Germany’s Federal Cartel Office Prohibits Facebook from Combining User Data from Different Sources

February 2019 Ecem Süsoy Uygun
% 0


In its decision of 06.02.2019 (“Decision”)[1], Germany’s Federal Cartel Office (Bundeskartellamt) (“FCO”) has imposed certain restrictions on Facebook[2] in its processing of user data based on its data processing policy and has ordered the termination of its conduct[3] in this respect. Pursuant to the Decision, Facebook is obliged to change the terms of service that is imposed on its users who are based in Germany. This Decision is significant since it examines Facebook’s comprehensive processing of personal data in terms of both data protection and competition law aspects.

FCO’s Suspicions of Facebook: Beginning of the Story

Until now, individuals have been able to use Facebook’s social network if they agreed to the terms of services stipulating that Facebook can collect data outside of the Facebook website on the internet, or on the smartphone apps, and assign this data to the related Facebook user account[4]. In this respect, not only the data collected on the Facebook website, but also those collected on Facebook-owned websites and apps, as well as on third-party websites and smartphones, could be combined and assigned to the user’s Facebook account[5].

Third-party sources collect the data by using the corporate services of WhatsApp, Oculus, Masquerade, and Instagram, which are owned by Facebook, and through the use of third-party websites and apps[6]. If a third-party website has embedded “Facebook Business Tools,” e.g. the “Like” button, “Facebook login,” or analytical services, such as “Facebook Analytics,” data will be transmitted to Facebook via APIs when the user calls up that third-party website for the first time[7]. As per Facebook’s terms and conditions, even if users have blocked web tracking in their browser or device settings, this data can be combined with data from the user"s Facebook account and used by Facebook. In accordance with Facebook’s terms and conditions, this data can be combined with the data from the user"s Facebook account and used by Facebook, even if users have blocked web tracking in their browser or device settings[8]. Pursuant to the FCO, these terms and conditions are neither justified under data protection principles, nor are they appropriate under competition law standards[9].

Such combination of data sources and building a unique database on each individual user[10] by Facebook attracted the FCO’s attention. Then the FCO initiated a proceeding against Facebook Inc., USA, the Irish subsidiary of the company, and Facebook Germany GmbH, Hamburg, in March, 2016[11]. The initial suspicion focused on Facebook"s terms and conditions of use that may possibly violate data protection provisions. However, in the case in question, it found that Facebook’s usage of terms and conditions could represent an abusive imposition of unfair conditions on its users[12]. Therefore, the FCO investigated whether Facebook has abused its possibly dominant position in the market for social networks with its specific terms of service with respect to its handling of user data[13].

Without having conducted further market investigations, Andreas Mundt, President of the FCO, hinted at considering Facebook as a dominant company in a separate market for social networks, and sent a message to dominant companies through Facebook, as follows: “Dominant companies are subject to special obligations. These include the use of adequate terms of service as far as these are relevant to the market. For advertising-financed internet services, such as Facebook, user data is hugely important. For this reason, it is essential to also examine, under the aspect of abuse of market power, whether consumers are sufficiently informed about the type and extent of data collected."[14].

The FCO intervened in Facebook’s data gathering from a competition law perspective since the data protection boundaries set forth in the General Data Protection Regulation (“GDPR”) were overstepped, also in view of Facebook’s dominant position[15].

Facebook’s Market Position in Germany

Facebook is the platform that develops and operates various digital products, and online services and applications for smartphones (apps)[16]. In Germany, has been available in Germany since 2008 and, in 2018, the number of daily active users in Germany was approximately 23 million, while approximately 32 million users were classified as monthly active users[17].

In determining the relevant market, the FCO has made a detailed analysis. It has examined Facebook’s business model and its special characteristics as a multi-sided network market with free services[18]. Based on the demand-side substitutability in the market, the FCO defines the product market as a private social network market, with private users as the relevant opposite market side[19]. The relevant geographic market is determined to be Germany. Additionally, pursuant to the FCO’s findings, Facebook has a dominant position in the German market for social networks for private users and is consequently subject to abuse control under German competition law[20].

The FCO examined the user-based market share of Facebook on the relevant market that exceeds 95%[21]. When assessing the market share, the FCO considered the amount of time spent intensively using the network as an important indicator of the competitors’ actual market position[22]. However, in accordance with the last amendment to the German Competition Act, the FCO’s assessment of a company’s market power is not only based on its market share[23]. The factors that determine market power are broadened, such as the access to competitively relevant data, economies of scale based on network effects, the behaviour of users who can use several different services or only one service, and the power of innovation-driven competitive pressure[24]. In addition to Facebook’s high market share, the above-stated criteria reveal the market power of Facebook[25]. Furthermore, the FCO found that Facebook"s position is further strengthened by direct network effects, and users’ switching to another social network is difficult[26].

Facebook’s Abuse of its Dominant Position

By using and implementing the Facebook data policy, Facebook is enabled to collect user and device-related data from sources outside of Facebook, and to combine it with data that is collected through Facebook[27]. This collection and combination of data is found to be an abuse of a dominant position in the social network market, in the form of exploitative business terms by the FCO[28]. The FCO has not imposed a monetary fine on Facebook. In this case, it seems that the FCO has not focused on imposing fines to punish infringements, but to change the future behaviour of Facebook[29]. The FCO may, however, decide to impose a fine in the event of recurrent abusive behaviour, or in cases with a high potential for significant harm[30].

Coexistence of Competition and Data Protection Law

In this case, the FCO closely examined the relation between the German competition law provisions and data protection principles of the GDPR that are mainly enforced by the data protection authorities[31]. Based on the Decision, it appears that the FCO finds indispensable to examine the conduct of dominant companies like Facebook under competition law, also in terms of their data processing procedures[32]. It is the FCO’s view that the European data protection regulations, which are based on constitutional rights can or, considering the case-law of the German Federal Court of Justice (VBL-Gegenwert and Pechstein cases), must be taken into account when assessing whether data processing terms are appropriate under competition law[33]. As interpreted by the FCO, the regulations in the GDPR do not rule out the FCO’s assessment on whether data processing terms infringe upon the GDPR[34]. Also, during the proceeding, the FCO had contact with data protection authorities, none of which considered they had exclusive competence[35].

Should a dominant company like Facebook make the use of its service conditional upon users granting the company extensive permission to process their personal data[36], this can be considered to be "exploitative business terms" and raise data protection concerns, as well. As per the FCO, monitoring the data processing activities of dominant companies cannot be fulfilled solely by data protection officers and, therefore, need the support of the competition authorities[37].

The FCO examined whether the data policy is in line with the data protection assessments of the GDPR yet found that Facebook’s extensive processing of personal data from other corporate services, as well as Facebook Business Tools, violates European data protection requirements, and is subject to the affected users’ consent pursuant to data protection requirements[38]. It is deduced that in view of Facebook"s dominant position in the market, users give consent to Facebook’s terms and conditions only for the purpose of concluding the contract, which cannot be assessed as their free consent under the GDPR. Therefore, Facebook must no longer combine data in any comprehensive manner unless users give their express consent.


Pursuant to the FCO’s Decision, Facebook is required to adapt and change its terms of service imposed on its users who are based in Germany and data processing conditions. Although Facebook disagrees with the FCO’s Decision and intends to appeal the same in order for its users in Germany to continue to benefit from Facebook services[39], the Decision has created a significant impact in both the competition and data protection law environments. This Decision is remarkable in many aspects. On the one hand, the market definition analysis of, and the criteria used for, determining Facebook’s market power by the FCO is noteworthy in the Decision. On the other hand, and most importantly, the FCO, as a competition authority, finds itself competent to act against violations of data protection requirements where a dominant company is involved.

[1] Decision, Case Summary, 15 February 2019. (Access date: 04.03.2019).

[2] Facebook Inc., Menlo Park, USA, Facebook Ireland Ltd., Dublin, Ireland, and Facebook Germany GmbH, Hamburg, Germany.

[3] Decision, p. 1.

[4] Background information on the Bundeskartellamt’s Facebook proceeding, 7 February 2019, p. 1,;jsessionid=A938E8B12BF636C287E75EDC2CC1AF3E.2_cid378?__blob=publicationFile&v=6

[5] Please see. fn. 4.

[6] Please see. fn. 4.

[7] Please see fn. 4.

[8] Background information, p. 1.

[9] Please see fn. 8.

[10] Background information, p. 1.

[11] Please see. (Access date: 03.03.2019).

[12] Please see fn. 11.

[13] Please see fn. 11.

[14] Please see fn. 11.

[15] Decision, p. 1, 2.

[16] Decision, p. 2.

[17] Decision, p. 4.

[18] Please see fn. 17.

[19] Decision, p. 3.

[20] Background information, p. 3.

[21] Decision, p. 6.

[22] Please see fn. 21.

[23] Background information, p. 4.

[24] Please see fn. 24.

[25] Background information, p.4.

[26] Decision, p. 6.

[27] Decision, p. 7.

[28] Please see fn. 27.

[29] Background information, p. 7.

[30] Please see fn. 30.

[31] Decision, p. 8.

[32] Please see fn. 31.

[33] Please see fn. 31.

[34] Please see fn. 31.

[35] Decision, p. 9.

[36] Background information, p. 6.

[37] Background information, p. 7.

[38] Decision, p. 10.

[39] Please see. (Access date: 04.03.2019).

All rights of this article are reserved. This article may not be used, reproduced, copied, published, distributed, or otherwise disseminated without quotation or Erdem & Erdem Law Firm's written consent. Any content created without citing the resource or Erdem & Erdem Law Firm’s written consent is regularly tracked, and legal action will be taken in case of violation.

Other Contents

Newsletter Articles
The Regulation on Protection and Processing of Personal Data by the Social Security Institution

The Regulation on Protection and Processing of Personal Data by the Social Security Institution (the “Regulation”), the purpose of which is to determine the procedures and principles for processing data obtained within the scope of the duties and authority of...

Personal Data Protection February 2022
Newsletter Articles
A New Era: The Personal Information Protection Law of the People’s Republic of China

The Personal Information Protection Law of the People’s Republic of China (“PIPL”) passed at the 30th meeting of the Standing Committee of the 13th National People’s Congress on 20 August 2021 and entered into force on 1 November 2021 as per Article 74...

Personal Data Protection February 2022
Newsletter Articles
All Eyes of the Data Protection Authorities are on Cookies!

In today's world, there is no doubt that data has become one of the most valuable assets and resources for some companies. The ability to collect, store, process, and analyze data on a large scale has dramatically changed...

Personal Data Protection January 2022
Newsletter Articles
The Right to Be Forgotten
Personal Data Protection November 2021
Newsletter Articles
Newsletter Articles
Healthcare Sector Publishes a Guideline on Data Protection
Personal Data Protection September 2019
Newsletter Articles
The General Data Protection Regulation in Force
Personal Data Protection May 2018
Newsletter Articles
Destruction of Personal Data
Personal Data Protection November 2017
Newsletter Articles

For creative legal solutions, please contact us.