Germany’s dual approach to data regulation under the GDPR

Though the GDPR has not changed the law around data protection too much, lawyers suggest its introduction—alongside much stiffer penalties and an improved appetite to monitor suspected abuses—has shone a light once again on the practices that underpin the business models that enable such firms to operate.

And one European Union country in particular seems to have taken a giant torch to practices it has found “questionable” on two fronts—violations of data privacy and violations of competition law: Germany.

So far, German authorities have chosen to “direct” tech firms into reviewing the way they operate and to make the necessary changes to comply without fining them. But how long that approach may last is uncertain, particularly as the heat around their abusive practices does not appear to be dying down.

In February last year, Germany’s competition authority, the Bundeskartellamt, barred Facebook from pooling data collected from its Instagram app, other subsidiaries, and third-party Websites. In its ruling, the regulator said the social media giant had effectively abused its dominant position to gather users’ personal information via Facebook, its other apps (including Instagram and WhatsApp), and third parties by forcing consumers to give blanket approval to its terms and conditions without users really knowing the extent to which their data would be shared—or for what purpose.

Facebook appealed the decision, and the case is expected to be heard later this year in the Federal Court of Justice, Germany’s highest court.

But Facebook remains under attack. On Jan. 24 a Berlin court partially upheld a complaint by the Federation of German Consumer Organizations (VZBV) which found certain Facebook terms of use violated a principle of the GDPR that requires users to give “informed consent” before their data is collected.

In its findings, the court criticized a default setting that allows search engines to display a link to a user’s Facebook profile, as well as a requirement that users allow Facebook to use their name and profile picture for commercial purposes. The upshot of the ruling, says the VZBV, is that other consumer rights champions could seek legal enforcement of the GDPR without the involvement of an affected consumer.

In response, Facebook said the case related to user settings that have long been modified and are no longer in use.

There is no indication yet whether Facebook will be hit with a fine by one of the country’s 16 federal data regulators for GDPR violations as a result of this ruling. But the pressure on Facebook—and other tech firms in the country to mend their ways—is mounting, and not just in terms of GDPR compliance and enforcement.

Last week, the German Federal Ministry for Economic Affairs published the draft of the 10th amendment to Germany’s competition law, which addressed the role of and access to data in the digital economy. The proposed amendment would give broader definitions of dependency, new rules on personal data, and easier interim measures to speed up procedures if passed.

Lawyers suggest that how Big Tech companies (in particular) gather, share, and sell personal data will continue to come in for even closer scrutiny—and not just in Germany.

Dr. Daniel Pauly, technology, media, and telecom partner at law firm Linklaters, says the way German authorities are combining data protection law and competition law “to forge an even sharper sword” is “quite unique,” but adds regulators in other EU states “will follow.”

Matthew Hall, competition lawyer at law firm McGuireWoods, says the German Facebook cases “show that EU regulators (on both the competition law and data protection side) have the internet giants firmly in their sights, and competition law at the EU and national level is flexible enough to catch ‘new’ types of anti-competitive practices.”

Like Pauly, Hall does not think Germany will be alone for much longer in taking on Big Tech on privacy/data protection and competition concerns: Other EU states, as well as the Commission, are likely to take a similar approach. “The use by the German competition regulator of alleged GDPR breaches to create a competition law breach is new but unlikely to remain an isolated example,” Hall says.

There is already a strong push for changing competition law at the EU and national level to deal more quickly and adequately with Big Tech. Indeed, following the Bundeskartellamt’s Facebook decision last February, the European Data Protection Supervisor—the EU’s data privacy regulator— said all digital companies that rely on tracking, profiling, and targeting should be “on notice.”

Some EU members are considering setting up separate digital regulators specifically to take on Big Tech. Last July—following recommendations from March laid out in the “Furman report” on increasing digital market competition—the U.K.’s Competition and Markets Authority warned that a new regulator may need to be set up to deal specifically with the market dominance of tech firms such as Google and Facebook and how they use and sell customer data to maintain market share. One key measure being considered to increase consumer protection includes blocking technology giants from sharing data between different parts of their businesses as a way of boosting revenues through online advertising.

France—whose own data protection authority, CNIL, was not only the first to issue a fine against a Big Tech firm but which also has handed out the biggest GDPR penalty to date (€50 million, or U.S. $55 million) against Google—is also considering setting up its own digital regulator.

Meanwhile, the European Commission is also considering whether changes need to be made to competition law at the EU level. Some lawyers believe moves to beef up legislation may gain fresh impetus as the new Commission gears up.

“The German presidency of the Council later this year and the dual role of Margrethe Vestager as commissioner for competition and executive vice-president for a Europe fit for the digital age suggest that these issues will remain in the spotlight,” says David Naylor, head of the data protection practice at law firm Wiggin.