On 7 February 2019, the German competition law regulator, the Federal Cartel Office (FCO), concluded a lengthy investigation into Facebook.  It found that the company abused its dominant market position by making the use of its social network conditional on the collection of user data from multiple sources.

The FCO’s probe into Facebook is one of the first cases in the EU concerning the intersection between the EU’s new data privacy laws (contained in the General Data Protection Regulation or GDPR) and competition law. The abuse finding under German competition law (which is broadly the same as the pan-EU competition law in this regard) relied on what was, according to the FCO, a breach of EU data protection law.

What has the FCO found?

Facebook consolidates data into a user’s account from both its other social networking services (WhatsApp and Instagram) and third party apps and websites.  This collection is extensive; for example, the fact that a user has navigated to a third party site which contains a Facebook “Like” button, even if the button is not clicked, is noted and the information is assigned to that user’s account. Users are required to agree to this data sharing in order to use the Facebook social network.

The FCO found that this requirement “force[s] its users to agree to practically unrestricted collection and assigning of non-Facebook data to their Facebook user accounts” in order to use the social network. This breached EU data protection law and was an (exploitative) abuse of Facebook’s dominant position in Germany in the market for social networks.

Indeed, the FCO took the view that this behavior had contributed to the acquisition of the dominant position.  The authority commented: “[t]he combination of data sources substantially contributed to the fact that Facebook was able to build a unique database for each individual user and thus to gain market power [in the first place].”

What sanction has been imposed?

Facebook has not been fined – instead, the FCO has imposed restrictions on its processing of user data from private users based in Germany:

• Facebook-owned services (i.e. WhatsApp and Instagram) may continue to collect data, but assigning that data to a Facebook user account will only be possible with the user’s voluntary consent. Where that consent is not given, the data must remain with the other service and not be combined with a Facebook user account.
• Collecting data from third party websites and assigning it to a Facebook user account will also only be possible with a user’s voluntary consent.

Thus, Facebook is required to implement a type of internal unbundling; it can no longer make use of its dominant social network conditional on agreeing to its current data collection and sharing practices relating to its other services or to third party apps and websites.

What has Facebook said in response?

Facebook has issued a detailed response, arguing that:

• The Facebook social network does not have a dominant position in the German social media market. Popularity is not the same thing as market dominance within the meaning of competition law and Facebook faces fierce competition in Germany (including from YouTube, Snapchat and Twitter), which the FCO has ignored.
• Facebook complies with the GDPR and the FCO has failed to consider how Facebook actually processes data and the steps its takes to comply with the GDPR.
• In any event, the proper body to determine whether Facebook is complying with its data protection responsibilities is the Irish Data Protection Commission (IDPC) (as Facebook’s EU headquarters are in Ireland), not the FCO.
• Sharing information across services helps to improve the company’s offering and to protect people’s safety – including, for example, by disabling accounts tied to terrorism, child exploitation and election interference across both Facebook and Instagram.

Analysis

This is a landmark decision under both competition and data protection law in the EU, and it is far from over.  Facebook intends to appeal and, while the FCO “closely cooperated with leading data protection authorities in clarifying the data protection issues involved”, it will be interesting to see how these authorities (and in particular the IDPC) react going forward.

Whatever the outcome of the appeal, this decision does (particularly when considered alongside the recent fine issued by the French data protection regulator to Google) demonstrate once again that:

• EU regulators (on both the competition law and data protection side) have the Internet giants firmly in their sights and competition law at the EU and national level is flexible enough to catch “new” types of anti-competitive practices. The European Data Protection Regulator supported the decision and commented that all digital companies that rely on tracking, profiling and targeting should be on notice.
• An organisation with a pan-EU presence cannot assume that it can select “its” data protection regulator and that data-related issues will be dealt with only by that body. Businesses with an EU base in one country for data protection purposes (Ireland in the case of Google and Facebook) are also heavily exposed to competition law and data protection regulators in the other EU countries in which they operate.