This article was first published in Privacy Laws & Business International Report, April 2019.
On 7 February 2019, the Bundeskartellamt (the competition regulatory authority in Germany) completed an investigation into Facebook that had taken almost three years. Unusually for a competition inquiry, this investigation focussed centrally on Facebook’s data collection practices, and on the relationship between compliance with data protection and competition laws.
The Bundeskartellamt concluded that: (i) Facebook held a dominant position in the German market for social networks; and (ii) Facebook had infringed competition law by abusing this dominant position through its data collection practices. The Bundeskartellamt ordered Facebook to cease the infringing behaviour. Although the full decision has not been released yet, the Bundeskartellamt has published an explanatory memo. In this article, we explain what Facebook did and why the Bundeskartellamt considered that this broke the law in Germany. We then explore the implications of this decision, particularly as regards the overlap between competition law and data protection law, and what other companies should be thinking about for compliance purposes.
It is common knowledge that Facebook collects a substantial amount of data on its users as they use the Facebook social network. It is perhaps less well known that Facebook also collects data through third party websites and services. This includes services like WhatsApp or Instagram, which Facebook owns, and also any other third party website which uses ‘Facebook Business Tools’, for example having a Facebook ‘like’ or ‘share’ button embedded on a page. Millions of third party websites have these tools embedded and Facebooks collects data on its users when they visit such websites, even if the user does not actually click on the buttons. Facebook’s terms of service require users to agree that any data collected through these third party services can be combined with data from the user’s Facebook account, even if they have blocked web tracking in their browser or device settings.
Nature of the abuse identified by the Bundeskartellamt
The Bundeskartellamt determined that Facebook holds a dominant position on the German market for social networks. Companies in dominant positions have special responsibilities. Under Article 102 TFEU, they are prohibited from abusing their dominant position, for example by taking advantage of a lack of alternative options for users or customers to impose unfair terms or prices. In deciding that Facebook held a dominant position, the Bundeskartellamt said that other services such as LinkedIn, YouTube and Snapchat were not sufficiently comparable to a social network to fall within the same market, despite some similarities, and despite the existence of frequent “multi-homing” (i.e. use of multiple social networks) by users. This narrow market definition enabled the Bundeskartellamt to conclude that Facebook held a market share of over 90%.
The Bundeskartellamt described Facebook’s conduct as an ‘exploitative business practice’ that abused Facebook’s dominant position. It recognised that the business model of a social network funded by advertising requires the processing of personal data, and that users expect this. However, the Bundeskartellamt was concerned that Facebook was making the use of its service conditional upon users granting it the extensive permissions necessary to enable Facebook to combine user account data with data collected from third party websites.
The Bundeskartellamt assessed Facebook’s conduct using data protection principles (particularly those arising under the General Data Protection Regulation (GDPR)). It said that it was entitled to do so under case law of the German Federal Court of Justice, which enables civil law principles to be applied to determine whether business terms are exploitative. Applying these principles, the Bundeskartellamt determined that Facebook had no objective justification for collecting data from third party sources and assigning this data to users’ Facebook accounts. It had not obtained effective consent from users, the processing of data was not required to fulfil contractual obligations, and Facebook’s interest in processing the data did not outweigh users’ interests in retaining control over their data.
Although Facebook’s service is free, and its users therefore did not suffer a direct financial loss from Facebook’s business terms, the Bundeskartellamt said that users were damaged through a loss of control over how their personal data is used. The Bundeskartellamt referred to the public reports of Facebook’s transfer of personal data to third parties such as smartphone manufacturers, to note that ‘data leakage’ is not merely a theoretical risk for users. It also noted that users’ personal data is of great value to Facebook, allowing it to optimise its service to tie more users to its network, as well as to improve its targeted advertising services and to reinforce its indispensable position for advertising customers, which caused further competitive harm.
The Bundeskartellamt has now imposed an obligation on Facebook to change its terms of service; Facebook is also required to undertake not to process data collected from third party websites without ‘voluntary consent’ from users, i.e. users must be given a real choice and cannot be required to agree to this practice in order to use Facebook. If users do not consent, or Facebook does not seek their consent, it must severely restrict its processing of users’ data. The Bundeskartellamt has ordered Facebook to develop proposals for how this restricted processing will operate, noting that several different criteria are feasible, for example: restricting the amount of data collected; limiting the purpose it can be used for; anonymising data; or giving users additional control options.
The Bundeskartellamt is likely to carry out technical monitoring of any proposal implemented by Facebook. Though the Bundeskartellamt has not imposed any fine upon Facebook at this stage, instead focussing on securing a change in business practices, it is likely to impose a fine if Facebook fails to make the ordered changes to its conduct.
It will be interesting to see if Facebook changes its practices in other countries, or just in Germany. Competition authorities around the world are watching the perceived market power of major platforms such as Facebook, and the Bundeskartellamt’s decision will doubtless be carefully reviewed by other European competition authorities. We understand that Facebook intends to appeal the Bundeskartellamt’s decision.
The implications of this decision
The overlap between competition law and data protection law
Although this is the first competition law infringement decision which directly intersects with data protection law, the question of how the two bodies of law interrelate has been the subject of policy considerations for a few years. Notably, in September 2016 the European Data Protection Supervisor (EDPS) released an Opinion on coherent enforcement of fundamental rights in the age of big data. The Opinion proposed establishing a Digital Clearing House through which regulators from various disciplines could voluntarily share information.
The Bundeskartellamt has said that it cooperated closely with (unspecified) data protection authorities during its investigation into Facebook, and that those authorities explicitly supported it proceeding with the case. It comes as no surprise then, that the EDPS has commented favourably upon the Bundeskartellamt’s investigation. In an article entitled This is not an article on data protection and competition law, the EDPS described the Bundeskartellamt’s decision as ‘pioneering’ and noted that it could not have taken place without the cooperation of relevant data protection authorities.
The application of competition law to conduct regulated (and even permitted) under other laws is not a new development. The European Commission has previously established that seeking an injunction based on infringement of standard essential patents can be an abuse of a dominant position under Article 102 TFEU. The CJEU agreed in Huawei v ZTE, providing a framework for negotiating a licence to standard essential patents that, if followed, offers a safe harbour through which a patent holder can seek an injunction without risking abusing a dominant position. In 2012 the CJEU held that AstraZeneca had abused a dominant position by selectively withdrawing certain marketing authorisations, so that generic pharmaceutical companies could no longer rely on them to bring competing products to market, even though this conduct was permissible under the regulatory regime applicable at the time.
These cases extended the scope of EU competition law. While they showed the effectiveness of competition regulators in holding companies to account, they arguably did so at the cost of using competition law to fill regulatory gaps rather than amending the relevant body of law directly (although in the second case mentioned above, regulatory change did follow). Data protection law in Europe has been subject to a very substantial overhaul in the past years. The Bundeskartellamt’s actions could be taken to suggest a lack of confidence in these reforms to protect consumers.
The Bundeskartellamt’s decision also appears to clash with the ‘one-stop-shop’ principle envisaged by the GDPR. Facebook’s base of operations in Europe is in Ireland, and the Irish Data Protection Commission is its lead supervising authority. According to European Commission guidance, the Irish Data Protection Commission should have primary responsibility for dealing with a cross-border data processing activity. Instead, the German competition authority has investigated Facebook’s conduct in Germany only. However, since Facebook is collecting data from third party websites from around the world, it would seem artificial to claim that Facebook’s conduct does not have a cross-border element, despite the investigation’s focus on users in Germany.
To date, there is no evidence that any of the data protection authorities that the Bundeskartellamt worked with intend to bring a separate investigation into the conduct scrutinised in the decision. But what about data protection authorities in other EU Member States that were not contacted by the Bundeskartellamt? What would happen if they investigated the same conduct by Facebook or another company but concluded that it was permissible under data protection law? What about a potential future scenario where a competition regulator takes unilateral action to investigate a competition law infringement based on data protection principles without working with any data protection authorities? It is easy to see how this could lead to different standards and different rules being enforced in different European Member States, despite the aim for harmonisation under the GDPR. Whether or not any such tension arose in this particular case, it seems clear that there is potential for conflict between regulatory regimes in the future.
What does this case mean for other companies?
The conduct assessed by the Bundeskartellamt to be abusive in this case was relatively narrow. The Bundeskartellamt has made clear that it has not examined the collection of data generated by WhatsApp and Instagram (both Facebook-owned), only the combination of that (and other third party) data with users’ Facebook accounts. It has also adopted a very narrow product market (excluding services like LinkedIn and Snapchat from the definition of social network) and has assessed the geographic market as being national in scope.
In the light of those limitations, it could be argued that this case should be confined to its facts and easily distinguished from any future investigations. However, in reality, this case is part of a growing trend of competition regulators taking an interest in data. Although the European Commission in the Facebook/WhatsApp merger said that “privacy-related concerns flowing from the increased concentration of data within the control of Facebook…do not fall within the scope of the EU competition law rules but within the scope of the EU data protection rules”, regulators have been considering other ways in which data is relevant to competition law. The Bundeskartellamt worked with the French competition authority to produce a joint paper on Competition Law and Data in 2016 which includes a section on data-related anti-competitive conduct. The Bundeskartellamt has also launched a sector inquiry into online advertising, noting that “the issue of access to and the processing of data is also highly relevant from a competition point of view”, and in October 2018 the UK’s Competition and Markets Authority confirmed that it is also considering an inquiry into the digital advertising market. In March 2019, in a statement to the EU Parliament, Competition Commissioner Margrete Vestager noted that: “data accumulation in the hands of a single firm may raise competition concerns. At the same time, when firms collect personal data, a degradation of data protection may result in harm to competition that can be addressed by EU competition law”.
Data-rich companies certainly need to be aware of this Facebook decision. However, they also need to be aware of the trend for data-related inquiries more generally. Particularly where data has high monetary value (for example, in terms of driving ad revenue), it will be important for companies to think about their proposed approach to data protection compliance in the round with competition law colleagues. This is all the more the case if competition authorities adopt similarly narrow market definitions to the ones the Bundeskartellamt has used here, as these increase the risks of any given company being found to hold a dominant position.
Even companies which are not dominant in these fields need to be aware of these developments. Competition authorities’ interest in data is not limited to abuse of dominance investigations or merger assessments. The potential for investigations based on anti-competitive collusion under Article 101 TFEU also exists. For example, the Commission has suggested that privacy could be regarded as a non-price parameter of competition. If this is the case, if companies operating within a market in which privacy is an important factor in the decision to purchase a product or service all agreed (even informally) to relax their privacy policies to make it easier to monetise data, this could amount to an infringement of competition law under Article 101.
The Bundeskartellamt’s decision may prove to be an outlier. It could also prove to be one of the first of many cases in which the lines between data protection and competition law are blurred. In either case, companies should be aware of the relevance of data to competition compliance.