German Antitrust Regulator: Facebook Violates GDPR - Clarip Privacy Blog

German Antitrust Regulator: Facebook Violates GDPR

The GDPR data protection authorities are not the only organizations in Europe examining the data practices of large companies. The Federal Cartel Office (FCO or Bundeskartellamt) in Germany, which enforces German antitrust and competition law, has ordered Facebook to stop combining user data gathered across its own platforms, and data gathered from third-party sources, without the voluntary consent of its users. In its press release, the FCO indicated that it “closely cooperated with leading data protection authorities” and that “Facebook’s terms of service and the manner and extent to which it collects and uses data are in violation of the European data protection rules to the detriment of users.”

The intersection of competition and data privacy law has been raised several times by Federal Trade Commission (FTC) Commissioners during discussions of the FTC’s regulation of data privacy and potential changes to federal privacy law. One of their concerns is that privacy regulation may dampen competition, since it is harder for small businesses to comply with new laws. They have expressed concern that it will entrench large businesses which grew large in an era of limited privacy regulation.

The FCO approaches Facebook’s GDPR compliance from the perspective of its regulation of large, dominant companies which may use their market power to impose “exploitative business terms”. The Frequently Asked Questions published about the decision explain the GDPR violation further; it appears to rest on the absence of any lawful basis for the processing:

“On the basis of data protection principles, in particular under the General Data Protection Regulation (GDPR) applicable since May 2018, the review of the data processing policies showed that Facebook has no effective justification for collecting data from other company-owned services and Facebook Business Tools or for assigning these data to the Facebook user accounts. The processing of data is neither required in order to fulfil contractual obligations nor does a balancing of interests result in the conclusion that Facebook’s interests in data processing outweigh the users’ interests. Also, Facebook did not obtain any effective consent for its processing of the data affected in this case. The users’ consent would only be effective if the provision of the service of Facebook.com were not made subject to this consent.”

The data processing at issue is the sharing of data about users between services owned by Facebook, such as WhatsApp, Instagram and

Why did the decision come from an antitrust regulator?

The FCO defended its decision to examine the market position of large data collectors. It further said that it “closely cooperated with data protection authorities in this case which explicitly supported the authority’s proceeding.”

Facebook has one month to appeal the decision, and it has already indicated in a blog post that it intends to do so. The appeal will be heard by the Düsseldorf Higher Regional Court. It could be the second high-profile appeal concerning GDPR: Google has already said that it intends to appeal the 50 million euro fine levied by France’s CNIL over the transparency of, and consent for, its data collection on the Android operating system.

APIs and Your Privacy

For those interested in learning more about the broad data collection and sharing by companies like Facebook, and who have not heard Clarip CEO Andy Sambandam speak about the data sharing and privacy concerns that can follow from building parts of a website or mobile app with third-party technology, a recent report titled APIs and Your Privacy, compiled by a team from Fordham Law School and the University of Michigan, clearly explains the third-party data sharing that happens with or without the knowledge of website and app users. The report was presented at the AT&T Policy Forum’s Symposium on Application Programming Interfaces and Privacy in Washington. The PDF of APIs and Your Privacy is available on the Fordham Law website.

The report discusses how APIs are used within websites and apps to gather, share and use data. It specifically examines how the APIs of 11 popular online services and mobile apps can be used to share data with third parties or to let those platforms gather more information. It also describes how an embedded tool that uses a weather provider’s API on a website sends information not only to the website you are visiting but also to the weather service.

The report explains how large technology companies that have become part of the web ecosystem through embedded technology are able to collect data:

“The presence of the Facebook Login button means that Facebook code is included on the website and every time you visit such a website information about your visit gets [sent] to Facebook. The same holds true for Facebook Like buttons, the Facebook Comments feature or the other social media share buttons that many websites use to enable their visitors to quickly share an article with their Facebook friends or on other social media services. In this way, companies like Amazon, Facebook and Google have huge insight into how you browse the web, even when you are visiting other websites and applications.”

The report also discussed the possible use of data from analytics tracking run by major technology companies:

“[I]f you are visiting different websites to look at paint samples, to learn how to put up drywall and recommendations for electricians in your area, Google will very likely learn what products you are interested in and might be able to infer that you are doing construction on your home, even if you never use a Google website like Google Search or YouTube in the course of your research.”
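The two passages above describe the same mechanism: any script, iframe or image a page pulls from a third-party host tells that host about the visit as soon as the page loads, whether it is a Facebook Login button or an analytics beacon. The following audit helper is an added example written for this post, not code from Clarip or from the APIs and Your Privacy report. It parses static HTML with the Python standard library and lists every host other than the first party that a browser would contact while rendering the page. The sample page, the first-party URL and the short table of well-known embed hosts are constructed for illustration; the registrable-domain function is a deliberate simplification (last two labels, no public-suffix list) and would misclassify hosts under suffixes such as co.uk.

```python
"""List the third-party hosts a page contacts on load.

Added example, not Clarip's or the report's code. It only inspects the static
HTML; scripts that load further resources at runtime are not followed, so the
result is a lower bound on who learns about the visit.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attributes whose URL the browser fetches while rendering.
FETCH_ATTRS = {
    "script": ("src",),
    "iframe": ("src",),
    "img": ("src",),
    "link": ("href",),
    "source": ("src",),
    "embed": ("src",),
    "object": ("data",),
}

# <link rel=...> values that are metadata only and are not fetched on load.
NO_FETCH_REL = {"canonical", "alternate", "author", "license", "next", "prev"}

# Assumption: a short illustrative table of well-known embed hosts, not a
# complete tracker list.
KNOWN_EMBEDS = {
    "connect.facebook.net": "Facebook SDK (Login/Like/Comments plugins)",
    "www.facebook.com": "Facebook plugin iframe",
    "www.google-analytics.com": "Google Analytics",
    "www.googletagmanager.com": "Google Tag Manager",
}


def registrable_domain(host):
    """Crude eTLD+1: the last two labels of the hostname.

    Assumption: no public-suffix list is available offline, so two-label
    suffixes such as co.uk are not handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


class ResourceCollector(HTMLParser):
    """Collects absolute URLs of every resource the page fetches on load."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = FETCH_ATTRS.get(tag)
        if not wanted:
            return
        attr_map = dict(attrs)
        if tag == "link":
            rels = set((attr_map.get("rel") or "").lower().split())
            if rels & NO_FETCH_REL:
                return
        for name in wanted:
            value = attr_map.get(name)
            if value:
                # urljoin resolves relative and protocol-relative ("//host/...") URLs.
                self.urls.append(urljoin(self.base_url, value.strip()))


def third_party_hosts(html, page_url):
    """Return {host: label} for every fetched host outside the first party's domain."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    first_party = registrable_domain(urlsplit(page_url).hostname or "")
    found = {}
    for url in collector.urls:
        host = urlsplit(url).hostname
        if not host or registrable_domain(host) == first_party:
            continue  # first-party resources (including its own CDN) are not third parties
        found[host] = KNOWN_EMBEDS.get(host, "unlisted third party")
    return found


# Constructed sample page: a first-party article with a tag manager, the
# Facebook SDK, a Like plugin, an analytics pixel and an embedded weather widget.
SAMPLE_PAGE = """<!doctype html>
<html><head>
<link rel="stylesheet" href="/static/site.css">
<link rel="canonical" href="https://www.example-shop.com/article">
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-0000"></script>
<script src="//connect.facebook.net/en_US/sdk.js"></script>
</head><body>
<img src="https://cdn.example-shop.com/hero.jpg">
<iframe src="https://www.facebook.com/plugins/like.php?href=https://www.example-shop.com/article"></iframe>
<img src="https://www.google-analytics.com/collect?v=1" width="1" height="1">
<iframe src="https://weather.example-widgets.net/embed?city=Detroit"></iframe>
</body></html>"""

SAMPLE_URL = "https://www.example-shop.com/article"

if __name__ == "__main__":
    for host, label in sorted(third_party_hosts(SAMPLE_PAGE, SAMPLE_URL).items()):
        print(f"{host:32} {label}")
```

Run against the constructed page, the helper reports five third parties (the tag manager, the Facebook SDK host, the Facebook plugin iframe, the analytics host and the weather widget) and correctly ignores the site’s own CDN, its stylesheet and the canonical link. A static pass like this is the first step of a GDPR or CCPA disclosure review: every host it lists is a party that receives the visitor’s IP address, user agent and referring URL on page load, so each one needs a lawful basis and a mention in the privacy notice.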

The implications of this for data privacy are further discussed:

“Once an application has access to your data, nothing technically prevents it from storing your data on its own servers and/or analyzing your data with data mining and machine learning to learn facts about you and your behavior that might be useful to that company (e.g., to target you with advertising or sell information about you to other companies).”

This section of the report may not have adequately considered the above in the context of GDPR and the California Consumer Privacy Act, however. To the extent that Facebook is operating as a processor on behalf of a controller under GDPR, it would need to limit its processing to the documented instructions of the controller under Article 28, so the statement that nothing prevents it from storing and mining the data is not accurate as a matter of law in Europe. The report’s description likely does hold across much of the United States, so long as the company adequately discloses its practices in its privacy policy.

This is, of course, changing. If the decision by the German antitrust authority is taken at face value and the appeal is unsuccessful, a large number of websites are permitting Facebook to collect and use data in excess of what GDPR permits. Although Germany is pursuing Facebook, which it has been investigating since 2016, the companies allowing Facebook to operate on their sites could also be pursued by the DPAs in the European Union. For example, the Court of Justice of the European Union held last year that a company running a Facebook fan page was a joint controller of the data collected by Facebook and had its own disclosure obligations to the users of the page.

Google Adds Privacy to Risk Factors

It looks like the quiet period following the implementation of GDPR in May 2018 is over. In its latest 10-K, Google’s parent Alphabet disclosed data privacy to investors as two of its risk factors:

– “Data privacy and security concerns relating to our technology and our practices could damage our reputation and deter current and potential users or customers from using our products and services.”

– “Our business is subject to complex and rapidly evolving U.S. and international laws and regulations regarding privacy and data protection. Many of these laws and regulations are subject to change and uncertain interpretation and could result in claims, changes to our business practices, penalties, increased cost of operations, or declines in user growth or engagement, or otherwise harm our business.”

With investigations of data practices at Google and Facebook offering insight into the expectations of the DPAs, now is a good time for many businesses to start making incremental improvements to their own data practices. Read the resources Clarip has posted on the California Consumer Privacy Act (CCPA) and contact us to see a demo of the Clarip privacy management platform used by Fortune 500 clients.
