The German anti-monopoly watchdog Bundeskartellamt announced yesterday that Facebook will no longer be able to collect data of German users from its other apps, namely WhatsApp and Instagram, or from third-party websites, without obtaining voluntary consent from individual users.
Bundeskartellamt added that if individual users do not provide their consent for the integration of their data between Facebook-owned apps or between Facebook and third-party websites, Facebook will have to "substantially restrict its collection and combining of data" and their data will remain with the respective apps or websites.
In late January, The New York Times quoted several sources from Facebook saying that CEO Mark Zuckerberg had initiated a fresh exercise to integrate the underlying technical infrastructure of WhatsApp, Instagram and Facebook Messenger to allow over 2.6 billion users to communicate across the platforms.
It added that Zuckerberg's goal was to complete the integration by the end of this year or early 2020 and that his intent was to keep users from migrating to other social media apps and thereby boost Facebook's advertising business and introduce new revenue-generating services.
Soon afterward, the Irish Data Protection Commission asked Facebook Ireland for an urgent briefing on its proposal to integrate the Facebook, WhatsApp and Instagram platforms.
"Previous proposals to share data between Facebook companies have given rise to significant data protection concerns and the Irish DPC will be seeking early assurances that all such concerns will be fully taken into account by Facebook in further developing this proposal. It must be emphasised that ultimately the proposed integration can only occur in the EU if it is capable of meeting all of the requirements of the GDPR," it said.
In order to apply further brakes to Facebook's plan to integrate its apps and services which may or may not involve voluntary user consent, Germany's anti-monopoly watchdog Bundeskartellamt today upheld the supremacy of user consent, announcing that Facebook would be prohibited from collecting or combining data of German users from its other apps, namely WhatsApp and Instagram, or from third party websites without obtaining voluntary consent from individual users.
"With regard to Facebook’s future data processing policy, we are carrying out what can be seen as an internal divestiture of Facebook’s data. In future, Facebook will no longer be allowed to force its users to agree to the practically unrestricted collection and assigning of non-Facebook data to their Facebook user accounts," said Andreas Mundt, president of the Bundeskartellamt.
Mundt added: "The combination of data sources substantially contributed to the fact that Facebook was able to build a unique database for each individual user and thus to gain market power. In future, consumers can prevent Facebook from unrestrictedly collecting and using their data. The previous practice of combining all data in a Facebook user account, practically without any restriction, will now be subject to the voluntary consent given by the users.
"Voluntary consent means that the use of Facebook’s services must not be subject to the users’ consent to their data being collected and combined in this way. If users do not consent, Facebook may not exclude them from its services and must refrain from collecting and merging data from different sources."
Bundeskartellamt observed that Facebook Group, along with its subsidiaries Instagram and WhatsApp, enjoys a dominant market share in Germany even if other services such as Snapchat, YouTube, Twitter, LinkedIn or Xing, which did not offer complete social networking experience, were to be added to the relevant market.
It added that Facebook could not be allowed to use its dominant position in the market to force users to provide consent for "intensive data processing" as Facebook users practically cannot switch to other social networks.
"The only choice the user has is either to accept the comprehensive combination of data or to refrain from using the social network. In such a difficult situation the user’s choice cannot be referred to as voluntary consent," Mundt observed.
According to the anti-monopoly watchdog, allowing Facebook to obtain data of users from third-party websites would also allow the company to create very detailed profiles of each user. A large number of websites and apps use the Facebook Analytics service to carry out user analyses and every time a user hits the "like" or "share" button" on a website, the information goes straight to Facebook.
This will allow Facebook to observe what individual users are doing online, what websites they are visiting and what their likes and preferences are.
Based on these observations, Bundeskartellamt noted that Facebook’s terms of service and the manner and extent to which it collects and uses data are in violation of the European data protection rules to the detriment of users and that Facebook must comply with the rules and laws applicable in Germany and Europe. Facebook has been given a month to appeal Bundeskartellamt’s decision in a German court.
In March last year, Information Commissioner Elizabeth Denham announced that WhatsApp had signed a public commitment not to share personal data of British users with Facebook until concerns aired by the UK's data protection authorities were addressed.
"People have a right to have their personal data kept safe, only used in ways that are properly explained to them, and for certain uses of their data, to which they expressly consent. This is a requirement of the Data Protection Act," she said in a blog post.
Commenting on the restrictions imposed by Germany on Facebook's collection of user data, Morten Brøgger, CEO of Wire, told SC Magazine UK that while Facebook potentially face the prospect of a $1.63 billion EU fine for breach of the new GDPR, companies can learn the lessons of the past and choose not to opt for platforms that don’t respect their privacy.
"The lesson here is that you cannot simply trust firms that rely on the exchange of data as its main offering, and firms using Facebook-owned applications should have a rethink about the platforms they use to do business. Companies need to choose wisely when it comes to communication platforms, and that means choosing platforms that have been independently audited, are open sourced and end-to-end encrypted so that their security framework can be held to account," he added.
According to Colin Truran, principal technology strategist at Quest and an expert in personal data privacy, many users provide their consent to certain services without appreciating the potential impact and risk the services may have to their online and physical lives.
"As we see more and more smaller service providers being consumed by these huge multinationals we fail to grasp the true implications of consolidating all that data and how combining this data enables organisations to dramatically affect our daily lives.
"The fact that you like a cat picture says a lot more than you think and combining that with your chats and online shopping habits can give insights into your political and socioeconomic status you would probably prefer to keep to yourself. This information can then be used to provide not just targeted advertising but also affect search results, service access and financial incentives to name but a few.
"Nothing is for free, so we always need to ask ourselves, ‘why am I not being asked to pay for this, what’s in it for them?’ What’s more concerning is that without truly knowing what the information we are providing is being used for, we would not know its true value and therefore are we being ripped off? Just look at the profits of these super providers offering these free to use services and ask that question again.
"It’s great to see that progressive authorities such as Germany’s competition regulator is taking a stance on this free-for-all data pillage and at the very least, bringing some much-needed attention to the problem. I hope other authorities around the world will take a similar view. I’m not anti-Facebook or any other social media organisation, I just want the users to not lose ownership of their identity and freedoms as a result," he added.