groups of people with specific attributes for use across different parts of the business, such as in the supply of data-dependent health services.[14]

The ACCC was concerned that the transaction could lessen competition in the supply of data-dependent health services. It noted that Google would have faced stronger competition had the transaction not gone ahead, given Fitbit’s extensive pool of data. In addition, the ACCC expressed concern that the combination of Google’s analytical capabilities, its existing data and the data it will acquire via Fitbit could result in Google developing a strong foothold in the market for data-dependent health services. The ACCC considered that the transaction could also reduce competition in the supply of ad tech services. Third parties indicated to the ACCC that certain data from wearables is unique and cannot be captured accurately (or at all) by other means, including data related to heart rate, sleep activity and oxygen saturation.[15] Therefore, combining Fitbit data with Google’s existing data set may enable Google to ‘even more effectively target advertising to consumers with health-related issues, or interests in particular fitness products’.[16] The transaction could therefore eliminate an important source of potential competition for Google in the supply of certain ad tech services.

To address these concerns, Google offered commitments to the ACCC under section 87B of the CCA.[17] However, unlike its counterparts in the European Union, Japan and South Africa,[18] the ACCC rejected the proposed commitments.[19] Google subsequently completed its acquisition and the ACCC’s investigation into the transaction is ongoing. While the ACCC has not taken any enforcement action to date in relation to the parties closing the deal, the ACCC has indicated that it will continue its post-completion review.


Google has also come under fire in Australia in recent years due to alleged breaches of data privacy laws. In July 2020, the ACCC announced that it had launched Federal Court proceedings against Google, alleging that the company had ‘misled Australian consumers to obtain their consent to expand the scope of personal information that Google could collect and combine about consumers’ internet activity, for use by Google, including for targeted advertising’.[20] In particular, Google combined user data from Google accounts with user data on non-Google sites that used Google technology, formerly DoubleClick technology, to display ads.[21] The ACCC argued that this newly combined information was used to improve Google’s advertising business and reduced the rights of account holders without obtaining explicit consent. However, in December 2022, the Federal Court found that the notification and the changes to the privacy policy were not misleading because Google had sought the informed consent of account holders to implement the changes. The Federal Court also noted that account holders’ rights were not reduced under the privacy policy.[22]

More recently, the Federal Court ruled in April 2021 that Google misled consumers about personal location data collected through Android mobile devices between January 2017 and December 2018, in a world-first enforcement action brought by the ACCC. The court ruled that, when consumers created new Google accounts during the initial set-up process of their Android devices, Google misrepresented that the location history setting was the only Google account setting affecting whether Google collected, kept or used personally identifiable data about their location. In fact, another Google account setting (web and app activity) also enabled Google to collect, store and use personally identifiable location data when turned on, and the setting was turned on by default. In August 2022, the ACCC succeeded in its proceedings against Google to pay A$60 million in penalties for the breach.

Interaction of privacy and consumer laws

These recent proceedings demonstrate that there is a significant risk of dual enforcement under privacy and consumer laws in Australia. While data subjects in Australia do not have a personal cause of action under the Privacy Act, the Privacy Commissioner has demonstrated a willingness to take enforcement action for significant privacy breaches. The ACCC’s proceedings against Google demonstrate a growing propensity for bringing actions citing breaches of competition and consumer laws against major platform companies for their use of consumer personal information. While we have not yet seen coordination in enforcement between the Privacy Commissioner and the ACCC, we expect coordinated proceedings in the future given the general focus on curtailing the market power, data collection and data use of major platform companies.

Although the criminal codes of Australia’s states and territories include provisions against double jeopardy,[23] they are unlikely to prevent dual enforcement by the Privacy Commissioner and the ACCC, particularly in relation to the range of administrative remedies and civil penalties available to each regulator. Criminal penalties do exist for certain breaches of the Privacy Act and Australian competition and consumer law; however, they are available in more limited circumstances and in relation to particularly severe violations of each law. As also explained in the Chinese context below, it is not certain that the provisions preventing double jeopardy for criminal offences would apply when the same act violates two different laws.



China’s Personal Information Protection Law (PIPL) came into effect on 1 November 2021, but continued to take shape in 2022 as the Cyberspace Administration of China (CAC) issued a wide range of implementing regulations to provide further colour to the law. The PIPL is the first comprehensive piece of Chinese legislation to protect the personal information rights of natural persons within China, and it supplements data privacy-related legislation such as the Cybersecurity Law and the Data Security Law. In particular, the PIPL creates new rights of action for individuals whose personal information rights are violated, and sets requirements and penalties for personal information handlers (PIHs) that violate the law. It shares many similarities with the GDPR, including its extraterritorial effect, the creation of personal information rights and the inclusion of penalties for PIHs in cases of breach.[24] The PIPL gives agencies at different levels enforcement powers over its regulations.[25] Notably, in 2022, the CAC issued regulations to facilitate data transfers outside China[26] as well as to restrict the inclusion of certain categories of information in push notifications by (among others) website and app operators.[27]

Until recently, China’s competition law regime did not reference data or explicitly recognise the relevance of data to competition assessment. However, recent amendments to the AML (the main source of competition law in China) and the introduction of the Antitrust Guidelines in the Field of Platform Economy (the Platform Guidelines),[28] which provide guidelines on the application of the AML to platforms, signal that China’s lawmakers are engaging with issues at the intersection of competition law and data, with a focus on the digital economy.

China’s first-ever amendments to the AML came into force on 1 August 2022. The amendments, among other things, prevent undertakings from ‘us[ing] data and algorithms, technologies, capital advantages, platform rules, etc, to engage in monopolistic behaviour prohibited by this Law’[29] and state that undertakings ‘with a dominant market position shall not use data, algorithms, technologies, platform rules, etc, to engage in the abuse of a dominant market position as prescribed in the preceding paragraph’,[30] which refers to the full list of acts considered to be abuse of dominant position. The former principle appears to apply to all monopolistic behaviour prohibited by the AML, including monopoly agreements between undertakings (ie, horizontal agreements), and is not limited to cases of abuse of market dominance.

The expansion of data privacy rules in China with the adoption of the PIPL, alongside the update of China’s competition regime to tackle data issues, leaves no doubt that Chinese regulators will have to grapple with how these two regimes can be enforced side by side.

Interaction of privacy and competition laws

There is a significant risk of dual enforcement against anticompetitive conduct involving breaches of the PIPL, in that both the State Administration for Market Regulation (SAMR) and the enforcement agencies responsible for enforcing the PIPL can investigate (and potentially impose fines for) conduct that breaches both the PIPL and the AML. In the absence of a memorandum of understanding between the two agencies, it is unclear whether and how they will coordinate their enforcement actions, which creates the risk that companies may be fined twice for the same conduct. While China’s Administrative Penalty Law includes a provision against double jeopardy, it is unlikely to provide meaningful protection against dual enforcement as, on a literal reading of this provision, double jeopardy only applies in the case of two violations of the same law. This would mean that double jeopardy does not apply when the same act violates two different laws, such as the PIPL and the AML.

Additionally, the PIPL may curtail SAMR’s ability to order remedies involving personal information. For example, when investigating an alleged refusal to grant access to personal data by a dominant firm, SAMR may wish to order the dominant firm to cease and desist such conduct, which practically means that the dominant firm must grant access to the data. However, pursuant to the PIPL, a PIH can only transfer personal data to a third party in a limited set of circumstances listed in article 13. The most relevant legal grounds for transferring data are article 13(1) of the PIPL (consent) and article 13(3) of the PIPL (which authorises data processing ‘where necessary to fulfil statutory duties and responsibilities or statutory obligations’, and does not require consent from the individual).[31] It is unlikely that the dominant firm will have the individuals’ consent to transfer their personal information to a competitor. The other possible ground is article 13(3), but it is not obvious that an SAMR decision to cease and desist a specific conduct will constitute a valid statutory duty and responsibility or a statutory obligation[32] to transfer such data.[33] Hence, the dominant firm will need to obtain such consent in accordance with
article 23 of the PIPL, unless guidance is issued to the effect that a cease-and-desist order from SAMR constitutes a statutory duty or obligation pursuant to article 13(3) of the PIPL.

Litigation and enforcement

Article 22(5) of the AML prohibits undertakings in a dominant position from imposing unreasonable trading conditions, including through the use of data or algorithms, technology or platform rules, while the Platform Guidelines explicitly advise against ‘compulsory collection of unnecessary user information’.[34] A PIH in a dominant position that requires users to provide unnecessary information (or to consent to a transfer of personal information to a third party) as a condition for using its services could therefore be in breach of both the PIPL and the AML. There is no guidance on the term ‘unnecessary information’, but a narrow interpretation would mean that a PIH can only collect information that is strictly necessary to use its services (or, where relevant, to deliver its products).

Article 22(3) of the AML prohibits undertakings with a dominant position from refusing to deal without a justified reason, including through the undertaking’s use of data or algorithms, technology or platform rules, among others. However, in the context of a refusal to provide access to personal data, enforcing
article 22(3) is likely to prove difficult. From a competition law perspective, a plaintiff will have to demonstrate that a defendant PIH holds a dominant position, which is onerous as market shares are often difficult to calculate in data-related markets. Additionally, if the plaintiff claims that the data is an essential facility, it will have to demonstrate that such data is necessary or indispensable to compete. Given that data is non-exclusive and non-rivalrous, it is likely that such a claim will fail. Even if these competition law issues are surmounted, the PIPL may provide the PIH with a justified reason for refusing access to personal data, as a PIH can only transfer personal data to a third party in the limited set of circumstances listed in article 13 of the PIPL.

The courts may soon have their first opportunity to opine on a case involving a refusal of access to personal data. In November 2021, the Changsha Intermediate People’s Court accepted an antitrust complaint brought by Eefung Software, a data analytics company based in the Hunan province. After Sina Weibo allegedly terminated its cooperation with Eefung Software, the latter company unsuccessfully attempted to reconnect with the former. Eefung Software alleges that its business model was destroyed by the termination and alleges abuse of dominance by virtue of Sina Weibo’s refusal to deal. It seeks the use of Sina Weibo’s data under reasonable conditions, as well as compensation for economic loss and reasonable legal costs. This case will likely set a precedent for future cases involving the intersection of antitrust and data access.

Arguably the most significant event to occur in China in 2022 was the fine imposed on Didi Chuxing for data privacy violations. In July 2022, the regulator announced that it had fined the ride hailing platform 8 billion yuan for violations of the PIPL, the Cyber Security Law and the Data Security Law.[35] Following an investigation, the CAC found that Didi Chuxing had:

  • collected illegal and excessive personal information from users;
  • failed to clearly and accurately explain the processing purposes of personal information collected; and
  • failed to fulfil its obligations of cybersecurity, data security and personal information protection.

The severity of the CAC’s sanctions suggests that it is now prepared to utilise its broad investigatory and enforcement powers regardless of the potential business impact to companies, particularly those in the technology sector and with overseas operations. The classification of Didi Chuxing as a ‘critical information infrastructure operator’ also indicates that the CAC and other Chinese regulators intend to adopt a broad interpretation of this concept as defined under the Cyber Security Law, as well as to link mobility data, including location data, with national security.


The AML includes a prohibition on anticompetitive mergers, with a focus on concentrations that result or that may result in the elimination or restriction of market competition. The recent amendments to the AML have confirmed SAMR’s powers to review transactions that do not meet the notification threshold, in circumstances where the transaction nevertheless ‘may have the effect of eliminating or restricting competition.’[36] However, there are unfortunately very few SAMR decisions to serve as precedent for SAMR’s approach to transactions which raise anticompetitive concerns involving personal data. While SAMR and its predecessors have never expressly stated that transactions involving variable interest entities (VIEs)[37] do not need to be notified, in practice these transactions have generally gone unreported.[38] As noted above, SAMR introduced the Platform Guidelines in 2021,[39] which made it clear that transactions involving VIEs ought to be notified if the thresholds for compulsory notification are met. This could lead to an influx of SAMR decisions involving tech companies and personal data issues in the near future.

For now, SAMR is sending a clear message to tech companies that there will be consequences for failing to file in China. SAMR has issued penalties against a range of companies for failing to file, including tech companies Taobao, Baidu and Didi Chuxing. In July 2021, SAMR for the first time imposed remedies post-closing on a significant Chinese company for failing to notify its acquisition of a controlling stake.[40] In this case, SAMR not only concluded that the transaction was reportable, but also identified anticompetitive effects.



In August 2022, the Indian government withdrew the Personal Data Protection Bill (the PDP Bill), which had been pending before Parliament since 2019. In its place, India’s Ministry of Electronics and Information Techology proposed a new draft bill, entitled the Digital Personal Data Protection Bill 2022 (DPDP).[41] The DPDP applies extraterritorially to organisations processing personal data outside India if such processing involves the profiling of data principals in India or the offering of goods and services to individuals in India.

The DPDP removed the PDP Bill’s data localisation requirement and states that ‘the Central Government may, after an assessment of such factors as it may consider necessary, notify such countries or territories outside India to which a Data Fiduciary may transfer personal data’.[42] Instead of requiring entities to store data in India, the government may assess different countries’ data protection regimes and confirm whether personal data can be transferred to such countries. The DPDP also changed the PDP Bill’s penalty for non-compliance, limiting fines on a data fiduciary to approximately US$62 million in place of the 4 per cent international revenue cap originally proposed. The DPDP underwent public consultation until 2 January 2023 and will now follow the notoriously onerous Indian legislative process.

On the antitrust side, the process for legislative change has been similarly slow. In August 2022, the government introduced the Competition (Amendment) Bill 2022 to Parliament[43] two years after it initially published and consulted on the draft Competition Amendment Bill 2020. The Competition (Amendment) Bill, among other things, seeks to expand the powers of merger review of the Competition Commission of India (CCI) by introducing a deal value threshold. The Competition (Amendment) Bill 2022 requires that deals with a transaction value of more than 20 billion rupees be notified and approved by the CCI, and is expected to be considered by Parliament in spring 2023.

Market studies

Following the trend set by regulators around the world, the CCI has launched market studies into the telecommunications, pharmaceutical and e-commerce sectors in recent years. The Market Study Report on the telecommunications sector, released in January 2021, examined data competition in the digital communications market and the inherent conflict between allowing user access and protecting consumer privacy, among other areas.[44] The CCI considered that there is a conflict between allowing access and protecting consumer privacy in the context of data in the digital communications market. It noted that, while privacy can take the form of zero-price competition, competition analysis must also focus on ‘the extent to which a consumer can “freely consent” to action by a dominant player’.[45] The CCI acknowledged that India had yet to introduce its data protection law (the PDP Bill at the time), but concluded that the antitrust law framework is ‘broad enough to address the exploitative and exclusionary behaviour arising out of privacy standards, of entities commanding market power’.[46]

Litigation and enforcement

The issue of dual enforcement has already reared its head in India in the WhatsApp case.[47] The CCI ordered a suo motu investigation into changes to WhatsApp’s privacy policy while the same issue was ‘sub judice before various courts and other fora in India’.[48] Prior to conducting any investigation, the CCI took the prima facie position that the changes constituted an imposition of unfair terms. WhatsApp challenged the characterisation of its policy update and argued that the CCI should only be able to exercise jurisdiction after the judicial challenges are resolved, and appealed the CCI’s decision to open an investigation. In October 2022, the Supreme Court dismissed the appeal, allowing the CCI’s investigation to resume.



The year 2022 was a landmark year for data protection in Indonesia. In September, the House of Representatives approved the Personal Data Protection Bill, which was then enacted in October as Law No. 27 of 2022 on Personal Data Protection (the PDP Law).[49] Years in the making, the PDP Law consolidates the rules related to personal data protection in Indonesia and establishes data sovereignty and security as the keystone of Indonesia’s data protection regime to align it more closely with international standards, such as the GDPR. Notably, the PDP Law imposes criminal sanctions for certain violations of prohibitions on the use of personal data, including unlawfully obtaining personal data, or collecting, disclosing or using personal data that is not a person’s own. Corporations may face fines of up to 2 per cent of their annual revenue in addition to seizure and freezing of the profits or assets derived from the crime and deregistration at an entity level. Individuals, including management and beneficial owners, may also be subject to prison sentences for an organisation’s violation of the PDP Law.

As part of the implementation of the PDP Law, the Indonesian government recently announced the creation of a new data protection authority, which is to be set up by April 2023. The government has made assurances to stakeholders that the newly created authority will consult closely with stakeholders on the development of privacy rules and regulations. As there are now clear definitions of what types of personal data will be regulated and when, as well as certainty in terms of the liabilities of the data controller and the data processor, companies with operations in Indonesia can now start conducting a gap analysis with respect to how those existing operations may need to change to comply with the new requirements.


In May 2021, Gojek (a leading mobile on-demand services and payments platform in South East Asia) and Tokopedia (a leading online marketplace in Indonesia) announced a merger of their businesses to form the largest technology group in Indonesia, GoTo Group. According to Tokopedia, the GoTo Group encompasses 2 per cent of Indonesia’s gross domestic product.[50]

The Indonesian Competition Commission (KPPU) has announced that it continues to monitor the GoTo Group post-transaction. According to the KPPU, it has yet to receive any notification of the merger in accordance with domestic regulations. However, the KPPU has stated that it will use the studies it has conducted into the digital sector to oversee the merger.[51] In its 2020 study into the digital economy, the KPPU found that market power in the digital economy depends largely on the control of data and network effects, meaning that these factors should be considered when assessing a concentration’s competitive (or anticompetitive) effects.[52]



The latest amendments to Japan’s Act on the Protection of Personal Information (APPI) took effect in April 2022. As a consequence, the APPI now has extraterritorial applicability insofar as it applies to organisations collecting personal data outside Japan if such processing involves offering goods and services to individuals in Japan. The APPI includes, but is not limited to, requirements related to cross-border data transfers and data breach notifications.

On the antitrust side, as a result of the extensive market studies conducted by the Japan Fair Trade Commission (JFTC), the government has introduced a number of laws directed at regulating the digital economy, including the Act on Improving Transparency and Fairness of Digital Platforms 2021 (TFDPA) and the Act for the Protection of Consumers who use Digital Platforms 2021 (PCDP). The TFDPA introduces obligations for certain digital platform providers to disclose terms and conditions, and prior notice of changes, to vendors of online marketplaces, as well as to submit annual reports to the government that include a self-assessment of their compliance with the TFDPA. The PCDP was introduced to regulate the relationship between consumers and digital platforms, and ensure that consumers are adequately protected. The PCDP seeks to introduce a non-prescriptive approach whereby digital platforms are encouraged to make voluntary efforts to protect the interests of consumers.

Market studies

The JFTC has undertaken a number of initiatives to better understand the digital economy in recent years. In 2021, the JFTC released the Report on Algorithms/AI and Competition Policy, and the Report on Competition Policy for Data Markets (the Report on Data Markets).[53] The Report on Data Markets notes that data is increasingly seen as a source of competitiveness and that businesses have started to utilise data in physical spaces (eg, automatic driving, medical care and agriculture) as well as in digital spaces (eg, search engines and social networking services). The Report on Data Markets discusses the various challenges involved in drafting effective competition policy for data markets and recommends, among others:

  • involving a wide range of stakeholders when establishing frameworks to ensure individuals’ security and trust;
  • providing free and easy access to data to limit competition concerns; and
  • ensuring data portability and interoperability to enable users to switch without obstacles or to use multiple different platforms (multi-homing).[54]

Significantly, the JFTC makes clear that, when addressing personal data issues, competition, data privacy and consumer protection should not be discussed separately, but regulators should adopt a holistic approach and consider the three areas together.

More recently, in June 2022, the JFTC released a statement on its active promotion of competition policy.[55] The JFTC sought to strengthen its response to fast-changing markets, such as the digital economy, by focusing on enforcement and advocacy (ie, market studies, recommendations and guidance, among others), and the interaction between the two. The JFTC recognised that investigations into digital market operators can be conducted more openly than other industries and the complex nature of digital markets merits the JFTC speaking to a broader range of market participants. As a result, the statement announced that the JFTC may publish a case summary and invite responses from third parties at the very early stages of an investigation into digital markets. The chair of the JFTC, Kazuyuki Furuya stated in his New Year’s Day speech that the JFTC will actively use the information gained through its advocacy activities in its enforcement efforts and, in particular, in the fast-changing digital market.[56]


The JFTC has reviewed a number of mergers involving issues at the intersection of competition and data, including Google/Fitbit (2021) and Salesforce/Slack Technologies (2021).

The JFTC’s assessment of Google/Fitbit paid close attention to the potentially anticompetitive effects of Google combining its own data set with that of Fitbit for use in its advertising business. However, on the basis of the commitments offered by Google, the JFTC ultimately concluded that the acquisition would not substantially restrain competition.[57] Google undertook, for a period of
10 years, to:

  • supply operating systems for smartphones and healthcare databases on a non-discriminatory basis;
  • segregate the parties’ healthcare database from Google’s other data sets and restrict the use of such databases for Google’s digital ads; and
  • report to the JFTC every six months via a monitoring trustee.

In Salesforce/Slack Technologies, part of the JFTC’s investigation assessed whether the combined data collected by the two companies gave the merged entity a competitive advantage. The JFTC found that Salesforce is mainly engaged in the business of providing customer relationship management software and Slack Technologies is engaged in the business of providing business chat services. Since all of these products and services are used for the common purpose of improving the efficiency of operations and communications by companies as users, there is a certain complementarity between them. However, the JFTC concluded that, due to the strict limits placed on the client data that the two companies acquire or can access, the combined accumulation of user data posed no competitive advantage.

South Korea


Data protection in South Korea is currently governed by the Personal Information Protection Act (PIPA). In January 2020, the Korean National Assembly adopted amendments to the PIPA and other data protection laws to implement a more streamlined approach to personal data protection in South Korea and align the PIPA with international standards. The amendments were also aimed at facilitating an adequacy decision from the European Commission, which was subsequently received in December 2021 and promotes the transfer of personal data between South Korea and the European Union without additional mechanisms or authorisations for data transfers.[58] The Personal Information Protection Commission is the exclusive supervisory authority in South Korea and has the competency to impose fines similar to those provided for under the GDPR.

As of 12 January 2023, the Korea Fair Trade Commission (KFTC) has implemented new guidelines for digital platforms that define the screening criteria for abuse of dominance cases. As these platforms can generate revenue through, for example, targeted advertising services using user data, the KFTC recognised that a market can be defined for zero-price services. In this case, a relevant market is the range of services that can be substituted as the amount of personal data collected grows. When evaluating market dominance, the new guidelines suggest looking at five factors:

  • the presence of market entry barriers;
  • whether platforms have significant influence as gatekeepers to control access to major user groups;
  • platforms’ ability to collect, store and use data;
  • platforms’ research and development status; and
  • the potential of new services.

The new guidelines highlight major types of competition-restraining practices adopted by platforms – including multi-homing restraints, most-favoured-nation treatment, self-preferencing and tying – with applicable provisions of the competition law attached to each type of conduct.

Notably, the KFTC has implemented guidelines – as opposed to
regulations – as it recognises the nuance of platforms’ multi-sided nature and other characteristics of digital markets, such as data concentration. Nonetheless, the KFTC also recognises that such characteristics can lead to tipping effects affecting online platforms whereby several platforms with larger numbers of users (such as search engines, social media, video streaming services, mobile operating systems, digital advertising services and others) raise barriers to new entrants. Going forward, the number of users, frequency of use and other variables could be assessed instead of market share for platforms that offer free services. Whether or not platforms’ actions hinder competition may be determined, the new guidelines suggest, by weighing the competition restraints against efficiency gains or customer benefits.

The KFTC has announced that, after 40 years, it will be overhauling its merger control regime. The proposed changes include implementing a new system whereby merging companies can propose their own remedies and, if the regulator determines that these remedies are adequate to remove competition constraints, such mergers can be approved on a conditional basis.


In December 2022, the Seoul High Court ruled in favour of the KFTC by determining that Naver, a Korean online marketplace, had indeed abused its dominant position by manipulating its search algorithms to self-preference its own platform Smart Store over competitors and that the KFTC had succeeded in issuing its antitrust fine of 26.6 billion won. The KFTC alleged that Naver regularly monitored the effect of its search algorithm changes on the visibility of Smart Store items and adjusted its strategy accordingly. As a result, the KFTC found that Naver’s exposure of items hosted on its own marketplace at the top of search results to entice customers was an unfair trade practice as it went against consumer expectations that searches would provide the most relevant results.



The Personal Data Protection Act 2015 (PDPA) and its related Enforcement Rules govern data protection in Taiwan. As in South Korea, Taiwanese legislators have sought to align the country’s data protection regime more closely with the GDPR to obtain an adequacy decision from the European Commission. Taiwan is in continued discussions with the European Union in relation to the adequacy decision and may implement additional amendments to the PDPA to achieve a favourable outcome.

Market studies

In 2021, Taiwan’s Digital Economy Committee published the issues for consideration in its White Paper on Competition Policy in the Digital Economy, which focused in part on the development of national data strategies to facilitate healthy market competition.[59] The committee suggested that the government provide the newly established Ministry of Digital Development ‘with a mandate to promote a more open, less restrictive digital economy’. It noted that the new ministry was set up to encourage ‘reasonable market competition’ and argued that the recommended mandate would further support digitalisation. The Taiwan Fair Trade Commission (TFTC) published its own White Paper on Competition Policy in the Digital Economy in December 2022, following public consultation on an earlier draft.

The TFTC’s White Paper summarises 14 competition issues in the digital economy, and provides its position and guiding principles of enforcement for enterprises’ reference. These issues include challenges to data privacy, market competition and algorithms. The TFTC indicated that the TFTC’s White Paper also provides suggestions of possible regulatory amendments, such as to review the guidelines of market definition to adapt to the market features of the digital economy. Moreover, in the future, the TFTC will progressively introduce information technology in the course of case analysis and improve its technological enforcement capability by employing digital tools.


The legislation, enforcement, litigation and mergers examined in this article demonstrate the increasing significance of issues at the intersection of data privacy and competition law in the Asia-Pacific region. Legislators, regulators and lawyers are working to define how modern legal issues concerning the digital economy can or should be framed under existing competition, data privacy and consumer laws or, otherwise, how these legal frameworks should be developed to tackle nascent data privacy issues. Evidently, the answer is not simple and challenges remain – most notably, coordination between enforcement agencies is needed to prevent dual enforcement under different regimes for the same conduct.


[1] Australian government, Attorney-General’s Department, ‘Privacy Act Review – Discussion paper’,
10 January 2022.

[2] Brandon How, ‘Privacy Act Review complete after three years’,, 20 December 2022.

[3] Australian government, Attorney-General’s Department, ‘Online Privacy Bill Exposure Draft’,
6 December 2021.

[7] ACCC, ‘Digital platforms enquiry: project overview’, last updated 26 July 2019.

[10] id.

[11] As are already being implemented for Google’s ad tech services in response to the UK Competition and Markets Authority’s investigation into Google’s Privacy Sandbox. See ACCC, ‘Digital platform services inquiry - September 2022 interim report - Regulatory reform’, 11 November 2022.

[13] The ACCC also considered that the transaction raised vertical concerns, as it could give Google the incentive and ability to foreclose competition on the market for wearables by restricting access for rival wearable suppliers to WearOS, Google Maps and the Google Play Store or to limit the interoperability of rival wearables with Android smartphone software.

[14] Statement of Issues (see footnote 12), paragraph 86.

[15] Statement of Issues (see footnote 12), paragraph 111.

[16] Statement of Issues (see footnote 12), paragraph 114.

[18] See European Commission, ‘Conditional approval: Case M.9660 – GOOGLE/FITBIT’, 17 December 2020; Japan Fair Trade Commission (JFTC), ‘The JFTC Reviewed the Proposed Acquisition of Fitbit, Inc. by Google LLC’, 14 January 2021; and Competition Commission South Africa, ‘Competition Commission conditionally approves the Google/Fitbit merger’, 22 December 2020.

[19] See ACCC, ‘ACCC rejects Google behavioural undertakings for Fitbit acquisition’, 22 December 2020. However, similar conditions were accepted by the European Commission, the JFTC and Competition Commission South Africa (see footnote 18).

[21] The ACCC cleared Google’s acquisition of DoubleClick in 2008. Notably, at that time, Google made submissions to the US Federal Trade Commission and the European Commission that it would not combine Google’s and DoubleClick’s data on consumer internet activity post-merger. However, the regulators did not rely on these statements to approve the transaction.

[23] See section 17, Criminal Code Act 1899 (Qld); section 100, Crimes (Appeal and Review) Act 2001 (NSW); and section 46 Criminal Appeals Act 2004 (WA).

[24] There are also many differences between the GDPR and the PIPL. See Xu Ke et al, ‘Analyzing China’s PIPL and how it compares to the EU’s GDPR’, IAPP, 24 August 2021.

[25] PIPL, article 60. An unofficial English translation of the PIPL can be accessed via Stanford University’s DigiChina project.

[26] See the Technical Specification for Certification of Cross-Border Transfers of Personal Information (issued December 2022); the Measures for Security Assessment for Cross-Border Data Transfers (issued July 2022); and the Draft Provisions on Standard Contracts for the Export of Personal Information.

[27] See the Administrative Provisions on Internet Pop-up Push Notifications (issued September 2022).

[28] The Platform Guidelines can be accessed via the SAMR’s official website.

[29] AML, article 9.

[30] AML, article 22.

[31] It seems that article 22 of the PIPL, which requires PIHs to inform users and obtain their consent in the case of a transfer to another PIH, would not apply in the case of a statutory obligation to transfer data because article 13(7) explicitly provides that consent is not required.

[32] The term used by the PIPIL is ‘法定义务’, which we have translated as ‘statutory obligation’. The term ‘statutory obligation’ appears to suggest a prerequisite statutory law, order or regulation that would give rise to an obligation to comply. In the present case, a cease-and-desist decision appears to fall short of this requirement.

[33] Under article 6.1(c) of the GDPR, data can be processed where it is ‘necessary for compliance with a legal obligation to which the controller is subject’. It is debatable whether this would be a sufficient ground for allowing access to data under article 102 of the Treaty on the Functioning of the European Union, which prohibits abuses of dominance. Indeed, according to recital 41 of the GDPR, ‘such a legal basis or legislative measure should be clear and precise and its application should be foreseeable to persons subject to it’. See V Kathuria and J Globonick, ‘Exclusionary conduct in data-driven markets: limitation of data sharing remedies’, Max Planck Institute for Innovation and Competition Research Paper No. 19-04, page 23.

[34] Platform Guidelines, article 16(5).

[36] AML, article 19.

[37] The VIE corporate structure is used by virtually all big Chinese technology companies.

[38] Frank Jiang et al, ‘China signals VIE no longer an obstacle in merger filing’, Competition Policy International, 29 October 2020.

[39] See footnote 28.

[41] The DPDP can be accessed via the Ministry of Electronics and Information Technology’s official website.

[42] DPDP, Chapter 4, section 17.

[43] The Competition (Amendment) Bill 2022 can be accessed via the Indian Parliament’s official website.

[45] id., paragraph 70.

[46] id.

[47] In re: Updated Terms of Service and Privacy Policy for WhatsApp Users, Suo Motu Case No. 1 of 202.

[48] id., paragraph 11.

[49] The PDP Law can be accessed via the Indonesian House of Representatives’ website.

[57] See footnote 18.

[59] The issues for this White Paper can be accessed via the TFTC’s official website.

Unlock unlimited access to all Global Competition Review content