Violation of data privacy laws
In order to access Facebook’s social network, users must first agree to the company’s collection and use of their data by accepting the terms of service. There is considerable doubt as to the validity of this procedure, in particular under applicable national data protection law as it requires informed consent. Such informed consent is effective only when based on the data subject’s free decision, in addition data subjects have to be informed of the purpose of collection, processing or use and, in so far as the circumstances of the individual case dictate or upon request, of the consequences of withholding consent. Whether Facebook complies with these requirements is disputed by several German data protection authorities. Moreover, in addition to proceedings by the German data protection authorities, if there is a connection between an infringement of data protection laws and market dominance, this could also constitute an abusive practice under competition law.
Abuse of terms as a violation of competition law
Subject to the result of further market investigations, the Federal Cartel Office has voiced that there are indications that Facebook has a dominant market position in the separate market for social networks. Pursuant to German anti-trust laws unlawful terms and conditions of a company with a dominant position in a market could represent an abusive imposition of unfair conditions on users and whether a connection exists between the possibly dominant position of the company and the use of such clauses.
According to Andreas Mundt, President of the Federal Cartel Office “dominant companies are subject to special obligations,” including “the use of adequate terms of service as far as these are relevant to the market.” For this reason it is in the Federal Cartel Office’s opinion, essential to “also examine under the aspect of abuse of market power whether the consumers are sufficiently informed about the type and extent of data collected.”
The proceedings brought against Facebook based on anti-trust laws are the latest example of authorities addressing the competitive effects of companies’ activities in collecting and using data and to push the boundaries between antitrust law and data protection law.
So far, the German Data Protection Authorities had little success enforcing privacy laws against social media companies like Facebook. First, for most data protection issues, the relevant courts in Ireland have jurisdiction in the European Union, as Facebook does have its business seat there. And even if a Court held Facebook to be non-compliant with domestic data privacy law, enforcing the law has also proven to challenging: Recently the Regional Court in Berlin fined Facebook EUR 100,000 due to the company not adhering to an earlier judgment of the Regional Court in Berlin where the court found that the social media company did not sufficiently inform its users how the company would use content posted on the social network. Unlike anti-trust law, where fines can be imposed of up to ten percent of the total revenue of a company, current data protection laws in Germany only allow for fines up to EUR 300,000.
The new European General Data Protection Regulation, however, grants data protection authorities the ability to impose fines up to four percent of a company’s revenue of the last business year, giving the authorities more severe sanction possibilities in addition to the aforementioned proceedings by the national competition authorities.