Google enhances data control post German antitrust probe
Posted: October 23, 2023
Germany’s competition regulator, the Bundeskartellamt, has obtained a set of commitments from Google to stop combining certain data from across different platforms without consent. The commitments conclude a long-running dispute under German antitrust law.
Google’s significant market share in several sectors allegedly gives the tech giant an unfair advantage, as the company can glean unique insights into consumers’ behaviour based on data points collected across many unrelated contexts.
This article provides an overview of the Bundeskartellamt’s findings and Google’s commitment to offering users greater choices around the use of their data.
Terms and Conditions
The Bundeskartellamt’s decision originates from a 2021 investigation into Alphabet, Google’s parent company, under the German Competition Act.
The regulator found that when creating a Google account and accepting Google’s terms of service, users are required to agree with “extensive data processing” involving data from across different Google services.
Google’s privacy policy provides some insight into Google’s purposes for using personal data, including:
- Providing its services
- Maintaining and improving its services
- Developing new services
- Personalizing content and ads
- Measuring performance
- Communicating with users
- Protecting Google, its users and the public
The policy also explains Google’s data-combining practices to users:
“We may combine the information we collect among our services and across your devices for the purposes described above. For example, if you watch videos of guitar players on YouTube, you might see an ad for guitar lessons on a site that uses our ad products. Depending on your account settings, your activity on other sites and apps may be associated with your personal information in order to improve Google’s services and the ads delivered by Google.”
Google can combine data about individuals whether or not they are signed into a Google account. The company uses several identifiers to uniquely identify users in different contexts, including the Google account ID, cookies, and device information such as the user’s IP address.
Google’s Privacy Controls
Google offers users some control over how their data is used, but some of these controls are provided on an “opt-out” basis.
On account creation, Google users can opt to “manually” personalize their accounts, or they can choose “express” personalization and let Google pick their settings.
Users selecting “manual personalization” will see further choices, including options to stop Google storing their “Web & App Activity” and to receive either “personalized” or “generic” (contextual) ads.
Despite these customizations, the Bundeskartellamt found that:
- Access to Google’s services is, to some extent, conditional on allowing Google to combine data from across its platforms.
- Users are not offered enough choices regarding how Google uses their data.
- Google could not justify data-combining activities on the basis of users’ freedom of information or expression.
The combined effect of these practices allegedly gave Google an unfair advantage over its smaller competitors.
The Digital Markets Act
Between the start of the Bundeskartellamt’s investigation and its final decision, the EU’s Digital Markets Act (DMA) came into force.
The DMA regulates the internet’s “gatekeepers”. A gatekeeper is an online service that fulfills the following criteria:
- It has a significant impact on the EU market.
- It provides a “core platform service” which is an important gateway for business users to reach end users.
- It has, or likely will have, an “entrenched and durable” market position.
Alphabet has been designated a gatekeeper under the DMA, along with Amazon, Apple, ByteDance, Meta, and Microsoft.
The DMA applies to Google’s “core platform services”, which, according to the Commission, include the following:
- Google Maps
- Google Play
- Google Shopping
- YouTube
- Google Search
- Chrome
- Google Android
- Google’s advertising services (including Google Analytics, to the extent that the platform can be used for advertising)
Under Article 5(2) of the DMA, Google and other gatekeepers may not combine personal data from a core platform service with data obtained via other first or third-party services, or “cross-use” data collected via one service within another service (among other obligations).
These obligations accord with the desired outcome of the Bundeskartellamt’s enforcement action. As such, because the Google services listed above are already regulated under the DMA, they are excluded from Google’s commitments to the Bundeskartellamt.
Fitness tracker Fitbit, purchased by Google in 2021, is also excluded from the Bundeskartellamt decision. Fitbit is excluded because the European Commission already imposed conditions on Google’s use of Fitbit data following a merger investigation.
Google’s commitments
Following the Bundeskartellamt’s investigation, Google has committed:
- Not to combine data about users gathered from across its platforms or third-party services.
- Not to use data collected via one of its services in any other of its separate services.
The commitments cover all Google services with over one million monthly active users (MAU) in Germany, except those within the scope of the DMA. The Bundeskartellamt may impose conditions on growing Google services as they approach this threshold.
Google’s commitments apply for an initial five-year period beginning September 2024. Throughout this period, Google may still combine data as before but must seek consent from each user before doing so.
When requesting to combine a user’s data, Google must adhere to the strict conditions for consent under the EU General Data Protection Regulation (GDPR).
Obtaining GDPR-grade consent means getting specific, informed, unambiguous, freely-given permission before using personal data about a user in this way. Users must also be able to easily withdraw their consent without detriment.