The case strikes at Facebook’s business model, but may not have Europe-wide application
24 June 2020 (Chania, Crete) – The German Supreme Court dealt a blow to Facebook yesterday in a German case that focuses on how the social network leverages users’ data from across the internet to create profiles that are attractive to advertisers. The country’s Supreme Court sided with a 2019 order from Germany’s competition watchdog that stated Facebook should stop combining users’ data from different sources, including Whatsapp and Instagram accounts.
NOTE: the links herein are to German decisions. My translation team has produced English versions of relevant parts and they are quoted below.
The judges labeled Facebook’s terms of use “abusive” and threw their weight behind the German competition authority. The case attracted widespread attention because of the trailblazing way the competition authority combined antitrust and privacy concerns.
The case strikes at the company’s business model because Facebook gathers user data from its suite of apps and through external websites to create targeted user profiles, which it then sells to advertisers. This case, and similar cases across Europe, center on an increasingly heated debate over whether Facebook abuses its dominance as a social media platform by forcing its users to agree to a widespread collection of their data from across the internet and creating “super profiles” that are very attractive to advertisers. These profiles would then give Facebook an edge over its competitors.
And what was unique in this case was that it was the first time a major competition enforcer in the EU had relied on the failure to meet data protection principles as the constituent element of a competition law offense. The authority found Facebook to be Germany’s dominant social network, with 95 percent of the country’s daily active users and more than 80 percent of monthly active users. It did not consider that the company had any serious head-to-head competition with the likes of Twitter, YouTube or Snapchat.
But the Supreme Court judges did not follow the competition authority’s innovative approach of considering infringements of data protection rules as constituting an abuse of a dominant position according to competition rules. Instead, they took the more straightforward approach that:
the terms of use are abusive and leave private Facebook users with no choice, whether they want to use the network with a more intensive personalization of the user experience, which is associated with a potentially unlimited access to characteristics of their ‘off-Facebook’ internet use by Facebook, or whether they only want to consent to personalization based on the data they reveal on facebook.com.
Facebook users currently need to accept the terms and conditions in their entirety, allowing the social media giant to gather their data all over the internet — not just on Facebook’s own site. The Supreme Court decision means that German Facebook users will now need to give their consent to allow the social network to combine data from their Facebook accounts with data from their WhatsApp and Instagram accounts, and from third-party websites. (The practicality and structure of such a consent option I shall leave for another day.)
So the results? The court is actually even stricter than the competition authority: it requires a protection of privacy laws, and says that freedom of choice and autonomy of users is key in such cases. This is an important step forward, making the users’ self-determination a benchmark for competition on the internet. Although, quite frankly, the slow proceedings in Germany (common in other EU member states as well) are problematic. The EU competition authorities should be able to act more effectively and more quickly in these cases. Big Tech knows the system well and will always play for time, or seek other ways to abuse the system (see link to companion Facebook article below).
A few words on platforms
Regulation is challenging, contentious – and supranational agreements are impossible. The large platforms operate on a global scale. Their services span continents and national boundaries. It would take years to organize the necessary legislation for effective data regulation, especially in the current global political climate.
I often wonder: if Facebook (and others) did not have an ad-funded business model, would they behave differently? Conversely, if Facebook users were paid subscribers, would they hold the platform to a different standard of responsibility? That is the heart of the Facebook design problem. I even had a crazy idea: instead of focusing on regulating the relationship between platform and user, what about regulating the relationship between platform and advertiser? The ”Follow the money” rule. You probably cannot regulate the advertisers, but you might be able to regulate the product that is made available.
The problem regarding platforms is their power at the global, geo-political level. I’ve spent a fair amount of time looking at the dominant platforms and how they are used in multiple countries for search, social networking, e-commerce, etc. as well as mobile hardware and telecoms infrastructure. In the switch from industrial to digital, Europe is a re-developing economy, more like India than the US, and it finally realizes it has no home-grown Internet platform usage outside of the Nordics. GDPR and other legislative initiatives are being used merely to try and slow down everybody else since regulation is the only tool in Europe’s toolbox.
NOTE: so far, fintech and payments are still the only areas dominated by geo-regulatory boundaries and pre-internet incumbents, or by telcos in areas where smartphone penetration is less, such as in Africa. Only in China are internet payment platforms dominant. It’s why the WhatsApp’s payment trials in India and the duplicate launch in Brazil are of huge strategic importance, plus the concurrent investment by Google and Facebook in these technologies. These mega-platforms want fintech and payments to be global, too. It is one of the few areas where Europe has a narrowing window of opportunity to build a global platform – but without the reach of a social network or chat service to embed fintech apps in, it is unlikely to realize this opportunity.
It’s why discussion regarding the regulation of Big Tech always falls flat. The global network effects of Big Tech are so wide that, ultimately, it’s going to lead to conflicts with more and more parts of the wider global al tech scene: Streaming, Music, Cloud, etc. And regulators, having made such a pig’s breakfast of the GDPR and the California Consumer Privacy Act (which has loopholes you can drive a truck through), cannot possibly cope, not having a clue how the digital infrastructure works, not knowing the true meaning of “monopolies”.
And this whole idea that “private control is better than a public one” on any of these topics is absurd. The key issue is that country-specific rules will simply not work as there are no borders around the data flows they control.
NOTE: just take the German case above. The German probe was partially based on specifics of German competition and data protection law, which made it less significant for other data authorities in the EU. Data privacy lawyers told me some of the legal reasoning might work in other cases but it will not allow a cookie cutter approach.
In my view, when a company has to create loopholes in order to justify the battles that it’s not picking, then the whole system doesn’t work, isn’t equal. It’s monopolistic, it doesn’t benefit the consumer. For example, Apple invented the “Reader” app category where the IAP rules can be bypassed in order to avoid the battles with Spotify, Netflix, Amazon, etc. (I explain that in more detail in my just-out brief on Apple to clients. I’ll try to produce a reduced version for my regular readers).
All of this can only be examined through a systemic lens. And … oh, the irony … when we began to look at the key ingredients of systemic efficiency for COVID-19 tracking and tracing we quickly found that governments with their home grown technology and their “centralized” databases were failures. The large digital platforms were the only organizations with truly international capabilities. And since viruses don’t care much about borders, they potentially hold the key to models that would allow travel to resume and economies to restart. And without a touch of irony one EU regulator noted:
“Of course we need them. Their data flows and systems are global and they’re free of regional constraints”.
It’s why any viable regulation solution is impossible. To mandate platform rules (terms of service) that only relate to direct country service provision gets us nowhere. You need to enact terms that relate to the platform’s wider global business to clearly avoid breach of any competition or data laws. That’s not going to happen.
Having worked in this space for a while, and having looked at how platform ecosystems are designed, I can see how most consumers do not really care. There are means and incentives to optimize their “love” across the ecosystem. This is especially the case when platforms also participate in the game they run (like Apple with its own apps or Amazon with its own products) since self-preferencing may be a tempting option to maximize profits while making consumers happy.
But having said all that, and given the economic importance of platforms, it’s no surprise competition authorities and regulators around the world are now looking at angles for possible interventions (both ex-post using competition law and ex-ante by designing new data regulations). If you want to dive into this a bit more and read some interesting thoughts on this topic, read “XIII – Platforms, regulation and competition” in the book Platform Strategy (www.platformstrategy.co) which was published a few years ago but is still quite relevant.
Ah, Facebook. For an interesting saga on how Facebook is trying to bypass the GDPR, slurp domain owners’ personal data via the “Whois info” portal using an obscure process and the U.S. courts .. plus flooding registrars with unjustified data requests … click here.