Federal Cartel Office accuses Facebook of abusive data collection and use

Shortly before the end of the year, the German Federal Cartel Office (FCO) has specified its accusations against Facebook. According to the FCO, Facebook abuses its dominant position in the German market for social networks by infringing European data protection provisions. The data thereby abusively collected is in turn viewed by the FCO as an important factor for market power. The case against Facebook is one of the first proceedings in a Big Data industry which combines the regulatory principles of data protection and antitrust law, creating new challenges for companies and practitioners.

The abuse of dominance proceeding, which was initiated by the FCO in spring 2016 against Facebook Inc., USA, the Irish subsidiary of the company as well as the German company Facebook GmbH, had already piqued public interest in the past year. The German antitrust authority announced it would investigate whether Facebook has abused its dominant position in the market for social networks by applying extensive one-sided terms of service with respect to the collection and use of data to the detriment of the users. Now, the FCO has specified the accusations, although it does not expect a final decision “before early summer 2018”. The matter is an administrative proceeding.

The proceeding is particularly noteworthy since it is one of the first to address the issue of data protection violations with the instruments of antitrust law. Data, especially personal data, has become a “productive factor” as a result of pervasive digitisation. Data is the basis for a variety of digital business models, be it as a kind of input resource for improving algorithms (e.g. Google) or as a database for developing new products and services, for instance highly effective and individualised advertising products (e.g. Facebook). Moreover, from an economic point of view the process of collecting and using data has some special features (non-exclusiveness, non-rivalry in collection and use; as databases grow, the marginal cost for additional data falls while marginal utility rises), making it prone to excessive and potentially abusive behaviour. Lastly, social media network providers have been consistently criticised for lacking transparent rules vis-à-vis users with regard to the collection and use of their personal data, partly leading to the most recent reforms of European data protection provisions.

The European legislator aims to meet the new challenges by implementing the General Data Protection Regulation (“GDPR”), which will come into effect across Europe in May 2018, and the ePrivacy Regulation, which is still at the drafting stage. The Facebook proceeding by the FCO, however, shows that the antitrust authorities do not want to leave the entire field to data protection enforcers.

Antitrust law essentially has two possibly mutually reinforcing theories of harm with respect to the misuse of data:

• Data-based products or data as input factors can lead to a dominant market position (data as a market power factor);


• Data can be used abusively against competitors (cf. the European Commission proceedings with regard to Google AdSense and Google Ads) or collected abusively as compensation for the provision of services (data-related abuse of power).

Two aspects play a decisive role in the Facebook proceeding by the FCO:

• In view of the FCO, Facebook holds a dominant position in the market for social networks. In the background paper published by the FCO it is assumed that the relevant market for social networks is of a national dimension, since the users mainly use social networks to socialise with friends and acquaintances residing in the same country. With regard to the product dimension, the FCO does not include professional networks and messaging services in the relevant market. The FCO also refers to the relevance of data for competition in digital markets (cf. the new list of market power factors included in Sec. 18 para. 3a of the revised Act against Restraints of Competition, “ARC“) and considers Facebook’s “paramount access to competition-relevant data” as a crucial market entry barrier for other social network providers. Thus, the FCO assumes that Facebook’s dominant position is further strengthened by its abusive amassing of data.


• With regard to the abuse of market power, the FCO specifies its accusations against Facebook as follows: the FCO exclusively focuses on data obtained from third-party sources as relevant to the abuse (known as “off-Facebook” data). The proceeding therefore does not concern the collection and use of data on Facebook itself. Third-party sources include Facebook-owned applications like Instagram and WhatsApp, as well as third-party websites and apps, which use plug-ins (e.g. the “Like” button, Facebook login) and measurement and analytical tools for conversion tracking and re-targeting (Facebook Analytics) and thereby allow Facebook to collect user-related data, attribute it to the user's Facebook account and then further process it. The FCO views these processes as abusive, partly because users either do not know about these activities or they do not effectively consent to them, as they occur in the instant that a user visits a third-party website for the first time and even if their browser settings do not permit data tracking.

Essentially, the FCO builds its case on the fact that Facebook only offers its users two options: either to use Facebook with all the consequences relating to the collection of data or not to use it at all. The FCO considers the conduct described as a form of exploitative abuse pursuant to Section 19 para. 1 and 2 no. 2 ARC. In other words, Facebook abuses its dominant market position by inappropriately collecting user data in order to use this data to further strengthen its market position. In order to ascertain the inappropriateness of the data collection, the FCO refers to European data protection principles, especially those in the GDPR (which comes into effect in May 2018).

The Facebook proceeding is an initial practical case of the much debated intersection between antitrust data protection law in the days of Big Data and data-driven business models. Johannes Casper, Data Protection Officer of the City of Hamburg, refers to a “holistic approach”. This raises new questions for companies and practitioners. First, there is a new risk of double regulation, since antitrust laws and data protection laws pursue different objectives. Even though data protection is a core aspect of the FCO’s Facebook proceeding, it remains an antitrust matter. Thus, a possible infringement of data protection provisions would have to be assessed and possibly sanctioned by the competent data protection authorities. Of course, the antitrust authority cooperates closely with the data protection authorities. However, it cannot be ruled out that the practical approaches of the authorities lead to different solutions being developed for identical problems over time. Therefore, the risk of a double sanction increases, bearing in mind the severe sanctions antitrust laws have in their arsenal. The new GDPR gives the data protection authorities the option of imposing a fine of up to  €20m or 4% of worldwide turnover. Hence, companies – especially in industries of an increasingly digital nature – face additional imponderables and risks which can only be appropriately tackled by an equally holistic approach. Effective compliance measures and comprehensive legal advice which bear in mind both antitrust and data protection laws are becoming more important than ever.