Germany’s competition regulator has told Facebook to “substantially restrict” how it collects and combines data about its users unless they give it explicit consent.

The Bundeskartellamt said the social media giant has effectively abused its dominant position to gather users’ personal information via Facebook, its other apps (including Instagram and WhatsApp), and third parties by forcing consumers to give blanket approval to its terms and conditions without users really knowing the extent to which their data would be shared—or for what purpose.

In a background note, the Bundeskartellamt says “social networks are data-driven products. Where access to the personal data of users is essential for the market position of a company, the question of how that company handles the personal data of its users is not only relevant for data protection authorities, but also for competition authorities.”

The ruling—which does not come with a fine, as the regulator wants the company to “change future behaviour”—says:

  • Facebook-owned services like WhatsApp and Instagram can continue to collect data. Assigning the data to Facebook user accounts, however, will only be possible subject to the users’ voluntary consent. Where consent is not given, the data must remain with the respective service and cannot be processed in combination with Facebook data.
  • Collecting data from third-party websites and assigning it to a Facebook user account will also only be possible if users give their voluntary consent.

The German competition authority says if consent is not given for data from Facebook-owned services and third-party websites, the company will have to “substantially restrict” its collection and combining of data.

The case is particularly interesting because it concerns collecting (and selling) consumers’ data to gain market share and market power, rather than violating or breaching consumers’ personal information (which would be the concern of a data regulator).

Last month, Google was handed a €50 million (U.S. $57 million) fine for GDPR violations (the largest penalty to date) after France’s data regulator, the CNIL, similarly found that users were coerced into accepting the company’s data policies and blanket terms and conditions to use its services.

Andreas Mundt, president of the Bundeskartellamt, said in a statement: “In future, Facebook will no longer be allowed to force its users to agree to the practically unrestricted collection and assigning of non-Facebook data to their Facebook user accounts. The combination of data sources substantially contributed to the fact that Facebook was able to build a unique database for each individual user and thus to gain market power.”

He added: “In view of Facebook’s superior market power, an obligatory tick on the box to agree to the company’s terms of use is not an adequate basis for such intensive data processing. The only choice the user has is either to accept the comprehensive combination of data or to refrain from using the social network. In such a difficult situation the user’s choice cannot be referred to as voluntary consent.”

Facebook has one month to challenge the ruling before it becomes legally effective. The company says it intends to appeal.

If the order is upheld, the company must develop technical solutions to ensure it complies within four months. If it refuses to do so, it could in theory be fined up to 10 percent of its annual revenues or be forced to make periodic (such as monthly) penalty payments worth up to €10 million (U.S. $11 million) each.

In a blog post called “Why We Disagree With the Bundeskartellamt,” Yvonne Cunnane, head of data protection, Facebook Ireland, and Nikhil Shanbhag, Facebook’s director and associate general counsel, say the regulator “is trying to implement an unconventional standard for a single company” and “underestimates the fierce competition we face in Germany, misinterprets our compliance with GDPR, and undermines the mechanisms European law provides for ensuring consistent data protection standards across the EU.”

They make the case that “popularity is not dominance,” pointing out that 40 percent of social media users in Germany do not use Facebook and that using information across services helps to make them better and protect people’s safety—for example, by making it easier to cross-check and disable accounts that are linked to terrorism, child exploitation, and election interference.

They also argue that data privacy issues are the domain of data protection regulators, rather than competition authorities, and that—because Facebook’s European HQ is in Ireland—the Irish Data Protection Commission (rather than any other EU regulator) should take the lead on any investigation or enforcement action.

While the ruling only applies to the firm’s activities in Germany, it is especially likely to influence other EU regulators, and privacy campaigners are already encouraging the move.

For example, U.K.-based campaign group Privacy International has said if the German ruling holds, Facebook should extend the same rights to its other users. In a statement, the group said: “Privacy harms are directly caused by the business models of companies in dominant positions, which can impose excessive collection of data on people who have become ‘captive users.’ ”