With this week’s announcement, it’s official: Facebook will automatically correlate and merge the personal data of users across its platforms. The announcement is not a surprise, but it will find resistance from both regulators and users — and rightly so. The announcement means that data sharing across the different platforms Facebook owns becomes a core part of the business. With this move, Zuckerberg is officially making cross-platform data sharing a legitimate interest of his business. It sounds like a change in the small print. But it is not. In practice, it means the user’s consent is no longer required each time the sharing happens, there’s no more opportunity for users to opt out, no more opportunity to be forgotten, and no more opportunity to remain in control over the data. From a user’s privacy perspective, this is a big loss, translating to less transparency, less choice, and less control.
For regulators — both data protection and competition authorities — it will pose many questions. Here is why: Back in May 2018, the EU’s Competition Commission fined Facebook for providing misleading information to the authorities when it took over WhatsApp in 2014. The core of the issues stemmed from the fact that Facebook officially denied that it would engage in activities aimed at linking WhatsApp communication data to Facebook identities, but soon after the acquisition, it did just that. Less than a month ago, the German competition authority found that Facebook’s practices of merging data from different sources — including its communication apps and other third parties — are against the rules. As part of that investigation, the authority also found that, through personal data collection and processing practices that undermine privacy rules, Facebook has established a position of dominance in the market, and it keeps exploiting it through the same unfair practices. As a result, consumers are worse off, with fewer options, higher prices (and this is not just a price tag!), and less convenient conditions available to them.
On the one hand, the new “privacy-focused vision” paradoxically suggests that Facebook is willing to engage further in these practices, forcing even stronger collaboration between data protection and competition authorities. And this is game-changing: With the GDPR, data protection authorities can impose high fines. But the power of antitrust remedies is much heavier and can really change the face of the market as we know it. On the other hand, it also suggests that Facebook is certainly going to fight back.
Concerns about Facebook privacy practices have been loud and persistent, but recently Facebook has finally acknowledged its issues and has started to make changes. It has grown its privacy team significantly, which is a step in the right direction, but the time has come for it to make much-needed improvements to its privacy governance. Facebook’s repeated promises and public commitment to improve its privacy practices and the continuous attention from regulators will hopefully inject some privacy wisdom as the teams put their heads down on attempting to implement their new vision.