Detail of a high rise in Montreal. By Phil Deforges at https://unsplash.com/photos/ow1mML1sOi0

Once upon a time, in a Harvard dorm room…: Facebook, Meta and What is Next for Social Platforms, their competitors and their users?

2021 marks a year of significant ups and downs for Facebook. The Tech Giant once again exemplified its knack for creating public relations disasters. However, similar to past episodes, this has not stopped Facebook from exercising monopolistic control over the social media and tech sector. Given its $10 billion bid on the metaverse, addressing regulatory gaps related to its data misuse and anti-competitive behavior is becoming increasingly indispensable. The ongoing antitrust lawsuit against the social media platform before the U.S. Federal Trade Commission underlines the difficult questions regarding the company’s collection and management of user data. The same can be said for the anti-competitive actions currently being championed by EU and UK regulators. Meanwhile, Québec’s new data protection law, adopted on 21 September 2021, is an important forerunner for North America to strengthen both public scrutiny and enforcement of privacy violations.

The turn of the New Year marks the end of a tumultuous year for Facebook who, once again, found itself on the receiving end of public backlash.

Facebook’s Data Use Headaches

In September, Frances Haugen, former Facebook product manager turned whistleblower, leaked internal documents demonstrating Facebook’s acknowledgement and apparent disregard of the platform’s harmful impacts on society. The so-called Facebook Papers underline the lack of transparency surrounding the internal workings of a company that is increasingly seen to prioritize profit over the wellbeing of its consumers. As this story unfolded, rumors regarding plans to change the company’s name, a rebranding surely aimed at distancing itself from a long list of controversies, became reality. Welcome, Meta. Interesting here is the timing, as this rebirth for the Facebook Group might or might not successfully divert public attention away from longer standing critiques of the company’s management of privacy and user data.

As a company with close to 3 billion monthly users, Facebook’s efforts to protect its public image are unsurprising. Its underlying business model is based on its ability to compile highly sophisticated data from its users, effectively turning user traffic into profit. Public outrage over Facebook’s more dubious practices would surely limit its consumer base and ability to profit off its most valuable asset: big data. Facebook’s main source of revenue is derived from targeted advertisements, using data points gathered from its users to sell targeted advertisement (“ad”) space to third parties. In principle, this is not illegal. However, that is not to say Facebook’s use of data is always legitimate. There is a general lack of information surrounding Facebook’s data practices. Media attention has largely focused on privacy breaches; however, the lack of transparency may also impact market competition. Namely, by imposing conditions on access to other businesses and exploiting user preferences to obtain information that constitutes a competitive advantage on competitors, as Lina Khan, most recently appointed to chair the Federal Trade Commission (FTC), has consistently argued.

Facebook has repeatedly come under fire for mishandling consumer data. This was the case in the aftermath of the Cambridge Analytica Scandal, in which Facebook was heavily faulted for its lack of privacy protections after improperly providing consumer data to third-party developers. At the time of the confidentiality breach, Facebook chose not to disclose it to the public, as it had done in previous instances. The risk posed to consumer privacy has steadily increased with Facebook’s growing ability to gather sophisticated data from its users. Through its dominance, Facebook has extended its services across eight different products and services, effectively acting as a landlord to millions of third-party developers and advertisers. With its complex network of algorithms and data flows, it connects users and service providers to its platforms within an intricate and opaque infrastructure.

The company’s management of user data constitutes one of the most widely discussed issues in relation to Facebook’s and other social media platforms’ seemingly unlimited ability to collect, store, process and share user data. With each corporate acquisition and the related expansion of social media platforms’ user bases the problem only continues to exacerbate. As Facebook continues to add to its platform and increases its number of users, other third-party advertisers become increasingly reliant on Facebook’s digital infrastructure to reach their target consumers. Facebook can then gather data from both sides of the customer-supplier relationship to obtain valuable insight into their respective behaviors. In the past, this has likely enabled Facebook to discern successful avenues for diversification into online commerce, dating and gaming. In turn, its data integration capacities may enable Facebook to obtain an undue advantage over its ‘new’ competitors. Regulatory failure to address these big data-based harms is partly attributed to the secrecy surrounding corporate data practices. Internet platform companies’ maintain black-box algorithms whose complexities remain far removed from the public eye, thus remaining unexplainable and seemingly unchallengeable by regulators.

 

Facebook’s Acquisitions: Buy or Bury

Its most prominent acquisitions are Instagram and WhatsApp, bought in 2012 and 2014 respectively, but the company has also acquired a long list of smaller technology start-ups. Often these companies pose a competitive threat to Facebook, which the company might respond to by what is often referred to as a “Buy or Bury” strategy. This means Facebook either systematically purchases competitors that threaten its dominance, or renders third-party products and services obsolete by thwarting their access to its platforms – a practice that insulates Facebook from competition. Some expect that an on-going FTC antitrust lawsuit, initially launched in December 2020 and amended in August 2021, can bring more clarity to whether, and if so, how exactly the company has been resorting to ‘Buy or Bury’ schemes. What the FTC risks underestimating, however, is the level of data integration Facebook has been able to achieve through these acquisitions, namely due to the lack of transparency surrounding Facebook’s data practices. The still unfolding “Phhhoto” saga may offer additional insights.

Seeking to shed light on Facebook’s algorithms, the European Commission (EC) and the United Kingdoms’ Competition and Markets Authority (CMA) have opened concurrent antitrust investigations into Facebook “Marketplace”, an online trading platform which is part of Facebook with 1 Billion monthly users and, in April 2021, featured more than 250 million shops. Regulators from the European Union (EU) and the UK will look at whether Facebook uses data collected from competitors advertising their services on the platform. In its press release, the EC raises the possibility that Facebook obtains precise information on users’ preferences from its competitors’ advertisement activities and then applies said data to adapt Facebook Marketplace. If proven true, this would constitute that Facebook will have breached EU rules on anticompetitive agreements between companies and rules that prohibit the abuse of a dominant position (Article 101 & 102 of the Treaty on the Functioning of the European Union, respectively).

Facing (‘alleged’) anti-competitive behavior, competing firms are less likely to succeed and forced to exit the market. As a result, both consumer choice and innovation are reduced. High network effects attached to the Facebook platform further limits competition. Network effects arise when the utility derived from a product or service grows with the user base. For example, if Facebook is the preferred means of connecting with friends and family, the cost of switching away from the platform increases. Therefore, exponential user growth cements Facebook’s competitive advantage, further limiting competitors from entering the market. Unhampered by market competition, Facebook can suppress product quality improvements and subject users to lower levels of privacy and data protections – ultimately producing the ideal parameters which reinforce its existing business model.

Thus far, it seems that the competitive advantage Facebook possesses over its competitors largely resists regulatory intervention. This might be mainly due to current American antitrust law. As the decision by Judge James E. Boasberg of the U.S. District Court for the District of Columbia of 28 June 2021 reminded everyone, the finding of anticompetitive behavior is disproportionately based on purely economic factors such as price increases and output restrictions. Non-price effects are less likely to prompt regulatory action, such as impacts on innovation and privacy protection. Furthermore, these fixations on consumer welfare fail to capture the ability of dominant platforms to leverage their position against competitors, making it almost impossible to bring antitrust actions that are comparable to the EU’s. In the same regard, U.S. privacy regimes fail to address the privacy violations caused by Facebook’s data use. These regulatory gaps contribute to the overall lack of transparency surrounding the Tech Giant’s data practices. In order to properly address these issues, regulators in the U.S. need to establish mechanisms that will constrain Facebook’s ability to utilize data unrestrictedly. Certain public officials have already taken a stand. Tim Wu, Special Assistant to President Biden for Technology and Competition Policy, has openly stated his intention to reform the tech sector, mainly by breaking up industry leaders like Facebook. Lina Khan is also a vocal critic of Big Tech’s anti-competitive tendencies. Her appointment as FTC chairperson marks a new era for antitrust law in the U.S. Under her guidance, the FTC amended its complaint against Facebook and is currently investigating Amazon. Amazon is not happy.

 

Antitrust Law must be adapted to the economic particularities of social platforms

The FTC’s current lawsuit against Facebook will be a strong indicator of this supposed new chapter for antitrust enforcement. If Facebook is proven to be a monopoly, its ability to acquire data and cross-leverage it against competitors will be reviewed and limited. Furthermore, a pro-antitrust decision may force the company to sever ownership over its subsidiaries, substantially reigning in its data integration capabilities and sending a strong message to other online platform companies. However, adequate regulatory oversight over anti-competitive behavior, stemming from data misuse, will almost surely require significant antitrust reform. This would require moving away from the consumer welfare standard, which characterizes antitrust precedence since the 1970s. By narrowly focusing on price and output metrics this standard is incapable of appreciating the source of internet platform’s anticompetitive power – rampant data exploitation & anticompetitive conflicts of interests, facilitated by the distribution of free products and services.

Furthermore, in order to properly address data misuses within the tech industry, the U.S. must enact a comprehensive Federal Privacy Law, imposing consumer control and transparency mechanisms on data use. Congress has failed to enact federal privacy legislation due to deadlock. Though a Reuter’s recent report, exposing how Amazon has “wag[ed] war on American’s privacy” by successfully lobbying against privacy legislation, provides additional clarity on the current status quo.

The hope, if not expectation, is that more stringent privacy standards could help curb Facebook’s (and other industry leaders’) ability to peer into our daily lives and thereby limit these actors’ opportunities to engage in largely uncontrolled data accumulation. Looking to privacy laws in other jurisdictions, the U.S. might find inspiration in reviewing its own groundwork for legislative reform. For example, the EU’s General Data Protection Regulation (GDPR), introduced already in 2018, sets the standard for data protection and imposes a privacy by design standard on corporations, as well as robust consent and transparency mechanisms constraining corporate data use. Nevertheless, the GDPR has been criticized in the past for its ‘one stop shop’ provision, effectively providing jurisdiction over corporate compliance to Member states based on a company’s primary establishment. This has caused inconsistent enforcement across the EU, partly due to poor regulatory funding and limited staff resources. In limited occasions, the GDPR has enabled regulators to take unprecedented action against Big Tech through the imposition of substantial fines. However, these instances are sparse, with fines remaining relatively small compared to available penalties under the Act. Furthermore, compared to a transgressor’s revenue streams these fines might seem inconsequential and therefore unfit to provide an ultimately effective incentive to comply with GDPR obligations. But, fines have been on the rise as a report from the first quarter of 2021 shows. Compliance will depend on the extent of pain felt by these fines. Low fines might be driven by a regulator’s unwillingness to seek harsher penalties for corporate non-compliance. Ireland, for example, even long after it became a Celtic Tiger in the mid-1990s, still offers a tax-haven economy for many of the big players in the tech industry (including Facebook, Microsoft, Dell, IBM, SAP or Twitter and Paypal). For fear of alienating foreign corporations, the Irish Data Protection Commission (DPC) may be less inclined to sanction corporate misconduct with larger fines. This would explain why the agency has developed a reputation for being overly lenient with foreign tech companies that violate their GDPR obligations.

 

Meanwhile, dans la Belle Province…

As a forerunner in Canada, Québec’s recently adopted Bill 64 is modelled after the EU’s GDPR and enables provincial regulators to sanction any non-compliant companies that carry on a business in the province. Therefore, the Act not only applies to organizations based in the province, but also to all organizations collecting information in Québec, whether or not they are established there. Depending on whether regulators are endowed with the necessary funding and resources, this may better ensure consistent privacy protection by restricting the number of regulatory participants and limiting the parallel considerations of decision-makers that are incompatible with enforcement initiatives. In contrast to the EU’s governance and enforcement challenges across a multi-member constituency of sovereign states, Québec appears to have provided itself with jurisdiction over all causes of action under the act, thereby ensuring uniform enforcement, and the ability to resolve the issues that currently undermine the GDPR.

The Bill amends Québec’s Act respecting the protection of personal information in the private sector. In the past, the EC found that Québec failed to provide adequate privacy protection for cross-border data transfers. Bill 64 aligns Québec’s privacy regime with international privacy protection standards and is expected to “obtain ‘adequacy’ status, allowing for the unfettered transmission of data between Québec and Europe.” Most of its measures take effect in 2023 and are backed by rigid enforcement measures which come into force in 2024.

Importantly, the Act provides higher levels of transparency regarding the use of consumers’ personal information. Corporations are prescribed a number of obligations, including providing (i) the purposes for which personal information is collected, (ii) the means by which the information is collected, (iii) rights of access and rectification, (iv) the person’s right to withdraw consent to the communication or use of the information, (v) whether there is the possibility that the information may be communicated outside Québec, and (vi) the name of the person(s) for whom the information is being collected if it is being collected for a third person (section 8, forthcoming, of the Act). These obligations constitute onerous burdens for corporations, particularly for a company like Facebook whose commercial enterprise is driven by the collection of personal data points and does not necessarily know the identities of third parties to whom it will inevitably communicate personal information to. The Act also provides increased consumer control over their data, incorporating meaningful consent mechanisms and the obligation to inform consumers of the purposes and means of data collection. In practice, this may limit the exploitation of sophisticated data accumulation.

Recognizing that the Act sets a new precedent for privacy in Canada, Ontario’s white paper on modernizing privacy in the province cites Bill 64 in support of similar privacy protections. It is likely that other provinces will follow suit as they look to update their own private sector privacy legislation. In comparison, privacy in the U.S. can be considered deregulated territory. No comprehensive federal legislation addressing consumer data privacy protection exists. Instead, it relies on a patchwork of state level statutes. This has created substantial regulatory gaps, prompting calls for federal reform that better reflects international privacy standards. Looking to Québec’s Bill 64, the U.S can take the necessary legislative steps to shine a light into the Blackbox that is Big Tech, ensuring consumers have enforceable privacy rights and control over their data.

 

Platform power is here to stay

Ultimately, the business model of a platform such as Meta aka Facebook rests on its ability to largely operate in mysterious, difficult to decipher ways as it continues to gather and use data from the public but removed from the public eye. Addressing regulatory gaps is becoming increasingly indispensable as Meta gains novel opportunities for data collection through its metaverse. Regulatory reform must be aimed at limiting platform power to gather data and at ensuring its data use practices are adequately monitored. Only through effective regulatory oversight can rights of both consumers and market participants be protected.

 

Back to top