It surprises no one to say that the largest companies in today’s economy have a consumer base with little geographic boundaries. Facebook, for example, is used by people in almost every country. Over the past few years, Facebook has been forced to confront the European Union’s moral beliefs regarding data privacy as reflected in the General Data Protection Regulation (GDPR). And a recent court order from Germany pushes back against Facebook’s understanding of sufficient consent from consumers that allows the company to then use consumer’s individual data.
Over a span of five years, Facebook’s revenue grew from $7.87 billion in 2013 to $55.8 billion in 2018. Like many other successful social media services, Facebook is free for users. One way Facebook makes money is by taking users’ data (geographic location, search history, likes, and other interactions on affiliate websites, etc.) to make advertising on its site highly effective and valuable to third parties.
“Data” in this instance is the information a user gives Facebook by virtue of simply interacting with the website or application — not by actively posting a status update, but by passively clicking around the interface (or affiliated platforms/services/websites). This practice leads to things like targeted advertisements on a user’s page that caused heated debate in recent years. The company’s CEO, Mark Zuckerberg, maintained that Facebook never sells data about individuals to third party advertisers. “The company says it only shares non-personally identifiable information like telling an advertiser that an ad did well with a certain demographic” (Segarra).
This surge in scrutiny over Facebook’s data privacy policy is due in large part to three issues: questions over whether privacy breaches impacted the 2016 U.S. Presidential election, the massive change in data privacy regulation with the GDPR coming into effect, and how disinformation on Facebook’s platforms (WhatsApp) led to mass killings in some countries. Facebook is taking steps to assure the public that it is responsible in its use of consumer data. In preparation for the GDPR coming into effect, Facebook came out with a new interface for users to learn about their privacy policy, and released an updated Data Policy in April of 2018 (Segarra). For example, there’s a tool found in the Help Center called “Download Your Information,” which allows users to request a copy of their information that is stored by Facebook. This process, however, can take days to complete depending on how much information the user is requesting and over how long a time period. The company’s Data Policy does provide a lot of information to users—if you can get through it. There are multiple tabs on the page and a lot of words that might overwhelm many of today’s ‘immediate gratification’ consumers. Though an improvement, it is yet to be determined whether Facebook has done enough to comply with the GDPR.
Facebook stated on February 4, 2019: “Although we didn’t do enough to anticipate some of these risks, we’ve now made fundamental changes. This past year we’ve invested record amounts in keeping people safe and strengthening our defenses against abuse. We’ve also provided people with far more control over their information and more transparency into our policies, operations and ads.” The company’s policy changes may be fundamental, but the core of the debate lies within the meaning of consent. Technically, Facebook does get an affirmative “yes” from users to allow Facebook to use their data. This comes by virtue of using the service. When Facebook updates its policy, it notifies users. In Facebook’s view, by continuing to use Facebook after having an opportunity to read the policy, users give consent. Zuckerberg himself, however, admits it is no surprise that most people do not read the policy. (Schulze).
Facebook’s Data Policy notes that you can access and delete the information the company collects about you by visiting the various general “Settings” pages. This feels strange. Must users then constantly delete information collected? If information is collected continuously while someone is using the application and affiliated applications, deletion seems like a never-ending and exhausting burden for the consumer to bear if they do not want their information collected or stored by Facebook, period. If you want to use Facebook, you do not have much choice — you must accept their use of your data or else not use the service.
Germany is not interested in accepting these terms. “In a landmark decision, … the Federal Cartel Office [FCO], or Bundeskartellamt, opened a new regulatory frontier by accusing Facebook of abusing its market power by forcing users to agree to nearly limitless data collection in order to use the service” (Kochman). The order requires Facebook to give users the right to affirmatively consent prior to having their data merged from their activity on other affiliate websites into their Facebook accounts. The main argument stems from Germany’s competition law. The idea is that Facebook’s market power compromises the consent users give when simply clicking “I agree” to the company’s terms. Effectively, users must either accept the way that Facebook merges their data across multiple platforms (presumably without most users fully appreciating this point) or not use the social network at all. Since, according to the Bundeskartellamt, Facebook does not face sufficient competition, there is not enough choice and control granted to the user. This “alleged ‘take-it-or-leave-it’ approach to data collection” is also being separately investigated by the GDPR.
Facebook issued a statement about why they disagree with the FCO order. They feel it understates or misunderstands the competition Facebook faces from other social media companies. Facebook wrote: “We face fierce competition in Germany, yet the Bundeskartellamt finds it irrelevant that our apps compete directly with YouTube, Snapchat, Twitter and others.”
We will see how this pans out between Facebook and the Bundeskartellamt. For now, it seems Facebook still has a long way to go before they have a true hold on how user data is being used in connection with the site, considering the fact that they cannot seem to stay out of the headlines on this issue. On February 22nd, a report was released by the Wall Street Journal which found “several phone apps are sending sensitive user data, including health information, to Facebook without users’ consent” (Anderson). Meanwhile in the U.S., consumer groups are pushing Congress to create new federal legislation on privacy and data protection. For now, U.S. consumers will likely reap the benefits—or deal with the consequences—of any changes Facebook and other similar tech giants make in response to both the GDPR and the recent Bundeskartellamt ruling.*
*Amara Lopez is a notes editor on the Michigan Technology Law Review. She can be reached at amaralo@umich.edu.