-- By EmilieSchou - 13 Mar 2022

The legislative gap on federal level concerning data protection

WhatsApp? ’s privacy policy as a recent example of misuse of personal data

In January 2021, Facebook (now Meta) announced an “update” to its privacy policy with respect to wholly-owned messaging service WhatsApp? . The update would allow WhatsApp? to share data pertaining to users’ interactions with businesses on WhatsApp? to target ads across its platforms, including Facebook and Instagram. The update was met with strong criticism from members of the general public in light of the far-reaching implications with respect to users’ right to privacy (see here).

This form of data sharing between WhatsApp? and Facebook is by no means new and has in fact been the status quo since WhatsApp? was acquired by and integrated into Facebook in 2014 (see here), despite such practices running counter to Facebook’s pledge at the time to leave WhatsApp? ’s user data policy, which pre-acquisition had been based on a commitment not to collect user data for advertising revenue, untouched.

Facebook contends that the breach of users’ right to privacy is limited to the extent that Facebook is only collecting metadata, e.g. phone numbers linked to the WhatsApp? account and general profile information, whereas the content of personal messages sent between WhatsApp? users is protected by end-to-end encryption and therefore inaccessible by Facebook or advertisers. Metadata, however, is arguably just as important and valuable, if not more, than data relating to the content of personal messages, and by sharing such information freely with the advertisement-funded Facebook platform and, by extension, third parties, users’ right to privacy are unquestionably violated.

The limitations of the FTC in preventing misuse of personal data

In the U.S., in the absence of a nation-wide data protection law, tech companies have tended to resort to self-regulating over the years, with only one obvious legal avenue, at least on federal level, available to contest their conduct. The Federal Trade Commission (“FTC”) is tasked, as per Section 5 of the FTC Act, with investigating and punishing “unfair or deceptive acts or practices in or affecting commerce” under the broader consumer protection umbrella, which the FTC has interpreted broadly to hold businesses to fair and transparent privacy standards. For example, the FTC has held Facebook accountable on several accounts for privacy breaches although arguably with limited success, at the very least with respect to the data harvesting that followed Facebook’s acquisition of WhatsApp? . This was explicitly recognised by one of the FTC commissioners that voted against the FTC’s most recent (2019) settlement with Facebook.

The FTC in its current form is, however, not particularly well-equipped for dealing with issues touching on privacy breaches for a number of reasons. First, the FTC has not been given a clear mandate to handle privacy-related claims, which has translated into a lack of resources and technical expertise to do so. Because of this lack of resources, the FTC is also more likely to settle with privacy-infringing companies and for sums that, while facially significant, represent a drop in the ocean for companies like Meta and may therefore not have the same deterring effect as a court-ordered injunction. The 2019 settlement, for example, entailed a penalty of $5 billion, which represents but 4% of Meta’s total turnover in 2021.

Could antitrust laws help fill the gap?

Against this background and barring legislative changes to introduce federal data protection laws or further empowering the FTC, a possibly more compelling and less obvious legal avenue presents itself through antitrust enforcement. Misuse of personal data could, in theory, be treated as unlawful monopolization as prohibited by Section 2 of the Sherman Act or could be taken into account as a consideration in either prohibiting a merger ex ante or contesting it ex post on the basis of Section 7 of the Clayton Act.

Section 2 of the Sherman Act prohibits companies with market power from engaging in wrongful conduct. Provided harm to consumers or to the market can be shown and Facebook’s market power can be established, this provision could then be relied upon to condemn the data transfer from WhatsApp? to Facebook. Section 7 of the Clayton Act prohibits mergers where the effect may be substantially to lessen competition, or to tend to create a monopoly. This provision could then be relied upon to contest the merger which led to the data transfer and related misuses of personal data.

The benefits of opting for an antitrust approach compared to the Section 5 FTC Act approach can be summarized as follows. First, antitrust investigations can be brought not only by the FTC, but also by the Department of Justice (“DoJ”) and even State Attorney-Generals for violations of federal (as well as State) antitrust law. Thus, the sheer number of agencies empowered to take action against potentially infringing companies is greater. Their combined resources relative to the FTC’s consumer protection department also tend to be greater. In addition, these agencies tend to not only be more experienced in pursuing potentially infringing companies in court, but have moreover become well-versed in the complexities of data markets over the years and arguably more so than the FTC’s consumer protection department.

Consequently, to the extent that data protection and antitrust law both strive towards the same goal of safeguarding consumer protection, misuse of personal data may be best addressed by antitrust law until such a time where federal data protection legislation is enacted.

---

You are entitled to restrict access to your paper if you want to. But we all derive immense benefit from reading one another's work, and I hope you won't feel the need unless the subject matter is personal and its disclosure would be harmful or undesirable. To restrict access to your paper simply delete the "#" character on the next two lines:

• #Set ALLOWTOPICVIEW = TWikiAdminGroup, EmilieSchou
• #Set DENYTOPICVIEW = TWikiGuest

Note: TWiki has strict formatting rules for preference declarations. Make sure you preserve the three spaces, asterisk, and extra space at the beginning of these lines. If you wish to give access to any other users simply add them to the comma separated ALLOWTOPICVIEW list.