By: Rohan Bannerji
On the 6th of February 2019, the German Bundeskartellamt (BKA) (Federal Cartel Office) expanded the long arms of competition authorities into an area that had previously been untouched by themselves and their ilk, holding social media mammoths to account for their data privacy practices. The FCO found that Facebook had abused their dominant position in the market for social media by making private use of the network subject to the site being able to collect an unlimited amount of any type of user data from third party sources, allocating them to users’ Facebook accounts, and using them for innumerable data processing processes. Though they did not impose a fine on Facebook, they instead decided to evoke their power to compel Facebook to remedy their practices, by gaining voluntary consent from users when collecting data from non Facebook sources in the future, the withholding of which cannot be used to deny access to Facebook. To the head of the BKA, Andreas Mundt, the fact that every user of Facebook must consent to their data being used in such a manner constitutes an inappropriate contractual term- a further factor that contributes to their practices constituting exploitative abuse. The implications of the BKA’s actions have been felt far and wide- and I shall seek to examine the most pressing questions that have arisen out of them. Are other regulators going to follow in the BKA’s footsteps? Will this start a turf war between competition authorities and data privacy watchdogs (such as the Competition and Markets Authority and the Information Commissioner’s Office in the UK)? How is Facebook responding to this overlap in the Venn diagram with competition law on one side, and data privacy protection on the other?
In July, the CMA launched an investigation into Facebook and Google’s dominance of the digital advertising market. Though their investigation is largely about competition in that particular market, it is also intended to examine the issue of consumer control over data collection practices. The BKA found that the choice of consumers to consent to their personal data being processed as data subjects under the GDPR is limited through terms and conditions, which is a line that the CMA seek to explore in their investigation. Moreover, the Australian Competition and Consumer Commission (ACCC) found in their preliminary report into Google, Facebook and Australian news and advertising that consumers have limited choice, and are “unable to make informed decisions about divulging their data, which can harm both consumers and impede competition.” In addition, the State Attorneys General of a dozen US States, including California and New York, wrote to the Federal Trade Commission (one of the US’ competition authorities) to investigate into Facebook and Google, citing the lack of consumer consent in the collection of their data with the alternative of having to forego these services. The investigations of these other authorities are in their infancy, and it remains to be seen as to whether any of them will go as far as the FCO in imposing remedial measures on Facebook to change their data collection policies. A subsequent question that often arises, is as to whether these authorities are well equipped to be handling such issues in the first place.
The European Commission, who serve as the EU’s competition authority, in response to the FCO’s decision, said that it is not the role of competition authorities to deal with the data privacy issues brought about by the harvesting of data by Facebook and Google, in light of the fact that under the GDPR, the EU data privacy watchdog can impose fines of up to 4% of a firm’s global revenue for breaching data privacy regulations. This did not stop the CMA from initiating their investigation into Facebook along the same lines that the FCO did, though it is uncertain as to whether other authorities in the single market will follow suit. This is important as the Commission and the competition authorities of countries within the EU often work together to tackle abuses of competition law. Authorities in other jurisdictions, such as Australia, have a wider remit than bodies such as the CMA and the FCO, because they are tasked with protecting consumers as well, and not merely ensuring that markets are kept competitive by adherence to competition law.
Facebook appealed the decision of the FCO to the Dusseldorf Higher Federal Court, who on the 26th of August, allowed their appeal, and overruled the decision of the FCO. The FCO is going to appeal the Dusseldorf Court’s verdict to the Federal Court of Justice, which is the country’s highest court. In response to the original decision, Yvonne Cunnane, Facebook’s Head of Data Protection, released a statement in which she said that their popularity does not mean dominance of the market, and that the company was indeed complying with the GDPR. Furthermore, she argued that using information across services helped make them better, and actually furthered safety. To her, “using information across our services also helps us protect people’s safety and security, including, for example, identifying and disabling accounts tied to terrorism, child exploitation and election interference across Facebook and Instagram.”
A month after the decision was overruled, it is clear that other regulators are following the example of the FCO and pursuing the same lines that led to them imposing the remedies that they did on Facebook. Data privacy regulators may feel the need to step in and play a part that many think is theirs, while Facebook is likely to keep on fighting these decisions in any country whose regulators find against them.
