Doing double damage: The German competition authority’s Facebook decision manages to undermine both antitrust and data protection law
The FCO decision is incoherent competition policy
From what we know of the FCO’s decision based on the agency’s press release and an FAQ doc, it considers the following a violation of German antitrust law:
users have so far only been able to use the social network under the precondition that Facebook can collect user data also outside of the Facebook website in the internet or on smartphone apps and assign these data to the user’s Facebook account.
This is not an obvious antitrust violation, and reaching that conclusion requires putting together a number of disconnected concerns in several leaps of logical reasoning.
Andreas Mundt, head of the FCO, begins with an explanation that “Facebook’s superior market power” makes the use of “obligatory” check boxes on privacy policies invalid:
The only choice the user has is either to accept the comprehensive combination of data or to refrain from using the social network. In such a difficult situation the user’s choice cannot be referred to as voluntary consent. (Emphasis added)
This lack of “voluntary consent” is translated into an antitrust violation when “a dominant company makes the use of its service conditional upon users granting the company extensive permission to process their personal data.” In such a case, “this can be taken up by the competition authorities as a case of ‘exploitative business terms.’”
But “voluntary consent” doesn’t appear in Germany’s (already wide-ranging) antitrust laws, and the offering of a “take-it-or-leave-it” deal is not inherently “exploitative,” even for dominant firms. So where does that standard come from? The answer is European data protection law.
According to the FCO, a violation of Europe’s General Data Protection Regulation (GDPR) — or indeed any consumer protection law — by a dominant firm can constitute cognizable harm under antitrust law. As the agency said in its background document when it announced its preliminary assessment in the case:
On principle, any legal principle that aims to protect a contract party in an imbalanced negotiation position can be [applied to determine whether business terms are exploitative].
The argument the FCO makes is that GDPR protects users against a loss of control over their data, and that that loss of control may arise from a firm’s market power. According to the FCO, consent by users to the collection of third-party data and its inclusion in users’ Facebook profiles is illusory because it is offered only on Facebook’s take-it-or-leave-it terms, which it can maintain only because of its alleged dominance.
This assertion is problematic for several reasons.
The first problem is that the FCO equates violation of the GDPR with antitrust injury. But why should the loss of control sufficient to constitute a violation of GDPR also constitute a cognizable antitrust injury? While “loss of control” may well be an ascertainable harm addressed by the GDPR, it is not clear why it is also an antitrust harm. The FCO’s answer to this question is little more than “because we say so”:
Where access to the personal data of users is essential for the market position of a company, the question of how that company handles the personal data of its users is not only relevant for data protection authorities, but also for competition authorities.
Yet all sorts of features are “essential for the market position” of firms: product quality, price, and other terms of exchange, of course, but also intellectual property, branding, consumer loyalty, reputation, and so forth. Any of these may perhaps be “relevant” for competition authorities, but that says nothing about where to draw the line between competitive behavior and anticompetitive harm, and between core and ancillary product attributes.
The problematic, but logical, end result of the FCO’s approach in this case is that competition authorities would become economy-wide super-regulators and enforcers, policing — and interpreting — all manner of laws under the auspices of their competition authority.
On the other hand, if the FCO is not arrogating vast power to itself more generally, it fails (at least in the materials it has released so far) to make the specific case about why data protection is so fundamentally different from other competitive features of a firm’s business model that a violation of any given data protection law deserves to be considered an antitrust law violation, as well.
More specifically, if there’s no nexus between dominance and violation of data protection standards, why would it make sense to use violation of data protection standards as a trigger for antitrust liability under an abuse of dominance theory? And why should the dividing line between abuse of dominance/not abuse of dominance map onto violation/non-violation of GDPR? There’s nothing sacrosanct about GDPR; it’s a new law, with very particular attributes. Would a violation of the law that preceded it, or any other privacy law, no matter how it draws the line between permissible and impermissible uses of data, also constitute an antitrust violation?
Moreover, the GDPR line was determined and established without any reference to competition whatever; it arises out of Europe’s effort to operationalize its fundamental right to privacy, and has never had anything to do with the size, market power, or competitive environment of the firms it regulates. Indeed, a firm need not have any market power, nor act anticompetitively, to violate its customers’ privacy.
In fact, small firms are arguably more likely to abuse users’ privacy and/or violate accepted data protection practices, including GDPR, either because the cost of compliance is too high or because true consumer harm will injure the firm’s reputation and limit the size of its user base. As one cybersecurity firm noted in the run-up to GDPR implementation:
SMBs [small and medium size businesses] are the most vulnerable to the effects of the new GDPR regulation because they don’t have the same resources or ability to hire data protection officers like large enterprises can.
Meanwhile, the evidence post-implementation is that a large proportion of small firms are not compliant with GDPR, while larger firms have expended enormous resources ensuring their compliance. Using violation of the GDPR as a proxy for anticompetitive harm appears both arbitrary and capricious.
There is some small sense in which the FCO attempts to address the manifest disconnect between GDPR (or any data protection law, for that matter) and antitrust principles by tying the lack of control arising from Facebook’s take-it-or-leave-it offer to Facebook’s dominance and implying that, if Facebook had less market power, users would be able to refuse the take-it-or-leave-it offer and Facebook’s terms of service would thus be far more favorable to users.
But prominent among the problems with this explanation is that the FCO bases its logical leap between market power and loss of control on insufficient user information:
[Users] cannot perceive which data from which sources are combined for which purposes with data from Facebook accounts and used e.g. for creating user profiles (“profiling”).
Due to the combining of the data, individual data gain a significance the user cannot foresee.
But if the problem is the absence of transparency, how would the size of the firm or its power in the market affect users’ ability to make informed decisions regarding the use of data? It is unclear why the FCO thinks that users’ lack of information is related in any way to the extent of Facebook’s alleged market power.
In fact, I know of no reason to believe that larger firms are less likely to be transparent. Indeed, a quick glance at, say, the FTC’s privacy actions over the years shows at least as much concern with the conduct of small firms as large firms. And if concerns about data protection were entirely or even predominantly limited to dominant firms, it’s unclear why the EU would adopt a comprehensive and wide-ranging data protection law that contains only trivial carve-outs for small firms, and none tied to a firm’s market power.
And yet the FCO simply asserts that users’ inability to “avoid the combination of their data” is, first, a cognizable antitrust harm, and, second, “because of Facebook’s market power.”
Thus, for the FCO, the fact that Facebook is extremely popular, despite the harm it purportedly visits upon users, constitutes a sufficient condition to impose antitrust liability, even though a less popular firm would assuredly give users no better ability to make an informed decision.
As a last resort, Mundt refers to the old European standby that “[a]s a dominant company Facebook is subject to special obligations under competition law.”
Fine (well, not really, but for argument’s sake…). But even “special obligations” have to have a discernible basis in law. Indeed, under German law, a claim of the sort that the FCO alleges requires that the allegedly abusive terms of service at issue “differ from those which would very likely arise if effective competition existed.”
In other words, such a claim requires that, because of its dominance, a firm is able to extract onerous terms of service from its users that non-dominant firms can’t. There is no indication the FCO established that causal relationship here, however.
What’s more, Facebook was certainly not dominant when it entered the German market (with, by definition, a zero percent market share at the outset). Yet, as far as I know, Facebook has always offered the same take-it-or-leave-it terms it offers today, and Facebook’s immense popularity came about while it offered users those terms. In other words, its conduct did not come about because of its market share; its market share came about despite (or because of?) its conduct.
In short, the FCO’s attempt to cobble together a competition law basis for “correcting” the problems it perceives in Facebook’s data-gathering practices is extremely problematic, and the basis for its decision decidedly tenuous.
The decision upends the EU’s GDPR regime, as well
Not only is the FCO’s decision a failure as an antitrust matter, it also (for better or worse…) upends the EU’s data protection regime.
First, the FCO takes it upon itself to decide whether there is a violation of the GDPR. But under the GDPR there are carefully hashed out processes for this determination, beginning with the fact that any entity operating in the EU is, as far as possible, supposed to be subject to data protection rulings by a single national authority — the so-called “one stop shop” principle. Under the GDPR, in other words, if there is an alleged violation by Facebook in Hamburg, it must be raised before the Irish Data Protection Commission — the lead supervisory authority for Facebook — and the DPC is empowered to determine whether Facebook has complied with the GDPR. Never mind that the FCO is not a supervisory authority under the GDPR of any sort; it is most certainly not the lead authority for alleged violations by Facebook.
Second, under GDPR there are six bases upon which a firm may process personal data. Among these are consent, performance of a contract, and the legitimate interests of the data processor. Each of the six is a distinct and wholly sufficient basis for data processing.
But under the FCO’s reading, only consent will suffice to establish a dominant firm’s ability to process data.
The fact that GDPR offers alternative bases upon which such activities may be premised is irrelevant to the FCO because
[o]n the basis of data protection principles, in particular under the General Data Protection Regulation (GDPR) applicable since May 2018, the review of the data processing policies showed that Facebook has no effective justification for collecting data from other company-owned services and Facebook Business Tools or for assigning these data to the Facebook user accounts. The processing of data is neither required in order to fulfil [sic] contractual obligations nor does a balancing of interests result in the conclusion that Facebook’s interests in data processing outweigh the users’ interests. (Emphasis added)
In the FCO’s (unauthorized) expert determination, Facebook does not have sufficient interest in the data processing involved in the FCO’s complaint. Never mind that the FCO has no authority to make that determination. But, having dismissed the possibility of an interest- or contract-based justification, only reliance upon consent would justify Facebook’s practices, and, for the FCO, Facebook did not adequately secure this consent because it made use of its service conditional upon users’ granting it.
The ability to process data for the data controller’s legitimate interest is indeed not unbounded under the GDPR. Rather, under GDPR there are five additional criteria that the data controller must assess in order to justify its processing under its legitimate interest.
The additional criteria are indeterminate and vague; no doubt there will be a raft of litigation and adjudication to hash them out. And without the FCO’s decision, we don’t know exactly what its analysis of these criteria looked like.
But at least two things are clear. First, the decision about their applicability rests first with the data controller itself (i.e., Facebook), and second with the relevant DPA. Nowhere under GDPR is the determination left in the hands of member state competition or other regulators.
Turning voluntary contract terms that are not, in and of themselves, anticompetitive into an antitrust violation requires a remarkable and unprecedented sleight of hand. Yet that is what the FCO has done. Under its interpretation, in certain circumstances — chosen essentially arbitrarily by the FCO itself — the mere collection of data would be tantamount to a new antitrust infringement, irrespective of any analysis (let alone evidence) of anticompetitive harm. This zealous antitrust invention impairs both legal certainty and the effectiveness of the FCO’s existential goal: i.e., tackling evidenced anticompetitive harms.
At the same time, wrapping up data protection and privacy concerns inside an antitrust package leads to bad public policy that undermines the incentive for firms to innovate and aggressively compete, while simultaneously doing little to protect the reasonable privacy expectations of consumers. And enlisting competition policy to fill gaps that the legislative branch was unwilling or unable to address not only impoverishes the democratic process, it also turns competition policy on its head. And yet, this is precisely the trap into which the FCO has blundered. Its decision promotes its own idiosyncratic preferences and arrogates power to itself, likely at the expense of competition, undoubtedly giving short shrift to consumer welfare in the process.