A statement by the South Africa Information Regulator (IR) on March 3, 2021 set tough conditions to WhatsApp for sharing user information with other Facebook companies.
“Accordingly, WhatsApp cannot without obtaining prior authorisation from the IR in terms of section 57 of Protection of Personal Information Act (POPIA), process any contact information of its users for a purpose other than the one for which the number was specifically intended at collection, with the aim of linking that information jointly with information processed by other Facebook companies,” said the statement.
This followed the notice by WhatsApp indicating its intention to continue sharing information with the other Facebook Companies. WhatsApp’s privacy policy indicates that it shares information with Facebook companies to, among other things, help operate, improve and understand its services.
In another case, Germany’s Federal Cartel Office (FCO) won an appeal against Facebook in the Federal Court of Justice, upholding its earlier decision requiring Facebook to stop combining user data without voluntary consent.
Rupprecht Podszun, a Chair for Civil Law, German and European Competition Law at Heinrich Heine University, stated, “The FCO can now demand from Facebook to submit a plan within four months how to stop the merging of data into so-called ‘super profiles’.”
He noted that “Facebook merges data from the group’s own services such as Facebook, WhatsApp and Instagram with other data collected on the net via so-called Facebook Business Tools.”
The commencement of Facebook’s data policy states, in part: “This policy describes the information we process to support Facebook, Instagram, Messenger and other products and features offered by Facebook”. I
n the section titled, “How do the Facebook companies work together?”, it is expressly stated that information about a user is processed across the companies with the justification being that they share infrastructure, systems and technology so as to provide innovative, relevant, consistent and safe experience across the products.
The two interventions by the South African and German supervisory authorities illustrate a phenomenon that scholars Daniele Condorelli and Jorge Padilla refer to as ‘privacy-policy tying’. It occurs when a service is offered on the condition that one subscribes to privacy-policy that gives way to bundling of user data across all sources. They contend that the privacy policy limits the choices for users (forcing them to accept or leave the platform) and has the effect of limiting competition.
Through their August 2020 published paper titled “Data-driven Envelopment with Privacy-Policy Tying”, they posit that combining data across different markets has the effect of erecting barriers to entry that shield the core business of a company, a concept known as platform envelopment.
Platform envelopment occurs when a provider in one platform market enters another platform market by taking advantage of its functionality and the one existing in the new market in order to leverage on shared user relationships.
It occurs when, say, a messaging (primary market) platform such as WhatsApp decides to venture into payments as it is happening in Brazil or Safaricom venturing into taxi ride hailing as they did with Little Cab in 2016.
They do this not to necessarily improve their products but increase their advertising pool and eventually dominate. For a while now, big tech companies have used privacy as a good PR message but this has not been reflected in their privacy policies.
Despite the simplicity and brevity of today’s privacy policies, they still amount to contracts of adhesion, with take-it-or-leave-it terms imposed on their users. It is for this reason that Condorelli and Padilla are calling for competition authorities to demand privacy-tying companies to prove that their conduct paves the way for greater efficiencies “that will outweigh any anticompetitive effects to consumers”.
Their research further concludes that part of the reason why these dominant companies are able to join secondary markets with ease is because of their ability to invest in capacity, learning by doing and R&D. With this, they are able to offer free products and services so as to compete with the dominant player in the secondary market.
In the Facebook case, apart from just acquiring Instagram through a ‘killer acquisition’, they are now tying the privacy policies in order to justify sharing of user data across not just Facebook and Instagram, but also among the other Facebook companies. Calls for the regulation of privacy-policy tying are not meant to stifle innovation by big tech companies, but to give upcoming innovators and startups a chance to compete.
Having reviewed privacy policies by some ecommerce platforms here in Kenya that are part of a group of companies, the situation is no different. I specifically looked at food and alcohol delivery platforms and the story is no different from what the Facebook companies are doing.
They know that people rarely take time to read the privacy policies. It would seem that companies intending to share data with secondary markets, will get into arrangements where they become part of a group of companies for purposes of what appears to be unlawful sharing of personal data through privacy-policy tying.
Companies without first mover advantage will be locked out of these markets as they will not have the data-driven envelopment. Imagine a scenario where an advertising agency acquires a food delivery company or vice versa and in turn they develop a uniform privacy policy that allows data sharing among the two entities, all because they have a similar holding company?
The Office of the Data Protection Commissioner and the Competition Authority of Kenya will have to keenly interrogate multiple privacy policies in place. The former has the mandate of determining whether various platforms are legally processing and sharing personal data among their affiliates. The latter has to determine whether such practices are anti-competitive.
Karanja is a data protection compliance & commercial law practitioner
PAYE Tax Calculator
Note: The results are not exact but very close to the actual.
