Skip to main content

Andreas Mundt, president of Germany's Federal Cartel Office, in Bonn, Germany on April 17, 2018. Mr. Mundt has led the Bonn-based Bundeskartellamt, Germany’s competition watchdog, since 2009.

WOLFGANG RATTAY/X00227

Sitting in a sun-splashed office on the edge of the Rhine River that once belonged to West German presidents, Andreas Mundt leans his elbows on a table and nods to a yellow and blue experimental painting by the artist Maiken Bardeschi. It’s called Frei, he says – the German word for free. “I like that a lot,” he says. “Competition law is a lot about freedom. It’s about choice. And this matters a lot to me.”

Mr. Mundt has led the Bonn-based Bundeskartellamt, Germany’s competition watchdog, since 2009. Over the past decade, he has grown increasingly frustrated with the amount of power the Big Tech companies have accrued because of their mass collection of user data. Most recently, the Bundeskartellamt head had become especially exasperated with Facebook Inc. Specifically, he wanted to put an end to its practice of combining user data collected from its proprietary platforms – Facebook, Instagram and WhatsApp – as well as information from third-party websites to build eerily accurate profiles that help advertisers better target users. And he has taken his fight all the way to Germany’s highest court.

In Mr. Mundt’s mind, Facebook’s arsenal of digital data sources – not just the three largest social-media platforms in the world, but also countless other websites its 2.5 billion users visit that contain tracking codes that share data with Facebook – are unmatched and give the company enormous market power. And the granularity of the personal data the platform is able to accrue has the power to influence user behaviour on a mass scale through advertising. Sometimes it’s as obvious as an ad for a pair of shoes following you around the internet after you browsed for them on Amazon. But such power can also have serious consequences: Russian entities are suspected to have used Facebook ads to help swing the 2016 U.S. election in Donald Trump’s favour. The subsequent Cambridge Analytica scandal, in which the company used Facebook users’ profile data without their permission to target them with political ads, only enhanced mistrust in unchecked data aggregation.

Story continues below advertisement

As Silicon Valley’s data-collection capabilities have deepened over the past decade, plenty of jurisdictions have started scrutinizing the role Facebook and other platforms play in the lives of their citizens. But few countries have been as aggressive as Germany not just in calling them out, but in taking action to curb their Big Brother tendencies. While most recent antitrust rulings against data-driven players have focused on financial punishments (including the European Union’s €1.5-billion fine against Google last year for anticompetitive behaviour in online search advertising), Mr. Mundt didn’t think a mere fine sent a strong enough message. Instead, he wants Facebook to fundamentally change the business model that brings in tens of billions of dollars in ad revenue each year.

A poster promoting an anti-Google cafe is pictured in Berlin's Kreuzberg district on May 22, 2018.

TOBIAS SCHWARZ/AFP/Getty Images

In February, 2019, the Bundeskartellamt announced it would prohibit the social-media company from combining user data from multiple platforms. The case is now before the Bundesgerichtshof, Germany’s top court. If he succeeds, Mr. Mundt hopes it will lead to a fairer social internet, one that would give users more freedom and control over how private companies profit from their personal information.

“If we want to deal with the market power of these companies and deal with abuse that might be happening,” he says, “we have to answer the fundamental question of how to deal with these data issues.”

Germany’s fight has potentially huge implications not just for Facebook and its Big Data brethren, but for the billions of people who use their platforms every day. And its privacy-first ethos is spreading. Here in Canada, federal Privacy Commissioner Daniel Therrien is fighting for greater powers against data abusers. Canada also just spearheaded a move among global privacy commissions to call for greater collaboration with competition authorities to tackle data protection. Multiple U.S. states are building their own antitrust cases against the Silicon Valley giants, calling out their absolute control over consumers’ data (even as the companies themselves claim to face plenty of competition). Facebook’s home state of California has begun enforcing strict privacy laws of its own; New York is expected to follow suit.

The Umspannwerk building where U.S. tech company Google is to open a Google Campus for startups on April 6, 2018 in Berlin, Germany.

Sean Gallup/Getty Images

Mr. Mundt’s home country is still at the vanguard, however. “Germany is the leading privacy and data-protection country in the world,” says Ontario’s former privacy commissioner, Ann Cavoukian, who regularly liaised with the country’s privacy authorities during her three terms. “There’s nothing comparable to Germany."

And Mr. Mundt is certainly not alone. Everyone from German Chancellor Angela Merkel (who late last year urged the European Union to wrest back control of citizens’ personal information and manage it more directly) to grassroots activists to the country’s Berlin-centred startup sector are onside with his crusade.

“Maybe we have to restrict business in certain situations to respect the privacy of every person,” says Samuli Siren, managing director of Redstone VC in Berlin. “I’m totally okay when business is limited when it comes to values that are important to us. I’ll put it this way: Let’s not do business for any price.”

Story continues below advertisement


Germany’s fierce pro-privacy bent has deep roots.

It’s been just three decades since the fall of the Berlin Wall – 30 years since the East German domestic spy agency, the Stasi, controlled a web of 90,000 staff and nearly twice as many informants, who tracked citizens to silence dissidents and build paranoia across the country. That, coupled with the Nazi regime’s pervasive use of surveillance and record-keeping to track Jews and other targeted groups, has left many German people with a deep suspicion of mass data collection.

In 1970, the West German state of Hesse passed the world’s first data-protection law, prompting other states in the Federal Republic to do the same. National legislation requiring consent when a person’s data are processed followed in 1978. A subsequent court ruling that personal data should be constitutionally protected was later built into German law in time for reunification in 1990.

CASH IS KING

IN GERMANY, HARD-TO-TRACK CASH IS STILL

USED IN 80% OF POINT-OF-SALE TRANS-

ACTIONS, REDUCING PAPER TRAILS

CANADA 2018

21%

GERMANY 2017

80%

THE GLOBE AND MAIL,SOURCE:PAYMENTS

CANADA; ECB

CASH IS KING

IN GERMANY, HARD-TO-TRACK CASH IS STILL

USED IN 80% OF POINT-OF-SALE TRANSACTIONS,

REDUCING PAPER TRAILS

CANADA 2018

GERMANY 2017

21%

80%

THE GLOBE AND MAIL,SOURCE:PAYMENTS CANADA; ECB

CASH IS KING

IN GERMANY, HARD-TO-TRACK CASH IS STILL USED IN 80%

OF POINT-OF-SALE TRANSACTIONS, REDUCING PAPER TRAILS

CANADA 2018

GERMANY 2017

80%

21%

THE GLOBE AND MAIL,SOURCE:PAYMENTS CANADA; ECB

That legacy lives on. Germans still cling to cash, and few independent businesses accept credit or debit payments, wary of creating a digital trail. There’s less social-media penetration, too: While 53 per cent of Canadians actively used Facebook each month in 2019, only 32 per cent of Germans did, according to research firm eMarketer.

FEWER FACES BOOKED

GERMANS ARE LESS LIKELY TO USE

FACEBOOK THAN CANADIANS

CANADA

GERMANY

FACEBOOK USERS* (MILLIONS)

(% POPULATION)

18.3

2016

25.8

50.4%

31.6%

18.7

2017

26.5

51.2%

32.4%

19.3

2018

26.1

52.2%

31.9%

19.7

2019

25.9

52.8%

31.6%

19.9

2020

25.8

52.8%

31.5%

*Monthly, active

THE GLOBE AND MAIL, SOURCE: EMARKETER

FEWER FACES BOOKED

GERMANS ARE LESS LIKELY TO USE

FACEBOOK THAN CANADIANS

CANADA

GERMANY

FACEBOOK USERS* (MILLIONS)

(% POPULATION)

18.3

2016

25.8

50.4%

31.6%

18.7

2017

26.5

51.2%

32.4%

19.3

2018

26.1

52.2%

31.9%

19.7

2019

25.9

52.8%

31.6%

19.9

2020

25.8

52.8%

31.5%

*Monthly, active

THE GLOBE AND MAIL, SOURCE: EMARKETER

FEWER FACES BOOKED

GERMANS ARE LESS LIKELY TO USE FACEBOOK THAN CANADIANS

% POPULATION

FACEBOOK USERS* (MILLIONS)

CANADA

GERMANY

18.3

2016

25.8

50.4%

31.6%

18.7

2017

26.5

51.2%

32.4%

19.3

2018

26.1

52.2%

31.9%

19.7

2019

25.9

52.8%

31.6%

19.9

2020

25.8

52.8%

31.5%

THE GLOBE AND MAIL, SOURCE: EMARKETER

*Monthly, active

When the EU began exploring a broad data-use framework for the bloc earlier this decade, not only did Germany take a lead in designing it, but the country’s laws served in part as a blueprint, says Sontje Julia Hilberg, a partner with Deloitte Legal in Berlin who focuses on data-protection law. (It was also premised partly on “privacy by design,” a concept developed by Ms. Cavoukian in the 1990s that insists technology be built with privacy as a foremost consideration.) That framework became the General Data Protection Regulation, or GDPR, which went into effect in 2018 and applies to any company that does business in the EU.

Story continues below advertisement

GDPR grants EU citizens some of the world’s most extensive rights regarding data collection. People must be informed whenever their personal information is being collected by a website and give their express consent. (That stipulation has had ramifications for web users there and even worldwide, with a wave of consent requests about “cookies” popping up on virtually every site.) GDPR also gives Europeans extensive control over how their data are used. That includes the right to decide whether those data are processed in the first place and to ask for it to be erased.

Companies that violate the regulations – some of which Facebook lobbied against, according to a Guardian report – can be fined up to 4 per cent of their global revenue. France fined Google €50-million ($72-million) in January, 2019, for providing users with an insufficient consent policy and for not giving them enough control over their data. This past November, Germany fined the real estate firm Deutsche Wohnen €14.5-million over insufficient data-retention procedures.

Protesters make noise and hold a banner that reads: 'Stop the Google Campus, Self-determination Instead of Domination' outside the Umspannwerk building where U.S. tech company Google is to open a Google Campus for startups on April 6, 2018 in Berlin, Germany.

Sean Gallup/Getty Images

Privacy regulation isn’t the only front on which Europe is restricting data collection. The EU’s competition commission has served Google with billions of euros in fines because of concerns over the dominant position of its parent company, Alphabet Inc., in the search, app and ad-sales markets. More recently, the EU commission has been looking into the dominance of Facebook’s classified-ads division.

Although the fines have so far been minor (with annual revenue of US$137-billion in 2018, the EU levy was barely a slap on the wrist for Alphabet), the new regulations have brought the importance of data privacy into the public conversation and forced companies of all kinds to consider the value of data protection, Deloitte’s Ms. Hilberg says. “People are now more aware it,” she says, adding that its values are spreading beyond the EU: “It’s become a political instrument to make clear that data privacy should be a worldwide concern.”


Mr. Mundt has been obsessed with how the internet shifts market forces since he arrived at the Bundeskartellamt more than a decade ago. After first fighting resale price-fixing of products sold online, midway through the decade, he shifted focus to the accumulation of data, assigning an internal task force to examine its role in competition. By 2017, the agency had pushed legislators to update Germany’s competition act to factor in access to data when determining a company’s dominance. After all, the biggest digital giants – Facebook, Google, Amazon – built empires by learning all they could about their users. Even when consumers don’t directly pay to use Big Tech’s services, the Bundeskartellamt argued that data collection created a multisided market in which data creates power.

Story continues below advertisement

“If we assume that these are really powerful companies, then we have to deal with the question of: Is the gathering of the data done in an appropriate manner?” Mr. Mundt asks. “For us, this is of special importance, because we are one of the rare countries where this a parameter that is mentioned in the law.”

The Bundeskartellamt’s case argues that the California company’s user terms and conditions, which allow Facebook to aggregate data from its multitude of apps and third-party datasets, are anticompetitive. Because there is no alternative social network with Facebook’s reach, the German agency says, users who want to take part have no choice to agree to its terms. Mr. Mundt believes this could also contravene GDPR, given its strict rules around data collection and consent.

WORLD PRIVACY LEGISLATION

CANADA

The Liberal government keeps discussing moving Canada

toward a GDPR-like privacy regime, including updating the

decades-old PersonalInformation Protection and Electronic

Documents Act. But InnovationMinister Navdeep Bains

told The Globe this month that he expects delays in

delivering legislation because of his party’s minority in

Parliament. The federal privacy commissioner, meanwhile,

has long been asking for extended, European-style

powers.

EUROPEAN UNION

CALIFORNIA

GDPR grants EU citizens

some of the world’s most

extensive rights regarding

data collection, including

consent requirements when

data is collected, the ability

to decide whether their data

is processed, and to ask for

it to be erased.

The United States is home

to a hodgepodge of state

privacy legislation, but

the California Consumer

Privacy Act just came

into effect in the home

state of Silicon Valley. It

is comparable to GDPR

in spirit, but still contains

differences. For example,

CCPA limits Californians’

ability to request information

that has been collected about

them to only the past 12 months,

as opposed to more

extended access in the EU.

GERMANY

The world’s first data-protection law was passed in

Germany in 1970, and GDPR is partially modelled on

earlier German regulations. In November, it fined the

real estate firm Deutsche Wohnen €14.5-million over

insufficient data-retention procedures.

BERLIN

BONN

FRANKFURT

MUNICH

THE GLOBE AND MAIL

WORLD PRIVACY LEGISLATION

CANADA

The Liberal government keeps discussing moving Canada

toward a GDPR-like privacy regime, including updating the

decades-old PersonalInformation Protection and Electronic

Documents Act. But InnovationMinister Navdeep Bains

told The Globe this month that he expects delays in

delivering legislation because of his party’s minority in

Parliament. The federal privacy commissioner, meanwhile,

has long been asking for extended, European-style powers.

CALIFORNIA

EUROPEAN UNION

The United States is home

to a hodgepodge of state

privacy legislation, but

the California Consumer

Privacy Act just came

into effect in the home

state of Silicon Valley. It

is comparable to GDPR

in spirit, but still contains

differences. For example,

CCPA limits Californians’

ability to request information

that has been collected about

them to only the past 12 months,

as opposed to more

extended access in the EU.

GDPR grants EU citizens

some of the world’s most

extensive rights regarding

data collection, including

consent requirements when

data is collected, the ability

to decide whether their data

is processed, and to ask for

it to be erased.

GERMANY

The world’s first data-protection law was passed in

Germany in 1970, and GDPR is partially modelled on

earlier German regulations. In November, it fined the

real estate firm Deutsche Wohnen €14.5-million over

insufficient data-retention procedures.

BERLIN

BONN

FRANKFURT

MUNICH

THE GLOBE AND MAIL

WORLD PRIVACY LEGISLATION

CANADA

EUROPEAN UNION

GDPR grants EU citizens some of

the world’s most extensive rights

regarding data collection, including

consent requirements when data is

collected, the ability to decide

whether their data is processed,

and to ask for it to be erased.

The Liberal government keeps discussing moving Canada toward a

GDPR-like privacy regime, including updating the decades-old Personal

Information Protection and Electronic Documents Act. But Innovation

Minister Navdeep Bains told The Globe this month that he expects

delays in delivering legislation because of his party’s minority in

Parliament. The federal privacy commissioner, meanwhile, has long

been asking for extended, European-style powers.

CALIFORNIA

The United States is home

to a hodgepodge of state

privacy legislation, but

the California Consumer

Privacy Act just came

into effect in the home

state of Silicon Valley. It

is comparable to GDPR

in spirit, but still contains

differences. For example,

CCPA limits Californians’

ability to request information

that has been collected about

them to only the past 12 months,

as opposed to more

extended access in the EU.

BERLIN

GERMANY

BONN

The world’s first data-protection law was

passed in Germany in 1970, and GDPR is

partially modelled on earlier German

regulations. In November, it fined the real

estate firm Deutsche Wohnen €14.5-million

over insufficient data-retention procedures.

FRANKFURT

MUNICH

THE GLOBE AND MAIL

“If there were two social networks in terms of quality and network effects – one with privacy and one without – I have no doubt the consumer would choose the one with privacy,” he says.

In August, Facebook successfully appealed the Bundeskartellamt’s case in a regional court, prompting the competition office to take the matter straight to Germany’s highest court, from whom the parties now await a final decision.

Facebook declined to comment on the case, but said in a statement: “The Bundeskartellamt underestimates the fierce competition we face in Germany and the choices people have, misinterprets our compliance with GDPR and undermines the mechanisms European law provides for ensuring consistent data protection standards across the EU.” In short: Facebook believes consumers have plenty of choice – and warns that an EU country taking a standalone position on data runs against the spirit of GDPR.

The regional court also disagreed with Mr. Mundt’s argument that consumers have little choice but to agree with Facebook’s terms and data aggregation. Hamburg competition lawyer Stefan Horn, who has studied the decision, says the court found reasonable flaws in the Bundeskartellamt’s argument. “I would guess people agree with Facebook’s terms and conditions simply because they don’t care, and it does not have any negative impact on their economic freedom,” Mr. Horn said.

Story continues below advertisement

But freedom is the word Mr. Mundt has hitched both his career and his Supreme Court appeal to. Even if he loses, he hopes to at least clarify the role competition law can play in making Big Tech fairer for consumers. “It cannot be,” he says, “that all the laws we have worldwide for the protection of competition are not applicable vis-à-vis these companies.”


Like Mr. Mundt, Germany’s tech sector has been finding new ways to deal with data collection. Although the startup and investment community in Berlin – sometimes jokingly referred to as Silicon Allee – was the second-biggest in the EU last year by venture dollars deployed, behind London, it hasn’t exactly flourished this century. Both capital and public awareness still tends to focus on more traditional manufacturers such as Siemens and Bosch, along with its robust auto sector, which includes Volkswagen and Daimler.

German investors are wary of venture-capital investing, and funds sometimes have an easier time attracting U.S. capital than domestic. Until a few years ago, many of the country’s digital stars merely mimicked successes from other markets, often backed by prominent Berlin venture firm Rocket Internet SE.

But the country’s stringent data-collection regulations might actually be the key to boosting its startup sector. A new generation of digital firms is using Germany’s GDPR-backed, privacy-first mentality to its advantage. “Short-term, it appears like a disadvantage,” says Christian Nagel, managing partner at Earlybird Venture Capital in Berlin. But as more jurisdictions become privacy-minded, he says, “I think it’s a matter of time before it comes to every country.”

Xain AG – short for “the Expandable Artificial Intelligence Network” – is building its entire business around maximum privacy. Machine-learning algorithms are key tools of today’s AI technology, capable of studying large pools of data to help find patterns and develop innovations. To do this, data usually need to be centralized and, under GDPR, sufficiently stripped of identifying information before it can be analyzed. Bringing data to the algorithms is costly and time-consuming, and can result in whole datasets being cast away because they aren’t properly anonymized. Xain’s algorithms work on data at the source with a sophistication typically reserved for AI powerhouses such as Google. Leif-Nissen Lundbæk, Xain’s chief executive, calls the startup a “GDPR-compliant layer for machine learning.”

Story continues below advertisement

In his office a few blocks from Berlin’s Brandenburg Gate, he explains the technology through a familiar German lens: cars. Training autonomous vehicles requires studying an extraordinary amount of data about the environment around a car and the human decisions that guide it. But these kinds of data can expose a person’s home, their workplace, their neighbours and passersby, which means it all has to be de-identified. “The problem is that all this data is vastly privacy-sensitive, because we can learn everything about you from you driving around,“ Mr. Lundbæk says, adding that Xain has signed partnerships with both Porsche and Daimler (he declined to provide any details).

Xain has also developed an “accounting assistant” called ANDY that automates invoice processes while keeping data private. And the company hopes to integrate with all kinds of data-collecting technologies. As Xain product manager Lea Danschel puts it, “We could be the privacy backbone of every AI application.”


Another AI powerhouse – Google – is a looming presence in Berlin. The company’s local headquarters are here, and in 2016, it proposed building a startup hub in Kreuzberg, a bastion for artists, new immigrants, punks and anarchists just east of Berlin’s core. The proposed development, which would include workspaces, services and mentorship opportunities for local startups, was slated to occupy an abandoned electrical substation. But a local association called GloReiche quickly came out against the plan.

But the movement soon morphed from focusing on the gentrification of one of Berlin’s beloved affordable enclaves to a continuing protest of the power of Big Tech.

Smoking a hand-rolled cigarette last fall as he stood in front of the substation, GloReiche activist Stefan Klein proudly described the numerous demonstrations and sit-ins Kreuzberg’s eclectic residents have held to protest the campus. In October, 2018, the protesters got their wish: Google stepped back from the proposed redevelopment and said it would offer the substation to two social-focused organizations. The company declined to comment on the move, but it said in a statement that after “numerous discussions with initiatives and neighbours,” it had decided to cover rent and other costs for the organizations for five years.

Those two words – “five years” – make Mr. Klein uneasy. Google has a long-term lease on the space. He worries the company could march back in later, jack up rents, and begin to buy up Berlin-based talent and startups to populate its campus.

One activist, from a prominent faction of the anti-Google campaign composed of self-described nerds, spoke to The Globe and Mail about what the group sees as the company’s outsized power over the internet. (Their identity is being kept confidential because of potential professional retribution.) The activist said the group hopes to one day dismantle and decentralize that power, which Google accrued by amassing data about its users for nearly two decades across search, e-mail, mobile devices and more, fuelling one of the world’s most successful advertising programs.

The activist admitted it would be naïve to believe that stopping the Kreuzberg campus will solve the problems presented by powerful tech giants such as Google. But if nothing else, the protests have made those problems more obvious to everyone around them. Similar groups worldwide now turn to Berlin’s activists to discuss tactics – including Toronto’s #BlockSidewalk campaigners, who are hoping to cancel a “smart” community designed by Google affiliate Sidewalk Labs.


It’s not just activists who are starting to adopt Germany’s approach to Big Tech. In November, Amnesty International issued a report arguing that Google and Facebook’s data-collection terms constitute a “Faustian bargain.” In order to enjoy the vast swaths of the internet to which they provide access, users must sign away their privacy right, creating “a system predicated on human-rights abuse.”

In the United States, antitrust action against Big Tech players has ramped up in the months since the Bundeskartellamt took aim at Facebook, with dozens of states using competition law as grounds to keep better tabs on it and Google. California, home to so many juggernaut tech platforms, has passed a new Consumer Privacy Act with many parallels to GDPR. It came into force in January, and a California Department of Justice study estimates compliance will cost businesses US$55-billion.

“Everybody was scared when [GDPR] came up, because they thought, ‘Oh, we can’t exchange data anymore,' ” Berlin venture capitalist Christian Nagel says. “Long-term, I think it will be an advantage, because I think it’s a matter of time before it comes to every country. Because the nature of people is to want security. They want data protection. They want to be in charge."

Report an error Editorial code of conduct
Due to technical reasons, we have temporarily removed commenting from our articles. We hope to have this fixed soon. Thank you for your patience. If you are looking to give feedback on our new site, please send it along to feedback@globeandmail.com. If you want to write a letter to the editor, please forward to letters@globeandmail.com.

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff. Non-subscribers can read and sort comments but will not be able to engage with them in any way. Click here to subscribe.

If you would like to write a letter to the editor, please forward it to letters@globeandmail.com. Readers can also interact with The Globe on Facebook and Twitter .

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff. Non-subscribers can read and sort comments but will not be able to engage with them in any way. Click here to subscribe.

If you would like to write a letter to the editor, please forward it to letters@globeandmail.com. Readers can also interact with The Globe on Facebook and Twitter .

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff.

We aim to create a safe and valuable space for discussion and debate. That means:

  • Treat others as you wish to be treated
  • Criticize ideas, not people
  • Stay on topic
  • Avoid the use of toxic and offensive language
  • Flag bad behaviour

Comments that violate our community guidelines will be removed.

Read our community guidelines here

Discussion loading ...

To view this site properly, enable cookies in your browser. Read our privacy policy to learn more.
How to enable cookies