In February 2019, Germany’s Federal Cartel Office (FCO) held that Facebook was abusing its dominant position in the German market for social networks by collecting and combining data from various sources without obtaining users’ explicit consent.
The FCO based the abuse of dominance on the breach of data protection rules, which was the focus of a long-standing debate in Germany.
Even where the focus is mainly on the competition elements of Facebook’s strategy, non-competition concerns should be incorporated into competition law analysis if they are relevant to the case.
In particular, Facebook makes the use of its social network conditional on the user’s consent to Facebook limitlessly amassing every kind of data generated by using third-party websites and merging it with the user’s Facebook account.
The FCO opened its investigation against Facebook because of its “take it or leave it” offer.
When operating this business model, Facebook, as a dominant company, must consider that its users cannot switch to other social networks: users are given the choice of either accepting the “whole package” or not using the service.
The FCO’s investigations only covered the data collected on:
- Facebook-owned services such as WhatsApp or Instagram;
- websites and apps of third-party operators not owned by Facebook, via the integration of Facebook Business Tools such as APIs, SDKs, the Facebook Pixel, social plugins such as the “like” or “share” button, Facebook Login, etc.
The compilation of data was possible even if:
- the user had blocked web tracking in his browser or device settings;
- the user did not press the “like-button” but visited a website into which such a button was embedded.
With these data, collected in such an extensive manner, Facebook has built a unique database on each individual user.
Data protection breach
Although the decision is based entirely on s. 19 of the German Act against Restraints of Competition (GWB), which resembles art. 102 of the TFEU, the FCO has explicitly referred to several provisions of the GDPR. Indeed, according to the precedents of the German Federal Court of Justice, article 19 GWB must be applied in order to protect constitutional rights where a dominant company (or, in general, one contractual party) is able to enforce the terms of the contract. Also, where the appropriateness of conditions agreed in an unbalanced negotiation is concerned, these rules apply to all other areas of the law. This is the reason why data protection law is relevant in the Facebook case: in order to protect the fundamental right to informational self-determination, data protection law provides the individual with the right to decide freely on the processing of their own personal data.
The data protection aspects of the case, for which the FCO closely cooperated with data protection authorities, mainly focus on the question “can Facebook lawfully collect data in this extensive way according to art. 6 par. 1 letters a), b) and f)?”.
Art. 6 par. 1 letter a) of the GDPR
According to art. 6 par. 1 letter a) GDPR, consent is not freely given if the data subject has no real choice, feels compelled to consent or will endure negative consequences if they refuse or withdraw the consent. Moreover, art. 43 GDPR states that consent is not freely given when there is a clear imbalance between the data subject and the controller.
Because of Facebook’s dominant position and the “take it or leave it” service offered to its users, the consent did not provide a valid legal basis for the processing of the data.
Art. 6 par. 1 lit b) of the GDPR
According to art. 6 par. 1 lit b) GDPR, the processing of personal data should be necessary “for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”.
The term “necessary” must be interpreted in a restrictive way and must not include any type of data useful to personalize services and advertising. Otherwise, due to its business model, Facebook would be entitled to use any type of data only on the basis that it provides data-driven products.
In light of this consideration, Facebook did not have to process “off-Facebook” data to fulfil its contract.
Art. 6 par. 1 lit f) of the GDPR
According to art. 6 par. 1 lit f) GDPR, the processing of personal data should be necessary “for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject”.
Facebook’s interest could not offset the interests of third parties (such as commercial partners) and, above all, the fundamental right of the users to informational self-determination and privacy.
The FCO ordered Facebook to end its anti-competitive behavior and to stop imposing the prohibited data processing policy on its users.
In particular, Facebook was ordered to:
- implement changes and adapt its data and cookies policy within a period of 12 months;
- propose and submit appropriate measures necessary to stop the infringement within a period of 4 months.
Data protection, consumer protection and the protection of competition interlink where data are crucial for companies operating in the digital economy.
Although the FCO based its decision on German competition law, it may give a boost to a global discussion on the challenges of the digital economy.
Also, hopefully, it may be a model in two different ways.
First, companies with data-driven business models may review their data collection and use policies, especially if they have a significant market position. Secondly, developments in data protection law may also influence the viewpoint of data protection and antitrust authorities in other jurisdictions.
 A. Scharf, “Exploitative business terms in the era of big data- the Bundeskartellamt’s Facebook decision”, in European Competition Law Review.
 Art. 102 TFEU: Any abuse by one or more undertakings of a dominant position within the internal market or in a substantial part of it shall be prohibited as incompatible with the internal market in so far as it may affect trade between Member States. Such abuse may, in particular, consist in: (a) directly or indirectly imposing unfair purchase or selling prices or other unfair trading conditions; (b) limiting production, markets or technical development to the prejudice of consumers; (c) applying dissimilar conditions to equivalent transactions with other trading parties, thereby placing them at a competitive disadvantage; (d) making the conclusion of contracts subject to acceptance by the other parties of supplementary obligations which, by their nature or according to commercial usage, have no connection with the subject of such contracts.
 For further information on the competition law aspects of the case, please refer to the Case Summary available at the following link https://www.bundeskartellamt.de/SharedDocs/Entscheidung/EN/Fallberichte/Missbrauchsaufsicht/2019/B6-22-16.pdf?__blob=publicationFile&v=4
 With regard to special categories of data.
 Art. 43 GDPR: In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation.
Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.
 FCO, Facebook (B-6 22/16) in https://www.bundeskartellamt.de/SharedDocs/Entscheidung/DE/Entscheidungen/Missbrauchsaufsicht/2019/B6-22-16.html
 According to Andreas Mundt, the FCO’s president, in https://www.bundeskartellamt.de/SharedDocs/Publikation/EN/Pressemitteilungen/2017/19_12_2017_Facebook.pdf?__blob=publicationFile&v=3
She graduated in Law in 2017 from LUISS “Guido Carli” University and has been a member of the Rome Bar Association (Ordine degli Avvocati di Roma) since 2021.
After obtaining a master’s degree in “Diritto e Impresa” (Law and Business) from the 24ORE Business School in Milan, she worked with leading international organisations, dealing with, inter alia, data law.
She currently works with E-Lex Studio Legale, a Rome-based boutique law firm highly specialised in IT Law, Data Protection, IP, TMT, etc.
Since 2018 she has also assisted, as a subject expert (cultrice della materia), the chair of Digitalisation and Criminal Justice at LUISS “Guido Carli”, holding seminars on cybercrime and the use of new technologies in criminal proceedings.