German antitrust authority restricts Facebook's processing of user data

On 7 February 2019 the German antitrust authority (Bundeskartellamt) found that the extent to which Facebook collects, merges, attributes to and uses data in user accounts amounts to an abuse of a dominant position on the market for social networks. Under Facebook's current terms and conditions, users have to agree to Facebook: (1) collecting user data from both Facebook-owned services like WhatsApp and Instagram, and from third party websites that use Facebook links in the foreground or Facebook analytics in the background, and (2) combining and assigning that data to the user's Facebook account. According to head of the authority Andreas Mundt, as a result Facebook "obtains very detailed profiles of its users and knows what they are doing online".

Facebook’s acquisition of WhatsApp was cleared by the European Commission in 2014. However, in 2017 the Commission fined Facebook EUR110 million for providing incorrect or misleading information in relation to that acquisition – Facebook made statements to the Commission during the merger control review which were inconsistent with an announcement by WhatsApp after the deal had been cleared, relating to the possibility of linking WhatsApp users’ phone numbers with Facebook users’ identities.

In last week’s decision the Bundeskartellamt concludes that Facebook’s practice in relation to the data obtained by its services is to the detriment of the consumers who use Facebook, and gives rise to a so-called 'exploitative' abuse. It also impedes competitors, who are not able to amass similar levels of data.

The case is exclusively based on German law, referring in particular to a Federal Supreme Court line of cases that considers terms and conditions as exploitative if they conflict with other (non-antitrust) laws – most notably the laws with respect to general terms and conditions. Here, the Bundeskartellamt claims that Facebook did not comply with principles of data protection laws (although the decision apparently reaches beyond black letter data protection rules – the authority applied a broader assessment of the whole mechanism of collecting and processing data). It is worth noting that even though the decision is grounded in German (case) law, in principle the determination of an exploitative abuse follows the same criteria as under the EU abuse of dominance rules. EU Competition Commissioner Vestager has, however, stated (as reported by Bloomberg) that while the European Commission will study the decision with interest, she does not think it would serve as a ‘template’ for EU action.

The Bundeskartellamt handled the case as an administrative proceeding. As a result no fine was imposed, which is typical for an entirely new theory of harm. But this does not mean that Facebook is off the hook: the Bundeskartellamt is requiring it to change the way it processes the data of German users. Going forward, assigning data from WhatsApp and Instagram to Facebook user accounts will only be possible if the user has given his/her voluntary consent. The same goes for collecting data from third party websites and assigning it to Facebook user accounts – voluntary consent will be needed.

Under GDPR, this means that the use of Facebook’s services must not be conditional on the user’s consent, meaning they must be available even without the user’s consent to the profiling activities involving combinations of data across services. Facebook and Facebook services, such as WhatsApp or Instagram, can continue to collect data for use in connection with those services. However, Facebook may only combine these data and assign them to a Facebook user account if users give their prior consent. In practice, obtaining valid consent to an extensive matching of user data could be challenging in light of the strict transparency and information requirements for consent under the EU General Data Protection Regulation (GDPR). Further, according to the Bundeskartellamt, the use of the Facebook like button and Facebook analytics is not sufficiently transparent to the user.

Facebook has announced that it will appeal the Bundeskartellamt’s decision. It argues that the authority underestimates the level of competition it faces in Germany, and has misinterpreted Facebook's compliance with GDPR. It takes the firm position that it is the job of data protection regulators – not antitrust authorities – to determine whether companies are living up to their data protection responsibilities. Whether this would lead to a different outcome is unclear. Several German data protection authorities and the European Data Protection Supervisor (EDPS) have already welcomed and affirmed the Bundeskartellamt’s decision. German data protection authorities stated that it is now their turn to launch investigations into Facebook’s data processing as ‘several aspects of Facebook’s current business model do not comply with data protection laws’. They also announced that they are prepared to take it to the European Data Protection Board if the Irish data protection authority – which is Facebook’s lead supervisory authority under Article 56 GDPR – disagreed.

The decision is important as one of the first to combine data protection issues with antitrust analysis. It will no doubt add fuel to the debate as to whether antitrust authorities are best placed to look at this type of issue.