Facebook forbidden from merging data from multiple platforms in Germany

Facebook acquired photo-sharing app Instagram for $1bn (£0.8bn) in 2012 and encrypted messaging app WhatsApp for $19bn (£15bn) in 2014. In 2017, the European Commission fined Facebook €110m (£94m) for misleading the executive body about its acquisition of WhatsApp; Facebook had publicly claimed that it would not be able to match user accounts on Facebook and WhatsApp, but went on to do so regardless.

Later in the year, the French data privacy watchdog warned Facebook to stop sharing user data with WhatsApp.

Amid growing concerns about Facebook’s handling of user data, the German Federal Cartel Office (FCO) established an investigation into Facebook’s collection of user data.

The FCO has concluded that Facebook’s extreme data-collecting behaviour constituted “an abuse of a dominant position” in the market, and that many users were unaware of Facebook’s ability to collect and process an almost unlimited amount of data from different sources. Websites with Facebook’s Like and Share buttons integrated – and those which run Facebook Analytics tools – share user data with Facebook, even if users never interact with those buttons.

According to the FCO, Facebook must heavily restrict how it gathers data on its German users across its platforms unless they give explicit consent. Instagram and WhatsApp will be permitted to continue to collect data, although they are forbidden from combining this information with a user’s primary Facebook account without the consent of the user. Similar restrictions will be placed on merging data collected from third-party websites with a user’s Facebook account.

The FCO said that an “obligatory tick on the box” to agree to all of the company’s terms was not sufficient consent for “intensive” data processing. If users refuse to consent, Facebook must not exclude them from its services.

Unless it is overturned, the ruling is set to become set in law in one month, and Facebook must ensure that it complies within four months in order to avoid fines of up to 10 per cent of its annual revenues.

“With regard to Facebook’s future data-processing policy, we are carrying out what can be seen as an internal divestiture of Facebook’s data,” said Andreas Mundt, president of the FCO. “In future, Facebook will no longer be allowed to force its users to agree to the practically unrestricted collection and assigning of non-Facebook data to their Facebook user accounts. The combination of data sources substantially contributed to the fact that Facebook was able to build a unique database for each individual user and thus to gain market power.

“In future, consumers can prevent Facebook from unrestrictedly collecting and using their data. The previous practice of combining all data in a Facebook user account, practically without any restriction, will now be subject to the voluntary consent given by the users.”

The ruling may cause difficulties for Facebook’s plans to more closely integrate Facebook, Instagram and WhatsApp so that users can send messages between the platforms.

Facebook has claimed that the FCO has made demands that fall under the remit of a different regulator (the data protection regulator), and that it will appeal the decision. Facebook argued that it faced “fierce competition” in Germany as 40 per cent of social media users in the country did not use Facebook, and that by collecting this data, it was not only personalising adverts and helping advertisers but also helping the company combat terrorism and child abuse.