The German Antitrust Authority's Interpretation of GDPR Consent - Facebook Decision
The German Bundeskartellamt (Federal Antitrust Authority) has published and translated “background information” on its Facebook decision (Bundeskartellamt, "Bundeskartellamt prohibits Facebook from combining user data from different sources", PR of 7 February 2019). The “background information” reveals that the decision is based on a rather eclectic interpretation of the GDPR. The fact that a federal authority not responsible for data protection goes out on a limb with its own version of GDPR interpretation is not welcomed by everybody in Germany.
Bundeskartellamt's Approach
Germany faces a particularly difficult administrative challenge in implementing the GDPR: whereas other EU Member States have only a single national Data Protection Authority (DPA), Germany maintains 18 different national DPAs: 17 at state level (2 in Bavaria) plus 1 at federal level. In this concert of 18 DPAs, interpreting GDPR and developing practical Guidelines with one voice creates quite a challenge. Although these 18 DPAs are progressing in their harmonisation of GDPR interpretation, their efforts are now bypassed by the Bundeskartellamt offering its own unique understanding of "consent":
According to the Bundeskartellamt, Facebook is allowed to operate its present services in their current shape only if its users have given their "free consent" to Facebook's data processing.
Factual Background
The Bundeskartellamt's Facebook decision focusses on Facebook's practice of combining Facebook data with data collected through other services and apps like Instagram, WhatsApp or Facebook’s “like button”. According to Facebook’s privacy policy, the combination of such data is necessary for enabling Facebook to offer its services in their current shape. As legal basis for this practice, Facebook could rely on necessary contract performance (Art. 6 (1) lit. b GDPR) as well as on legitimate interests (Art. 6 (1) lit. f GDPR). Since GDPR became applicable, Facebook has ceased requesting consent (Art. 6 (1) lit. a GDPR).
Concept of Freely Given Consent in Practice
Many data protection experts tend to advise enterprises not to rely on "consent" as legal basis for their processing of personal data because GDPR's conditions for a valid "consent" are often hard to meet and sometimes impossible to realise. According to Recital 43 of the GDPR, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a "clear imbalance" between the data subject and the controller. Moreover, it is highly disputed whether Recital 43 suggests that consent is not “freely given” and valid when the contract performance is conditional on consent to the processing of data that is not necessary for the performance of that contract (Art. 7 (4) GDPR).
Preferred Legal Basis for Processing of "Unnecessary" Data
If Art. 7 (4) GDPR is to be interpreted strictly, consent will always be invalid when it extends to data “unnecessary” for the contract performance. However, the GDPR does not limit a controller to "consent" as legal ground for processing data not “necessary” for the performance of the contract. Consequently, many data protection experts recommend in such scenarios not to rely on "consent" as legal ground in an effort to minimise legal risk. There are also DPAs sharing this view. The UK's Information Commissioner's Office (ICO) explicitly recommends using "consent" only when there is “no other lawful basis” for data processing (ICO, “When is consent appropriate?”).
The Big Surprise
Against the backdrop of this serious debate about the concept of "consent" within the data protection community, the Bundeskartellamt in its capacity as Federal Antitrust Authority in Germany has disregarded GDPR's notion of contract performance conditional on consent to processing of "unnecessary" data and taken the view that Facebook may only combine data collected for its services such as WhatsApp or Instagram and assign them to a Facebook user account
"if users give their voluntary consent to this practice" (Bundeskartellamt, "Bundeskartellamt prohibits Facebook from combining user data from different sources", PR of 7 February 2019, page 1 last paragraph).
In Short
The Bundeskartellamt has introduced a most peculiar interpretation of GDPR's requirements, which many German data protection experts will not find convincing.