Facebook and Google’s Data-control Tactics Aren’t Just a Privacy Issue Anymore
David Meyer
It used to be that the only regulators who were interested in Facebook and Google’s data-controlling ways were privacy watchdogs. No longer.
Competition regulators are increasingly getting in on the action, too – and it’s a controversial trend, particularly in Europe.
On Wednesday, the U.K.’s Competition and Markets Authority (CMA) became the latest to join the fun when it opened a probe into Facebook and Google’s dominance of the digital advertising market. The investigation is largely about competition in that market, but it will also examine the issue of “consumer control over data collection practices.”
“We propose to consider whether consumers have the knowledge, skills and desire to control how data about them is collected and used by the online platforms, and how far they are able to exercise such choice,” the CMA said. “Within this theme, we will examine the relationship between consumers and consumer-facing online platforms and whether the choices of consumers are limited through terms and conditions or other practices, for example website or app design.”
A New Global Trend
The Australian Competition & Consumer Commission (ACCC) carried out a similar study last year, also looking at the digital advertising industry with a partial focus on data control.
“The ACCC is in particular concerned about the length, complexity and ambiguity of online terms of service and privacy policies, including… agreements with take-it-or-leave-it terms,” it said when releasing a preliminary report in December. “Without adequate information and with limited choice, consumers are unable to make informed decisions, which can both harm consumers and impede competition.”
In the U.S., a dozen state attorneys general raised the same issue in a submission to the Federal Trade Commission last year – it remains to be seen how the FTC will respond.
Closer to the U.K., Germany’s Federal Cartel Office ruled in February that Facebook had been illegally combining user data from different sources, such as WhatsApp and third-party websites, without users’ consent. The antitrust watchdog banned Facebook from doing this in Germany any longer – though the company then launched an appeal.
The German competition authority’s justification for tackling the issue was similar to that of the Australian watchdog: consumers can’t say no to the platforms they have to use, in order to participate in regular online life.
“In view of Facebook’s superior market power, an obligatory tick on the box to agree to the company’s terms of use is not an adequate basis for such intensive data processing,” said Federal Cartel Office chief Andreas Mundt at the time. “The only choice the user has is either to accept the comprehensive combination of data or to refrain from using the social network. In such a difficult situation the user’s choice cannot be referred to as voluntary consent.”
However, the German decision was controversial, since it was seen as treading into the domain of European privacy law.
Same Problem, Different Regulators
Once, EU antitrust regulators were better equipped to tackle Big Tech than their privacy-watchdog counterparts, due to their ability to hit companies with heavier fines. But last year the EU General Data Protection Regulation (GDPR) came into effect, allowing data protection authorities to fine firms up to 4% of their global annual revenues. The GDPR is largely concerned with giving people more control over how their data is collected and used.
And for that reason, legal experts have predicted that, as far as personal data is concerned, EU competition watchdogs would in the future most likely stick to the issue of the size of the data hoards that tech firms amass, rather than the way they collect that information.
This prediction was seemingly backed up in May by the European Commission’s antitrust office, which said the German case was a matter of that country’s particular take on competition law. EU lawmakers have “made sure that the type of conduct in question is addressed by the General Data Protection Regulation,” the Commission said.
But here we are: the competition authority of the U.K., which is still part of the EU, is tackling the same question.
On Wednesday, the British authority said the solutions to the problem could include forcing companies to introduce “fairness by design” to the way they let people control how their data is collected and used.
“We will consider whether… there should be rules on what defaults are fair, including when it is acceptable to restrict users from accessing a service if they do not consent to the provider of the service accessing their data,” the CMA said.
Neither Facebook nor Google had responded to a request for comment at the time of writing.