The German competition authority, the Federal Cartel Office (“FCO“) last week announced the results of its investigation into Facebook for a novel abuse of dominance involving consent for its data collection. Whilst the full decision is not yet public, the FCO has published a background paper here. In short, the FCO found that Facebook had a dominant position in the German market for social networks, and abused this with its data collection policy. The FCO did not impose a fine on Facebook, but has instead required Facebook in the future to only use data from non-Facebook sources where it has users’ voluntary consent, the withholding of which cannot be used to deny access to Facebook. Facebook has announced that it will appeal.

The FCO’s concerns centre around Facebook’s practice of collecting user data from third party websites and apps (including WhatsApp and Instagram, owned by Facebook) and combining this data with data from the user’s Facebook account. In particular, the FCO was concerned that users are required to consent to this practice as a condition for using Facebook’s service.

Data Privacy implications

What makes this case particularly noteworthy is that, in its assessment on whether Facebook’s terms of service are abusive, the FCO took into account data protection principles. It found, in particular, that – given Facebook’s dominant position – users did not give “voluntary” consent for this type of data processing. FCO President Andreas Mundt commented that “In view of Facebook’s superior market power, an obligatory tick on the box to agree to the company’s terms of use is not an adequate basis for such intensive data processing.” In the FCO’s assessment, Facebook’s conduct represents above all a so-called “exploitative abuse”. Such abuses are less common in competition law infringements than an exclusionary abuse (excessive pricing is another example of an exploitative abuse). This seeming convergence of competition law and data protection rules is unprecedented in EU law jurisprudence.

However, the case appears to leave a big question mark regarding regulatory oversight in the field of data protection. The GDPR governs the processing of personal data across Europe and it charges the national data protection authorities in Europe with regulatory responsibility for ensuring compliance with data protection rules. The GDPR does not contemplate any enforcement action for breaches of data protection laws by anyone other than the competent data protection authorities. The decision of the FCO to impose regulatory sanctions on Facebook on the basis of a decision by the FCO that Facebook is in breach of its data protection obligations therefore highlights a potential tension building between competition and data protection regulation. Data protection compliance is an area where competition authorities have previously steered clear. In the Facebook/WhatsApp merger decision the European Commission stated that “privacy-related concerns flowing from the increased concentration of data […] do not fall within the scope of the EU competition law rules but within the scope of EU data protection rules”. It remains to be seen whether the FCO decision represents the beginning of a more blurred approach to competition and data protection regulation.

In addition, the case appears to highlight a tension between national competition regulation and pan-European data protection regulation. So far there has been no finding from the data protection regulators in Europe (including in Germany or in Ireland where Facebook has its European headquarters) that Facebook’s collection of data either from Facebook-owned websites and apps, or from third party websites and apps, is in breach of the GDPR rules. As such, Facebook appears to be now left with the difficult position of potentially having to amend its practices in Germany, where the FCO has jurisdiction, despite those practices not having been found to be in breach of pan-European data protection rules.

It also seems a possible consequence of the FCO decision that the relevant data protection authorities in Europe may now decide to further investigate Facebook’s GDPR compliance and could end up imposing their own sanctions for the alleged breaches forming the basis of the FCO’s decision. It is not clear what would happen were the relevant authorities to find Facebook not to be in breach of GDPR after all.
In any event, it is clear from the decision that data remains a hot topic for regulation across Europe and beyond, and digital companies in particular will be following any appeal closely.

For further information regarding the competition analysis of this case, please see our competition bulletin available here.

Miriam Everett
Miriam Everett
Head of Data Protection and Privacy, London
+44 20 7466 2378