Facebook has one month to appeal the decision, which it said it will do in a blog post published Thursday.
"The Bundeskartellamt underestimates the fierce competition we face in Germany, misinterprets our compliance with GDPR and undermines the mechanisms European law provides for ensuring consistent data protection standards across the EU," Facebook said.
GDPR, short for the General Data Protection Regulation, is a sweeping set of data privacy rules that went into effect across the EU last May. Companies that don't meet GDPR's requirements face strict fines of up to 4 percent of global annual revenues.
Germany's competition authority said Facebook's terms of service, and the manner in which it collects and uses data, are in violation of Europe's data protection rules. The watchdog said many users are unaware that Facebook collects an "almost unlimited" amount of data from third-party sources, including Facebook-owned Instagram and WhatsApp, that the company then links to a user's Facebook account.
In its blog post, Facebook hit back at the German watchdog, saying it is up to data protection authorities, not competition regulators, to determine GDPR compliance.
"The GDPR also harmonizes data protection laws across Europe, so everyone lives by the same rules of the road and regulators can consistently apply the law from country to country. In our case, that's the Irish Data Protection Commission. The Bundeskartellamt's order threatens to undermine this, providing different rights to people based on the size of the companies they do business with," Facebook said.
The German ruling applies to all private users of Facebook based in Germany. If the decision is upheld, Facebook must develop solutions within four months to meet the watchdog's orders.