Germany's antitrust watchdog ruled on Thursday that Facebook abused its market dominance in collecting, merging and using user data.
The German competition authority, called the Bundeskartellamt, said it was imposing far-reaching restrictions on how Facebook processes user data and gathers consent. Specifically, it said Facebook could no longer combine users' data from separate apps like WhatsApp and Instagram without voluntary user consent. The decision is the culmination of a three-year investigation into the social media company by the German watchdog.
"In future, Facebook will no longer be allowed to force its users to agree to the practically unrestricted collection and assigning of non-Facebook data to their Facebook user accounts," Andreas Mundt, president of the Bundeskartellamt, said in a press release Thursday.
Facebook has one month to appeal the decision, which it said it will do in a blog post published Thursday.
"The Bundeskartellamt underestimates the fierce competition we face in Germany, misinterprets our compliance with GDPR and undermines the mechanisms European law provides for ensuring consistent data protection standards across the EU," Facebook said.
GDPR, short for the General Data Protection Regulation, is a sweeping set of data privacy rules that went into effect across the EU last May. Companies that don't meet GDPR's requirements face strict fines of up to 4 percent of global annual revenues.
Germany's competition authority said Facebook's terms of service, and the manner in which it collects and uses data, are in violation of Europe's data protection rules. The watchdog said many users are unaware that Facebook collects an "almost unlimited" amount of data from third-party sources, including Facebook-owned Instagram and WhatsApp, that the company then links to a user's Facebook account.
"In view of Facebook's superior market power, an obligatory tick on the box to agree to the company's terms of use is not an adequate basis for such intensive data processing," the Bundeskartellamt said.
In its blog post, Facebook hit back at the German watchdog, saying it is up to data protection authorities, not competition regulators, to determine GDPR compliance.
"The GDPR also harmonizes data protection laws across Europe, so everyone lives by the same rules of the road and regulators can consistently apply the law from country to country. In our case, that's the Irish Data Protection Commission. The Bundeskartellamt's order threatens to undermine this, providing different rights to people based on the size of the companies they do business with," Facebook said.
The German ruling applies to all private users of Facebook based in Germany. If the decision is upheld, Facebook must develop solutions within four months to meet the watchdog's orders.
