In recent years, social media and technology companies have faced investigations initiated by competition and data protection authorities worldwide for violating data protection rules. It seems that competition and data protection enforcers are less hesitant to impose administrative fines, when it is believed that data protection or competition rules are violated by companies that utilize data as a part of their entrepreneurial activities1. In this respect, on 29 November 2018, Italian Competition Authority, Autorità Garante Della Concorrenza E Del Mercato ("AGCM") imposed an administrative fine against both Facebook Ireland Ltd. and its parent company Facebook Inc. (hereinafter referred to as "Facebook" collectively), on the grounds that the firm had undertaken misleading and aggressive practices affecting its users2.
AGCM launched the probe leading to a hefty fine against Facebook in April, 2018 based on the concerns that articles 21, 22, 24 and 25 of the Italian Consumer Code ("Consumer Code") had been breached3. As per the assessments made through the course of the investigation, ACGM explains that Facebook was fined due to the its conducts listed below, which are alleged to be in contradiction with the said articles of the Consumer Code:
- Misleading the users in the sign-up process via a failure to explicitly indicate the purpose of data collection and specifying that the collected items would be utilized for commercial means by Facebook.
- Incentivizing the users to make decisions of a commercial nature without being granted access to the full facts, namely the profitable ends that could be achieved by Facebook via providing social network services to users.
- Undertaking an aggressive practice on registered users of Facebook by transmitting their data from the network to third parties and vice versa for achieving commercial purposes.
With regards to the concerns about Article 21 and 22 of the Consumer Code, AGCM focuses on Facebook's misleading conduct against its users during the account creation phase. AGCM points out that while the data required from Facebook users for the sign-up process is used for commercial purposes, Facebook do not provide adequate and immediate information to its users in relation with this purpose. Accordingly, AGCM sets forth that Facebook places an emphasis on the free nature of the services to induce its users to make a commercial decision that they would not have made otherwise, instead of revealing to the customers the commercial objectives underlying the provision of social network services. More specifically, Facebook's practice of emphasizing the "free of charge" nature of the social network services, is deemed as a misleading conduct that manipulates user decisions. Furthermore, AGCM has established that information provided by Facebook do not include a distinction per the functionality of the data collected and that it is incomplete. For instance, it is noted that Facebook do not inform its users whether the data would be used to personalize the network services or for advertising campaigns aimed at specific targets.
In relation with the assessment made on Articles 24 and 25 of the Consumer Code, AGCM focuses on Facebook's conduct which is described as "aggressive practices", directed towards the registered consumers. Within this scope, AGCM expresses that the data obtained from the registered customers were being transmitted to third party websites or apps and vice versa for commercial purposes, without obtaining express and prior consent. Hence, by making its "active platform" function default, Facebook pre-sets its users' ability to access websites and external apps that use their Facebook accounts without their express consent. Accordingly, Facebook repeats the pre-selection mechanism whenever the user accesses a third-party website or an app, which is integrated with his or her Facebook account and merely provides an opt-out option. Considering the nature of this mechanism, AGCM indicated that Facebook's conduct induces unconscious and automatic consumer choice, on the ground that customers are not required to give an express and prior consent for data transmission.
In further assessment, such conduct is characterized as an "undue influence", which stems from the pre-selection mechanism that ensures the broadest consumer consent to data sharing. AGCM ultimately establishes that, although registered consumers may limit their consent regarding the scope of data sharing, they are exposed to significant restrictions concerning the use of the social network, third-party websites and apps in a way that disincentivizes any potential variations of the pre-selected choice.
Considering the foregoing, AGCM published a press release notifying that the investigation is concluded on 29 November 2018. In the press release it is declared that Facebook was fined 10 million Euros by AGCM for data misuse and that it was obliged to publish a correction statement on its app and website4.
It is noteworthy to mention that it is not the first time that Facebook got in trouble with data protection rules. The company has previously been exposed to investigations in Ireland and the UK, with concerns regarding data protection rules. On 24 September 2018, Facebook engineers discovered that hackers were able to take over users' accounts and this led to a major scandal affecting nearly 50 million Facebook accounts. Consequently, the Irish Data Protection Commission initiated an investigation to examine whether Facebook complies with its obligations under General Data Protection Regulation ("GDPR")5.
Facebook stated in its press releases that they were cooperating with the Irish Data Protection Commission since they realized such a security attack, the company has also been conducting an internal investigation and "continued to take remedial actions to mitigate the potential risks to users". In the wake of the Irish Data Protection Commission's announcement concerning the investigation, the Spanish Data Protection Agency stated that it would collaborate on the investigation for the rights of the Spanish citizens6.
According to the GDPR, companies who fail to adequately protect relevant data could be fined for 20 million Euros or 4% of their global annual revenue from prior year, depending on which amount is greater. However, companies who notify the violation within three days will benefit from a reduction amounting to 2% of their global revenue. In this regard, the Irish Data Protection Commission reported that Facebook notified the breach on time to benefit from such reduction7. The investigation is not concluded yet and the potential fine that Facebook might face is estimated as $1.63bn, which is a considerable amount. The investigation is also crucial as it is considered as the first major test of Europe's new rules8.
In the UK, Facebook was fined for 500.000 GBP on 25 October 2018, when old data privacy rules of the EU were still in force, which allowed for a maximum amount of fine of 500,000 GBP by Information Commissioner's Office ("ICO"). In the UK case, Facebook was penalized for unlawfully processing personal information of its users between 2007 and 2014, without obtaining sufficiently clear and informed consent. The fine imposed by ICO was also justified by Facebook's failure to keep its users' personal information secure, which meant that the personal data of 87 million Facebook users located in the UK, US and other countries were shared with a third-party company named GSR. It was determined that GSR later shared a subset of the data with other organizations, including SCL Group, the parent company of Cambridge Analytica – a company involved in political campaigning in the United States. Within this context, ICO established that Facebook had failed to take adequate and timely remedial action, involving deletion, despite the fact that it discovered such misuse of data in 2015 and it did not suspend the company from its platform until the year of 2018.
To wrap up, AGCM's recent decision on Facebook appears to be the latest indicator that signifies competition and data protection enforcers' tendency to scrutinize big technology companies over data-related conducts. Thus, it seems that the big-tech companies have much to expect and learn from competition and data protection authorities all over the world.
1 As is known, Italian Competition Authority, Autorità Garante Della Concorrenza E Del Mercato ("AGCM"), had imposed a 3 million-euro fine on Whatsapp on 11 May 2017, for having forced its users to share their personal data with Facebook.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.