A few weeks ago, Privacy News Online wrote about the Hamburg Commissioner for Data Protection and Freedom of Information taking action against Facebook, in a move that signalled growing unhappiness with how the GDPR is being enforced. Two years ago, there was another move in Germany against Facebook, by Germany’s competition authority, the Bundeskartellamt, that may prove to be even more significant. That’s because the German authority argued that Facebook’s use of “forced consent” to data processing was an abuse of its market power. In other words, the Bundeskartellamt ignored the GDPR completely, but used its own antitrust powers to protect the privacy of Facebook users in Germany.
There is increasing evidence that this may become a common approach to tackling privacy abuses. Both the EU and the UK have announced that they are investigating how Facebook gathers and uses huge amounts of personal data to sell targeted advertising. Here’s what Executive Vice-President Margrethe Vestager, in charge of the EU’s competition policy, said in a press release on the move:
Facebook is used by almost 3 billion people on a monthly basis and almost 7 million firms advertise on Facebook in total. Facebook collects vast troves of data on the activities of users of its social network and beyond, enabling it to target specific customer groups. We will look in detail at whether this data gives Facebook an undue competitive advantage in particular on the online classified ads sector, where people buy and sell goods every day, and where Facebook also competes with companies from which it collects data. In today’s digital economy, data should not be used in ways that distort competition.
Similarly, in the UK, the Competition and Markets Authority has launched a probe into whether Facebook has gained an unfair advantage over competitors in providing services for online classified ads and online dating, through how it gathers and uses personal data. Meanwhile, France’s competition authority has just fined Google 220 million euros over its practices in the online ad sector.
What all of these investigations underline is that personal data is now so valuable to companies, and so central to the way that the online world currently works, that antitrust authorities are intervening in this area to ensure that the market is operating fairly. That approach lies at the heart of two important EU laws that are starting to work their way through the legislative process, the Digital Services Act (DSA) and the Digital Markets Act (DMA). As a previous post on this blog noted, one of the key issues the DSA will address is micro-targeted advertising, possibly by banning it. As far as the DMA is concerned:
The Digital Markets Act addresses the negative consequences arising from certain behaviours by platforms acting as digital “gatekeepers” to the single market. These are platforms that have a significant impact on the internal market, serve as an important gateway for business users to reach their customers, and which enjoy, or will foreseeably enjoy, an entrenched and durable position. This can grant them the power to act as private rule-makers and to function as bottlenecks between businesses and consumers. Sometimes, such companies have control over entire platform ecosystems. When a gatekeeper engages in unfair business practices, it can prevent or slow down valuable and innovative services of its business users and competitors from reaching the consumer. Examples of these practices include the unfair use of data from businesses operating on these platforms, or situations where users are locked in to a particular service and have limited options for switching to another one.
Although not named, the main digital “gatekeepers” are Google and Facebook. The bulk of their income comes from advertising based on gathering personal data. In other words, the DMA is once more about reining in Google and Facebook, for example by strengthening privacy protections. However, this would not be by using or enhancing the GDPR, but by taking what is essentially an antitrust approach aimed at curbing potential market abuse.
This new approach will arguably be even more important in the US, which lacks a national equivalent of the GDPR. Antitrust actions could therefore offer a way of boosting privacy indirectly. The first moves have already taken place. Last December, the Federal Trade Commission sued Facebook, alleging that the company was illegally maintaining its personal social networking monopoly through a years-long course of anticompetitive conduct. Around the same time, Google, too, was hit with an antitrust suit in the US. It was brought by ten states, and once again focused on the monopoly created by Google’s huge database of personal information.
These moves on both sides of the Atlantic are important because they open up a radically different avenue for protecting personal data. Moreover, it’s one to which giants like Google, Facebook, and Amazon are likely to become more vulnerable as they become even larger and more successful. It is also an approach that is completely independent of the GDPR, and not an either/or situation. As a result, if the GDPR’s evident problems can be resolved – for example, by creating a central EU data protection agency, instead of the unsatisfactory current system – then GDPR and antitrust authorities could start working in tandem, attacking abuses from two different directions, and making it much harder for hordes of well-paid corporate lawyers to find loopholes in the legal actions. The new wave of antitrust investigations are also welcome because they confirm that privacy is no longer some “nice to have” feature, but a “must have” that is central to the modern online world. Protecting it is therefore even more crucial.
Featured image by Paul Brennan.