German court: Facebook data practices

German court: Facebook data practices breach competition law.

German court: Facebook data practices breach competition law due to its data collection practices from its suite of apps and through external websites.


Germany strikes Facebook’s business model as the German Competition Authority  has launched an inquiry into the data collection practices of the social media and data collection giant with their local court. This is the first major country in the EU to ever launch any legal action against the company especially since the recent implementation of the GDPR. To be specific Facebook’s ability to provide detailed marketing data to companies who would pay for this information is now hindered greatly as the company is being limited in the collection of data and its integration from their full suite of apps. In its recent article, Politico reported that the Bundeskartellamt has ruled that German citizens will have to explicitly and knowingly consent to cross-app data integration by Facebook.


While Facebook hasn’t been found guilty of data protection malpractice by the GDPR,their practices breached Germany’s national privacy policies 


Cambridge Analytica revelations showed that this data integration had a marked effect on many important political outcomes such as Brexit and US 2016 elections. These targeted ads may cause more harm than perceived and Germany is the first to seek to protect its citizens from this. Facebook hasn’t been found guilty of data protection malpractice by the GDPR, as it is important to note the decision was made via Germany’s national privacy policies not the EU’s. The EU is still keeping a watchful eye on the proceedings as Facebook has the opportunity to fight the decision or suspend the case, and a decision has yet to be made. The GDPR states that data subjects need to provide “freely given, specific, informed and unambiguous” consent where data is used for commercial purposes.


Facebook is the only company thus far, found to be in breach of Germany’s competition law.


So far the Bundeskartellamt has only targeted Facebook with this wave of action due to its wide monopoly on Social Media in Germany, as it records over eighty percent of monthly active users on social media in the nation state. YouTube, Twitter and Snapchat were all seen as secondary and were not subject to any legal action. These companies however will be taking note of these changes in policy as it could affect how they operate in the future and may prevent an integrated platform to the likes of Facebook (at least in Germany) due to these restrictions. Facebook will need to implement the decision over the next 12 months.


The EU may be forced to implement new protocols for the GDPR.


Companies with existing competition and data privacy lawsuits, and open decisions such as Google and Amazon are keenly affected by this type of legislature change as well. If a major detriment to these data integration practices can be found by the Bundeskartellamt, the EU may be forced to implement new protocols for the GDPR and police these data collection services more diligently as some have already been accused of seeking consent in deceptive fashions, being unclear in data use or vaguely outlining the detail or extent of data being collected. The impact it could possibly have on E-commerce in the European sphere is definitely something worth paying attention to. Especially since the GDPR is one of the more universally referenced examples of a good starting point for current standard in Data protection policy.


According to Cristina Contero Almagro, Partner in Aphaia, “Combining data from different sources requires at least to put in place a Data Protection Impact Assessment first. Apart from that, it is deemed profiling, so it may be subject to Article 22 GDPR requirements, plus additional guarantees should be applied due to its commercial purpose”.

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

GDPR and social media

GDPR and social media : EU Court on fan pages on Facebook

Earlier this month the ECJ published a preliminary ruling finding the fan page admin jointly responsible with Facebook for the personal data of the visitors. Although the decision refers to the previously enforceable EU Data Protection Directive, the new rule paves the way for GDPR and social media practice, since the definition of the processor has not been altered.

GDPR and social media

The dispute had arisen in 2011 when the the data-protection authority of Schleswig-Holstein ordered an educational academy, under the name of Wirtschaftsakademie, to delete its facebook fan page because it failed to inform its users that personal data had been collected and processed via cookies. In particular,  Wirtschaftsakademie used the Insights tool provided by Facebook which provided demographic data of its audience following the processing of personal information such as age, sex, relationships, occupation, information on the lifestyles and centres of interests etc. Based on the anonymised demographic data the admin is able to customise its Facebook content targeting the relevant audience.

Wirtschaftsakademie argued before the German administrative courts that it was not responsible for the data collected by Facebook without its instructions. However, the ECJ after being asked by the national court decided that the fan page admin and facebook are jointly responsible as controllers of the personal data. The fact that the platform used to process the personal data was provided by Facebook cannot justify an exemption of the joint liability.

Nonetheless, in this dispute with crucial GDPR and social media implications, the European Court clarified that the responsibility of the two controllers, who are involved in different stages of the process, may not be equal. Therefore the level of responsibility of each operator should be assessed after taking all relevant circumstances of the case into consideration.

Do you require assistance understanding GDPR and social media ? Aphaia provides both GDPR adaptation consultancy services and Data Protection Officer outsourcing.