The turn of the New Year marks the end of a tumultuous year for Facebook who, once again, found itself on the receiving end of public backlash.
Facebook鈥檚 Data Use Headaches
In September, Frances Haugen, former Facebook product manager turned whistleblower, leaked internal documents demonstrating Facebook鈥檚 acknowledgement and apparent disregard of the platform鈥檚 harmful impacts on society. The so-called underline the lack of transparency surrounding the internal workings of a company that is increasingly seen to prioritize profit over the wellbeing of its consumers. As this story unfolded, rumors regarding plans to change the company鈥檚 name, a rebranding surely aimed at distancing itself from a long list of controversies, became reality. Welcome, . Interesting here is the timing, as this for the Facebook Group might or might not successfully divert public attention away from longer standing critiques of the company鈥檚 management of privacy and user data.
As a company with close to 3 billion monthly users, Facebook鈥檚 efforts to protect its public image are unsurprising. Its underlying is based on its ability to compile highly sophisticated data from its users, effectively turning user traffic into profit. Public outrage over Facebook鈥檚 more dubious practices would surely limit its consumer base and ability to profit off its most valuable asset: big data. Facebook鈥檚 main source of revenue is derived from targeted advertisements, using data points gathered from its users to sell targeted advertisement (鈥渁d鈥) space to third parties. In principle, this is not illegal. However, that is not to say Facebook鈥檚 use of data is always legitimate. There is a general lack of information surrounding Facebook鈥檚 data practices. Media attention has largely focused on privacy breaches; however, the lack of transparency may also impact market competition. Namely, by imposing conditions on access to other businesses and exploiting user preferences to obtain information that constitutes a competitive advantage on competitors, as , most recently appointed to chair the Federal Trade Commission (FTC), has consistently .
Facebook has repeatedly come under fire for mishandling consumer data. This was the case in the aftermath of the , in which Facebook was heavily faulted for its lack of privacy protections after improperly providing consumer data to third-party developers. At the time of the confidentiality breach, Facebook chose not to disclose it to the public, as it had done in previous instances. The risk posed to consumer privacy has steadily increased with Facebook鈥檚 growing ability to gather sophisticated data from its users. Through its dominance, Facebook has extended its services across , effectively acting as to millions of third-party developers and advertisers. With its complex network of algorithms and data flows, it connects users and service providers to its platforms within an intricate and opaque infrastructure.
The company鈥檚 management of user data constitutes one of the most widely discussed issues in relation to Facebook鈥檚 and other social media platforms鈥 seemingly unlimited ability to collect, store, process and share . With each corporate acquisition and the related expansion of social media platforms鈥 user bases the problem only continues to exacerbate. As Facebook continues to add to its platform and increases its number of users, other third-party advertisers become increasingly reliant on Facebook鈥檚 digital infrastructure to reach their target consumers. Facebook can then gather data from both sides of the customer-supplier relationship to obtain valuable insight into their respective behaviors. In the past, this has likely enabled Facebook to discern successful avenues for diversification into online commerce, dating and gaming. In turn, its data integration capacities may enable Facebook to obtain an undue advantage over its 鈥榥ew鈥 competitors. Regulatory failure to address these big data-based harms is partly attributed to the secrecy surrounding corporate data practices. Internet platform companies鈥 maintain whose complexities remain far removed from the public eye, thus remaining unexplainable and seemingly unchallengeable by regulators.
听
Facebook鈥檚 Acquisitions: Buy or Bury
Its most prominent acquisitions are Instagram and WhatsApp, bought in 2012 and 2014 respectively, but the company has also acquired a long list of smaller technology start-ups. Often these companies pose a competitive threat to Facebook, which the company might respond to by what is often referred to as a 鈥淏uy or Bury鈥 strategy. This means Facebook either systematically purchases competitors that threaten its dominance, or 鈥 a practice that insulates Facebook from competition. Some expect that an on-going FTC , initially launched in December 2020 and amended in August 2021, can bring more clarity to whether, and if so, how exactly the company has been resorting to 鈥楤uy or Bury鈥 schemes. What the FTC risks underestimating, however, is the level of data integration Facebook has been able to achieve through these acquisitions, namely due to the lack of transparency surrounding Facebook鈥檚 data practices. The still unfolding may offer additional insights.
Seeking to shed light on Facebook鈥檚 algorithms, the European Commission (EC) and the United Kingdoms鈥 Competition and Markets Authority (CMA) have opened concurrent antitrust investigations into Facebook 鈥淢arketplace鈥, an online trading platform which is part of Facebook with 1 Billion monthly users and, in April 2021, featured more than 250 million shops. Regulators from the European Union (EU) and the UK will look at whether Facebook uses data collected from competitors advertising their services on the platform. In its , the EC raises the possibility that Facebook obtains precise information on users鈥 preferences from its competitors鈥 advertisement activities and then applies said data to adapt Facebook Marketplace. If proven true, this would constitute that Facebook will have breached EU rules on anticompetitive agreements between companies and rules that prohibit the abuse of a dominant position (Article 101 & 102 of the Treaty on the Functioning of the European Union, respectively).
Facing (鈥榓lleged鈥) anti-competitive behavior, competing firms are less likely to succeed and forced to exit the market. As a result, both consumer choice and innovation are reduced. High network effects attached to the Facebook platform further limits competition. Network effects arise when the utility derived from a product or service grows with the . For example, if Facebook is the preferred means of connecting with friends and family, the cost of switching away from the platform increases. Therefore, exponential user growth cements Facebook鈥檚 competitive advantage, further limiting competitors from entering the market. Unhampered by market competition, Facebook can suppress product quality improvements and subject users to lower levels of privacy and data protections 鈥 ultimately producing the ideal parameters which reinforce its existing business model.
Thus far, it seems that the competitive advantage Facebook possesses over its competitors largely resists regulatory intervention. This might be mainly due to . As the by Judge James E. Boasberg of the U.S. District Court for the District of Columbia of 28 June 2021 reminded everyone, the finding of anticompetitive behavior is disproportionately based on purely economic factors such as price increases and output restrictions. Non-price effects are less likely to prompt regulatory action, such as impacts on innovation and privacy protection. Furthermore, these fixations on consumer welfare fail to capture the ability of dominant platforms to leverage their position against competitors, making it almost impossible to bring antitrust actions that are comparable to the EU鈥檚. In the same regard, U.S. privacy regimes fail to address the privacy violations caused by Facebook鈥檚 data use. These regulatory gaps contribute to the overall lack of transparency surrounding the Tech Giant鈥檚 data practices. In order to properly address these issues, regulators in the U.S. need to establish mechanisms that will constrain Facebook鈥檚 ability to utilize data unrestrictedly. Certain public officials have already taken a stand. Tim Wu, Special Assistant to President Biden for Technology and Competition Policy, has openly stated his intention to reform the tech sector, mainly by breaking up industry leaders like Facebook. Lina Khan is also a vocal critic of Big Tech鈥檚 anti-competitive tendencies. Her appointment as FTC chairperson marks a new era for antitrust law in the U.S. Under her guidance, the FTC amended its complaint against Facebook and is currently investigating Amazon. Amazon is .
听
Antitrust Law must be adapted to the economic particularities of social platforms
The FTC鈥檚 current lawsuit against Facebook will be a strong indicator of this supposed new chapter for antitrust enforcement. If Facebook is proven to be a monopoly, its ability to acquire data and cross-leverage it against competitors will be reviewed and limited. Furthermore, a pro-antitrust decision may force the company to sever ownership over its subsidiaries, substantially reigning in its data integration capabilities and sending a strong message to other online platform companies. However, adequate regulatory oversight over anti-competitive behavior, stemming from data misuse, will almost surely require significant antitrust reform. This would require moving away from the consumer welfare standard, which characterizes . By narrowly focusing on price and output metrics this standard is incapable of appreciating the source of internet platform鈥檚 anticompetitive power 鈥 rampant data exploitation & anticompetitive conflicts of interests, facilitated by the distribution of free products and services.
Furthermore, in order to properly address data misuses within the tech industry, the U.S. must enact a comprehensive Federal Privacy Law, imposing consumer control and transparency mechanisms on data use. Congress has failed to enact federal privacy legislation due to . Though a Reuter鈥檚 recent report, exposing how Amazon has 鈥 by successfully lobbying against privacy legislation, provides additional clarity on the current status quo.
The hope, if not expectation, is that more stringent privacy standards could help curb Facebook鈥檚 (and other industry leaders鈥) ability to peer into our daily lives and thereby limit these actors鈥 opportunities to engage in largely uncontrolled data accumulation. Looking to privacy laws in other jurisdictions, the U.S. might find inspiration in reviewing its own groundwork for legislative reform. For example, the EU鈥檚 (GDPR), introduced already in 2018, sets the standard for data protection and imposes a privacy by design standard on corporations, as well as robust consent and transparency mechanisms constraining corporate data use. Nevertheless, the GDPR has been criticized in the past for its 鈥榦ne stop shop鈥 provision, effectively providing jurisdiction over corporate compliance to Member states based on a company鈥檚 primary establishment. This has caused inconsistent enforcement across the EU, partly due to poor regulatory funding and limited staff resources. In limited occasions, the GDPR has enabled regulators to take against Big Tech through the imposition of substantial fines. However, these instances are sparse, with fines remaining relatively small compared to available penalties under the Act. Furthermore, compared to a transgressor鈥檚 revenue streams these fines might seem inconsequential and therefore unfit to provide an ultimately effective incentive to comply with GDPR obligations. But, fines have been on the rise as a from the first quarter of 2021 shows. Compliance will depend on the extent of pain felt by these fines. Low fines might be driven by a to seek harsher penalties for corporate non-compliance. Ireland, for example, even long after it became a Celtic Tiger in the mid-1990s, still offers a tax-haven economy for many of the big players in the tech industry (including Facebook, Microsoft, Dell, IBM, SAP or Twitter and Paypal). For fear of alienating foreign corporations, the Irish Data Protection Commission (DPC) may be less inclined to sanction corporate misconduct with larger fines. This would explain why the agency has developed a reputation for being that violate their GDPR obligations.
听
Meanwhile, dans la Belle Province鈥
As a forerunner in Canada, Qu茅bec鈥檚 recently adopted is modelled after the EU鈥檚 GDPR and enables provincial regulators to sanction any non-compliant companies that carry on a business in the province. Therefore, the Act not only applies to organizations based in the province, but also to all organizations collecting information in Qu茅bec, whether or not they are established there. Depending on whether regulators are endowed with the necessary funding and resources, this may better ensure consistent privacy protection by restricting the number of regulatory participants and limiting the parallel considerations of decision-makers that are incompatible with enforcement initiatives. In contrast to the EU鈥檚 governance and enforcement challenges across a multi-member constituency of sovereign states, Qu茅bec appears to have provided itself with jurisdiction over all causes of action under the act, thereby ensuring uniform enforcement, and the ability to resolve the issues that currently undermine the GDPR.
The Bill amends Qu茅bec鈥檚 Act respecting the protection of personal information in the private sector. In the past, the EC found that Qu茅bec failed to provide adequate privacy protection for cross-border data transfers. Bill 64 aligns Qu茅bec鈥檚 privacy regime with international privacy protection standards and is expected to 鈥.鈥 Most of its measures take effect in 2023 and are backed by rigid enforcement measures which come into force in 2024.
Importantly, the Act provides higher levels of transparency regarding the use of consumers鈥 personal information. Corporations are prescribed a number of obligations, including providing (i) the purposes for which personal information is collected, (ii) the means by which the information is collected, (iii) rights of access and rectification, (iv) the person鈥檚 right to withdraw consent to the communication or use of the information, (v) whether there is the possibility that the information may be communicated outside Qu茅bec, and (vi) the name of the person(s) for whom the information is being collected if it is being collected for a third person (section 8, , of the Act). These obligations constitute onerous burdens for corporations, particularly for a company like Facebook whose commercial enterprise is driven by the collection of personal data points and does not necessarily know the identities of third parties to whom it will inevitably communicate personal information to. The Act also provides increased consumer control over their data, incorporating meaningful consent mechanisms and the obligation to inform consumers of the purposes and means of data collection. In practice, this may limit the exploitation of sophisticated data accumulation.
Recognizing that the Act for privacy in Canada, Ontario鈥檚 white paper on modernizing privacy in the province cites Bill 64 in support of similar privacy protections. It is likely that other provinces will follow suit as they look to update their own private sector privacy legislation. In comparison, privacy in the U.S. can be considered deregulated territory. No comprehensive federal legislation addressing consumer data privacy protection exists. Instead, it relies on a patchwork of state level statutes. This has created substantial regulatory gaps, prompting that better reflects international privacy standards. Looking to Qu茅bec鈥檚 Bill 64, the U.S can take the necessary legislative steps to shine a light into the Blackbox that is Big Tech, ensuring consumers have enforceable privacy rights and control over their data.
听
Platform power is here to stay
Ultimately, the business model of a platform such as Meta aka Facebook rests on its ability to largely operate in mysterious, difficult to decipher ways as it continues to gather and use data from the public but removed from the public eye. Addressing regulatory gaps is becoming increasingly indispensable as Meta gains novel opportunities for data collection through its metaverse. Regulatory reform must be aimed at limiting platform power to gather data and at ensuring its data use practices are adequately monitored. Only through effective regulatory oversight can rights of both consumers and market participants be protected.
听