Facebook’s failed Italian appeal confirms data’s economic value
An Italian court has rejected an appeal by Facebook against €10 million in fines it received from the country’s competition watchdog, saying consumer protection laws also apply to the processing of personal data because of its economic value.
In a 10 January judgment, the regional administrative court for Lazio in Rome said that an approach to personal data protection based only on an individuals’ fundamental rights is incomplete: consumer protection laws also apply, as Facebook commercialises the data it collects.
Facebook had appealed against two €5 million fines issued by the country’s competition watchdog in December 2018.
The watchdog – which also has consumer protection enforcement powers – said the social media giant misled users and failed to make it sufficiently clear that users’ data would be used for commercial purposes. It also said Facebook was engaged in an “aggressive commercial practice” encouraging users to permit data sharing between Facebook and third parties, and vice versa, for commercial purposes.
Facebook appealed against the decision on the grounds that the matter was one for privacy – rather than competition – regulators.
But the court rejected Facebook’s arguments, saying that the economic nature of the personal data collected by Facebook means consumer protection laws apply as well as those governing privacy.
It said the behaviours examined by each authority was different, one being the protection of personal data as a fundamental right and the other being the provision of the correct information required for a consumer to make an informed choice.
Massimiliano Pappalardo, a partner at Ughi e Nunziante Studio Legale in Milan, told GDR the ruling could have “substantial consequences” and could affect many businesses offering purportedly “free” services online. He said it was noteworthy that the court outlined and analysed the “capitalisation of personal data”, something typical in new digital economies.
Pappalardo said the ruling might have an effect on the scope of the one-stop-shop mechanism set out by the GDPR by allowing regulators other than data protection authorities jurisdiction over the processing of personal data. For cases involving cross-border data processing, the one-stop-shop allows companies to benefit from having to deal with just one European data regulator in the country of their main European establishment.
Rocco Panetta, a partner at Panetta & Associati in Rome, told GDR that while the ruling confirms the position of the courts that the provision of social network services like Facebook is offset against the collection of personal data, the decision is “way too case-specific and brief to shed light upon an extremely hot topic”.
However, Panetta said it was possible – given that many big tech companies provide services for “free” in exchange for data – that “similar local decisions may trigger a ripple effect” and force new European legislation on the issue.
Panetta also said the court has made it clear that multiple regulators can be involved in similar matters “without necessarily violating the general legal principle of “not twice against the same thing””.
A Facebook spokesperson told GDR that the company is reviewing the court’s decision and hopes to work with the competition watchdog to resolve remaining concerns. “Last year we made our terms and policies clearer to help people understand how we use data and how our business works. We also made our privacy settings easier to find and use, and we're continuing to improve them. People own and control their personal information on Facebook," they said.
Counsel to Facebook
Partner Andrea Cicala and of counsel Riccardo Pennisi and Francesco Goisis in Milan and partner Luca Pescatore in Rome are assisted by Davide Coppola