zimhacks: Link Facebook and Whatsapp

Optimised just now

https://www.twobirds.com/en/news/articles/2017/global/automatic-linking-of-facebook-and-whatsapp-accounts

View original

Site Navigation

Main Content

Automatic linking of Facebook and WhatsApp accounts: how did this become a competition law question?

By Efstathia Pantopoulou

05-2017

Tweet this

Share on LinkedIn

Bird & Bird | News Centre | Automatic linking of Facebook and WhatsApp accounts: how did this become a competition law question?

WhatsApp's decision of August 2016 to change its privacy policy and to link data from its accounts with data from Facebook accounts has taken a new – and unexpected – turn. It led the European Commission (DG COMP) to conclude that Facebook had provided it with "misleading information" during its review of the WhatsApp acquisition in 2014. On 18 May 2017, the Commission sanctioned this with a EUR 110 million fine on Facebook under the EU Merger Control Regulation (EUMR). In setting the level of the fine the Commission took into account the company’s cooperation during the inquiry. In light of the EU General Data Protection Regulation (GDPR) entering into force as from May 2018 (with fining powers influenced by competition law), this is also an example for companies handling personal data in the EU of the scale of potential fines under the GDPR. Facebook pointed out it has consistently acted in good faith in its interactions with the Commission and the errors were not intentional. The Commission has confirmed the decision to allow the Facebook-WhatsApp merger is unaffected.

When Facebook acquired WhatsApp in February 2014 for more than USD 19 billion, the transaction faced concerns from various regulators, mainly privacy authorities. At the time it appears that Facebook and WhatsApp had told users and authorities that they would not link user data associated with their respective accounts – unless with users' prior opt-in consent.

However, in August 2016, WhatsApp announced a change of its privacy policy. It would link its WhatsApp user data to Facebook profiles for targeted advertising and other purposes. This process would be automatic unless users opt-out within 30 days.

The Commission took the view that this meant the information provided during the merger control review of the acquisition of WhatsApp in 2014 was "misleading" and so has fined Facebook EUR 110 million. In setting the level of the fine the Commission took into account the company's cooperation in the inquiry.

2014 clearance decision

Given WhatsApp's limited turnover, the Commission did not originally have jurisdiction to review Facebook's takeover of WhatsApp. Because the merger would have been reviewed by the national competition authorities of three EU Member States, Facebook chose to refer the case to the Commission for a single review. The Commission ultimately concluded that the transaction would not give rise to serious competition concerns, and it issued a clearance decision on 3 October 2014 (Case COMP/M.7217).

Among the different elements that the Commission analysed, it examined whether the combination of the two networks would increase Facebook's competitive advantage through the so-called "network effects" (the bigger a network, the more valuable).

The Commission dismissed these concerns. It held that, due to certain market characteristics (e.g. the sector is fast-moving, consumers tend to use several apps simultaneously, the parties do not control essential parts of the networks or any mobile operating system), network effects would not increase the merged entity's power on the market for consumer communication services.

This would have been sufficient to dismiss the concerns on network effects. However, the Commission went one step further by adding another argument "for the sake of completeness" (para. 136 of the Commission decision). It held that the transaction would not significantly strengthen the network effects. Based on information provided by Facebook (and against claims from third parties), the Commission concluded that this would not happen because the transaction would give rise to limited integration. The Commission relied on Facebook's information that integration between both networks would face significant technical difficulties. Facebook had said that matching WhatsApp users' profile with their Facebook profile would be complicated because they used separate unique user identifiers (Facebook ID and mobile phone number respectively). The Commission stated that "Facebook would be unable to automatically and reliably associate a Facebook ID with a valid phone number used by a user on WhatsApp" (para. 138 of the Commission decision) (emphasis added).

2017 Commission decision

In August 2016, Facebook began to integrate both networks. It decided to do so with an opt-out system. This was only possible if Facebook was able to automatically and reliably link both profiles.

The Commission examined whether the possibility to automatically link the profiles already existed in 2014. It took the view that the possibility existed at the time of the notification and that Facebook staff were aware of such possibility. The Commission therefore adopted its decision finding that the information provided was "misleading", and it imposed a EUR 110 million fine (COMP/M.8228).

Commission's power to impose fines for misleading information and to reassess a cleared transaction

Article 14 EUMR gives the Commission extensive fining powers in merger control. In particular, the Commission can impose fines of up to 1% of the total group worldwide turnover when the party provides "intentionally or negligently…incorrect or misleading information".

In addition, Article 6(3) EUMR also provides that "[t]he Commission may revoke the decision it took… where the decision is based on incorrect information for which one of the undertakings is responsible or where it has been obtained by deceit". The Commission may therefore reassess a transaction even (two or more years) after a clearance decision and has done so in the past. However, because it relied on the "misleading" information only in an "even if" argument, it concluded that its assessment of Facebook's takeover would not have changed and so did not revoke the clearance decision.

On the setting of the fines, the EUMR provides that the Commission must take into account the "nature, gravity and duration of the infringement", and that the fine cannot exceed 1% of turnover achieved the group in the previous financial year (which was of almost USD 28 billion for Facebook in 2016). In its press release, the Commission explained that it took into account mitigating factors to reduce the fine, in particular Facebook's cooperation in the proceedings (i.e., Facebook decided not to contest that there had been an infringement and waived all its procedural rights, such as the right to have access to the file and the right to an oral hearing). The Commission said that, given the facts of the case, a EUR 110 million fine was both proportionate and deterrent.

In fact, this is the first time that the Commission has imposed such fines under the EUMR. The Commission has previously imposed such fines in five cases between 1999 and 2004 and under the previous merger control regulation. Because such fines were capped at EUR 50,000 per infringement, the highest fine ever imposed was EUR 100,000 (for which the Commission took into account that misleading information was provided twice). This is the Commission's common practice as it may consider the provision of incorrect or misleading information in the notification form and in a response to a request for information as two separate infringements. In addition, the Commission has imposed fines in separate decisions, and it has also revoked a clearance decision (and issued subsequently a new clearance decision).

With the Facebook decision, the Commission seems to have started a new cycle of cases sanctioning the provision of information which it subsequently considers "incorrect or misleading". The Commission explained that, given the tight deadlines that apply in merger control review, it does not have the time to conduct a thorough investigation. It must be able to rely on the information provided by the parties. The Commission appears ready to open more investigations if this is necessary to ensure that it receives accurate information. In fact, similar investigations have been reported to be pending for alleged provision of inaccurate information to the Commission.

These cases raise a number of questions for clarification, including the following:

Whether it could make sense for companies to spontaneously contact the Commission if they become aware they risk being considered to have provided, intentionally or negligently, misleading information in the context of a merger control review;

Whether the Commission will accept complaints from third parties to reopen merger clearance decisions which have relied upon information deemed to be misleading or incorrect – especially when such third parties consider they provided accurate information during the first market investigation. In the Facebook case, the Commission seems to have relied on public sources to reopen the case. However, several of the cases dating back to 1999-2004 started with doubts that the Commission had during its merger control review or with complaints from third parties, which indicates that the Commission may also accept – and maybe encourage – complaints in the future;

Whether the Commission will also extend this scrutiny to the information provided by third parties. In principle, the EUMR does not allow the Commission to fine third parties which provided incorrect or misleading information on their own initiative. However, the Commission has the power to impose fines to addressees of requests for information for supplying incomplete or misleading information, and it has imposed such fines to third parties that failed to assist the Commission in its merger review tasks.

Conclusion

The Facebook decision is a clear reminder of the Commission's ability to levy fines under the EUMR in such cases. It also gives companies handling personal data in the EU an example of the scale of potential fines available under the GDPR. Whereas the fines imposed by data protection authorities have been quite limited so far – in comparison with competition law fines – this will significantly change on 25 May 2018, when the GDPR enters into force. The GDPR will give data protection authorities fining powers that are largely influenced by EU competition law. In particular, it will provide them with the ability to impose fines capped at 2% or 4% of the total group worldwide turnover.

Authors

Efstathia Pantopoulou

Associate
Belgium

Call me on: +32 (0)2 282 6000

vCard

Location

WANT TO FIND MORE NEWS ARTICLES?

You can search by keyword, sector or practice area and then optionally filter by a location

SectorAerospace, Defence & Security Unmanned Aircraft SystemsAutomotiveAviation Aircraft FinanceEnergy & Utilities Energy Digitalisation Mining and Minerals Energy Network and Transmission Nuclear Oil & GasFinancial ServicesRetail and Consumer Luxury, Fashion and Retail Food & Beverage Regulatory Food & Beverage Regulatory Digest Hotels & Leisure Food & Beverage WellnessLife Sciences and Healthcare Life Sciences HealthcareTechnology & Communications Communications Devices and Components Digital Technology Solutions, Internet Services and eCommerce Software and Services Data Centres Postal Satellite and Space activitiesMedia, Entertainment and Sport Broadcasting Gambling Games Marketing Music Social Sport

Practice AreaBanking & FinanceProduct compliance and liabilityPublic AffairsTransformational Projects How transformational is your project? Understanding your challengesCommercialCorporate Mergers & AcquisitionsRestructuring and InsolvencyDispute Resolution Commercial Disputes International ArbitrationCompetition & EU LawFranchising International EducationIntellectual Property Brands Copyright & related rights Patents Product design Transactional IPInternational HR Services Employment Employee Incentives and Benefits Business ImmigrationOutsourcingPrivacy and Data Protection Data breach and Security Incidents E-Privacy Directive GDPR EU-US Privacy ShieldPublic Projects and ProcurementReal Estate Construction and engineeringRegulatory and AdministrativeTax Business Tax Advisory Services and Transfer Pricing Indirect Tax Personal Tax Tax DisputesTrade and Customs Customs EU Trade Defence Export Controls, Sanctions and Embargoes Trade Regulatory

In FocusThe Internet of Things5GAustralia's Notifiable Data Breach SchemeAutonomous DrivingBrexit EU Legislation Tracker Glossary of terms used in relation to BrexitCloud ComputingCompliance & InvestigationsCybersecurityElectronics Patent LitigationEsportsFinTechGeneral Data Protection RegulationGeo-BlockingGuide to IP rights in the UKIn focusMedical DevicesMobile HealthNavigating Hong Kong's Competition LawReports of Trade Mark Cases for CIPA JournalShale GasThe EU Trade Mark Reform - The biggest change to trade mark law for 20 yearsTrade SecretsThe Unitary Patent and the Unified Patent CourtUnmanned Aerial Systems

LocationAustraliaBelgiumCentral and Eastern EuropeChinaCzech Republic & SlovakiaDenmarkFinlandFranceGermanyHungaryIndiaIsraelItalyJapanLatin AmericaLuxembourgMiddle EastNetherlandsNordic RegionNorth AmericaPolandRussia and the CISSingaporeSoutheast Europe and TurkeySpainSwedenSwitzerland and AustriaUKUnited Arab EmiratesUnited StatesWestern Europe

Looking for news over 5 years old?

LATEST TWEETS @twobirds

Today we boost our Energy & Utilities sector group with the appointment of Conrad Purcell as partner in London…https://t.co/7iCnkJoDfn

19 hours ago 07/11/2018

Sensitive personal data in HR functions: climbing the ladder of legal bases - Sam Rayner explores further in an art… https://t.co/zR6274UZSG

1 days ago 06/11/2018

Careers

Business Services

Experienced Lawyers

Graduates

Community

Bird & Bird in the Community