07 February 2019


Germany prohibits Facebook from combining user data from different sources



Germany restricts Facebook from collecting users' data

Facebook is a US American company. Why does the Bundeskartellamt have competence to investigate in this case?
Irrespective of where a company has its seat, German antitrust law applies in all cases where a competition restraint has effects in Germany. Besides, Facebook has a German subsidiary.

The decision is the culmination of a three-year investigation into the social media company by the German watchdog.

Germany's antitrust watchdog ruled on Thursday that Facebook abused its market dominance in collecting, merging and using user data.

The competition authority of Germany said Facebook could no longer combine users' data from separate apps like WhatsApp and Instagram without voluntary user consent.

The Bundeskartellamt has imposed on Facebook far-reaching restrictions in the processing of user data.

According to Facebook's terms and conditions users have so far only been able to use the social network under the precondition that Facebook can collect user data also outside of the Facebook website in the internet or on smartphone apps and assign these data to the user’s Facebook account. All data collected on the Facebook website, by Facebook-owned services such as e.g. WhatsApp and Instagram and on third party websites can be combined and assigned to the Facebook user account.

The authority’s decision covers different data sources:
(i)     Facebook-owned services like WhatsApp and Instagram can continue to collect data. However, assigning the data to Facebook user accounts will only be possible subject to the users’ voluntary consent. Where consent is not given, the data must remain with the respective service and cannot be processed in combination with Facebook data.

(ii)    Collecting data from third party websites and assigning them to a Facebook user account will also only be possible if users give their voluntary consent.

If consent is not given for data from Facebook-owned services and third party websites, Facebook will have to substantially restrict its collection and combining of data. Facebook is to develop proposals for solutions to this effect.

Andreas Mundt, President of the Bundeskartellamt: “With regard to Facebook’s future data processing policy, we are carrying out what can be seen as an internal divestiture of Facebook’s data. In future, Facebook will no longer be allowed to force its users to agree to the practically unrestricted collection and assigning of non-Facebook data to their Facebook user accounts. The combination of data sources substantially contributed to the fact that Facebook was able to build a unique database for each individual user and thus to gain market power.

In future, consumers can prevent Facebook from unrestrictedly collecting and using their data. The previous practice of combining all data in a Facebook user account, practically without any restriction, will now be subject to the voluntary consent given by the users. Voluntary consent means that the use of Facebook’s services must not be subject to the users’ consent to their data being collected and combined in this way. If users do not consent, Facebook may not exclude them from its services and must refrain from collecting and merging data from different sources.

Facebook is the dominant company in the market for social networks

In December 2018, Facebook had 1.52 billion daily active users and 2.32 billion monthly active users. The company has a dominant position in the German market for social networks. With 23 million daily active users and 32 million monthly active users Facebook has a market share of more than 95% (daily active users) and more than 80% (monthly active users).
Its competitor Google+ recently announced it was going to shut down its social network by April 2019.
Services like Snapchat, YouTube or Twitter, but also professional networks like LinkedIn and Xing only offer parts of the services of a social network and are thus not to be included in the relevant market. However, even if these services were included in the relevant market, the Facebook group with its subsidiaries Instagram and WhatsApp would still achieve very high market shares that would very likely be indicative of a monopolisation process.

Andreas Mundt: “As a dominant company Facebook is subject to special obligations under competition law. In the operation of its business model the company must take into account that Facebook users practically cannot switch to other social networks. In view of Facebook’s superior market power, an obligatory tick on the box to agree to the company’s terms of use is not an adequate basis for such intensive data processing. The only choice the user has is either to accept the comprehensive combination of data or to refrain from using the social network. In such a difficult situation the user’s choice cannot be referred to as voluntary consent.”

Abuse of market power based on the extent of collecting, using and merging data in a user account

The extent to which Facebook collects, merges and uses data in user accounts constitutes an abuse of a dominant position.

The Bundeskartellamt’s decision is not about how the processing of data generated by using Facebook’s own website is to be assessed under competition law. As these data are allocated to a specific service users know that they will be collected and used to a certain extent. This is an essential component of a social network and its data-based business model.

However, this is what many users are not aware of: Among other conditions, private use of the network is subject to Facebook being able to collect an almost unlimited amount of any type of user data from third party sources, allocate these to the users’ Facebook accounts and use them for numerous data processing processes. Third-party sources are Facebook-owned services such as Instagram or WhatsApp, but also third party websites which include interfaces such as the “Like” or “Share” buttons. Where such visible interfaces are embedded in websites and apps, the data flow to Facebook will already start when these are called up or installed. It is not even necessary, e.g., to scroll over or click on a “Like” button. Calling up a website with an embedded “Like” button will start the data flow. Millions of such interfaces can be encountered on German websites and on apps.

Even if no Facebook symbol is visible to users of a website, user data will flow from many websites to Facebook. This happens, for example, if the website operator uses the “Facebook Analytics” service in the background in order to carry out user analyses.

Andreas Mundt: “By combining data from its own website, company-owned services and the analysis of third party websites, Facebook obtains very detailed profiles of its users and knows what they are doing online.”

European data protection provisions as a standard for examining exploitative abuse

Facebook’s terms of service and the manner and extent to which it collects and uses data are in violation of the European data protection rules to the detriment of users. The Bundeskartellamt closely cooperated with leading data protection authorities in clarifying the data protection issues involved.

In the authority’s assessment, Facebook’s conduct represents above all a so-called exploitative abuse. Dominant companies may not use exploitative practices to the detriment of the opposite side of the market, i.e. in this case the consumers who use Facebook. This applies above all if the exploitative practice also impedes competitors that are not able to amass such a treasure trove of data. This approach based on competition law is not a new one, but corresponds to the case-law of the Federal Court of Justice under which not only excessive prices, but also inappropriate contractual terms and conditions constitute exploitative abuse (so-called exploitative business terms).

Andreas Mundt: “Today data are a decisive factor in competition. In the case of Facebook they are the essential factor for establishing the company’s dominant position. On the one hand there is a service provided to users free of charge. On the other hand, the attractiveness and value of the advertising spaces increase with the amount and detail of user data. It is therefore precisely in the area of data collection and data use where Facebook, as a dominant company, must comply with the rules and laws applicable in Germany and Europe.”

The Bundeskartellamt’s decision is not yet final. Facebook has one month to appeal the decision to the Düsseldorf Higher Regional Court.

The restrictions explained in depth, and what will not change under the order restricting Facebook

So far individuals have only been able to use Facebook’s social network if they agreed to the terms of service stipulating that Facebook can collect many data outside of the Facebook website in the internet or on smartphone apps and assign these data to the respective Facebook user account. This means that not only the data collected on Facebook’s website, but also those from third party sources could be combined and assigned to the user’s Facebook account. This combination of data sources in particular enabled Facebook to build a unique database on each individual user.

The third party sources are data generated on the one hand by the use of services owned by Facebook, such as e.g. WhatsApp and Instagram. On the other hand, the data are generated by the use of third party websites and apps. If a third party website has embedded so-called “Facebook Business Tools” such as the “Like” button, “Facebook login” or analytical services such as “Facebook Analytics”, data will be transmitted to Facebook via APIs the moment the user calls up that third party website for the first time. In accordance with Facebook’s terms and conditions these data can be combined with data from the user's Facebook account and used by Facebook, even if users have blocked web tracking in their browser or device settings. In the authority's assessment, these terms and conditions are neither justified under data protection principles nor are they appropriate under competition law standards.

The changes based on the decision are: The Bundeskartellamt prohibits this practice. In future, Facebook services such as WhatsApp or Instagram can continue to collect data for their services. However, Facebook may only combine these data and assign them to a Facebook user account in the manner and to the extent described above if users give their voluntary consent to this practice. In the case of data from third party websites, voluntary consent by the user is already required for their collection. ‘Voluntary’ means that the use of Facebook’s services must not be subject to the users’ consent. If users do not consent, Facebook may no longer combine data in the comprehensive manner described above, or only to a highly restricted extent. Without the users’ consent, data processing must generally take place in an internally separated process. When tracking users in the internet and in apps, the comprehensive collection of all user data created in this process is only possible subject to the voluntary consent of the users.

Under the Bundeskartellamt’s decision Facebook is required to adapt its terms of service and data processing accordingly. If Facebook intends to continue collecting data from outside the social network and combining them in users’ accounts without the consent of users, the processing of these data must be substantially restricted. A number of different criteria are feasible (e.g. restrictions on the amount of data, purpose of use, type of data processing, additional control options for users, anonymisation, processing only upon instruction by third party providers, limitations on data storage periods, etc). Facebook is obliged to develop proposals for possible solutions and submit them to the Bundeskartellamt. The authority will then examine whether the proposals fulfil the requirements.

What will remain unchanged?
Facebook can continue to make the use of its social network subject to the processing of data generated by the use of the Facebook website or app. It must be generally acknowledged that the provision of a social network aiming at offering an efficient, data-based business model funded by advertising requires the processing of personal data. This is what the user expects. The issue of whether these terms can still result in a violation of data protection rules and how this would have to be assessed under competition law has been left open.
Facebook’s subsidiaries, in particular WhatsApp, can process data within their services. The collection of data generated by the use of WhatsApp or Instagram by these Facebook-owned companies has not been examined in this proceeding either.

2. What exactly must Facebook do?
Essentially the Bundeskartellamt has prohibited Facebook from stipulating in its terms of service that the use of the social network Facebook.com is subject to the company being able to collect and use data generated by the use of Facebook-owned services such as WhatsApp and Instagram and assign them to the user accounts of the social network without the consent of the users. Facebook was also prohibited from using terms and conditions allowing the company to collect user data generated by calling up third party websites or using mobile apps via interfaces (Facebook Business Tools), and to use and assign them to Facebook user accounts. The Bundeskartellamt not only prohibited the relevant parts of the terms of service and the explanatory data and cookie policies, but also the actual processing of data carried out by Facebook on the basis of these terms. Facebook must discontinue the conduct objected to within a period of twelve months.

If Facebook intends to continue to combine data collected from other sources with Facebook user accounts without the consent of the users, this type of data processing must be substantially restricted. There are several possible options for a solution to this effect which Facebook must develop within the next four months and submit to the Bundeskartellamt. The decision concerns all private users of Facebook based in Germany.

3. To what extent have data been collected so far?
Does the combination of data from Instagram, WhatsApp and third party sources with the Facebook account represent genuine added value for Facebook at all?
It is correct that Facebook already collects a lot of information on users via its own service, i.e. information generated by the user behaviour in the social network and additionally by the mobile use of the service. However, the company-owned social services WhatsApp, with more than one billion users worldwide and 40-60 million daily active users in Germany, and Instagram, with more than 500 million daily users worldwide and 10-20 million daily active users in Germany, also have a large reach.
The additional data flow is substantial.
Facebook also receives detailed data on the user behaviour of Facebook users from third-party providers which use the developer interfaces offered by Facebook. Via the integration of Facebook interfaces (APIs), Facebook can track the users’ behaviour on these websites, even if they are not logged into or registered with Facebook. The social plugins (e.g. the “Like” and “Share” buttons), in particular, and the Facebook login are embedded and used in third-party websites or apps in millions of cases in Germany.
The measuring and analysis tools for third party businesses also represent an important data source.
Apart from providing substantial information on the devices used, these tools allow Facebook to collect detailed information in particular on the interactions of visitors with the website via an integrated interface. The ID integrated in a cookie and the large number of information on the devices used make it possible to assign these data to the user profile on Facebook.com.

4. How strong is Facebook’s market position?
According to the Bundeskartellamt’s findings Facebook has a dominant position in the German market for social networks and is therefore subject to abuse control under competition law. Facebook has 2.3 billion monthly active users worldwide of which 1.5 billion use Facebook on a daily basis. In Germany, the number of Facebook users was still increasing at the end of 2018 and amounted to approx. 32 million private monthly active users of which 23 million are daily active users.
Facebook is the largest social network. But are there not a large number of services with similar features? After Google+ has disappeared from the market and apart from Facebook, only some smaller German providers are to be included in the market for social networks. However, even their substitutability with Facebook is limited in view of Facebook’s economies of scale and the significance of direct network effects, despite the fact that their products are in general comparable to those provided by Facebook. From the point of view of private users, the size of a social network is decisive.

Professional networks such as LinkedIn and Xing or messaging services which, according to the Bundeskartellamt’s investigations, include e.g. WhatsApp, are not to be included in the relevant product market as they are not in direct competition with Facebook. The investigations have shown that although YouTube’s business model has some overlaps with those of social networks, the service it provides is not sufficiently comparable to a social network. The same applies to Snapchat, whose central function is a camera that opens automatically for taking “snaps” that are deleted after a short while.
Twitter, Pinterest and Instagram, a Facebook-owned service, were not to be included in the relevant product market either. Even if these services are in competition with Facebook, either partly or with regard to individual features (so-called competition from substitutes), they mainly meet different requirements from the point of view of private users.

Does Facebook have a dominant market position?
In social networks in Germany, Facebook achieves a user-based market share of more than 90%.

Facebook has superior access to competition-relevant data, in particular to the personal data of its users. As social networks are data-driven products, access to such data is an essential factor for competition in the market. The data are relevant for both the product design and the possibility to monetise the service. If other companies lack access to comparable data resources, this can be an additional barrier to market entry.

5. In what way could Facebook have committed an "abuse of market power"? Where is the harm for users and for competition?

Facebook offers its service free of charge. Its users therefore do not suffer a direct financial loss from the fact that Facebook uses exploitative business terms. The damage for the users lies in a loss of control: They are no longer able to control how their personal data are used. They cannot perceive which data from which sources are combined for which purposes with data from Facebook accounts and used e.g. for creating user profiles (“profiling”).

Due to the combining of the data, individual data gain a significance the user cannot foresee. The investigations have shown that users in Germany generally consider the terms and conditions for processing data to be important and that they are aware of the implications of data transfer. However, because of Facebook's market power users have no option to avoid the combination of their data. This also violates the constitutionally protected right to informational self-determination. Facebook’s publicly discussed transfer of personal data to third parties, e.g. smartphone manufacturers, shows that from the users’ perspective, unintended data leakage is not merely a theoretical risk.

From Facebook’s perspective, the data are of great economic value. Based on its dominant position, Facebook can use them to optimise its own service and tie more users to its network. With the merging of the data the "identity-based network effects" and the lock-in effects increase to the benefit of Facebook and to the detriment of other providers of social networks. In addition, with the help of the user profiles, Facebook can improve its targeted advertising activities. Facebook is becoming more and more indispensable for advertising customers. This is also reflected in the rapidly increasing turnover Facebook has been able to generate in the past years. Further competitive harm is caused for advertising customers and competitors in the advertising market which are faced with a dominant supplier of advertising space in social networks.

To what extent is Facebook’s conduct in violation of the law?
If a dominant company makes the use of its service conditional upon users granting the company extensive permission to process their personal data, this can be taken up by the competition authorities as a case of "exploitative business terms".

According to the case-law of the German Federal Court of Justice, civil law principles can also be applied to determine whether business terms are exploitative. Often such principles stem from the legislation on unfair contract terms or the German Constitution. This applies to any legal principle that aims to protect a contracting party in an imbalanced negotiation position. Following this approach, the Bundeskartellamt applied data protection principles in its assessment of Facebook's terms and conditions. Data protection law also aims at protecting individuals from having their personal data exploited by the opposite market side. Data protection legislation seeks to ensure that users can decide freely and without coercion on how their personal data are used.
On the basis of data protection principles, in particular under the General Data Protection Regulation (GDPR) applicable since May 2018, the review of the data processing policies showed that Facebook has no effective justification for collecting data from other company-owned services and Facebook Business Tools or for assigning these data to the Facebook user accounts. The processing of data is neither required in order to fulfil contractual obligations nor does a balancing of interests result in the conclusion that Facebook’s interests in data processing outweigh the users’ interests. Also, Facebook did not obtain any effective consent for its processing of the data affected in this case. The users’ consent would only be effective if the provision of the service of Facebook.com were not made subject to this consent.

6. Is European competition law also applicable in this case?
In such proceedings the application of European abuse control provisions is always an issue. Such an abuse control proceeding against Facebook would generally also be possible under the relevant norm of Article 102 TFEU. So far, however, only the case-law of the highest German court has been established which can take into account constitutional or other legal principles (in this case data protection) in assessing abusive practices of a dominant company. However, due to the cross-border dimension of this case, the Bundeskartellamt closely liaised with the European Commission and other competition authorities in the course of the proceeding.

7. Data protection and competition law. Why is this a case for a competition authority?
Social networks are data-driven products. Where access to the personal data of users is essential for the market position of a company, the question of how that company handles the personal data of its users is not only relevant for data protection authorities, but also for competition authorities. For this reason, apart from investigating Facebook’s collection of data, the Bundeskartellamt is also taking a close look at the market position of the large data collectors on the data processing side within the framework of its sector inquiry into online advertising.
The legislator has taken account of the fact that in the digital economy the collection and processing of data and the relevant terms and conditions represent an entrepreneurial activity that is highly relevant for competition. Access to data, above all in the case of online platforms and networks, has been classified as a relevant factor for market dominance under Section 18(3a) of the German Competition Act (GWB).

Monitoring the data processing activities of dominant companies is therefore an essential task of a competition authority, which cannot be fulfilled by data protection officers. In cases of market dominance a competition authority must take into account data protection principles, in particular in the assessment of whether terms and conditions for the processing of data are appropriate. In this respect there is an interface between competition law and data protection law. The Bundeskartellamt closely cooperated with data protection authorities in this case which explicitly supported the authority’s proceeding.

8. Why does the Bundeskartellamt not impose any fine?
Dominant companies are subject to stricter obligations than companies that are active in a competitive environment. The control of abusive practices is to make sure that a company will not abuse its market power. Among other things, companies may not discriminate against or exploit their customers or suppliers, or demand excessive prices or unfair contract terms.
The Bundeskartellamt often conducts its abuse of dominance proceedings as so-called administrative proceedings, not as fine proceedings. This is because the issue here is to achieve changes in the future behaviour of companies to the benefit of competitors and users and to oblige companies to adhere to this. Imposing fines to punish infringements is possible as an additional measure, but mostly the focus of the proceedings is not on fines. In particular if the case in question is complex and involves a number of legal and economic issues, administrative proceedings are a suitable approach. The Bundeskartellamt may, however, decide to initiate a fine proceeding in the case of recurrent abusive behaviour or in cases with a high potential for significant harm.

Decisions of the Bundeskartellamt can also be legally enforced by means of certain enforcement measures. These include the possibility to impose a fine (max. 10 per cent annual turnover) or periodic penalty payments (max. 10 million euros per penalty payment) which can be imposed at specific intervals (e.g. monthly).

9. How can the Bundeskartellamt enforce the implementation of its decision?
Under the Bundeskartellamt’s decision Facebook is obliged to change the terms of service imposed on its users. Facebook must explicitly undertake not to process data or not to process them without consent. This must be enforceable by the users. Under data protection law Facebook is obliged to make transparent which data processing activities the company is actually carrying out.
Furthermore, the Bundeskartellamt obliged Facebook to submit an implementation plan setting out in detail the technical implementation of the obligations.
Technical monitoring would also be possible in principle and could be carried out on a random basis, as the actual flow of data, e.g. from websites to Facebook, can be monitored by analysing websites and their components or by recording signals.
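The kind of website analysis mentioned above can be sketched as a static audit of a page's components. This is an added example, not part of the Bundeskartellamt's material: the domain list, the trigger classification and the sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains treated as Facebook-operated for this audit.
FACEBOOK_DOMAINS = ("facebook.com", "facebook.net", "fbcdn.net")

# Which tag/attribute pairs cause a request, and when.
# "on_load": the browser fetches the URL as soon as the page is called up.
# "on_click": nothing is sent until the visitor follows the link.
TRIGGERS = {
    ("script", "src"): "on_load",
    ("iframe", "src"): "on_load",
    ("img", "src"): "on_load",
    ("a", "href"): "on_click",
}


def is_facebook_host(host):
    """True if host is one of FACEBOOK_DOMAINS or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in FACEBOOK_DOMAINS)


class EmbedAuditor(HTMLParser):
    """Collects (tag, host, path, trigger) for each Facebook-hosted reference."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            trigger = TRIGGERS.get((tag, name))
            if trigger is None or not value:
                continue
            try:
                url = urlparse(value.strip())
                host = url.hostname
            except ValueError:
                continue  # malformed URL: nothing to classify
            if is_facebook_host(host):
                self.findings.append((tag, host, url.path, trigger))


def audit(html):
    """Return all Facebook-hosted references found in an HTML document."""
    parser = EmbedAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page; shop.example and the pixel id are placeholders.
SAMPLE_PAGE = """
<html><body>
<script src="https://connect.facebook.net/en_US/sdk.js"></script>
<iframe src="https://www.facebook.com/plugins/like.php?href=https%3A%2F%2Fshop.example%2F"></iframe>
<img src="https://www.facebook.com/tr?id=0000000000&amp;ev=PageView" height="1" width="1">
<a href="https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fshop.example%2F">Share</a>
<script src="/static/app.js"></script>
<img src="https://cdn.notfacebook.com/logo.png">
</body></html>
"""

if __name__ == "__main__":
    for tag, host, path, trigger in audit(SAMPLE_PAGE):
        print(f"{trigger:8} <{tag}> {host}{path}")
```

Static parsing of this kind does not see requests that scripts issue at run time; those only show up when the page's network traffic is recorded, the second approach named in the text.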

Facebook said in a blog post it will appeal the decision.

Source - Background information on the Bundeskartellamt’s Facebook proceeding.

Reality views by sm -
