For the last several years, commentators have opined on whether privacy is an antitrust issue. I weighed in myself on the side of disentangling the two policy domains.
But on February 7, 2019, the German antitrust authority made the issue real, not theoretical, finding that Facebook’s data practices violate German competition law. Going forward, tech companies would be well advised to assess how their data practices might be viewed by antitrust enforcers.
This innovative decision treats certain data practices as unfair methods of competition precisely because they violate consumer data protection rights, as determined by a competition policy authority.
The competition policy authority found that Facebook’s acquisition of customer data from its own affiliated companies (WhatsApp and Instagram) and from third-party websites was an unfair business practice, threatening competition in the online advertising market.
The German agency reached this conclusion of competitive harm in the advertising market by determining that Facebook did not get legitimate consent for its data practices. Facebook says that its acquisition of user data outside of its own service is legitimate because that is one of the terms of service all users accept when they sign up for Facebook.
The competition authority rejected this idea, saying that users have no real alternative to Facebook, and so their “choice” to accept Facebook’s data collection from affiliated services and on third-party websites “cannot be referred to as voluntary consent.” It found, however, that the choice of Facebook users to allow data collection on Facebook’s own service was voluntary.
This finding of a data protection violation is a weak point in the competition authority’s case. It is telling that no data protection authority has made a similar finding. Why does a competition agency have more expertise in data protection law than the data protection authorities?
Moreover, if the choice is coerced in the case of third-party and affiliated data collection, then why isn’t it coerced for data collection on Facebook’s own service? Both are take-it-or-leave-it choices and the lack of alternatives, if real, should vitiate the voluntariness of both choices, not just one.
The competition authority seems to feel that third-party data collection is so outlandish that no one would ever accept in the presence of genuine conditions of consent. But this conclusion rests on nothing more than the unsupported intuition of the enforcement authority itself.
The remedy to both the competition problem and the data protection problem is to require Facebook to get separate consent for third-party and affiliate data collection.
The decision rests on a finding that Facebook is dominant in the market for social media. That might seem obvious, but it will be an element in Facebook’s appeal. With over 32 million German users, Facebook is far and away the most popular social media service in Germany, but alternatives exist for users who object to Facebook’s data collection practices, including YouTube, Snapchat, Twitter and others.
The German competition authority rejected this idea in advance, noting that social network users have to move together as a group, or not at all, and there is no effective coordination mechanism that would allow them to act together. So, it asserts, moving to another social network – even one easily accessible to people individually – isn’t really a genuine alternative for Facebook users.
The Facebook appeal will challenge both the entanglement of privacy and competition policy law and this finding of dominance in the social network market.
The German competition policy decision might be the tip of the iceberg in bringing antitrust law to bear on the data practices of tech companies. On February 18, 2019, just 10 days after the German competition policy decision, the Digital, Culture, Media and Sport Committee of the UK Parliament released its Final Report on Disinformation and 'fake news'. The report suggested that “Facebook’s handling of personal data” is a legitimate area for “inspection by regulators,” including those responsible for implementing “antitrust and competition law.”
A word of caution is in order, however, before accepting this innovative mixture of privacy and antitrust as a fait accompli. For one thing, Facebook might very well prevail in its appeal. In addition, antitrust enforcers at the European Commission, and certainly in the United States, are less likely to mix privacy law and competition law in this way.
So far, these antitrust enforcers have considered a company’s data practices only in merger reviews. In these cases, they have inquired whether there would be enough data available to competing advertisers after a merger, and they have found that data would be plentiful post-merger.
Data practices also enter merger review when they are “an important parameter of competition and driver of customer choice” in a particular market,” as the European Commission said in approving the 2016 Microsoft-LinkedIn merger. However, even when the Commission finds, as it did in this case, that data privacy is an important parameter of competition it has not blocked mergers because of the merged company’s data practices.
The novel German Facebook case, however, does not involve a merger. The decision condemns the unilateral data practices of a company acting on its own and does so in a way that seems to transgress the European Commission’s dictum that “privacy-related concerns as such do not fall within the scope of EU competition law.” So, it would be quite a leap for the European Competition Commissioner to follow in Germany’s footsteps.
For the same reasons, traditional antitrust enforcers at the U.S. Department of Justice and the Federal Trade Commission are unlikely to follow the innovative path blazed by Germany, even though activist state attorneys general might be tempted to go there. Moreover, the lack of an overarching Federal privacy law, even though it might be remedied this year, reduces for the moment at least company legal exposure in the United States.
Still, there is new legal risk for tech companies. It would be prudent for them to examine their practices much more carefully than they have in the past. It is no longer just the data protection authorities who are looking over their shoulders. It is the guardians of competition who are on the beat as well.
