WhatsApp's decision of August 2016 to change its privacy policy and to link data from its accounts with data from Facebook accounts has already drawn much attention for potential breaches of data privacy rules. It has now taken a new – and less expected – turn. It led the European Commission (DG COMP) to conclude that Facebook provided it with misleading information during its review of the WhatsApp acquisition in 2014. On 18 May 2017, the Commission sanctioned this conduct with a EUR 110 million fine on Facebook, sending a clear reminder to companies of their obligations under the EU Merger Control Regulation (EUMR). In light of the EU General Data Protection Regulation (GDPR) entering into force as from May 2018, this is also a reminder for companies handling personal data in the EU that they can benefit from lessons learned under EU competition law.

When Facebook acquired WhatsApp in February 2014 for more than USD 19 billion, the transaction faced concerns from many regulators, mainly privacy authorities. At the time, Facebook and WhatsApp promised users and authorities that they would not link user data associated with their respective accounts – except with users' prior opt-in consent.

However, in August 2016, WhatsApp announced a change of its privacy policy. It would link its WhatsApp user data to Facebook profiles for targeted advertising and other purposes. This process would be automatic unless users opted out within 30 days.

Not surprisingly, many data privacy authorities scrutinise WhatsApp and Facebook privacy policies, and especially the change of August 2016. Some of them imposed sanctions due to infringements of data privacy rules. For example, the Italian personal data protection authority imposed a EUR 3 million fine on 12 May 2017. However, the biggest sanction recently imposed on Facebook was on another ground. The Commission fined Facebook EUR 110 million for providing misleading information during the merger control review of its acquisition of WhatsApp in 2014.

The Commission found that it relied on misleading information in its 2014 clearance decision

Given WhatsApp's limited turnover, the Commission did not originally have jurisdiction to review Facebook's takeover of WhatsApp. Because the merger would have been reviewed by the national competition authorities of three EU Member States, Facebook chose to refer the case to the Commission for a single review. The Commission ultimately concluded that the transaction would not give rise to serious competition concerns, and it issued a clearance decision on 3 October 2014 (Case COMP/M.7217).

Among the different elements that the Commission analysed, it examined whether the combination of the two networks would increase Facebook's competitive advantage through so-called "network effects" (the bigger a network, the more valuable it is).

The Commission dismissed these concerns. It held that, due to certain market characteristics (e.g. the sector is fast-moving, consumers tend to use several apps simultaneously, the parties do not control essential parts of the networks or any mobile operating system), network effects would not increase the merged entity's power on the market for consumer communication services.

This would have been sufficient to dismiss the concerns on network effects. However, the Commission went one step further by adding another argument "for the sake of completeness" (para. 136 of the Commission decision). It held that the transaction would not significantly strengthen the network effects. The transaction could have substantially strengthened the network effects if Facebook combined both networks into a substantially larger network. Based on information provided by Facebook (and against claims from third parties), the Commission concluded that this would not happen because the transaction would give rise to limited integration. In particular, the Commission relied on Facebook's argument that integration between both networks would face significant technical difficulties. Facebook had submitted that matching WhatsApp users' profiles with their Facebook profiles would be complicated because they used separate unique user identifiers (Facebook ID and mobile phone number respectively). The Commission stated that "Facebook would be unable to automatically and reliably associate a Facebook ID with a valid phone number used by a user on WhatsApp" (para. 138 of the Commission decision) (emphasis added).

The August 2016 change in WhatsApp privacy policies proved that the information Facebook provided was misleading

In August 2016, Facebook began to integrate both networks. It decided to do so with an opt-out system. This was only possible if Facebook was able to automatically and reliably link both profiles – as third parties had previously argued during the 2014 market investigation.

The Commission examined whether the possibility to automatically link the profiles already existed in 2014. It concluded that the possibility existed at the time of the notification and that Facebook staff were aware of such possibility. The Commission adopted its decision finding that the information provided was misleading, and it imposed a EUR 110 million fine (COMP/M.8228).

The Commission has the power to impose fines for misleading information and to reassess a cleared transaction

Article 14 EUMR gives the Commission extensive fining powers in merger control. In particular, the Commission can impose fines of up to 1% of the total group worldwide turnover when a party provides "intentionally or negligently…incorrect or misleading information".

Because Facebook provided misleading information both in the notification form and in a response to a request for information, the Commission concluded that Facebook was liable for two separate infringements.

In addition, Article 6(3) EUMR also provides that "[t]he Commission may revoke the decision it took… where the decision is based on incorrect information for which one of the undertakings is responsible or where it has been obtained by deceit". The Commission may therefore reassess a transaction even (two or more years) after a clearance decision and has done so in the past. However, because it relied on the misleading information only in an "even if" argument, it concluded that its assessment of Facebook's takeover would not have changed and that it was not justified to revoke the clearance decision.

On the setting of the fines, the EUMR provides that the Commission must take into account the "nature, gravity and duration of the infringement", and that the fine cannot exceed 1% of the turnover achieved by the group in the previous financial year (which was almost USD 28 billion for Facebook in 2016). The Commission explained that it took into account mitigating factors to reduce the fine, in particular Facebook's cooperation in the proceedings (i.e., Facebook acknowledged the infringement and waived all its procedural rights, such as the right to have access to the file and the right to an oral hearing). The Commission said that, given the facts of the case, a EUR 110 million fine was both proportionate and deterrent.

In fact, this is the first time that the Commission has imposed such fines under the EUMR. The Commission previously imposed such fines in five cases between 1999 and 2004, under the previous merger control regulation. Because such fines were capped at EUR 50,000 per infringement, the highest fine ever imposed was EUR 100,000 (for which the Commission took into account that misleading information was provided twice). The Commission has imposed fines in separate decisions, and it has also revoked a clearance decision (and subsequently issued a new clearance decision).

With the Facebook decision, the Commission seems to have started a new cycle of cases sanctioning the provision of misleading information. The Commission explained that, given the tight deadlines that apply in merger control review, it does not have the time to conduct a thorough investigation. It must be able to rely on the information provided by the parties. By fining Facebook, the Commission sent a clear message that it will not hesitate to open more investigations if this is necessary to ensure that it receives accurate information. Investigations are currently reported to be pending for the same infringement. For example, General Electric admitted that it was subject to a Commission investigation regarding the information it provided for its acquisition of LM Wind Power (the transaction was cleared in March 2017).

Upcoming cases, as well as the publication of the Facebook decision, should clarify a large number of points, including the following:

  • Whether it could make sense for companies to spontaneously contact the Commission if they provided, intentionally or negligently, misleading information in the context of a merger control review.
  • Whether the Commission will accept complaints from third parties when merger clearance decisions have relied upon potentially inaccurate or misleading information – especially when the same third parties provided the accurate information during the first market investigation. In the Facebook case, the Commission seems to have relied on public sources to reopen the case. The General Electric investigation seems to have been triggered by doubts that the Commission had during the merger control review. However, several of the cases dating back to 1999-2004 started with complaints from third parties, which indicates that the Commission may also accept – and maybe encourage – complaints in the future.
  • Whether the Commission will also extend this scrutiny to the information provided by third parties. In principle, the EUMR does not allow the Commission to fine third parties which provided incorrect or misleading information on their own initiative. However, the Commission has the power to impose fines on addressees of requests for information for supplying incomplete or misleading information, and it has imposed such fines on third parties that failed to assist the Commission in its merger review tasks.

Conclusion

The Facebook fine is certainly interesting as a clear reminder to companies of their obligations under the EUMR. It also reminds companies handling personal data in the EU that they can benefit from lessons learned from fines imposed under EU competition law. Whereas the fines imposed by data protection authorities have been quite limited so far – in comparison with competition law fines – this will significantly change on 25 May 2018, when the GDPR enters into force. The GDPR will give data protection authorities fining powers that are largely influenced by EU competition law. In particular, it will provide them with the ability to impose fines capped at 2% or 4% of the total group worldwide turnover. There is no doubt that companies will remember Facebook's EUR 110 million fine when authorities start using that power.