MEF regulatory advisor Serafino Abate examines two recent privacy events in Europe: in Germany, the courts took action against Facebook’s practices, and the EU published its first GDPR implementation report.
A few weeks back, we saw two different, but related, public interventions on privacy and data protection. In Germany, the Supreme Court upheld the decision by the German Federal competition enforcer, the Bundeskartellamt. The EU then published its first GDPR implementation report, two years after the seminal piece of legislation was adopted in Europe.
In the German case, the regulator had concluded in February 2019 that Facebook was dominant in the market for digital social platforms in Germany and that it was abusing its dominance by way of degrading users’ data protection. In particular, the regulator took aim at two practices.
Firstly, the “all or nothing framing” of users’ consent, which left them with little choice but to click “I agree” when signing up to Facebook’s social platforms. In fairness to Facebook, the practice is quite common among digital platforms and service providers, but in singling out Facebook the regulator made an explicit link between its dominant position, which under German competition law carries a special responsibility to its users, and the practice under scrutiny.
Secondly, the regulator asked Facebook to stop combining the data of users from its three different platforms – WhatsApp, Instagram and Facebook – unless it got proper consent for it. It also took aim at the practice, followed by Facebook and other major platforms, of collecting users’ data from third party websites, even when users of those pages were not aware of it and were not users of the platform itself, and combining it with their own data on those users to build very detailed personal profiles of digital users.
The decision was first challenged by Facebook in a regional German court, which found in favour of Facebook in June 2019. However, the latest ruling, in which the Supreme Court was in full agreement with the competition regulator on the essential points of its decision, will be more difficult to challenge.
At the time of the decision, there had been much discussion on whether competition authorities had any right to “meddle” with privacy, especially given the newly established European privacy regulation framework under the GDPR.
Like others, at that time I considered the case to be of much interest in terms of both being detailed and well documented in articulating the potential consumer harm, and also in having the ability to offer some “teeth” to enforcement via the strong remedy powers available to competition enforcers, including structural separation. Whether or not this would be necessary in the long term, I argued in a conference paper, would also depend on how privacy enforcement developed under the GDPR.
Which brings us to the second relevant event, namely the EU’s publication of the first GDPR implementation report. The report does not offer much in terms of facts and numbers. In my view, it fails to acknowledge the paucity of the cases especially, but not only, against the big platforms and the risibility of the fines when set against the revenues and profits of the big players. While the report rightly points to the “establishment of a privacy culture of compliance” and a heightened awareness among citizens of their privacy rights, it fails to analyse, for example, how compliance with GDPR has affected small and medium-sized businesses compared to large players, and what the economic cost in terms of reduced competition and effective choice for consumers it might have had. It also should have looked more closely at how the “increased culture of compliance” has translated, or not, into a clearer framework for users’ consent to collecting and using personal data.
My personal experience in the past two years, like that of many others, points to a pretty much unchanged situation, which means there is still a prevalence of the “all or nothing framing” model of users’ consent among digital service providers and platforms. On the positive side, the report does offer important recommendations on the need to improve coordination and alignment among enforcers. However, even this should be taken with a pinch of salt, as national regulators do cooperate on cases involving international organizations, and there are well established networks for sharing information and aligning case management. But improvements can and should be made on this count.
In conclusion, I think in the near future, much more has to be done in terms of focusing enforcement of the GDPR on effective change of consent framing practices, and one wonders whether a co-regulatory solution, based on an industry-wide code of conduct with some level of regulatory oversight, might be the right way forward. Meanwhile, at least for some time, competition enforcement based on consumer exploitation and harm deriving from privacy degradation might continue to have a role to play, and might in the long term constitute an important form of deterrent which could co-exist with privacy enforcement by the DPAs.