In one of the first decisions to consider data protection and competition issues side by side, the German competition regulator (the Bundeskartellamt) last week found that Facebook had both abused its market power in Germany and breached EU data protection laws in the way in which it collects data from its users’ accounts.
During a three-year investigation, the Bundeskartellamt found that, as a mandatory condition of their use of its social media platform, Facebook requires its users to consent to their data being shared across both WhatsApp and Instagram (which Facebook owns) and other third-party apps and websites. As well as being a breach of the EU’s General Data Protection Regulation (GDPR), the Bundeskartellamt ruled that this practice of gathering and merging data from multiple sources without explicit consent enabled Facebook first to build, and then to exploit, its market power in Germany by “substantially contribut[ing] to the fact that [it] was able to build a unique database for each individual user”.
Rather than fining Facebook, the Bundeskartellamt has ordered that it must make plans to change the way it collects data from its German users so that it “will no longer be allowed to force its users to agree to the practically unrestricted collection and assigning of non-Facebook data to their Facebook user accounts”. In future, Facebook must only merge data collected from other apps and websites with that collected from its own accounts with the voluntary and explicit consent of its users.
Facebook has confirmed its intention to appeal the decision on two grounds:
- Rather than being dominant in the German social media market, it states that is merely “popular” and, in reality, faces “fierce competition” from the likes of Snapchat, Twitter and other apps which the Bundeskartellamt found did not operate in the same market because their services are more limited.
- The Bundeskartellamt has not only misinterpreted Facebook’s compliance with the GDPR, but also acted outside the scope of its powers by ruling on data protection issues - which should be the exclusive domain of data protection regulators. Facebook’s EU headquarters are in Ireland, and so it considers that its data protection compliance should be monitored by the Irish Data Protection Commission.
You can read the Bundeskartellamt’s press release about its decision here - and follow this blog for further updates on Facebook’s appeal.
This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.