The Federal Cartel Office (FCO), which is responsible for investigating anti-competitive behaviour in Germany, found that certain aspects of Facebook’s data collection and processing policies violated German competition law and the General Data Protection Regulation (GDPR).
The FCO focused on Facebook’s collection of user data from other Facebook services (e.g. WhatsApp, Instagram) and Facebook plug-ins embedded into third-party websites. It also considered Facebook’s use of this data to personalise each user’s experience on the Facebook website. The FCO concluded that Facebook’s users were unable to effectively consent to this collection and processing of their data. This breached article 6(1) of the GDPR, which requires a data processor to receive consent from the user to process his or her data for a certain purpose. Moreover, these activities were an abuse of Facebook’s dominant position in the social media market, which made it more difficult for its competitors to operate.
The FCO prohibited Facebook from collecting and processing the user data in question and has given the company 12 months to review its policies. Facebook has appealed the decision, so it will be some time before this matter is settled. Nevertheless, the decision shows the breadth of data collection undertaken by Facebook and similar tech companies to ostensibly personalise their services. It also demonstrates how the GDPR can be effectively used by a range of regulatory authorities alongside other laws to safeguard individuals’ privacy rights.
Contributed by Reuel Baptista