On February 7, 2019, the German antitrust agency, the Federal Cartel Office (“FCO”), imposed limitations on Facebook’s current practice of collecting and processing user data and prohibited using the related terms of service. After an almost three-year-long investigation, the FCO found that some of Facebook’s business practices amounted to an abuse of a dominant position. For the first time, the FCO also based its abuse-of-dominance analysis on whether the dominant company complied with the GDPR – throwing compliance with the GDPR into its competition law assessment.
Under Facebook’s current terms of service, users can only join the social network if they also agree to Facebook’s collection of user data obtained from sources other than Facebook’s core platform and to the combination of that data with the users’ existing Facebook profiles. These other data sources include not only Facebook-owned platforms like WhatsApp and Instagram, but also third-party websites and apps with embedded Facebook interfaces, such as “like” or “share” buttons, “Facebook logins”, or “Facebook Analytics”. These websites and apps may share user data with Facebook even when a user does not actively click on those buttons or has disabled the browser’s or mobile device’s tracking features.
The FCO found that Facebook had a share of more than 90 percent in the German market for social networks, providing Facebook with access to large amounts of competitively relevant data. Therefore, and in light of strong network effects and high barriers to entry for competitors, the FCO considered Facebook to have a dominant position. The FCO also found that requesting a user’s consent for far-reaching data collection and processing in exchange for access to Facebook’s social network was abusive and harmed users, who lost control over what personal data was collected from which sources for which purpose.
While this may be indicative of a trend, what is novel is the FCO’s inclusion of data protection law compliance in its analysis. According to the FCO, Facebook’s data collection/processing practices violate the GDPR: the FCO concluded that there was a lack of comparable alternative social networks, so that users desiring to join a social network had to either agree to the data collection/processing practice or refrain from using Facebook entirely. In this situation, the user’s consent could not be viewed as freely-given, a requirement for its validity under the GDPR. The FCO further found that the amount of data Facebook collected from the multitude of sources and combined into user profiles is not necessary for the performance of any contractual obligation to the user, nor do Facebook’s legitimate interests outweigh the user’s interests in protecting his or her data.
Facebook now has 12 months to discontinue its conduct and four months to develop remedies in line with what the FCO’s decision outlines: going forward, Facebook may continue to collect user data from its own services (including WhatsApp and Instagram), but may only combine data from its different platforms if a user has provided their freely-given consent. In relation to data stemming from third-party websites, freely-given user consent must not only cover the data processing, but also its collection. In line with rulings of data protection authorities, the FCO defines freely-given consent as implying that a user’s Facebook membership cannot be dependent on consenting to Facebook’s current personal data collection and processing practices. The FCO ordered Facebook to adjust its terms of service to limit the scope of user data it can legally collect from third-party websites accordingly. As per the FCO’s suggestions, such adjustments could, for example, include restrictions on the amount of data collected, the purpose for which it can be used, giving users additional control options, or limitations on how long data will be stored for. Adjustments will be subject to the FCO’s review.
 Already back in 2014, then-European Data Protection Supervisor Peter Hustinx advocated that data protection considerations should play a more important role in the assessment of whether a company was dominant or engaged in anti-competitive conduct and pointed to the fact that consumers may be harmed if their freedom of choice and control over their personal information was restricted by a dominant undertaking. See Preliminary Opinion of the European Data Protection Supervisor, “Privacy and competitiveness in the age of big data: The interplay between data protection, competition law and consumer protection in the Digital Economy”, March 2014, paras. 61, 70, available online.
 In addition, the FCO found that these practices help Facebook improve its services, leading to ever increasing network and lock-in effects to the detriment of competitors. In the FCO’s view, refining user profiles also allows Facebook to improve its targeted advertising offerings, thereby becoming indispensable for advertisers and gaining a dominant position in the field of online advertisement.
 The US FTC also seems to take greater notice of data profiles in the data collection of technology platforms. See Prepared Remarks of Federal Trade Commissioner Rohit Chopra at the Silicon Flatirons Conference in Boulder, Colorado, February 10, 2019, available online.
 The FCO requested that these remedies apply to private users based in Germany.
 For instance, the French data protection authority found, in a formal notice served to WhatsApp in December 2017, that data transfer from WhatsApp to Facebook had no legal basis, in part because user consent was not freely-given as “the only way to refuse the data transfer for ‘business intelligence’ purpose is to uninstall the application.” See CNIL, “Data transfer from WHATSAPP to FACEBOOK: CNIL publicly serves formal notice for lack of legal basis”, December 18, 2017, available online.
 In general, the FCO may impose fines of up to 10% of a company’s annual turnover to sanction anti-competitive conduct. To enforce its decision, the FCO may impose a penalty of up to EUR 10 million on Facebook.