The German FCO’s Facebook Case: Blurring The Line Between Competition And Data Protection Enforcement
This week Germany’s Bundeskartellamt, the Federal Cartel Office (FCO), made the news by issuing a decision against Facebook for the alleged abuse of market power “based on the extent of collecting, using and merging data in a user account”. In concrete terms, the FCO takes issue with Facebook merging user data from Facebook-owned properties like WhatsApp and Instagram as well as from third-party websites with a person’s Facebook user account. It ordered Facebook to stop that practice unless users give Facebook their “voluntary consent”. The FCO considers the combining of Facebook data with ‘non-Facebook’ data an exploitative abuse because users have to agree to what FCO President Andreas Mundt refers to as a “practically unrestricted collection” of non-Facebook data if they want to use the service.
This case is set to raise many questions in the competition community but certainly the most striking aspect of the decision is that it is entirely based on an alleged infringement of European data protection rules enshrined in the General Data Protection Regulation (GDPR). The FCO states that Facebook’s “terms of service and the manner and extent to which it collects and uses data are in violation of the European data protection rules”. It is remarkable for a competition authority to determine whether there was a breach of data protection rules given that there are specialized agencies tasked with making precisely that call. Making that call in the context of a competition investigation is equal to saying that because a company is dominant it is more likely to use its market power to impose terms and conditions on its users that are in breach of data protection rules.
That, however, is absurd because a dominant player is just as bound by data protection rules as its smallest competitor. Prof. Justus Haucap rightly remarks that “there is little evidence that would suggest that larger firms violate data protection and privacy standards in a more systematic fashion than smaller firms – if at all, the contrary appears to be true”. This can hardly come as a surprise given that the GDPR imposes one of the highest, if not the highest, data protection standards in the world. Many of its provisions are designed to make sure users have more control over how their data is collected and processed. Because of the high regulatory standard smaller players find it more difficult to comply compared to their bigger, more technically savvy peers. On top of that, it’s precisely the big players who go above and and beyond to make sure they comply with GDPR provisions as they know they will in all likelihood be the first ones to face (potentially very costly) scrutiny. For example, the first GDPR fine imposed by the French data protection authority was against Google.
There can’t be any denying that this investigation severely blurs the line between data protection and competition law enforcement. Would any alleged breach of, for example, environmental, labour or consumer law by a dominant company automatically amount to abuse of a dominant position under competition law? Regulators should be uneasy with this precedent from Germany and it seems they are. As widely reported, the European Commission’s reaction to the FCO’s decision was lukewarm at best. That is not surprising as Europe’s highest competition law enforcer made clear, on many occasions, that data protection considerations do not guide its antitrust enforcement. In the Facebook/WhatsApp merger decision the Commission stated that “[a]ny privacy-related concerns flowing from the increased concentration of data […] do not fall within the scope of the EU competition law rules but within the scope of EU data protection rules”. More recently, Commissioner Vestager confirmed this approach in a speech.
But there could also be other reasons why the European Commission wasn’t thrilled which have much more to do with, again, European data protection rules. To be more precise, the GDPR enforcement framework provides for harmonized, EU-wide enforcement through its so-called ‘one-stop-shop’. Under that mechanism, every company operating in Europe will have to engage with only the data protection authority of its main place of establishment, even if the initial complaint comes from a different EU country. The purpose is to ensure that there really is one set of data protection rules applicable to companies across the EU. Hence, one crucial element of the GDPR is its internal market purpose. That logic will, however, be wholly undermined if national competition authorities come to different conclusions as regards a company’s GDPR compliance.
In concrete terms, Facebook could potentially be forced to change its data collection practices for Germany only because the FCO’s jurisdictional competence is naturally limited to Germany while its case rests on an alleged GDPR violation for which there’s an EU-wide enforcement mechanism. There’s an obvious regulatory clash hollowing out one of GDPR’s key tasks: the prevention of different data protection regimes across the EU. From that perspective alone it is fundamentally important to leave to data protection authorities what’s theirs: making calls about companies’ compliance with data protection rules in a consistent, harmonized and EU-wide manner.