It is no exaggeration to say that the greatest threat to the global order in my lifetime has been enabled by internet platforms.

— Roger McNamee, Zucked

In Chapter 11 we discussed how Facebook accumulates and uses data within the interface of its website. Facebook as a service creates a self-sustaining ecosystem of personal data exchange for a multitude of economic motivators. In this chapter, we examine how the company operates in the new GDPR regime, how it has complied, and what actions it will likely face in the future.

12.1 The Lead Supervisory Authority

Under GDPR, a corporate group which operates across jurisdictions is responsible to one Lead Supervisory Authority (LSA) over its processing.¹ When multiple competencies overlap between Supervisory Authorities, an LSA is designated based on where the Controller has its main establishment of business.² Currently pending GDPR investigations into FB fall under the authority of the Irish Data Protection Commissioner, who has been assigned as an LSA to investigate the company’s behavior-monitoring and data-collection practices.³

12.2 Facebook nicht spricht Deutsch

Recently, German antitrust regulators ordered the FB Group to reduce and restrict their data sharing activities with third parties. In doing so, the regulator recognized Facebook as a dominant social media company in the market. As a dominant player, the consent policies of the company are subject to greater scrutiny on grounds of adhesion ...