German Antitrust Authority Finds Antitrust Infringement on the Basis of a Data Protection Breach
The German antitrust authority (FCO) has ordered Facebook to stop collecting data outside Facebook’s platform without the user’s “voluntary consent.” The decision breaks new ground because it links data protection and antitrust breaches. While the debate about the interplay between other fields of law, such as data protection, and antitrust is several years old, this is the first decision to establish an antitrust violation on the basis of a data protection infringement. The decision is rooted in German law, but may have set a precedent beyond German borders.
Facebook collects data about its users through its own platform, but also through Facebook-owned apps such as WhatsApp and Instagram, as well as third-party websites that have embedded Facebook business tools (Like button, Facebook Login) or Facebook analytical services (Facebook Analytics). When a Facebook account holder engages with such services or sites, data are transmitted to Facebook, that can then combine it with the user’s Facebook account. The FCO concluded that this practice is neither justified under the General Data Protection Regulation (GDPR) nor appropriate under competition law standards applicable to monopolists.
Antitrust and Data Protection
The lifeblood of social networks is data, which led the FCO to take the view that Facebook’s terms and conditions affect not only data protection but also competition. The FCO found that Facebook holds a monopoly position in the German market for social networks. Monopolists are not allowed to exploit their counterparty, in this case the consumers who were found to be in an inferior negotiating position. Due to Facebook’s dominant position users have no option other than to accept Facebook’s terms and conditions.
The decision does not deal with the collection and processing of data generated by the use of Facebook’s own service. The FCO explicitly states that users expect platforms to combine their data to some extent, and this is an essential component of social networks’ business models. The FCO concluded, however, that Facebook’s data collection through non-Facebook services violated the GDPR: Facebook had no effective justification to gather data from its subsidiaries, WhatsApp and Instagram, or other external services, nor did it obtain effective, voluntary consent from its users. To come to this conclusion the FCO cooperated closely with data protection authorities.
The damage to competition is not caused by any financial loss, given that Facebook is a free service, but by a loss of control: Facebook users are unable to control what data is used for Facebook’s profiling. This infringes their constitutional right under German law to informational self-determination. In addition, the FCO found that the gathering of increasing amounts of data also allows Facebook to strengthen its monopoly position further to the detriment of other social network providers. Finally, the FCO also concluded that the data allows Facebook to improve its position in targeted advertising services to the disadvantage of customers and competitors in the advertising space.
What Facebook Must Change
The FCO has ordered Facebook to terminate its current practices and only collect and combine data gathered from outside Facebook if German-based users have given their “voluntary consent.” “Voluntary consent” means that access to the service cannot be limited to users who consent: if users do not consent, Facebook may not exclude them from its services but will have to substantially restrict its collection and combining of data from different sources.
The FCO did not impose a fine, given the complexity and novelty of the issues. Facebook now has four months to submit a proposal which the FCO will assess. If Facebook does not comply with the FCO’s decision and continues its practices, the FCO can impose penalty payments. Facebook has already announced that it will appeal the decision.
Potential Ramifications Outside Germany
The FCO’s decision is based on German law and only applies to German-based users. That said, the FCO stated publicly that it closely cooperated with other antitrust authorities, including the European Commission, because of the cross-border aspects of the case. This suggests that there may be some level of agreement among antitrust authorities about the outcome of the case. The decision might indeed encourage other jurisdictions to follow a similar path and have more regard for data protection (or principles from other fields of law) in antitrust investigations.