Facebook has been banned by the German’s national competition regulator, Bundeskartellamt, from combining and processing user data from different social network platforms and services.
Facebook collects data, not only from its website but also from Facebook-owned websites and apps as well as on third-party websites and smartphones. The information available to Facebook, allows the company to combine and assign all the additional information to a user’s Facebook account. This combination of data sources, in particular, enabled Facebook to build a unique database on each individual user. The German national competition regulator prohibits this practice.
Facebook’s terms of service and the manner and extent to which it collects and uses data are in violation of GDPR. Facebook must review its terms of service and data processing, to allow users to have more control over the combination of their information.
Andreas Mundt, President of the Bundeskartellamt: “ In future, consumers can prevent Facebook from unrestrictedly collecting and using their data. The previous practice of combining all data in a Facebook user account, practically without any restriction, will now be subject to the voluntary consent given by the users. Voluntary consent means that the use of Facebook’s services must not be subject to the users’ consent to their data being collected and combined in this way. If users do not consent, Facebook may not exclude them from its services and must refrain from collecting and merging data from different sources.” Otherwise, if Facebook intends to continue to combine data collected from other sources with Facebook user accounts without the consent of the users, this type of data processing must be substantially restricted. Facebook shall develop a solution within the next four months and submit to the Bundeskartellamt.
“The finding that the extent to which Facebook collects, merges and uses data in user accounts constitutes an abuse of a dominant position is an important step forward in the interplay of data protection and competition law,” comments Dr Bostjan Makarovic, Aphaia Managing Partner. “It confirms that some data processing operations may be lawful or unlawful depending on the market power of the data controller. This may be good news not only for individuals but also for innovative small businesses since it acknowledges that the legitimacy of data processing activities may be interpreted to depend on the size and scope of such activities. It remains to be seen though how this notion might be reflected in data protection case law.”
The original document is available here.