The ghost of GDPR caught up with Google last month through a 50m Euro fine from CNIL in France, which it is appealing against -- and today we have news that Germany's competition watchdog the FCO has rapped Facebook over the knuckles for its use of customer data across platforms.
Now, the first point to note is that this is Germany's competition watchdog, not its data privacy body.
The point the German authorities are making is that Facebook has used its scale -- its phenomenal reach -- to abuse an individual's right to have control over their personal information. That is the first defence Facebook and its supporters make.
A competition watchdog should have no place making decisions about data use. The German authorities beg to differ.
So what has Facebook done? Well, those with a good memory will recall that Facebook has already been fined 110m Euros for misleading the EU when it said it would not link together Facebook and Whatsapp accounts. As soon as it was given the green light to merge the two, that is exactly what it did. Hence the fine.
Then, just a couple of weeks ago, Facebook announced that it wanted to combine data from both services as well as Instagram and Messenger to form one massive pool of customer information.
Germany is essentially calling Facebook out on this, as well as its habit of collecting data from third-party sites. The issue the FCO raises is one we have all kind of been wondering about since GDPR, if we are being honest.
Remember the tick box "I agree" exercise to keep on receiving pictures of our friends' cats and boastful pictures of their kids' exam results? Well, it didn't really offer any choice, did it? It was a kind of take it or leave it, wasn't it?
And was there any mention of sharing data between Facebook, Instagram, Messenger and WhatsApp? I don't recall it? Was it hidden away somewhere in a lengthy privacy notice no mere mortal can be bothered to read because it's in legal jargon? Possibly.
However, if Facebook, WhatsApp, Messenger and Instagram users were to ask themselves if they remember giving a free choice to explicitly consent to the share of that data, as required by GDPR, I doubt if many would agree that's what they were given.
Unfortunately for Facebook, that is the letter of the GDPR, and I predicted the moment it became law the tech giants would be taken to task over, what some call, "forced" consents.
You can read what the Bunderskartellamt (Federal Cartel Organisation, FCO) had to say here. This is the important quote, however.
"Facebook-owned services like WhatsApp and Instagram can continue to collect data. However, assigning the data to Facebook user accounts will only be possible subject to the users’ voluntary consent. Where consent is not given, the data must remain with the respective service and cannot be processed in combination with Facebook data."
It's pretty clear cut, isn't it -- if people give their permission, then all is fine. If they don't, Facebook has to stop collating the data.
Facebook may believe it is being harshly treated by the wrong organisation, a competition watchdog rather than a data organisation.
However, anyone with a very basic understanding of GDPR will know the FCO has a very good point. If Facebook cannot demonstrate freely given, informed consent for each use of a consumer's data, it simply has to stop the practice until it gets that consent. It really is as simple as that.