Germany’s Federal Cartel Office (FCO), the country’s competition law authority, set a new precedent recently with an antitrust ruling against Facebook. The ruling may force Facebook to make major changes to their data collection practices – at least in Germany.
The ruling sharply limited Facebook’s ability to collect data on user activities outside of the site. According to the company’s official line, Facebook collected anonymous data on anyone visiting a site that has one of their services or apps integrated. However, testimony to the United States Congress by Mark Zuckerberg in 2018 revealed that the scope of this data collection went beyond what Facebook had previously been willing to be transparent about. The public learned that Facebook was creating “shadow profiles” using every scrap of information they could harvest, including profiles on people who do not have a Facebook account. This collection was not disclosed to end users, and opting out of it would require logging in to Facebook.
Perhaps the most concise example of the scope of the tech giant’s data collection is the Facebook Pixel. This marketing tool is a single, invisible pixel buried somewhere on a page that transmits a wealth of user data to Facebook without the site needing to deploy any other Facebook services. The data collected by Pixel is primarily meant to serve highly targeted ads to site visitors based on their IP address.
German regulators viewed all of this as anti-competitive, ordering Facebook to give German users a greater degree of notice and choice in how their data is used. Additionally, Facebook will no longer be able to combine Facebook data with data from outside the site in the country; this applies even to other sites and apps that the company owns, such as WhatsApp and Instagram.
How big of a blow is this to Facebook?
Within the boundaries of Germany, this ruling is devastating to Facebook’s advertising revenue streams. However, at this point, the ruling does not apply to the company across the whole of the European Union. Facebook can continue with their current data collection in the country for the time being as they work through the appeal process. Should the appeal be denied, Facebook will immediately be required to provide notice of and obtain consent for all of the applicable data types and uses.
The social media giant would also no longer be allowed to keep “mega-files” of collated data on users without first obtaining their specific consent to such a practice. The full process could take up to a year in court. The company could also face the logistical nightmare of decoupling all of its ancillary services from Facebook.
In addition to the general lack of transparency and proper notification about the company’s full scope of data collection, the German regulators took specific issue with Facebook’s opt-in policies. The regulators felt that Facebook users were being asked to consent to too much by simply signing up for the service. FCO president Andreas Mundt characterized it as “practically unrestricted collection and assigning of non-Facebook data to … Facebook user accounts.”
Shares of the company dropped 2.41% in the wake of the news.
How this became an antitrust issue
Facebook has already weathered prior legal issues involving its data collection practices throughout the EU, but this is the first case of the company being viewed and regulated as a monopoly.
The FCO argument is that Facebook provides a service unlike any other among the social networks, one for which there is no true equivalent. German users feel compelled to sign up for Facebook and agree to the data handling policies regardless of the terms, and Facebook does not adequately inform them of what data is being collected and how it is being used. Therefore, true consent is never provided by the end user.
This case is also the first of this nature to intertwine privacy with competition issues. The primary harm identified by the FCO is the loss of control over how these often comprehensive data profiles are used, and who ends up having access to them.
Overlap with the GDPR
Though this ruling only applies within the boundaries of Germany, it establishes a precedent that has some overlap with the EU’s General Data Protection Regulation (GDPR).
The model that Facebook has been working under (along with no end of other sites) is that of “implied consent” for many of its data collection and use policies. By simply signing up for the service and agreeing to standard terms of service, consent is assumed for all sorts of data use that is not necessarily spelled out in detail at any point.
The GDPR directly addresses the concept of implied consent. It’s simply not good enough anymore. Under the GDPR, end users must give explicit and clear consent for each use of their sensitive personal data. Less sensitive kinds of data still require unambiguous consent.
Google is facing a related problem in France, where CNIL is fining them €50 million. Among other things, Google failed to properly inform users of the scope of data use across their multiple services when users agreed to open any kind of account with them.
The terms of the GDPR require that “consent must … be separate from other terms and conditions” and must be clear and unambiguous, meaning that burying everything on a dense TOS page full of legalese is not adequate to be considered in compliance.
Another GDPR term that is relevant here is the requirement that end user personal information be quickly removed from these databases upon request. That’s a major challenge for Facebook just from within their own sprawling empire of acquired websites and apps, let alone data being passed outside of their ecosystem.
Fallout from the ruling
Facebook has a considerable amount of time to appeal this decision, and has already signaled that they will argue that the FCO does not have a basis to regulate them as this involves services that are free to the end user. Facebook has also tried to portray other popular social media services (such as Twitter and YouTube) as direct competitors of sufficient size such that no monopoly can exist in the market.
While all of this is playing out within the borders of Germany, it’s important to keep in mind that the central purpose of the GDPR was to standardize data handling laws and rights across member countries. An antitrust precedent of this nature set in one member nation could very well lead to a standard adopted by all members.