Finally, today the FCO concluded its proceedings against Facebook. According to this, the company is prohibited from certain data processing with regard to third party sources. The decision offers potential for stimulated discussions. Here is an initial assessment and answers to the key questions:
What is the case of the FCO against Facebook about?
Facebook has been the subject of critical public debate for several years. Two allegations are also characteristic of this legal procedure: First, the company is suspected of violating data protection law on a large number of occasions. Secondly, the company is powerful on the market, even a monopolist.
In 2016, the German Federal Cartel Office (FCO) announced in a press release that it had initiated formal antitrust proceedings against Facebook. The aim was to investigate whether the company was violating German anti-trust law, in particular whether it was committing a so-called abuse of conditions. The FCO put this in connection with a possible (to be ascertained) violation of the applicable data protection law. The expectations were accordingly high that the FCO would now support the data protection authorities and help them to enforce the data protection law.
At the end of 2017, the FCO announced the first interim results and its preliminary assessment in the proceedings. Accordingly, the company has a dominant position on the defined market for identity-based networks. In this market, the company abuses its dominant position by allowing itself „extensive leeway in the processing of personal data“. At the same time, the authority made it clear that the proceedings did not relate to the use of data on Facebook itself, i.e. within the social network. Instead, it concerns contractual terms in connection with data from so-called third-party sources, by which the authority means all websites outside the social network. This also applies to services that belong to the Facebook group, but which are offered as a separate service. In this case, the data is forwarded to Facebook via interfaces. A well-known example of this is the Facebook Like button, which can be integrated into websites. In a background paper, the BKartA also presents its legal assessment that „data protection evaluations“ must be taken into account when assessing the possible cartel infringement.
The FCO enforces antitrust law, but is this not about data protection?
The most important question of the procedure is: Can privacy law as such be enforced via the lever of antitrust law? So is a violation of antitrust law dependent on a data protection violation that has been positively established?
The legal link of this procedure is the prohibition of abuse of a dominant market position under antitrust law. This prohibits a company with a strong market position from abusing its market position. Firstly, a dominant market position must exist at all and secondly, it is precisely this position that must be abused. In addition to this prohibition of abuse of market power, antitrust law also includes the general prohibition of cartels and merger control, both of which are not affected in this procedure.
One case group of the prohibition of abuse of market power is exploitative abuse. This prohibits the company from obtaining abusive advantages from the other party which it is not entitled to. This can be done either by allowing the company to grant a price that could not be charged in competitive circumstances. In simplified terms, this is the case where a dominant company has high prices which it can enforce solely on the basis of its market position.
The other variant of exploitative abuse is the abuse of conditions also investigated by the FCO in this procedure. In addition to the price, other conditions that the dominant company can grant itself are also covered. In this case it is also important whether the company receives advantages which it is not entitled to under competitive circumstances. However, these advantages do not consist in a price, but in the company’s other terms and conditions. These may in principle include conditions relating to the processing of personal data. In the context of abuse of conditions, it can therefore be examined in principle whether a dominant company exploits its market counterparty in connection with the use of data.
What specific problems arise from this?
The most important question in this procedure is how an abuse of conditions in connection with the use of data could be determined. Is it really important that a dominant company violates explicit data protection laws? In this case, the current data protection law would set the sole standard. The violation of antitrust law could thus be fulfilled by a violation of data protection law, and would therefore be accessory in this constellation.
However, this simple procedure would be critical for several reasons, as a very banal example shows: If the positive infringement of the law by the dominant company were the only factor, numerous other infringements could also be blamed on it. A dominant company should therefore not violate environmental law, labour law and many other regulations just for antitrust reasons. That would not only be critical under the rule of law. This also results from the wording of the antitrust provisions on the prohibition of abuse of market power, which requires the abuse of a dominant market position. Thus, not every violation of the law by a market leader can at the same time trigger its antitrust liability.
But where is the corrective for such an excessive interpretation of the exploitation abuse? On the one hand, this could be sought in the respective regulations themselves. It is often argued, for example, that violations of the law could in any case constitute an abuse of exploitation if the underlying legal norm has a “ competitive reference „. In the case of data protection law, this would mean that the data protection law would have to be reviewed with regard to its relation to competition. In part, this is assumed with a reference to the objective of the free movement of personal data laid down in Art. 1 (1) GDPR. That would, admittedly, be too easy and would mean that the reference to competition could already be established in a law by a corresponding objective note alone.
The other important question is about the market power of Facebook. An answer to this question is not as trivial as it has been repeatedly said in recent times. On the one hand, Facebook offers its services to the end user without payment. It has already been clarified by German law that this does not result in the disappearance of the relevant market, which can thus be investigated under antitrust law. But also in other respects, platforms can be assumed to have a market relationship precisely for the reason that they can achieve what is supposed to be free of charge by shifting their costs to another user group, in this case advertising customers among others. The latter are then offered the range via the network as a service, which is paid for accordingly. End users do not have to pay a fee for being part of this network and thus strengthening the „saleable“ range. In other words, they receive a kind of discount on the fact that they are part of the network at all. However, this multi-sidedness of such platforms also leads to strong interactions between the individual user groups. Their role in antitrust law has not yet been sufficiently clarified, so that the Facebook procedure will also bring news here.
How did the FCO decide now?
From the beginning, the procedure was not designed to impose a fine. As expected and not surprisingly, the FCO has prohibited the company from collecting data to the extent that data from other platforms are merged on Facebook without the users‘ consent. If this consent has not been obtained, the data records may not be combined. The President of the FCO, Andreas Mundt, explained this with a „kind of internal unbundling“ of Facebook. The Bundeskartellamt has not assessed the data collection practice on the Facebook platform itself.
How did the Bundeskartellamt dogmatically justify the abuse of conditions by Facebook? A direct application of data protection laws in any case does not result from the previous communication. The user would not have the opportunity to evade data processing which he could not oversee. The FCO considered this to be an infringement of the fundamental right to informational self-determination by German fundamental rights law. This wording does not appear ill-considered, but points to a different procedure than a merely accessory linking of the abuse of conditions to data protection law. I had already argued in an essay in German magazine WRP in 2016 that it was not the positive infringement of non antitrust law that could be decisive, but that the regulations on the abuse of conditions already offer sufficient possibilities for a decision. The assessment of what an abuse represents in the exploitation of a dominant market position depends on a balancing act. This means that the authority must make a decision on the basis of the specific interests and circumstances. The interests that can be included in the assessment are those principles that also affect the freedom of competition. In this respect, this can also affect the right to informational self-determination. An antitrust balancing decision can come to the same conclusion as the legal requirements of other non-antitrust laws, provided that the respective interests or protected purposes are congruent.
This is also how the case-law of the German Federal Supreme Court cited by the FCO should initially be understood. This is because it does not assume an abuse of conditions through every violation of law, as is clear from the word „can“ in the BGH’s decision „VBL-Gegenwert I“. Rather, it is still a question of an assessment originally based on antitrust law. However, the FCO also mentions that it „examined“ the inappropriateness of the conditions on the basis of the legally positive evaluations. This again points to an accessory evaluation. In particular, the authority also refers to the provisions of the DSGVO. However, it is not clear why it did not immediately adopt their „valuations“ in full. In its evaluations, the FCO thus appears to have „somehow“ also examined data protection law, but whether this examination was carried out without legal errors under data protection law cannot be assessed without the full text of the decision. Niko Härting also strongly criticised the data protection consistency of the FCO’s decision in a first commentary in the CR blog.
The company’s market power has no longer been assessed by the Authority on the basis of market shares alone. Instead, it distinguishes on the basis of qualitative characteristics, in particular user activity and user shares. This is quite understandable considering that it is not only registered users who make up the special effect of a network. A particularly striking example could be the probably still numerous user accounts on formerly heavily used platforms such as StudiVZ, which are now, however, rather insignificant. Moreover, it is precisely these active users who are the factor that determines the value of a range-oriented platform. According to the FCO’s supplementary paper on the procedure, it also assessed the market position according to the criteria newly included in Section 18 (3a) ARC since 2017.
Now what consequences does this decision have for Facebook and its users?
An initial development has already been announced a few weeks ago. According to public sources, Facebook plans to merge the news services of its various offerings. This would unite WhatsApp, Instagram and Facebook under one service. If the decision practice remains that the extensive processing scope outside the service constitutes an abuse of conditions, it could already be circumvented with this simple integration step. However, the FCO has already clarified that a merger can only take place with the consent of the users.
A further question arises from the justification of the FCO’s decision. Although it is also important under antitrust law whether and how the users have consented to the extensive processing of personal data, this means an extra examination effort for companies with market power. They must therefore not only comply with the provisions of the GDPR on the legality of consent in particular, but must also independently consider the risks involved in antitrust law. For even if consent were permissible under data protection law in individual cases, the question of appropriateness under antitrust law is still not anticipated. Facebook sees this differently, as can be seen from its reference to the implemented GDPR.