CdS - 202102630

From GDPRhub
CdS - 202102630
Courts logo1.png
Court: CdS (Italy)
Jurisdiction: Italy
Relevant Law: Article 4(2) GDPR
Directive 2005/29
Decided: 18.02.2021
Published: 29.03.2021
Parties: Facebook Inc.
Autorità Garante della Concorrenza e del Mercato
National Case Number/Name: 202102630
European Case Law Identifier: ECLI:IT:CDS:2021:2630SENT
Appeal from: TAR del Lazio (Italy)
202000261
Appeal to:
Original Language(s): Italian
Original Source: Giustizia Amministrativa (in Italian)
Initial Contributor: n/a

The Italian Council of State found that Facebook failed to provide its users with transparent information concerning the commercial exploitation of their personal data. At the same time, it found that the opt-out approach used for registering users to the platform did not constitute an aggressive conduct.

English Summary

Facts

On the 29th of November 2018, following a complaint filed by three consumer associations, the Italian Competition Authority (Autorità Garante della Concorrenza e del Mercato – AGCM) adopted a decision against Facebook Inc. and Facebook Ireland. The Authority found that Facebook engaged in an unfair commercial practice towards its users by failing to inform them adequately and immediately about the commercial nature of the processing of their personal data, while emphasizing that registering to the platform was free of charge. For this reason, Facebook Inc. received a fine of € 5,000,000. The AGCM also found that Facebook engaged in an aggressive commercial practice towards its users by unduly influencing its users’ preference concerning the processing of data for commercial purposes. This was done by pre-selecting the option to consent to sharing data with third parties, while presenting them with the prospect of significant limitations in case they de-select such options. For this reason, Facebook Ireland received a fine of € 5,000,000.

On the 18th of December 2019, the Regional Administrative Tribunal (Tribunale Amministrativo Regionale – TAR) of Lazio partially upheld two separate appeals brought by Facebook Inc. and Facebook Ireland. On the one hand, the TAR agreed with AGCM findings that Facebook misled its users into registering to the Facebook platform “for free”, without providing adequate and timely information about the commercial use of their personal data. On the other hand, the Tribunal found that the pre-selected options provided to Facebook’s users during their registration does not actually gather their consent to the transfer of data to third parties. This actually occurs at a later stage and on a granular level. Moreover, the TAR found that the AGCM failed in properly demonstrating the aggressive nature of such practice, and how it influenced the choices of the users.

Dispute

Both Facebook and the AGCM appealed against the TAR decision.

Among others, Facebook presented the following arguments:

  • That the AGCM had no authority to impose a fine against the company. According to Facebook since there was no monetary price to be paid to subscribe to its services, hence there was no commercial activity at all, and consumer law could not be applied. Moreover, Facebook held that personal data cannot be considered a commodity that the user trades in exchange for the social networking services. To support this statement, the platform referred to Recital 24 of Directive 2019/770 on certain aspects concerning contracts for the supply of digital content and digital services, which “fully [recognises] that the protection of personal data is a fundamental right and that therefore personal data cannot be considered as a commodity (…)”; and the EPDS opinion on the proposal for the same Directive (Opinion n. 4, 2017).
  • That there was an absolute lack of jurisdiction ratione materiae with regard to the AGCM. According to the platform, which referred to Articles 3 and 4 of Directive 2005/29 (the “Unfair Commercial Practices Directive”), only the GDPR could be applied to the practices addressed by the decision according to the principles of speciality and harmonisation of EU law. Moreover, the informative practices were indeed relevant to information obligations related to profiling and that are specifically regulated by the GDPR.
  • That there was a violation of Article 288(2) TFUE, since applying the national consumer law would impair the application of the GDPR and partially amend it.
  • That there was a violation of the principle of speciality concerning fines: if indeed there was an illicit conduct concerning the use of users’ personal data, that conduct is liable to be sanctioned according to GDPR rules, and not according to the more general rules of consumer law.
  • That there was a violation of Article 56 GDPR, according to which the Irish DPA is the only authority who can supervise Facebook’s processing activities in the EU.
  • The absence of any unfair commercial practice. Facebook contested that the term “free” is true to the fact that no monetary price is requested, and that the average user is well aware that the income from targeted advertising is at the core of the business model of any online free services. Moreover, Facebook argued that it used a layered approach in providing information to its users, in line with Article 12(7) GDPR and the Article 29 Working Party Guidelines on Automated individual decision-making and profiling (paragraph 35).

The appeal brought by the AGCM focused on the part of the TAR’s decision concerning Facebook’s alleged aggressive commercial practice. According to the Authority, its initial findings were accurate, and the aggressive nature of those practices is evident from the continuous use of pre-selected options by Facebook, in several stages of users’ registration process. The text of the appeal referred to by the Council of State reads: “the mechanism of multiple pre-activations undoubtedly deprives the consumer of the possibility of choosing, by means of the positive action also required at European level, whether and what to transfer to third parties, placing – contrary to the approach of the rules set out in the Consumer Code – this prerogative of the user in the hands of Facebook (i.e. the professional)”.

Holding

Concerning the overlap between consumer and data protection law, the Council of State held that because of Article 4(2) GDPR, data protection laws provides for a very broad scope of application, which might very well extend to any human activity. However, it is not possible to conclude, given the content of the GDPR and the case law from the Court of Justice of the EU, that “that the scope of application of the special and exclusive discipline (also in the sense that it excludes the application of other disciplines) can be «absolute».” This would be “unreasonable”, according to the Council, as any human activity, as well as any field of law, involves the processing of personal data. Hence, an “absolute speciality” of data protection law would mean the inapplicability of any other legislation. On the contrary, when the processing of personal data is involved, the legal system is meant to avoid “any expropriation of the application of other sectoral disciplines, such as, in the case in point, consumer protection, to reduce the protections guaranteed to natural persons.”

According to the Council of State there is also no overlap between the two systems of penalties. While GDPR penalties apply to the violation of data protection rules, which are not relevant in the present case, consumer law is concerned with “the conditioning of the awareness of the user who, in order to obtain benefits described as free of charge, must give up personal data which will not be used exclusively to obtain the services which he is seeking, but will constitute a tool for profiling the user for commercial purposes, in the absence of adequate prior information for the consumer.”

And indeed, the information provided in Facebook’s privacy and cookie policy are, according to the Council, “general and unspecific” and the stress is on the free nature of the services, rather than the actual use of personal data. On the other hand, the user is presented with “intimidating” information about the consequences of opting out to the use of personal data for commercial purposes. Hence, the “user remains convinced that the achievement of the advantages associated with access to the platform is free, not being able […] to recognise and realise that in return for the advantage there is automatic profiling for commercial use, not clearly and immediately indicated at the time of first access, as an inevitable consequence of the provision of the data.”

The Council hence agreed with the AGCM and the TAR in sanctioning Facebook’s informative practices as unfair commercial practice, among others for the following reasons:

  • Facebook did not give to its users information that is critical for the informed decision of the consumer concerning a commercial act such as registering to Facebook;
  • The information given was neither clear nor immediate;
  • The information was “general and incomplete”, and did not distinguish between the use of data for the purpose of customizing the service and for the purpose of providing with targeted advertising;
  • In the same way, the commercial and “cultural” purposes related to the use of the services were not clearly distinguishable for users;
  • Before the claim “Facebook helps you to connect and stay in touch with the people in your life”, there was a “lack of an adequate alert informing users, immediately and effectively, about the centrality of the commercial value of their data with respect to the social networking service offered”.

Concerning the alleged aggressive commercial practice, the Council of State upheld the first instance decision and stated that, according to the information and statements gathered from Facebook, there is no reason to consider that the opt-out mechanism “would prevent the user from understanding how and for what purpose the data collected as a result of cross-platform integration is used, both by third parties and by Facebook.” Indeed, the “pre-selection” of certain options does not involve any direct and immediate data sharing with third parties, and “it is followed by a further series of necessary steps, in which the user is asked to decide whether and which of his or her data he or she wishes to share in order to enable integration between the platforms.” Moreover, the commercial practice does not constitute, according to the Council, a “concrete manipulation”, a coercion of the behaviour, and hence freedom of choice, of the user, so that it cannot be considered aggressive according to consumer law.

Eventually, the Council of State rejected both appeals on the grounds that the arguments presented were not well-founded, and hence upheld the first instance decision adopted by the TAR of Lazio.

Comment

Along with this decision, the Italian Council of State adopted an almost identical decision concerning an appeal brought by the daughter company Facebook Ireland. The only differences concern an argument raised by Facebook Inc. concerning the application of the principle of parental liability, which is absent in the appeal brought by Facebook Ireland. In any event, this argument was not included in this summary as it is not related to the processing of personal data. For reference see CdS - 202102631.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.