What are the key issues facing data driven organisations today? And how should we tackle them? Experts from the fields of data governance, innovation and strategy gathered at our recent breakfast briefing in London to give their take. Here we'll reveal some of their best practice tips, starting with Robert Bond who gives his verdict on how to approach GDPR and evolving global regulation trends.
The decision by Bundeskartellamt, Germany’s competition authority, to rule against Facebook’s plans to merge user data from Messenger, WhatsApp and Instagram is hugely significant and perhaps the first step towards the separation of data from the digital monopolies as I wrote about this week after the French regulator’s record fine for Google.
However there is so much more to the ruling and it affects so many of our businesses (and our personal rights) that we have republished the entire English Q&A below. If you’re in marketing or data processing you must read this.
It may be a German ruling but one can expect the same rulings across Europe and beyond. Now is the time to act.
7 February 2019
Bundeskartellamt prohibits Facebook from combining user data from different sources
Background information on the Bundeskartellamt’s Facebook proceeding
1. What changes will the Bundeskartellamt’s decision bring for Facebook users?
The Bundeskartellamt has imposed on Facebook far-reaching restrictions in the processing of user data.
The situation so far: So far individuals have only been able to use Facebook’s social network if they agreed to the terms of service stipulating that Facebook can collect many data outside of the Face- book website in the internet or on smartphone apps and assign these data to the respective Face- book user account. This means that not only the data collected on Facebook’s website, but also those collected on Facebook-owned websites and apps as well as on third party websites and smartphones, could be combined and assigned to the user’s Facebook account. This combination of data sources in particular enabled Facebook to build a unique database on each individual user.
The third party sources are data generated on the one hand by the use of services owned by Face- book, such as e.g. WhatsApp and Instagram. On the other hand, the data are generated by the use of third party websites and apps. If a third party website has embedded so-called “Facebook Business Tools” such as the “Like” button, “Facebook login” or analytical services such as “Facebook Analytics”, data will be transmitted to Facebook via APIs the moment the user calls up that third party web- site for the first time. In accordance with Facebook’s terms and conditions these data can be combined with data from the user’s Facebook account and used by Facebook, even if users have blocked web tracking in their browser or device settings. In the authority’s assessment, these terms and conditions are neither justified under data protection principles nor are they appropriate under competition law standards.
The changes based on the decision are: The Bundeskartellamt prohibits this practice. In future, Face- book services such as WhatsApp or Instagram can continue to collect data for their services. How- ever, Facebook may only combine these data and assign them to a Facebook user account in the manner and to the extent described above if users give their voluntary consent to this practice. In the case of data from third party websites, voluntary consent by the user is already required for their col- lection. ‘Voluntary’ means that the use of Facebook’s services must not be subject to the users’ con- sent. If users do not consent, Facebook may no longer combine data in the comprehensive manner described above, or only to a highly restricted extent. Without the users’ consent, data processing must generally take place in an internally separated process. When tracking users in the internet and in apps, the comprehensive collection of all user data created in this process is only possible subject to the voluntary consent of the users.
Under the Bundeskartellamt’s decision Facebook is required to adapt its terms of service and data processing accordingly. If Facebook intends to continue collecting data from outside the social net- work and combining them in users’ accounts without the consent of users, the processing of these data must be substantially restricted. A number of different criteria are feasible (e.g. restrictions on the amount of data, purpose of use, type of data processing, additional control options for users, anonymisation, processing only upon instruction by third party providers, limitations on data storage periods, etc). Facebook is obliged to develop proposals for possible solutions and submit them to the Bundeskartellamt. The authority will then examine whether the proposals fulfil the requirements.
What will remain unchanged? Facebook can continue to make the use of its social network subject to the processing of data generated by the use of the Facebook website or app. It must be generally acknowledged that the provision of a social network aiming at offering an efficient, data-based business model funded by advertising requires the processing of personal data. This is what the user expects. The issue of whether these terms can still result in a violation of data protection rules and how this would have to be assessed under competition law has been left open.
Facebook’s subsidiaries, in particular WhatsApp, can process data within their services. The collection of data generated by the use of WhatsApp or Instagram by these Facebook-owned companies has not been examined in this proceeding either.
2. What exactly must Facebook do?
Essentially the Bundeskartellamt has prohibited Facebook from stipulating in its terms of service that the use of the social network Facebook.com is subject to the company being able to collect and use data generated by the use of Facebook-owned services such as WhatsApp and Instagram and assign them to the user accounts of the social network without the consent of the users. Facebook was also prohibited from using terms and conditions allowing the company to collect user data generated by calling up third party websites or using mobile apps via interfaces (Facebook Business Tools), and to use and assign them to Facebook user accounts. The Bundeskartellamt not only prohibited the relevant parts of the terms of service and the explanatory data and cookie policies, but also the actual processing of data carried out by Facebook on the basis of these terms. Facebook must discontinue the conduct objected to within a period of twelve months.
If Facebook intends to continue to combine data collected from other sources with Facebook user accounts without the consent of the users, this type of data processing must be substantially restricted. There are several possible options for a solution to this effect which Facebook must develop within the next four months and submit to the Bundeskartellamt. The decision concerns all private users of Facebook based in Germany.
Facebook has one month to appeal the Bundeskartellamt’s decision to the Düsseldorf Higher Re- gional Court.
3. To what extent have data been collected so far? Does the combination of data from Instagram, WhatsApp and third party sources with the Facebook account represent genuine added value for Facebook at all?
It is correct that Facebook already collects a lot of information on users via its own service, i.e. infor- mation generated by the user behaviour in the social network and additionally by the mobile use of the service. However, the company-owned social services WhatsApp, with more than one billion us- ers worldwide and 40-60 million daily active users in Germany, and Instagram, with more than 500 million daily users worldwide and 10-20 million daily active users in Germany, also have a large reach. The additional data flow is substantial.
Facebook also receives detailed data on the user behaviour of Facebook users from third-party pro- viders which use the developer interfaces offered by Facebook. Via the integration of Facebook inter- faces (APIs), Facebook can track the users’ behaviour on these websites, even if they are not logged into or registered with Facebook. The social plugins (e.g. the “Like” and “Share” buttons), in particu- lar, and the Facebook login are embedded and used in third-party websites or apps in millions1 of cases in Germany.
The measuring and analysis tools for third party businesses also represent an important data source. Apart from providing substantial information on the devices used, these tools allow Facebook to col- lect detailed information in particular on the interactions of visitors with the website via an inte- grated interface. The ID integrated in a cookie and the large number of information on the devices used make it possible to assign these data to the user profile on Facebook.com.
4. How strong is Facebook’s market position?
According to the Bundeskartellamt’s findings Facebook has a dominant position in the German market for social networks and is therefore subject to abuse control under competition law. Facebook has 2.3 billion monthly active users worldwide of which 1.5 billion use Facebook on a daily basis. In Germany, the number of Facebook users was still increasing at the end of 2018 and amounted to approx. 32 million private monthly active users of which 23 million are daily active users.
Facebook is the largest social network. But are there not a large number of services with similar features? After Google+ has disappeared from the market and apart from Facebook, only some smaller German providers are to be included in the market for social networks. However, even their substitutability with Facebook is limited in view of Facebook’s economies of scale and the significance of direct network effects, despite the fact that their products are in general comparable to those provided by Facebook. From the point of view of private users, the size of a social network is decisive.
Professional networks such as LinkedIn and Xing or messaging services which, according to the Bun- deskartellamt’s investigations, include e.g. WhatsApp, are not to be included in the relevant product market as they are not in direct competition with Facebook. The investigations have shown that although YouTube’s business model has some overlaps with those of social networks, the service it provides is not sufficiently comparable to a social network. The same applies to Snapchat, whose central function is a camera that opens automatically for taking “snaps” that are deleted after a short while. Twitter, Pinterest and Instagram, a Facebook-owned service, were not to be included in the relevant product market either. Even if these services are in competition with Facebook, either partly or with regard to individual features (so-called competition from substitutes), they mainly meet different requirements from the point of view of private users.
The product market is to be defined as a national market for social networks, in particular because, according to the investigations, German users predominantly use social networks to stay in touch with friends and acquaintances in Germany.
Does Facebook have a dominant market position? In social networks in Germany, Facebook achieves a user-based market share of more than 90%. Even if services are included that are only partly in competition with the social networks (e.g. WhatsApp, Facebook, Instagram, Snapchat), this will hardly put the market share into perspective, because almost all the services with the highest user numbers also belong to the Facebook group.
However, the Bundeskartellamt’s assessment of a company’s market power is not only based on its market share. With the last amendment to the German competition act the legislator has detailed the methods of assessing market power. In particular the access to competitively relevant data, economies of scale based on network effects, the behaviour of users who can use several different services or only one service and the power of innovation-driven competitive pressure were seen as relevant factors of market power. All these criteria are of relevance to the Facebook case and provide proof of Facebook’s market power, in addition to its high market share.
Facebook’s position is further strengthened by direct network effects. A social network’s attractive- ness increases with an increasing number of other users as this improves the users’ prospects of being able to communicate with precisely those persons they are looking for (so-called “identity-based” direct network effects).
The barriers to market entry are high. Users wishing to switch to other competitors face considerable barriers (so-called lock-in effects involved in network effects). Apart from direct network effects, indirect network effects also make it difficult for new competitors to enter the market: In the case of advertising-financed services (which can also be referred to as “audience providing platforms”), the advertising side profits from a large private user base (positive indirect network effects). A new competitor must achieve a critical number of private users to be able to succeed in entering the market with an ad-financed product. Without such a critical number the product will not be sufficiently attractive for the advertising side. However, direct network effects make it difficult to achieve such a critical number of users.
There are also economies of scale which lead to cost savings that provide Facebook with a far greater scope for strategic decisions than its competitors have.
A relevant extent of parallel use of several different services (“multi-homing”) which can generally have a deconcentration effect, cannot be established.
Facebook has superior access to competition-relevant data, in particular to the personal data of its users. As social networks are data-driven products, access to such data is an essential factor for com- petition in the market. The data are relevant for both the product design and the possibility to mone- tise the service. If other companies lack access to comparable data resources, this can be an addi- tional barrier to market entry.
5. In what way could Facebook have committed an “abuse of market power”?
Where is the harm for users and for competition? Facebook offers its service free of charge. Its us- ers therefore do not suffer a direct financial loss from the fact that Facebook uses exploitative busi- ness terms. The damage for the users lies in a loss of control: They are no longer able to control how their personal data are used. They cannot perceive which data from which sources are combined for which purposes with data from Facebook accounts and used e.g. for creating user profiles (“profil- ing”).
Due to the combining of the data, individual data gain a significance the user cannot foresee. The in- vestigations have shown that users in Germany generally consider the terms and conditions for pro- cessing data to be important and that they are aware of the implications of data transfer. However, because of Facebook’s market power users have no option to avoid the combination of their data. This also violates the constitutionally protected right to informational self-determination. Facebook’s publicly discussed transfer of personal data to third parties, e.g. smartphone manufacturers, shows that from the users’ perspective, unintended data leakage is not merely a theoretical risk.
From Facebook’s perspective, the data are of great economic value. Based on its dominant position, Facebook can use them to optimise its own service and tie more users to its network. With the merg- ing of the data the “identity-based network effects” and the lock-in effects increase to the benefit of Facebook and to the detriment of other providers of social networks. In addition, with the help of the user profiles, Facebook can improve its targeted advertising activities. Facebook is becoming more and more indispensable for advertising customers. This is also reflected in the rapidly increasing turn- over Facebook has been able to generate in the past years. Further competitive harm is caused for advertising customers and competitors in the advertising market which are faced with a dominant supplier of advertising space in social networks.
To what extent is Facebook’s conduct in violation of the law? If a dominant company makes the use of its service conditional upon users granting the company extensive permission to process their per- sonal data, this can be taken up by the competition authorities as a case of “exploitative business terms”.
According to the case-law of the German Federal Court of Justice, civil law principles can also be ap- plied to determine whether business terms are exploitative. Often such principles stem from the leg- islation on unfair contract terms or the German Constitution. This applies to any legal principle that aims to protect a contracting party in an imbalanced negotiation position. Following this approach, the Bundeskartellamt applied data protection principles in its assessment of Facebook’s terms and conditions. Data protection law also aims at protecting individuals from having their personal data exploited by the opposite market side. Data protection legislation seeks to ensure that users can de- cide freely and without coercion on how their personal data are used.
On the basis of data protection principles, in particular under the General Data Protection Regulation (GDPR) applicable since May 2018, the review of the data processing policies showed that Facebook has no effective justification for collecting data from other company-owned services and Facebook Business Tools or for assigning these data to the Facebook user accounts. The processing of data is neither required in order to fulfil contractual obligations nor does a balancing of interests result in the conclusion that Facebook’s interests in data processing outweigh the users’ interests. Also, Face- book did not obtain any effective consent for its processing of the data affected in this case. The us- ers’ consent would only be effective if the provision of the service of Facebook.com were not made subject to this consent.
6. Is European competition law also applicable in this case?
In such proceedings the application of European abuse control provisions is always an issue. Such an abuse control proceeding against Facebook would generally also be possible under the relevant norm of Article 102 TFEU. So far, however, only the case-law of the highest German court has been estab- lished which can take into account constitutional or other legal principles (in this case data protec- tion) in assessing abusive practices of a dominant company. However, due to the cross-border di- mension of this case, the Bundeskartellamt closely liaised with the European Commission and other competition authorities in the course of the proceeding.
7. Data protection and competition law. Why is this a case for a competition authority?
Social networks are data-driven products. Where access to the personal data of users is essential for the market position of a company, the question of how that company handles the personal data of its users is not only relevant for data protection authorities, but also for competition authorities. For this reason, apart from investigating Facebook’s collection of data, the Bundeskartellamt is also tak- ing a close look at the market position of the large data collectors on the data processing side within the framework of its sector inquiry into online advertising.
The legislator has taken account of the fact that in the digital economy the collection and processing of data and the relevant terms and conditions represent an entrepreneurial activity that is highly rel- evant for competition. Access to data, above all in the case of online platforms and networks, has been classified as a relevant factor for market dominance under Section 18(3a) of the German Com- petition Act (GWB).
Monitoring the data processing activities of dominant companies is therefore an essential task of a competition authority, which cannot be fulfilled by data protection officers. In cases of market domi- nance a competition authority must take into account data protection principles, in particular in the assessment of whether terms and conditions for the processing of data are appropriate. In this re- spect there is an interface between competition law and data protection law. The Bundeskartellamt closely cooperated with data protection authorities in this case which explicitly supported the au- thority’s proceeding.
8. Facebook is a US American company. Why does the Bundeskartellamt have competence to in- vestigate in this case?
Irrespective of where a company has its seat, German antitrust law applies in all cases where a com- petition restraint has effects in Germany. Besides, Facebook has a German subsidiary.
9. Why does the Bundeskartellamt not impose any fine?
Dominant companies are subject to stricter obligations than companies that are active in a competi- tive environment. The control of abusive practices is to make sure that a company will not abuse its market power. Among other things, companies may not discriminate against or exploit their custom- ers or suppliers, or demand excessive prices or unfair contract terms.
The Bundeskartellamt often conducts its abuse of dominance proceedings as so-called administrative proceedings, not as fine proceedings. This is because the issue here is to achieve changes in the fu- ture behaviour of companies to the benefit of competitors and users and to oblige companies to ad- here to this. Imposing fines to punish infringements is possible as an additional measure, but mostly the focus of the proceedings is not on fines. In particular if the case in question is complex and in- volves a number of legal and economic issues, administrative proceedings are a suitable approach. The Bundeskartellamt may, however, decide to initiate a fine proceeding in the case of recurrent abusive behaviour or in cases with a high potential for significant harm.
10. How can the Bundeskartellamt enforce the implementation of its decision?
Under the Bundeskartellamt’s decision Facebook is obliged to change the terms of service imposed on its users. Facebook must explicitly undertake not to process data or not to process them without consent. This must be enforceable by the users. Under data protection law Facebook is obliged to make transparent which data processing activities the company is actually carrying out.
Furthermore, the Bundeskartellamt obliged Facebook to submit an implementation plan setting out in detail the technical implementation of the obligations.
Technical monitoring would also be possible in principle und could be carried out on a random basis as the actual flow of data e.g. from websites to Facebook can be monitored by analysing websites and their components or by recording signals.
Decisions of the Bundeskartellamt can also be legally enforced by means of certain enforcement measures. These include the possibility to impose a fine (max. 10 per cent annual turnover) or peri- odic penalty payments (max. 10 million euros per penalty payment) which can be imposed at specific intervals (e.g. monthly).
Please register below to unlock this article.
An email will be sent to you with your membership details.