Freely given consent vis-à-vis socially dominant market players like Facebook
under the new GDPR. An analysis and the current state of opinion
Author: Miles Krist
Supervisor: dhr. dr. T.A.J.A. (Thomas) Vandamme Date of submission: 8 January 2018
Abstract
Articles 7 and 8 of the Charter of Fundamental Rights of the European Union protect the respect for private life as well as the personal data of the Union citizens. As an expression of their right to self-determination, the citizens can set aside this protection by consenting to the processing of their personal data. However, this consent has to be freely given. Under the newly adopted General Data Protection Regulation (GDPR) the conditions for consent will be more prescriptive in this regard. Though, especially younger generations have social difficulties to ignore the services of big data collectors in a modern information society. According to Facebook subscriber statistics of 30 June 2017 almost 50% of European Union citizens use the social media network. Out of the 252,070,000 users, the majority comprises citizens from the age of 18 to 34. When social pressure to engage in online social networking is that compelling, the hypothesis arises that there could be no room for freely given consent vis-à-vis socially dominant market players like Facebook in modern everyday life and the consequence might be an indirectly forced consent, only given in order to be able to socially participate. Against this background, it can be questioned if the legal instrument of consent can still ensure digital privacy in such circumstances. This thesis argues that, when using the new GDPR as a yardstick, EU citizens actually do not give consent to the processing of their personal data freely when they contract with a big market player like Facebook. This is due to a clear power imbalance between the company and the EU citizens which originates from their high social dependence on Facebook’s services in modern everyday life. The social dependence simultaneously leaves EU citizens without a genuine or free choice or at least unable to refuse or withdraw their consent vis-à-vis Facebook without social detriment. Thus, such consent cannot provide a valid legal basis for the processing of personal data in this case. Subsequently to this analysis, the thesis maps the relevant state of opinion on the issue amongst the EU bodies, in particular the CJEU, as well as the legal literature and finally looks at the matter from a competition law angle, overall finding recently materialising strong support for the view put forward.
Table of Contents
1. Introduction 1 2. Taking Stock 2
a) Legal Situation 2
aa) Data Protection Framework 2 bb) Consent under the GDPR 4 b) Social Situation 5
aa) Personal Data Collection and Usage 6 bb) Market Concentration 7
cc) Social Impacts 7
dd) Social Norms 8
ee) Lock-In Effects 9 c) Preliminary Results 10
aa) Data Unnecessary for Service Performance 11
bb) Clear Imbalance Between Data Subject and Controller 11 cc) No Genuine Choice or Refuse without Detriment 12
dd) Outcome 13
3. Mapping the Current State of Opinion 13
a) EU Bodies 13
aa) Article 29 Working Party 13
bb) European Union Agency for Fundamental Rights 15 cc) European Commission 17
b) CJEU Case Law 19 c) Legal Literature 22
4. Competition Law 22 5. Conclusion 25 Table of Cases 26 Table of Legislation 26
Table of Policy Documents 27 Bibliography 27
1. Introduction
Articles 7 and 8 of the Charter of Fundamental Rights of the European Union protect the respect 1
for private life as well as the personal data of the Union citizens. As an expression of their right to self-determination, the citizens can set aside this protection by consenting to the processing of their personal data. However, this consent has to be freely given. 2
Under the newly adopted General Data Protection Regulation (GDPR) which recently 3
entered into force, the conditions for consent will be more prescriptive in this regard. In particular, the Regulation emphasises that consent should not be regarded as freely given where there is a clear imbalance between data subject and data controller or when the data subject has no genuine or free choice or is unable to refuse or withdraw his or her consent without detriment. Simultaneously, especially younger generations have social difficulties to ignore the services of big data collectors in a modern information society. According to Facebook subscriber statistics of 30 June 2017 almost 50% of European Union (EU) citizens use the social media network. Out of the 252,070,000 users, 4
the majority comprises citizens from the age of 18 to 34. 5
When social pressure to engage in online social networking seems that compelling though, the question arises if there can even be room for freely given consent vis-à-vis big market players like Facebook in modern everyday life or whether the consequence might be an indirectly forced consent, only given in order to be able to socially participate. Against this background, it appears questionable if the legal instrument of consent can still ensure digital privacy in such circumstances. Whether that is the case or not should therefore be assessed in this thesis.
For this purpose, section 2 will first take stock of the legal situation under the new EU data protection framework and then look at the current social situation from a statistical and sociological perspective, using the example of Facebook as one of the biggest data collectors in the EU. The company’s activities have been selected here for being easily accessible and highly relevant due to Facebook’s wide popularity, the resulting huge extent of its data collection activities and the
Charter of Fundamental Rights of the European Union [2012] OJ C 326/391 1
German Federal Constitutional Court, Census Act [1983] BVerfGE 65, 1-71; translation of essential parts, 2
in particular C. II. 1a) <https://freiheitsfoo.de//files/2013/10/Census-Act.pdf> accessed 8 January 2018 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the 3
protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L 119/1
Miniwatts Marketing Group, ‘Internet Users in the European Union - 2017’ [2017] 4
<www.internetworldstats.com/stats9.htm> accessed 8 January 2018
Statista, ‘Distribution of Facebook users worldwide as of January 2017, by age and gender’ [2017] 5
consequent high potential for causing legal friction in this field, which has actually manifested itself vividly and repeatedly during the time of writing this thesis. Section 2 ends with an assessment of the lawfulness of the processing of personal data by Facebook based on consent of the data subject under the new and stricter EU data protection framework. Section 3 then maps the present state of opinion on the matter. It looks at how, if even at all, the EU bodies, in particular the CJEU in its case law, as well as the legal literature perceive and assess the issue. Section 4 additionally looks at the matter from a competition law angle while section 5 draws a final conclusion.
2. Taking Stock
a) Legal Situation
In the EU everyone has the right to respect for his or her private life as well as to the protection of personal data concerning him or her. Any limitation on the exercise of these rights must be 6
provided for by law and respect the essence of these rights. 7
aa) Data Protection Framework
The GDPR and the ePrivacy Directive constitute the two main pillars of the legal framework that 8
safeguards these rights in the digital field and thereby assure digital privacy of EU citizens. In this regard, the GDPR alone regulates the definition of, and conditions for consent as a legal basis for the processing of personal data. The ePrivacy Directive, while representing lex specialis in relation 9
to the GDPR, does not contain any distinct regulation in that respect and fully refers to the 10
GDPR. This relationship was not modified on the occasion of the ePrivacy Directive’s amendment 11
in 2009 and also under the recently proposed Regulation on Privacy and Electronic 12
Articles 7 and 8(1) Charter of Fundamental Rights of the European Union 6
Article 52(1) Charter of Fundamental Rights of the European Union 7
Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the 8
processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) [2002] OJ L 201/37
Articles 4(11), 6(1)(a), 7 and 8 GDPR 9
Article 1(2) and Recital (10) ePrivacy Directive; Article 95 and Recital (173) GDPR 10
Article 2(f) and Recital (17) ePrivacy Directive 11
Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending 12
Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws [2009] OJ L 337/11
Communications, which seeks to replace the ePrivacy Directive in order to align the pillar with 13
the novel GDPR, it is not supposed to change. Thus, while social networking sites like Facebook 14 15
might need to observe the amended ePrivacy Directive when they use cookies and although other issues of application emerged, regarding inter alia Over-the-Top communications services like Facebook Messenger or WhatsApp, the ePrivacy Directive can be left aside in the following, since in any case substantive legal questions associated with consent are governed solely by the GDPR.
Also, any perceived uncertainties whether the scope of the GDPR includes Facebook, as being United States based, were cleared up by the Court of Justice of the European Union (CJEU) 16
in its Schrems judgement which confirmed full application. Equally, Facebook users can now 17
invoke the GDPR’s provisions on consent directly against the company in a national court of a Member State, which is known as horizontal direct effect. Although, the existence of horizontal 18
direct effect of EU fundamental rights is still controversial, the GDPR implements the right to 19
respect for private life and protection of personal data as seen above. In contrast to directives, the Regulation is directly applicable in the Member States, which means that its application is not dependent on further national implementing measures, and the provisions on consent are sufficiently precise and unconditional, which means that they have direct effect. Therefore, the 20
GDPR not only provides for the right of the data subject to lodge a complaint with a supervisory authority, but also the right of the data subject to an effective judicial remedy directly against a 21
controller or processor where he or she considers that his or her rights under the GDPR have been
European Commission, Proposal for a regulation of the European Parliament and of the Council 13
concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications), Brussels, 10 January 2017, COM/2017/010 final – 2017/03 (COD) CELEX:52017PC0010
Recital (173) GDPR 14
Article 9(1) and Recital (3) of the Proposal for a Regulation on Privacy and Electronic Communications 15
Aleksandra Kuczerawy, ‘Facebook and its EU users - Applicability of the EU data protection law to US 16
based SNS’ in M Bezzi and others (eds), Privacy and Identity Management for Life (Springer 2010) 75 Case C-362/14 Maximillian Schrems v Data Protection Commissioner [2015] ECLI:EU:C:2015:650, para 17
45; see now also Article 3(2)(b) GDPR
Damian Chalmers, Gareth Davies, Giorgio Monti, European Union Law (3rd edn, Cambridge University 18
Press 2014) 297
Thomas Van Danwitz, Katherina Paraschas, ‘A Fresh Start for the Charter - Fundamental Questions on the 19
Application of the European Charter of Fundamental Rights’ (2017) 35 Fordham International Law Journal 1396, 1425
Robert Schütze, European Union Law (Cambridge University Press 2015) 91 20
Article 77 GDPR 21
infringed as a result of the processing of his or her personal data in non-compliance with the Regulation. Insofar, proceedings against Facebook may as well be brought before the court of the 22
Member State where the user has his or her habitual residence. 23
Lastly, the GDPR entered into force on 24 May 2016 and shall apply from 25 May 2018. 24
Hence, Directive 95/46/EC which will be repealed by the GDPR from 25 May 2018 applies at 25 26
the time of writing this thesis. Nonetheless, the GDPR will be used as a yardstick in the following. This approach seems preferable because Directive 95/46/EC will be entirely replaced by the GDPR in the legal data protection framework, consent that has already been given will only continue to 27
apply if it has been given in a manner which is in line with the conditions of the GDPR, the 28
objectives and principles of Directive 95/46/EC, especially the concept of freely given consent as a core processing condition, remain sound under the Regulation and the GDPR, in that regard, 29
transposes into law to a large extent what was already called for by certain data protection authorities under the present regime. 30
bb) Consent under the GDPR
Under the GDPR consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she signifies agreement to the processing of personal data relating to him or her. It serves as a legal basis for the processing of 31
personal data. Thereby it is the only base providing for self-determination of the data subject as 32
Article 79(1) GDPR 22 Article 79(2) GDPR 23 Article 99 GDPR 24
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of 25
individuals with regard to the processing of personal data and on the free movement of such data [1995] OJ L 281/31 Article 94(1) GDPR 26 Article 94(2) GDPR 27 Recital (171) GDPR 28 Recital (9) GDPR 29
Baker & McKenzie LLP, ‘Consent under the GDPR’ [2016] 1 <http://globalitc.bakermckenzie.com/files/ 30 Uploads/Documents/Global%20ITC/13%20Game%20Changers/BM-Consent%20under%20the%20 GDPR.pdf> accessed 8 January 2018 Article 4(11) GDPR 31 Article 6(1)(a) GDPR 32
otherwise the necessity of the processing is decisive. While all elements of consent as defined by 33
the GDPR can raise concerns, the focus in the following will be on the element of ‘freely given’. 34
In that regard, the GDPR firstly clarifies that consent is highly likely to be not freely given if the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for such performance. Secondly, the Regulation 35
indicates that consent will not be freely given if there exists a clear imbalance between the data subject and the controller. Thirdly, the GDPR emphasises that consent should not be regarded as 36
freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment. Insofar, the Regulation is more prescriptive than its predecessor from 37
1995. This intensification constitutes the legislator’s response to substantial social developments towards an information society. 38
b) Social Situation
The GDPR points out in recital (6) that ’[r]apid technological developments and globalisation have brought new challenges for the protection of personal data. The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Natural persons increasingly make personal information available publicly and globally. Technology has transformed both the economy and social life’. One of those private companies that collect vast amounts of data is Facebook. The undertaking provides websites and applications for mobile devices that offer social networking, consumer communications as well as photo and video
Article 6(1)(b)-(f) GDPR 33
See for instance issues with ‘informed consent’ and a proposed solution in Mario Pascalev, ‘Privacy 34
exchanges: restoring consent in privacy self-management’ (2017) 19(1) Ethics and Information Technology 39
Article 7(4) and Recital (43) GDPR. (Note that ‘presumed’ in Recital (43) does not mean ‘required’ but 35
stands for ‘suspected’ in this context. This becomes clear if one reads the Recital in conjunction with Article 7(4) that speaks in tendencies instead of certainties. The French version of the GDPR confirms this as well, as it uses the word ‘présumé’ which can only be interpreted in the sense of probability. In contrast, the German version ‘gilt nicht als freiwillig erteilt’ (is not valid as freely given) seems to be an editorial inaccuracy.) Recital (43) GDPR 36 Recital (42) GDPR 37 Recital (7) GDPR 38
sharing functionalities. In particular, it provides the consumer communications applications ‘WhatsApp’ and ‘Facebook Messenger’ as well as the social networking platform ‘Facebook’. 39
aa) Personal Data Collection and Usage
Social networking platforms enable users to create or join networks of like-minded individuals. Users can provide personal data to create a description of themselves in a ‘profile’ in order to express their interests by posting their own materials like photographs and diary entries and share them through the platform with other users, enabling them to connect and interact. Facebook derives much of its revenue from targeted advertising based on that user-generated information. The collected data offers a refined market for advertisers that can serve their advertising alongside the web pages set up and accessed by the users. Facebook’s business model therefore relies heavily on the information provided by its users. Thus, in order to access and use Facebook’s services, users 40
first have to agree to the company’s collection and use of their data by accepting the terms of service. Consequently, Facebook collects every information that they provide and leave behind. 41
This comprises not only data generated while using the platform, but also covers user data from third party sources, including user information obtained by companies that are owned or operated by Facebook, such as WhatsApp, Facebook Messenger or Instagram as well as user data from third-party websites that have embedded Facebook products such as the Like button or Facebook Analytics. The collection of information even takes place where the user blocks web tracking in 42
his or her browser or device settings. 43
European Commission Decision of 3 October 2014 declaring a concentration to be compatible with the 39
common market (Case No COMP/M.7217 - Facebook / Whatsapp) according to Council Regulation (EC) No 139/2004 [2014] CELEX:32014M7217, paras 2 and 191
Article 29 Data Protection Working Party, ‘Opinion 5/2009 on online social networking’ [2009] 4-5 40
<http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2009/ wp163_en.pdf> accessed 8 January 2018
Facebook Ireland Ltd., ‘Statement of Rights and Responsibilities’ [2017] <www.facebook.com/legal/ 41
terms> accessed 8 January 2018
Facebook Ireland Ltd., ‘Data Policy’ [2016] <www.facebook.com/full_data_use_policy> accessed 8 42
January 2018
German Federal Cartel Office, ‘Background information on the Facebook proceeding’ [2017] 2 43
<www.bundeskartellamt.de/SharedDocs/Publikation/EN/Diskussions_Hintergrundpapiere/2017/Hintergrund papier_Facebook.docx?__blob=publicationFile&v=5> accessed 8 January 2018
bb) Market Concentration
Facebook subscriber statistics of 30 June 2017 show that almost 50% of EU citizens use the social networking platform. In addition, the 252,070,000 EU Facebook users concentrate in younger age 44
groups. Almost 9 in 10 internet users in the EU aged 16 to 24 years participated in social networks 45
in 2016. Facebook is thereby omnipresent in modern life. Actually, the latter statistics themselves 46
were found on the Facebook presence of Eurostat. The Directorate-General of the European Commission posted them there with a link to their website on 13 July 2017. Moreover, Facebook’s 47
consumer communications applications WhatsApp and Facebook Messenger which enable inter-personal communications like instant messaging or calling over the internet both have now 1.2 48
billion users worldwide with their geographical focus being on Western and Eastern Europe. 49 50
Finally, Facebook’s user numbers are constantly and exponentially growing year after year, making Facebook, already statistically, too big to ignore. 51
cc) Social Impacts
In view of those huge numbers it seems difficult if not impossible not to choose Facebook in an information society. This is especially true for the younger age groups in which the users concentrate. Social participation in those peer groups depends nowadays to a vast part on Facebook. Whether it concerns a working group at university or the party after the exams, the organisation most likely takes place over the company’s services. This happens because the majority already uses Facebook. And if someone has not yet joined the bandwagon, the pressure to comply is overwhelming. Needless to say, that it is almost unthinkable and could be actually dangerous for a
Miniwatts Marketing Group, ‘Internet Users in the European Union - 2017’ [2017] 44
<www.internetworldstats.com/stats9.htm> accessed 8 January 2018
Statista, ‘Distribution of Facebook users worldwide as of January 2017, by age and gender’ [2017] 45
<www.statista.com/statistics/376128/facebook-global-user-age-distribution/> accessed 8 January 2018 Eurostat, ‘Are you using social networks?’ [2017] <http://ec.europa.eu/eurostat/web/products-eurostat-46
news/-/DDN-20170713-1?inheritRedirect=true&redirect=/eurostat/> accessed 8 January 2018
Eurostat on Facebook, ‘Post from 13 July 2017’ [2017] <www.facebook.com/EurostatStatistics/> accessed 47
8 January 2018
Memorandum 1.1. of the Proposal for a Regulation on Privacy and Electronic Communications 48
TechCrunch, ‘Facebook now has 2 billion monthly users… and responsibility’ [2017] 49
<https://techcrunch.com/2017/06/27/facebook-2-billion-users/> accessed 8 January 2018
Oratio GmbH, ’Current numbers for mobile messengers (Q1 2017)’ [2017] <https://orat.io/blog/current-50
numbers-for-mobile-messengers-q1-2017/#fn:1> accessed 8 January 2018
Zephoria Digital Marketing, ‘The Top 20 Valuable Facebook Statistics – Updated November 2017’ [2017] 51
student’s career if he or she refuses to join Facebook and thereby cutting him or herself off from the communication with his or her working group that uses the company’s services to work out the next graded group presentation for a mandatory university course. The same goes if the university itself uses a Facebook presence to keep in touch with its students and feeds them with news about networking events with potential future employers (which finally pre-screen their job applicants on the social networking platform). One can think of an unlimited number of such examples, which displays the high social penetration of Facebook in modern life as well as the self-amplifying mechanism that ensures its durability and unstoppable growth. The social influence of the company increases constantly, parallel to its market penetration, due to its already existing high popularity and social interrelations which in combination draw in more and more users.
dd) Social Norms
In social sciences this is described as a social norm which, in this context, affects and determines privacy decisions. Big market players like Facebook have become pervasive in daily social life. 52
Most people experience Facebook therefore as essential for basic social participation. Using 53
Facebook has thus become a social norm. This in turn creates high social pressure to conform to that social norm for non-users and thereby renders their privacy concerns irrelevant. Although 54
most people are highly concerned about the collection and use of their personal data online, they 55
take part in structured power relations which they want to refuse to accept but feel powerless to contest. In some cities of the United States, citizens even called the local emergency services 56
when Facebook went down for a few hours. This vividly portrays the power imbalance between 57
Alessandro Acquisti, Laura Brandimarte, George Loewenstein, ‘Privacy and human behavior in the age of 52
information’ (2015) 347(6221) Science 509, 510
Shoshana Zuboff, ‘Big other: surveillance capitalism and the prospects of an information 53
civilization’ (2015) 30 Journal of Information Technology 75, 83
Tuukka Lehtiniemi, Yki Kortesniemi, ‘Can the obstacles to privacy self-management be overcome? 54
Exploring the consent intermediary approach’ [2017] Big Data & Society 4-5 <https://doi.org/10.1177/20539 51717721935> accessed 8 January 2018
Pew Research Center, ‘Public Perceptions of Privacy and Security in the Post-Snowden Era’ [2014] 55
<www.pewinternet.org/2014/11/12/public-privacy-perceptions/> accessed 8 January 2018
Mark Andrejevic, ‘The Big Data Divide’ (2014) 8 International Journal of Communication 1673, 1677-78 56
Los Angeles Times, ‘911 calls about Facebook outage angers L.A. County sheriff's officials’ [2014] 57
<www.latimes.com/local/lanow/la-me-ln-911-calls-about-facebook-outage-angers-la-sheriffs-officials -20140801-htmlstory.html> accessed 8 January 2018
the big company and its socially dependent users to their disadvantage. As a 29 year old female 58
user put it in 2014: ‘I just click agree, because what else can I do? I think that frustration sometimes just translates into: “I won’t even think about it, because what can I do?” It [Facebook] becomes part of how you connect with people. It’s really useful for your career, for your choices in life. It doesn’t mean you can’t live without it, but living with it becomes important.’. The social 59
dependence hence leads to an overpowering sense of inevitability. This is even aggravated in the 60
younger age groups where the pressure to conform is the highest due to the biggest concentration of users. Studies in the United States show that most of the highly privacy concerned undergraduates join Facebook despite their reservations. 61
Lastly, the peer pressure that originates from social norms is paired with other common behavioural patterns that facilitate compliance in the context of privacy decisions. There is for instance a human desire to share and disclose personal information. Also, people unconsciously reason that a consciously as risky perceived behaviour is safe when other people around them perform it as well. And once performed, people’s inhibition threshold regarding the behaviour additionally lowers, so that they have even less concern to repeat or maintain it in the future which in turn decreases the inhibition threshold even further. 62
ee) Lock-In Effects
Moreover, market concentration and the resulting social norms are supplemented and deepened further by the so-called ‘lock-in effect’. The term describes a practice, where a company makes it incredibly difficult for its users to leave it, even if the users want to. The effect exists in a social as 63
well as technological sense. The social lock-in effect, on the one hand, is the result of the dominant position of big companies and is particularly obvious in the social networking market. It consists of
Shoshana Zuboff, ‘Big other: surveillance capitalism and the prospects of an information 58
civilization’ (2015) 30 Journal of Information Technology 75, 83. See also Alessandro Acquisti, Laura Brandimarte, George Loewenstein, ‘Privacy and human behavior in the age of information’ (2015) 347(6221) Science 509, 514
Mark Andrejevic, ‘The Big Data Divide’ (2014) 8 International Journal of Communication 1673, 1684 59
Shoshana Zuboff, ‘Big other: surveillance capitalism and the prospects of an information 60
civilization’ (2015) 30 Journal of Information Technology 75, 85
Alessandro Acquisti, Ralph Gross, ‘Imagined Communities: Awareness, Information Sharing, and Privacy 61
on the Facebook’ in G Danezis and P Golle (eds), Privacy Enhancing Technologies (Springer 2006) 36, 43 Alessandro Acquisti, Laura Brandimarte, George Loewenstein, ‘Privacy and human behavior in the age of 62
information’ (2015) 347(6221) Science 509, 510-12
Gábor Kézdi, Gergely Csorba, ‘Estimating Consumer Lock-In Effects from Firm-Level Data’ (2013) 13 63
the user’s motivation to remain on a network, considering his or her social relationships and number of connections established and benefitted from on the social networking platform. This lock-in immanently confines the user’s options to reproduce the same network somewhere else. At the same time, it further reinforces with every action that the user takes in order to develop his or her social network which in other words translates to using the platform as it is intended to serve. On the other hand, the technological lock-in effect pertains to technological conditions and data formats which the company uses to offer its services. This lock-in confines data portability and the transfer to other services which provide for the same features by installing technological incompatibilities.
Overall, it can be noted that the social situation, in which market concentration and associated lock-in effects result in social norms and pressure to conform, bears the overwhelming probability that citizens accept not having effective self-determination over their privacy decisions and therefore their personal data. 64
c) Preliminary Results
As seen above, Articles 7 and 8 of the Charter of Fundamental Rights of the European Union protect the respect for private life as well as the personal data of the EU citizens. Thus, processing of their personal data is only lawful if it draws upon a legal basis. Such legal bases are provided 65
for by the EU data protection framework. This framework also applies to Facebook as an United 66
States based private company. If Facebook wants to collect and use the personal data of EU 67
citizens in return for the provision of its services, the only legal bases that the company could rely on are those that require the data subject to give consent to the processing of his or her personal data, as processing must not take place necessarily in any manner in this relationship. The GDPR 68
defines the conditions for consent. In particular, consent has to be freely given. 69 70
Alessandro Mantelero, ‘The future of consumer data protection in the E.U. Re-thinking the “notice and 64
consent” paradigm in the new era of predictive analytics’ (2014) 30 Computer Law & Security Review 643, 645
Article 52(1) Charter of Fundamental Rights of the European Union 65
Article 6(1) GDPR 66
Case C-362/14 Maximillian Schrems v Data Protection Commissioner [2015] ECLI:EU:C:2015:650, para 67
45; see now also Article 3(2)(b) GDPR Article 6(1) GDPR
68
Articles 4(11), 7-8 and Recitals (42)-(43) GDPR 69
Article 4(11) GDPR 70
aa) Data Unnecessary for Service Performance
Firstly, this is highly likely not the case according to the Regulation if the performance of the contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for such performance. In this case, consent is presumed to be not freely given. In order to access the services of Facebook, the user first has to agree to the company’s 71
collection and use of his or her data by accepting the terms of service. However, Facebook’s performance of its services, especially the provision of a social networking platform and the enabling of its usage, is not in any way dependent on the collection and use of personal data of the contracting party. This should not be confused with Facebook’s business model. The circumstance 72
that the company mainly provides its services for the purpose of gaining personal data from its users, does not correlate with the possibility of technical performance of its services without this data. Also, the fact that the usage of the services mainly consists in generating personal data, does not render the provision of the service impossible when the company, in contrast to the users, cannot use this data. Finally, the circumstance that Facebook provides its services free of charge is equally irrelevant in that context. Therefore, it is presumed that EU citizens’ consent to the 73
processing of their personal data has not be freely given when they contract with Facebook. This presumption would need to be rebutted by the company.
bb) Clear Imbalance Between Data Subject and Controller
Secondly, the GDPR states that in order to ensure that consent is freely given, it should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation. As seen above, Facebook is a huge 74
market player. Almost 50% of EU citizens use its social networking platform and out of the global 1.2 billion WhatsApp and 1.2 billion Facebook Messenger users a big part originates in Europe. These user numbers alone make the vast market penetration of the company in the EU manifestly obvious. The resulting omnipresence of Facebook closely correlates with a pervasive social dependence of a large number of EU citizens on the company’s services in modern everyday life.
Recital (43) GDPR 71
Only the technically needed processing of data that permits the user to install, maintain and get access to 72
his or her profile, like a user name, a password and an email address, could be considered necessary for the performance of the service according to Article 6(1)(b) GDPR.
Article 3(2)(a) and Recital (23) GDPR 73
Recital (43) GDPR 74
This relationship of dependence to the disadvantage of the citizens equals an imbalance between them and Facebook. This imbalance is also a clear one, due to its high degree of penetration and saturation in numbers and affected social relations. Using Facebook has become a social norm which puts high social pressure on non-users to comply. Social science findings show that this pressure makes self-determined acting upon privacy concerns highly unlikely in the specific situation of firstly consenting to the terms of service of Facebook which enables the processing of personal data by the company. The same holds true for present users in the situation of a potential renewal of their consent and is in this context further complicated by lock-in effects, that inhibit users to abandon the service in favour of an alternative service due to the non-transferability of already established social relations within the used service which applies both on a social and technical level. Having regard to the foregoing, it must therefore be concluded that consent is unlikely to be freely given when a data subject agrees to Facebook’s terms of service and hence does not provide a valid legal ground for the processing of personal data by the company under the GDPR. 75
cc) No Genuine Choice or Refuse without Detriment
Lastly, the GDPR emphasises that consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment. This is 76
also the case here. As seen above, Facebook applies a ‘take it or leave it’ approach to its data policy. The refusal to disclose personal data therefore entails not being able to use the company’s services altogether. Due to the vast market penetration of Facebook and the accompanying high prevalence of its services, the EU citizens vastly experience them as essential for social participation in modern information society life. Therefore, non-use is simply not feasible irrespective of privacy attitudes or individual reservations in regard to passing on personal data. The decision is not taken by the data subject itself but is governed by social norms. Thus, there is also no genuine or free choice of the data subject regarding consent in this case. Due to the fact that social norms work according to a self-amplifying mechanism, namely they are enhanced by any conforming decision because the more people comply, the more difficult it gets to diverge from the norm, as well as the circumstance
In case where a divergent result in regard of the probability is advocated, it should be noted that the GDPR 75
only requires a normal degree of unlikelihood according to its wording and that at least in younger citizen age groups, where the social pressure is highly elevated due to the overwhelming user concentration, this threshold should be met. If already the existence of a clear imbalance is contested, it should be noted that such power asymmetry can at least be inferred from an information imbalance in the age of big data, which will be touched upon below in section 3c).
Recital (42) GDPR 76
that Facebook has benefitted from this mechanism and presently possesses a huge user base and social prevalence in the EU, the social pressure to conform is particularly high in the case in point. Hence, the data subject is at least unable to refuse or withdraw consent vis-à-vis Facebook without social detriment. As a result, consent should not be regarded as freely given under the GDPR.
dd) Outcome
Overall, it can be concluded that, at the moment of writing this thesis, processing of EU citizens’ personal data by Facebook cannot be lawfully based on their consent under the new GDPR. Firstly, it is presumed that user consent is not freely given, due to the circumstance that the processing of their data is unnecessary for Facebook to provide its services. Secondly, a clear imbalance between Facebook and the EU citizens makes it unlikely that consent is freely given in the specific situation in which the citizen accepts or renews his or her acceptance of the company’s terms of service. And finally, EU citizens have no genuine or free choice or are at least unable to refuse or withdraw their consent vis-à-vis Facebook without social detriment.
Considering the company’s continuous increase in market penetration over the last years, this finding is also not likely to change in the near future. At the same time, the number of EU citizens which are limited in the exercise of their fundamental rights in this way, is tremendous. These circumstances provoke the question of how, if even at all, the issue is perceived by the EU bodies, in particular the CJEU in its case law, and the legal literature.
3. Mapping the Current State of Opinion
In order to map the current state of opinion, this section will first of all screen various EU bodies for awareness of the issue described above. Where such exists, it will also analyse the relevant handling by the body. Secondly, the case law of the CJEU will be assessed. Finally, the legal literature will be researched in the same way.
a) EU Bodies
aa) Article 29 Working Party
While conducting this research, Article 29 Working Party (WP29) has actually confirmed the view put forward here. The WP29 is a Union body set up by Article 29 of Directive 95/46/EC as a ‘Working Party on the Protection of Individuals with regard to the Processing of Personal Data’. The body has advisory status and acts independently. It mainly consists of a data protection 77
Article 29(1) Directive 95/46/EC 77
authority representative from each Member State. The WP29 promotes in particular the uniform 78
application of Directive 95/46/EC in the Member States and advises the European Commission on 79
any measures to safeguard the rights and freedoms of natural persons with regard to the processing of personal data. Furthermore, it draws up an annual report on the corresponding situation. The 80 81
body’s opinion is therefore of decisive importance in regard to the data protection of natural persons vis-à-vis private data collectors in the EU.
In 2014, the European Commission cleared Facebook’s acquisition of WhatsApp. In 2016, 82
WhatsApp performed updates to its terms of service and privacy policy, providing for the possibility to match phone numbers of WhatsApp users with user identities of Facebook’s social network. The WP29 addressed its general concerns about this procedure to WhatsApp in a letter of 83
16 December 2016. After further investigating the issue and because WhatsApp has not remedied 84
the situation yet, the Union body specified its concerns to the company in a very recent second letter of 24 October 2017:
As regards the requirement for consent to be ‘freely given’, the WP29 notes the pre-eminence of WhatsApp’s messaging service amongst other similar services, and the extent to which Facebook’s social networking service is embedded into the digital lives of European citizens. The means by which WhatsApp sought to introduce its updated terms of service and privacy policy has, however, effectively resulted in WhatsApp adopting a ‘take it or leave it’ approach in which users either signal their ‘consent’ to the sharing of data or they are unable to avail themselves of WhatsApp’s messaging service: ‘If you do not agree to our Privacy Policy, as amended, you must stop using our services’. For this reason, and having regard to the particular circumstances of this case, the WP29 considers that consent
Article 29(2) Directive 95/46/EC 78
Article 30(1)(a) Directive 95/46/EC 79
Article 30(1)(c) Directive 95/46/EC 80
Article 30(6) Directive 95/46/EC 81
European Commission Decision of 3 October 2014 declaring a concentration to be compatible with the 82
common market (Case No COMP/M.7217 - Facebook / Whatsapp) according to Council Regulation (EC) No 139/2004 [2014] CELEX:32014M7217, para 191
The European Commission recently fined Facebook 110 million euros for giving misleading information 83
about this during the merger investigations in 2014, see European Commission Press release from 18 May 2017 [2017] <http://europa.eu/rapid/press-release_IP-17-1369_en.htm> accessed 8 January 2018
Article 29 Working Party, ‘Letter from the Art. 29 WP regarding WhatsApp updated Terms of Service and 84
Privacy Policy’ [2016] <http://ec.europa.eu/justice/data-protection/article-29/documentation/other-document/ files/2016/20161027__letter_of_the_chair_of_the_art_29_wp_whatsapp_en.pdf> accessed 8 January 2018
could not be freely given by WhatsApp users in the absence of sufficiently granular user controls allowing for an appropriate level of control over the sharing of the data. 85
Simultaneously, the WP29 emphasises the fact, that personal data processing by Facebook and WhatsApp concerns millions of Union citizens every day, as well as the importance of Facebook and WhatsApp to look ahead to compliance with the GDPR. In light of the impacts of the matter on EU citizens, the Union body has now installed a task force which will engage WhatsApp and Facebook in order to reach a resolution of the issue. The argumentation put forward by the WP29 actually concurs largely with the view advanced in this thesis. The focus on the ‘pre-eminence of WhatsApp’ and ‘the extent to which Facebook’s social networking service is embedded into the digital lives of European citizens’ considered in relation to ‘WhatsApp adopting a ‘take it or leave it’ approach’ leading in total to consent being not freely given, completely falls in line with the argumentation seen above. Thus, it can be noted that the EU bodies are (by now) aware of the issue and even go in the same direction as this thesis in terms of its assessment.
However, according to the WP29, WhatsApp would be able to remedy the situation if the company provides for ‘sufficiently granular user controls allowing for an appropriate level of control over the sharing of the data’. The Union body does not explicate this any further in its letter. Therefore, it remains to be seen, how such controls could be designed to allow for ‘an appropriate level of control’ or rather what ‘control’ actually means in this context.
bb) European Union Agency for Fundamental Rights
The European Union Agency for Fundamental Rights (FRA) issued a handbook on European data protection law in conjunction with the Council of Europe and the European Court of Human Rights. This handbook explains European data protection law for those working in this area and is inter alia based on the published opinions of the WP29. The FRA constitutes the EU’s centre of fundamental rights expertise and provides advise to the Union bodies and the Member States in this respect. With regard to free consent, the FRA assumes the definition of the WP29, namely that ‘[t]he existence of free consent is valid only ‘if the data subject is able to exercise a real choice and there is no risk of deception, intimidation, coercion or significant negative consequences if he/she does not consent’. 86
Article 29 Working Party, ‘Letter of the Chair of the ART 29 WP to Whatsapp’ [2017] <http://ec.europa.eu/ 85
newsroom/just/document.cfm?doc_id=47964> accessed 8 January 2018
European Union Agency for Fundamental Rights, Council of Europe, Handbook on European data 86
The FRA then elaborates on how it interprets this condition in practice and illustrates its view with an example:
On the other hand, whenever sufficiently important goods or services can be obtained only and exclusively if certain personal data are disclosed to third parties, consent of the data subject to the disclosure of his or her data can usually not be considered a free decision and is, therefore, not valid under data protection law.
Example: Agreement expressed by passengers to an airline that it transfers so-called passenger name records (PNR), namely data about their identity, eating habits or health problems to the immigration authorities of a specific foreign country cannot be considered as valid consent under data protection law, as the travelling passengers have no choice if they want to visit this country. If such data are to be transferred lawfully, another legal basis than consent is required: most likely a special law. 87
This example seems actually entirely applicable to the situation being presently assessed if the airline is simply replaced by Facebook. This being the case, an agreement conveyed by users to Facebook that the company hands over personal data to advertising firms cannot be viewed as lawful consent under the GDPR, as the users have no choice if they like to access Facebook’s services. In order for such data to be validly disclosed, another legal basis than consent is consequently necessary. According to the example, this other legal basis most likely consists in a particular law.
The prerequisite for this finding is the service being ‘sufficiently important’. And also in this respect, airline services are fairly comparable to the services provided for by Facebook, as airlines meet people’s needs for physical mobility with their services in today’s globally networked world, while the use of Facebook’s services enables social participation and virtual mobility in the so-connected society. Thus, Facebook’s services must also be considered as being ‘sufficiently important’ in the FRA’s view. It should be observed as well, that more than one airline service exists on the corresponding market. The criterion of market concentration seems therefore not to play a decisive role here. Overall, it can be noted that the FRA takes the same position as this thesis regarding the interpretation of the condition of freely given consent.
ibid, 58-59 87
cc) European Commission
The European Commission has, apart from minor exceptions, the exclusive right to submit proposals for EU legislation. The Union institution is also responsible to exercise this right of 88
initiative in the field of data protection. Therefore, it needs the relevant views and information on 89
the subject. For this purpose, inter alia the WP29 and the FRA advise the European Commission on this matter. Furthermore, the institution regularly conducts its own research. In preparation of the proposal for the GDPR, it requested in particular the largest survey ever conducted in respect of the behaviour and attitudes of the EU citizens regarding data protection and privacy. 90
The Special Eurobarometer 359 conducted from November to December 2010 found that ‘74% of the Europeans see disclosing personal information as an increasing part of modern life’ while ‘[t]he most important reason for disclosure is to access an online service, for both social networking and sharing site users (61%)’ and ‘[j]ust over a quarter of social network users (26%) and even fewer online shoppers (18%) feel in complete control’ over their personal data. 91
The European Commission, in 2011, was therefore aware of a social situation similar to that described above in section 2. In the Commission’s final proposal for the GDPR, the fact that ‘consent shall not provide a legal basis for the processing, where there is a significant imbalance between the position of the data subject and the controller’ was found in Article 7(4) until it was 92
finally placed in Recital (43) during the legislative procedure. This suggests that the Commission actually wanted to attribute more significance to the circumstance since the relocation from the operative part of the Regulation to the recital section constitutes a legislative downgrade, for recitals do not possess the normative status of the enacting articles. The European Parliament’s Committee 93
on the Internal Market and Consumer Protection argued that terminology such as ‘significant imbalance’ would be likely to induce legal uncertainty and that it would also be unnecessary due to
Article 294(2) Consolidated Version of the Treaty on the Functioning of the European Union [2012] OJ C 88
326/47 [hereinafter TFEU] Article 16 TFEU
89
European Commission, Special Eurobarometer 359 ‘Attitudes on Data Protection and Electronic Identity 90
in the European Union’ [2011] 1 <http://ec.europa.eu/commfrontoffice/publicopinion/index.cfm/ResultDoc/ download/DocumentKy/56044> accessed 8 January 2018
ibid, 1-2 91
European Commission, Proposal for a regulation of the European Parliament and of the Council on the 92
protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), Brussels, 25 January 2012, COM(2012) 11 final – 2012/0011 (COD) CELEX:52012PC0011
Llio Humphreys et al, ‘Mapping Recitals to Normative Provisions in EU Legislation to Assist Legal 93
sufficient equivalent safeguards in consumer protection law. Nonetheless, the downgrade does not 94
touch upon the validity of the assessment in section 2, for recitals constitute an essential component in legal interpretation regularly used by the CJEU. 95
Four years later, the Commission repeated the survey. The Special Eurobarometer 431 from 2015 found that ‘[a] large majority of people (71%) still say that providing personal information is an increasing part of modern life and accept that there is no alternative other than to provide it if they want to obtain products of services’. As well, according to the survey ‘[a] majority of people 96
are uncomfortable about Internet companies using information about their online activity to tailor advertisements’ and ‘[o]nly a minority (15%) feel they have complete control over the information they provide online’. 97
These findings confirm the social situation described above in section 2 and show that the European Commission is also well aware of its exacerbation. However, in its new proposal for a Regulation on Privacy and Electronic Communications, the institution states in Recital (18) that ‘[b]asic broadband internet access and voice communications services are to be considered as essential services for individuals to be able to communicate and participate to the benefits of the digital economy’ and ‘[c]onsent for processing data from internet or voice communication usage will not be valid if the data subject has no genuine and free choice, or is unable to refuse or withdraw consent without detriment’. 98
Although the proposal includes the extension of the Regulation’s scope to Over-the-Top communications services like WhatsApp and Facebook Messenger, it misses the circumstance 99
described above that especially for younger generations basic broadband internet access and voice
European Parliament, Report on the proposal for a regulation of the European Parliament and of the 94
Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), A7-0402/2013 [2013] 444 <www.europarl.europa.eu/document/activities/cont/201403/20140306ATT80606/20140306ATT80606 EN.pdf> accessed 8 January 2018
Llio Humphreys et al, ‘Mapping Recitals to Normative Provisions in EU Legislation to Assist Legal 95
Interpretation’ [2015] 1 <http://icr.uni.lu/leonvandertorre/papers/jurix2015.pdf> accessed 8 January 2018 European Commission, Special Eurobarometer 431 ‘Data protection’ [2015] 6 <http://ec.europa.eu/ 96
commfrontoffice/publicopinion/index.cfm/ResultDoc/download/DocumentKy/66372> accessed 8 January 2018
ibid 97
European Commission, Proposal for a regulation of the European Parliament and of the Council 98
concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications), Brussels, 10 January 2017, COM/2017/010 final – 2017/03 (COD) CELEX:52017PC0010
ibid, Recital (11) 99
communications services may not be enough for social participation. Thus, despite awareness of the issue at hand, the European Commission does not act pursuant to the conclusions advanced here.
b) CJEU Case Law
The CJEU has not decided on the present issue yet. In Schwarz, the applicant brought an action 100
before a German court to get a passport issued without his fingerprints being taken. The German 101
court referred the question to the CJEU which stated in regard to consent that ‘it is essential for citizens of the Union to own a passport in order, for example, to travel to non-member countries and that that document must contain fingerprints’ and ‘[t]herefore, citizens of the Union wishing to make such journeys are not free to object to the processing of their fingerprints. In those circumstances, persons applying for passports cannot be deemed to have consented to that processing’. 102
The situation of the case is similar to the one discussed here, but it obviously involves a different level of intensity. For Schwarz had to disclose personal data, namely his fingerprints, to be able to socially participate in a globalised world, namely travel to non-member countries, and this situation is equivalent to EU citizens disclosing personal data, namely their digital fingerprints, in order to use the services of Facebook. Also, a person does not necessarily need to travel. Possibly, he or she does it for a job, in order to visit friends or just for personal cultural enrichment. This means, that the Court recognises that social participation can be a compelling factor.
However, the CJEU assessed a different level of intensity in the case, as Schwarz had absolutely no other option to be issued a passport than to provide his fingerprints, since his Member State was the only issuer. The pressure to conform was therefore at 100% in this regard. Applied to the presently discussed issue, it would thus firstly depend on how close the amount of pressure would need to come to these 100% in order for the CJEU considering it sufficient to interpret consent as not freely given. Secondly, it would depend on whether the CJEU, along with the view advanced here, would assess the present social pressure, described above in section 2, high enough to meet this threshold.
In general, the CJEU uses a balancing model in data protection law decisions. The Court balances the fundamental rights to privacy and data protection against other rights, like the right to
See for an overview of the recent case law OLAF, ‘Summaries of EU Court Decisions Relating to Data 100
Protection 2000-2015’ [2016] <https://ec.europa.eu/anti-fraud/sites/antifraud/files/caselaw_2001_2015 _en.pdf> accessed 8 January 2018
Case C-291/12 Michael Schwarz v Stadt Bochum [2013] ECLI:EU:C:2013:670, para 2 101
ibid, para 32 102
property or freedom of expression. In particular after the Charter of Fundamental Rights of the 103 104
European Union became legally binding on the EU, the CJEU granted the rights to privacy and data protection increasingly more weight, concurrently with the growing significance of personal data flows and processing. This development is especially reflected in the Court’s landmark decisions 105
Google Spain and Schrems.
In Google Spain, the CJEU states that the objective of Directive 95/46/EC consists ‘of ensuring effective and complete protection of the fundamental rights and freedoms of natural persons, and in particular their right to privacy’. When balancing the interests of the parties, the 106
Court, assessing the interests of the data subject, emphasises that ‘the interference with those rights of the data subject is heightened on account of the important role played by the internet and search engines in modern society’. When assessing the interests of the search engine company, the 107
CJEU adds that ‘[i]n the light of the potential seriousness of that interference, it is clear that it cannot be justified by merely the economic interest which the operator of such an engine has in that processing’. 108
In Schrems, the applicant filed a complaint against Facebook with the Irish data protection authority in order to prohibit Facebook from further transmitting his personal data in the United States of America. The CJEU firstly further enhances its interpretation of the objective of 109
Directive 95/46/EC holding that ‘that directive seeks to ensure not only effective and complete protection of the fundamental rights and freedoms of natural persons, in particular the fundamental right to respect for private life with regard to the processing of personal data, but also a high level of protection of those fundamental rights and freedoms’. Secondly, the Court emphasises that in 110
view of ‘the large number of persons whose fundamental rights are liable to be infringed where
Case C-461/10 Bonnier Audio AB and Others v Perfect Communication Sweden AB [2012] ECLI:EU:C: 103
2012:219
Case C-101/01 Criminal proceedings against Bodil Lindqvist [2003] ECLI:EU:C:2003:596 104
Kristina Irion, ‘A Special Regard: The Court of Justice and the Fundamental Rights to Privacy and Data 105
Protection’ in U Faber and others (eds), Gesellschaftliche Bewegungen - Recht unter Beobachtung und in Aktion (Nomos 2016) 873-90
Case C-131/12 Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) 106
and Mario Costeja González [2014] ECLI:EU:C:2014:317, para 53 ibid, para 80
107
ibid, para 81 108
Case C-362/14 Maximillian Schrems v Data Protection Commissioner [2015] ECLI:EU:C:2015:650, para 109
2
ibid, para 39 110
personal data is transferred to a third country not ensuring an adequate level of protection, the Commission’s discretion as to the adequacy of the level of protection ensured by a third country is reduced’. 111
Overall, when balancing in the present issue, it should first be noted that the weight of the fundamental rights to privacy and data protection has generally increased in the case law of the CJEU and the GDPR ensures a high level of protection of digital privacy in the view of the Court. The CJEU can thus be expected to set a relatively low threshold for the presence of a clear imbalance between the data subject and the data controller. The same applies to the presence of social detriments of the data subject. In respect of the existence of a genuine and free choice of the data subject, the CJEU can in turn be expected to apply a stricter standard when assessing the presence of an alternative. Secondly, the Court takes into account that the interference with the right to digital privacy is heightened on account of the important role played by the internet in modern society. As seen above in section 2, this dynamic is particularly true in the present issue. The greater need for protection of the data subject in such a situation would thus be considered in its favour by the CJEU. Thirdly, the amount of data subjects liable to be infringed in their fundamental rights by the processing of their personal data is of significant importance in the balancing. In regard to the huge number of EU citizens using Facebook’s services, this circumstance adds decisive weight in favour of the protection of their rights and places particularly high demands on the interests of the company to be significant enough in order to outweigh those rights. Furthermore, mere economic interests of the data controller cannot justify the processing in this situation. Thus, when weighing Facebook’s fundamental right to conduct a business, it has to be noted that the company’s 112
business model is not even dependent on the collection of personal data. For it could still sell advertising places on its services and due to millions of possible daily viewers, namely Facebook’s enormous user base, these places would still be in high demand. The collection of personal data, which just provides for more effective and therefore more valuable targeted-advertising, merely increases the company’s profits and hence constitutes a mere economic interest without being necessary for the company in order to conduct its business. In conclusion, it is therefore likely that the CJEU would adopt the view put forward here.
ibid, para 78 111
Article 16 Charter of Fundamental Rights of the European Union 112
c) Legal Literature
In the literature, the present issue is partially appreciated in social sciences, but not legally 113
assessed. The reason may be that in the legal literature another focus on the matter is preferred. This approach provides for the same results as presented here, since consent is equally interpreted as not freely given. However, the reason for it is mainly seen in an informational power asymmetry between the data subject and the data controller. It is argued that in the recently strengthened era of big data, access to information and understanding of it more and more diverge. The access to big data sets remains only useful to the few big data barons possessing the instruments to analyse and potentially benefit from them. The normal citizen, in lack of high-tech analysing tools, is unable to grasp the meaning of its personal data when it is integrated in these enormous sets. Often, not even the big data controllers currently know what value the data they gather will hold for them in the future when their analysing software is refined enough to bring unpredicted economic benefits to light. Against this background, it is reasoned that consent cannot be freely given, simply cause one cannot consent to something that one cannot understand. 114
4. Competition Law
Considering the high market penetration of Facebook as seen above, ultimately the question arises whether the company has a dominant position on the relevant market in EU competition law terms. As soon as a company holds such a dominant position and additionally its market activities consist mostly of processing personal data, the behaviour of that company also becomes relevant for the competition authorities. These circumstances provide for an intersection between competition and data protection law. The competition authorities tackle the situation from an angle that the data protection authorities are not able to, namely within the economical context which differs from the GDPR’s more isolated and technical assessment of the concrete processing activity. Although, competition and data protection law constitute separate fields of law allowing for different legal implications, they rely on similar principles here, namely that big market power can lead to
Tuukka Lehtiniemi, Yki Kortesniemi, ‘Can the obstacles to privacy self-management be overcome? 113
Exploring the consent intermediary approach’ [2017] Big Data & Society 4-5 <https://doi.org/10.1177/20539 51717721935> accessed 8 January 2018
Alessandro Mantelero, ‘The future of consumer data protection in the E.U. Re-thinking the “notice and 114
consent” paradigm in the new era of predictive analytics’ (2014) 30 Computer Law & Security Review 643; Bert-Jaap Koops, ‘The trouble with European data protection law’ (2014) 4 International Data Privacy Law 250, 251-52
restrictions of the company’s behaviour. Hence, the present issue should finally be looked upon 115
from a competition law perspective.
Any abuse by an undertaking of a dominant position within the internal market or in a substantial part of it shall be prohibited as incompatible with the internal market in so far as it may affect trade between Member States. Regarding the wide popularity of Facebook in all EU 116
Member States, the question is in particular whether the company holds a dominant position and, provided that this is the case, abuses it. Under EU law, dominance is defined as an undertaking’s position of economic strength which allows it to prevent effective competition being sustained on a relevant market by granting it the power to act to an appreciable extent independently of its competitors, its customers and ultimately of consumers. Insofar, market shares offer a useful first 117
indication but they have to be interpreted in the light of the relevant market conditions and dynamics. Holding a dominant position then confers special responsibilities on the undertaking 118
concerned. An abuse of such a position may, in particular, consist in imposing unfair 119
conditions. 120
While a detailed assessment of Article 102 TFEU would go beyond the scope of this thesis and the presently available information may not even be sufficient to define the relevant market in that respect, the recent findings of the investigations by the German Federal Cartel Office (GFCO) on the matter might be used. The GFCO is obviously not an EU body. However, the national competition authority cooperates closely with the European Commission through the European Competition Network. This is in particular the case where an undertaking’s abuse of its dominant 121
position within the meaning of Article 102 TFEU is in question. The GFCO has initiated 122
German Federal Cartel Office, ‘Background information on the Facebook proceeding’ [2017] 2 115
<www.bundeskartellamt.de/SharedDocs/Publikation/EN/Diskussions_Hintergrundpapiere/2017/Hintergrund papier_Facebook.docx?__blob=publicationFile&v=5> accessed 8 January 2018
Article 102 TFEU 116
Case 27/76 United Brands Company and United Brands Continentaal v Commission [1978] ECLI:EU:C: 117
1978:22, para 65
European Commission, Guidance on the Commission’s enforcement priorities in applying Article 82 of 118
the EC Treaty to abusive exclusionary conduct by dominant undertakings [2009] OJ C 45/7, point 13 ibid, point 9
119
Article 102(a) TFEU 120
Council Regulation (EC) No 1/2003 of 16 December 2002 on the implementation of the rules on 121
competition laid down in Articles 81 and 82 of the Treaty [2002] OJ L 1/1, Recital (15) ibid, Recital (16); note in this regard that Article 102 TFEU was then Article 82 EC Treaty 122
