:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/DOTQITQG4AB24XZPUCRRWL3BHY.jpg)
:quality(70)/s3.amazonaws.com/arc-authors/irishtimes/2a429887-bb72-4814-bd40-0cbf79fe8d51.png)
A ruling last week in Germany has the potential to change the parameters of surveillance capitalism by forcing Facebook and many other companies to limit how they gather and share data.
The significance of the decision from the country's Bundeskartellamt – the federal cartel office that handles antitrust actions – notably pairs privacy and antitrust legislation. If upheld, it will be far-reaching.
The decision would upend the murky business models of not just Facebook but other data-gathering companies large and small which currently rely on exploiting personal data that is gathered in ways consumers cannot fully understand, then stockpiled and used for purposes and profiling that are mostly invisible.
The ruling follows a three-year investigation and states that Facebook abuses a dominant market position by requiring users to consent to having their data shared across other widely-used apps, Instagram and WhatsApp, which are also owned by the company, and even to being tracked when they leave Facebook and visit other websites.
:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/UUHZW2KIIE4ODYQULZ377UH5W4.jpg)
:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/B2X3AL5XXDNJGRNU3QVIHORJC4.jpg)
:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/6SOM7DY6PTNWSKVILR52NS5R2M.jpg)
:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/RUVGA26JHVOWOT5PYQNHDNHQWI.jpg)
The Bundeskartellamt noted that visitors to third-party websites are tracked if they simply visit any website that contains a Facebook “like” button. Visitors are tracked regardless of whether or not they clicked the “like” button.
“Above all, we see the collection of data outside the Facebook social network and its inclusion in the Facebook account as problematic,” Andreas Mundt, president of the Bundeskartellamt noted last December.
In future, Facebook will no longer be allowed to force its users to agree to the practically unrestricted collection and assigning of non-Facebook data
For years, Germany has consistently been the toughest country in Europe in terms of regulating data collection and privacy. So, in many ways, it isn't surprising that it has taken a groundbreaking position here.
But this decision is far more than an attempt to restrain Facebook’s data collection activities.
If allowed to stand, the ruling lays the ground for possible European antitrust action against Facebook (or other mega-data collectors such as Google). It’s right there in the title: cartel office. For the first time, a regulatory body is making an explicit business and antitrust link to privacy violations.
Non-Facebook data
“In future, Facebook will no longer be allowed to force its users to agree to the practically unrestricted collection and assigning of non-Facebook data to their Facebook user accounts,” Mundt said in a statement.
“The combination of data sources substantially contributed to the fact that Facebook was able to build a unique database for each individual user and thus to gain market power.”
In other words, because Facebook gathers data in this indiscriminate and mandatory way, without any opt-out for users, it both exploits and further consolidates a dominant market position.
The ruling says the company cannot track people across other websites, and cannot gather and share data across its Instagram and WhatsApp apps, without first gaining explicit opt-in permission from users.
This is a dramatic interpretation that, trust me, will be keeping corporate lawyers up at night right now (as well as the board of directors, if they are paying attention).
While there will of course be a certain number of people willing to share their data, especially within Facebook’s own properties, people are surely far less likely to opt in to having their actions tracked on sites that have nothing to do with Facebook, other than serving as a data-gathering opportunity for the company.
This is important. Facebook (and pretty much every data gathering company) relies on users not having any such options and not fully understanding what data is sucked in and how it is marketed and monetised). Facebook knows full well that if forced to disclose, up front, the sweeping scope of its data gathering and user tracking, currently hidden behind vague user agreements and relationships with third parties, most users will simply say no.
The key thing here is that Facebook cannot then just withdraw services. If it wishes to offer Facebook as it currently exists, it must allow users to opt out of this invisible mega-harvest of data, but still offer the same service. Mundt's office is saying that Facebook cannot avoid the consent element here, which it argues is intrinsic to the EU's General Data Protection Regulation (GDPR).
I see two intriguing, relevant points here. First, if Facebook challenges this ruling, it must ultimately end up with the European Court of Justice. While some observers (and Facebook) argue that privacy and antitrust (ie, business) determinations should be kept separate, and that an antitrust office cannot rule on privacy issues, it’s worth recalling that the ECJ initially had a role as the top EU court for business rulings, yet in recent years has taken on far-reaching data protection and privacy cases, ruling with significant bite.
The ECJ surely is the global court most likely to understand the interrelatedness between mass data gathering and market domination.
Second, if this decision is upheld as a violation of GDPR, it would have dramatic, European-wide effect not just on Facebook, but many other companies.
And, if Europeans get the right to opt out of these particular surveillance capitalism techniques, users everywhere will want the same option.
Definitely, a case to watch.
:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/sandbox.irishtimes/GW3FWAURWFGM7FF4RMYJLBG7ZI.png)