14 December 2018
On 29 November 2018 the Italian Competition Authority (ICA) handed Facebook a fine of EUR 10m for misleading consumers and breaching Italian consumer and data protection laws.
Interestingly the scope of the investigation was initially aimed at unfair commercial practices adopted by Facebook, but in handing down the fine the ICA noted numerous breaches of Italian privacy law and the GDPR by Facebook. The ICA were clear in their investigations that ‘personal data, consumer preferences and other user generated content, have a “de facto” economic value’. It was alleged that Facebook exploited the personal data they held in order to gain a commercial benefit.
On review of Facebook’s terms and conditions for users, the ICA decided that the terms were grounded in unfair practices and data breaches for the following reasons:
- Facebook did not inform users when they registered for Facebook that their personal data would be used for commercial purposes. The ICO was critical of the fact that Facebook marketed itself as a free service to users but at no point did Facebook flag the fact that they sold their users personal data and preferences. The ICO decided Facebook was misleading towards the data subjects in breach of the GDPR, as Facebook didn’t properly inform the users as to what data was collected to personalise Facebook for the user, and what data was collected to be sold to third parties.
- Facebook only allowed users to opt-out of the data sharing policies they had in place with third parties. The default position on the Facebook site was that users were opted in to sharing their usage data with third parties. This wasn’t made clear to users at any point and the settings to opt-out of the data sharing arrangement were not easily accessible to users. If users did opt-out of these data sharing arrangements, they often found their use of Facebook was extremely limited, and if they wanted to use certain features they had to opt-back in to the data sharing options. The ICO was critical that this left users in such a catch 22 situation. In a fairly damning judgment, the ICA labelled this as an aggressive practice which exerted undue influence on the Facebook users.
Facebook have since commented that they are reviewing their data policies to make them clearer and to ‘help people understand how we use data and how our business works.’
Costanza De Porcellinis, Secondee (firstname.lastname@example.org)
Thomas Edwards, Trainee Solicitor (email@example.com)