German enforcer attacks Facebook data collection model
Germany’s Federal Cartel Office has banned Facebook from combining user data from different sources – including from services it owns.
The competition enforcer today said that Facebook can only continue to collect data from third parties – including services it owns such as WhatsApp and Instagram – and assign it to user accounts if it obtains users’ consent.
If Facebook does not get this consent, said the authority in a statement, it will have to “substantially restrict its collection and combining of data”. The authority has tasked Facebook with developing proposals for solutions to this effect.
The decision also bans Facebook from excluding users who do not consent from its platform, and orders it to stop collecting and merging non-consenting users’ data from sources other than Facebook.
Facebook’s terms and conditions currently only let users access the platform if they allow the company to collect data from third-party websites, and assign the data to their respective Facebook user accounts. The authority said this practice constituted an abuse of dominance in a preliminary decision in December 2017.
In a statement, the authority’s president Andreas Mundt said: “We are carrying out what can be seen as an internal divestiture of Facebook’s data. In future, Facebook will no longer be allowed to force its users to agree to the practically unrestricted collection and assigning of non-Facebook data to their Facebook user accounts.”
The enforcer found that the conduct constituted an abuse of Facebook’s dominant position on the German social network market. It noted that Google+ is set to shut down in April 2019, and that services such as Snapchat, YouTube and Twitter, and professional networks like LinkedIn and Xing “only offer parts of the services of a social network and are thus not to be included in the relevant market”.
Facebook’s terms of service and the manner and extent to which it collects and uses data, said the authority, violate European data protection rules; it said that it cooperated closely with data protection authorities in clarifying the data protection issues involved.
In a statement, Facebook said the decision threatens to undermine the GDPR’s harmonisation of data protection laws across Europe. “The GDPR specifically empowers data protection regulators – not competition authorities – to determine whether companies are living up to their responsibilities,” the company said; it plans to appeal against the decision.
Daniel Pauly, a partner at Linklaters in Frankfurt, told GDR that he did not believe the competition authority had gone beyond its remit.
“The authority is supposed to evaluate business practices in light of applicable law, it can’t sit on a cartel law island,” Pauly said. “Data protection is applicable law, it needs to put it into context regarding the business model,” he said, adding that data protection law is part of the “Bermuda triangle” of applicable law for data-based businesses, which also includes competition law and the law of standard business terms.
Christian Hamann, a partner at Gleiss Lutz in Berlin, said it would be interesting to see how the German courts interpret the competition authority’s jurisdiction over data protection matters. “My view is that the [competition] authority has a good point and a strong position.”
He told GDR that he expects the cartel authority to carry out investigations similar to this one, since it is looking to extend its jurisdiction to consumer protection.
Rob Atkinson, who is president of the Information Technology and Innovation Foundation think tank, said the ruling establishes a “troubling precedent” for the respective roles of privacy and antitrust policy in Europe.
“Antitrust enforcement is not the appropriate remedy for data privacy complaints. The European Union created the GDPR dedicated to data protection – it should be able to handle privacy concerns without being propped up by competition authorities.”
For Phillipp Schröder-Ringe, a partner at HÄRTING in Berlin, only data protection authorities should decide if Facebook needs to seek consent to aggregate user data from different platforms.
“I think that there must be a reason why the data protection authorities did not prohibit Facebook’s business model even though they have the power and the tools to do so,” he said. “The cartel office should neither ignore the competence of the DPAs in this matter nor replace the decision they would like to have based on cartel law,” he said.
Competition lawyer Silke Heinz at Heinz & Zagrosek in Cologne said the authority had largely relied on the violation of data protection rules to determine abuse of dominance. “While indeed the outcome may be desirable under data protection laws, the question remains whether abuse of dominance proceedings form the right tool to achieve compliance with data protection laws,” she said.
Heinz added that the decision raises the question as to whether every violation of any law by a dominant company will be seen as an abuse of dominance in the future.
For Linklaters’ Pauly, while the impact of the decision is limited to companies deemed dominant, it also clearly shows what data-based businesses can and can’t do. “There is clear guidance for future – that businesses can’t limit users’ choice,” he said.
In a statement, Johannes Caspar, the head of the privacy regulator in Hamburg, where Facebook’s German arm is headquartered, said: “Today's decision makes it clear that anti-privacy business practices and fair competition are mutually exclusive. Now, when Facebook looks to merge data from third-party sources, it must consider users' right to self-determination for competition reasons too. Data protection and consumer protection can not be permanently undermined in the EU.”
Marit Hansen, the head of Schleswig-Holstein's data protection authority, said it is "too early to celebrate" from a data protection point of view.
"Facebook can continue with their data-invasive practices for quite some time, and only tiny parts of the overall and already heavily criticised business model have been tackled by this decision. Finally, it will come down to the responsibility of users how to react when they are (later) asked by Facebook whether or not to agree with the data transfer."
She added that data protection and antitrust law intersect when it comes to data transfer between different companies or parts of companies, and that "considering the lack of resources of all these authorities, associations and institutions, contacts and exchange of information can be very valuable".
Facebook said: “The [Federal Cartel Office] underestimates the fierce competition we face in Germany, misinterprets our compliance with GDPR and undermines the mechanisms European law provides for ensuring consistent data protection standards across the EU.”
“The protection of personal data is a fundamental right in the EU and everyone gets equal protections as part of the GDPR regardless of the size of the company involved,” the company said. “We support the GDPR and take our obligations seriously. Yet the [Federal Cartel Office]’s decision misapplies German competition law to set different rules that apply to only one company.”
Facebook has four weeks to appeal to the Düsseldorf Higher Regional Court.
Counsel to Facebook
Latham & Watkins
Partner Hanno Kaiser in San Francisco and partner Michael Esser in Düsseldorf and Brussels are assisted by Jan Höft and Judith Kreher
Copyright © Law Business ResearchCompany Number: 03281866 VAT: GB 160 7529 10