Sector inquiry into messenger and video services

In May 2023 the Bundeskartellamt published the final report on its sector inquiry into messenger and video services. The sector inquiry found that some services were likely to violate consumer law provisions regarding functions which are particularly important to users.

• GDPR violations when synchronising contacts

When users synchronise their contacts, the data of those contacts that have so far not registered with the service that is being used are also collected. In the Bundeskartellamt’s view, this practice may violate the GDPR if it is employed on a permanent basis. This also applies if the telephone numbers are shown in encrypted form.

• GDPR violations when transferring and storing data

Some messenger and video services are also not in compliance with the law when transferring and storing data. Personal data of German and European consumers may only be transferred to and stored in countries where the level of data protection is similar to that ensured by the European GDPR. Under current law, the transfer of data to and their storage in the United States, in particular, is not permissible.

• Room for improvement when it comes to data security

 According to the German Act against Unfair Competition (Gesetz gegen den unlauteren Wettbewerb – UWG), consumers must also be given truthful information on how the security of their correspondence is ensured, for example through data encryption. In the Bundeskartellamt’s assessment, the way in which many services currently handle this issue should be improved.

Encryption is only one of several criteria which together determine a service’s level of data security. The authority’s investigations have shown that there is still a great deal to be done also in the area of data security. In consultation with the Federal Office for Information Security (BSI), the Bundeskartellamt has compiled a checklist outlining the essential criteria which ensure data security and compliance with the law.

Privacy checklist for messenger and video services

• State-of-the-art protocol and end-to-end encryption
• Service is based on international standards
• Accessible source code/(security audit)
• Two-factor authentication
• Servers located within the EU (where the GDPR applies)
• No contact synchronisation
• Privacy-friendly business model

Interoperability between messenger and video services

 Based on the European Digital Markets Act, which entered into force in November 2022, certain large online platforms (referred to as designated gatekeepers) will be obliged to ensure interoperability with other messenger services. It is expected, among other things, that interoperability will make it easier to switch between different providers and improve chances for newcomers who rely on access to the established systems.

The Bundeskartellamt’s inquiry makes it clear that this process also has to take into account that standardisation, which will be necessary to make interoperability possible, can also have negative effects on the willingness to innovate and thus on competition between the various providers. There are also challenges around the issues of data security, data monitoring and who controls the data, as well as around the question of how to ensure transparency with regard to these factors.