The German Federal Cartel Office (Bundeskartellamt) (“FCO”) has issued a decision imposing far-reaching restrictions on Facebook’s gathering of its users’ data, evidencing a novel application of competition law to the area of data privacy.
The FCO’s decision specifically targets Facebook’s collection of data outside its social network, from its other websites, such as WhatsApp and Instagram, and from third party websites which use Facebook tools. The FCO says that Facebook’s practice of combining users’ data from these other sources with data obtained from users’ Facebook profiles without consent constitutes an abuse of Facebook’s dominant position in the market for social networks in Germany.
Market definition and dominance
The FCO defined the relevant market as the ‘market for social networks in Germany’. It found that Snapchat, YouTube, Twitter and LinkedIn did not form part of the relevant market because they offered only part of the services provided by a social network such as Facebook. Even if these services were included in the relevant market, the FCO considered that Facebook would still achieve very high market shares, which ‘would be indicative of a monopolisation process.’ The FCO concluded that Facebook had a 95% share of the German market for daily active use of social media, noting that its only real competitor, Google+, was planning to shut down its social network in 2019.
Abuse/Theory of harm
The FCO determined that Facebook had abused its dominant position by making use of its network subject to it being able to collect users’ data from third party sources, which data could then be processed by Facebook for numerous purposes. The FCO considered that Facebook users are not aware that in addition to data from their Facebook accounts, Facebook collects an unlimited amount of data from third party sources, and combines this with data from users’ Facebook accounts to create a unique and comprehensive profile for each user. This data is not only collected from Facebook-owned services like WhatsApp and Instagram, but also flows from any website which has embedded ‘Facebook business tools’, such as the ‘like’ button, or which uses ‘Facebook Analytics’.
While the implications of Facebook’s conduct from a data protection perspective are clear, the application of an ‘abuse of dominance’ competition analysis is less obvious. The FCO states that Facebook’s conduct represents a so-called ‘exploitative abuse’. In this regard, it relies on case-law of the German Federal Court of Justice to the effect that civil law principles can be applied to determine whether business terms are abusive. The FCO states that this case law can also be applied to a breach of data protection law, the purpose of which is to counter asymmetries of power between organisations and individuals. In its view, Facebook’s conduct clearly violates the General Data Protection Regulation (“GDPR”) 1 because the processing of data from third-party sources is neither required for offering the social network nor for monetising the network through personalised advertising. The FCO argues that consumers are harmed by this conduct because they lose control over their personal data and how they are used. Facebook’s market power means that users have no option to avoid the combination of their data in this way.
The FCO also identifies two ‘traditional’ instances of competitive harm which result from Facebook’s conduct. Firstly, it finds that the combination of users’ data from various sources allows it to optimise its service and tie more users to its network, to the detriment of other social networks. Secondly, Facebook’s ability to create unique user profiles also makes it indispensable for advertising customers, causing harm both to the customers themselves and to competitors in the advertising market.
In a press release, Facebook has indicated its intention to appeal the decision, arguing that the FCO underestimates the ‘fierce competition’ it faces in Germany and that the decision evidences a misapplication of competition law to apply different data protection rules to one company. It also points out that the GDPR entrusts data protection regulators – and not competition authorities – with the safeguarding of European citizens’ data. In its view, therefore, the Irish Data Protection Commission is the body responsible for ensuring that Facebook Ireland Limited complies with European data protection rules. In a summary of the decision released after Facebook’s press release, the FCO points out that the GDPR does not preclude the examination of data protection breaches by competition authorities, and notes that none of the data protection authorities it contacted in the course of its investigation considered that they had exclusive jurisdiction. Indeed, the FCO specifically mentions that the Irish Data Protection Commission indicated that a competition authority can take action against violations of data protection law if dominant companies are involved.
The immediate impact of the decision is that Facebook is prohibited from stipulating in its terms of service that use of Facebook.com in Germany is subject to Facebook being able to collect and combine users’ data from its other websites and from third party websites. The FCO has required Facebook to offer solutions at to how to implement the required restrictions and to submit them to the FCO for its review.
The FCO has said that it ‘closely liaised’ with the European Commission and other data protection authorities in making the decision. For its part, the Commission said that it ‘took note’ of the FCO’s decision. Despite this cooperation, it is unlikely that the Commission would apply a competition law ‘abuse of dominance’ analysis to Facebook’s conduct in the way that the FCO has done. This is because the Commission’s enforcement under article 102 TFEU focuses on behaviour which is deemed to damage the structure of the market, or maintain high prices. In addition, there is no precedent at European level which establishes that a breach of data protection rules constitutes an abuse of dominance. Indeed, in its Facebook/WhatsApp merger decision, the Commission found that the increased concentration of data within the control of Facebook as a result of the merger did not fall within the scope of EU competition law rules but rather within the scope of EU data protection rules. 2 Conversely, data privacy and consumer protection considerations appear to be central to the FCO’s decision. Having said this, the FCO’s decision and its cooperation with other authorities make it clear that there is a growing awareness at national and European level of the impact of Facebook’s data collection on consumers. As such, this bold move on the part of the FCO may prompt other data protection or competition authorities to take action against what the FCO describes as Facebook’s “unrestricted collection” of users’ data.