With a decision published on December 7th 2018, following an investigation launched in April 2018, the Italian Competition Authority has fined Facebook Ireland Ltd., and its parent company Facebook Inc., for engaging in two unfair commercial practices in violation of the Italian Consumer Code.

The commercial practices fined by the Italian Competition Authority

The first of the two behaviors challenged by the Authority concerns the way Facebook presents its social network service to the prospect users who are in the process of registering in the service. The Authority alleges that Facebook misleads consumers into registering in the social network service by emphasizing the free nature of the service, without properly informing them about the fact that Facebook will collect, process and use their personal data for commercial purposes. The Authority claims that the information provided in this regard to consumers at the time of registering in the service is incomplete and unclear. In the Authority’s view, this conduct is in violation of Articles 21 and 22 of the Italian Consumer Code, which prohibit any actions or omissions of the professional that deceive, or are likely to deceive, the average consumer and cause, or are likely to cause, him to take a transactional decision that he would not have taken otherwise.

The second commercial behavior that the Authority found to be unfair consists in Facebook’s transmission of registered users’ data, without their prior express consent, from the social network platform to third party websites/apps and vice versa, for the use of such data for profiling and commercial purposes. The Authority alleges that Facebook applies a mere opt-out mechanism for enabling the integration between its platform and third-party websites/apps, by setting up the reciprocal exchange of user’s data with other websites/apps, through the pre-selection of the “Piattaforma attiva” function. In the Authority’s view this mechanism is in violation of Articles 24 and 25 of the Italian Consumer Code, prohibiting the adoption of aggressive commercial practices by the professional, because the mechanism may, through undue influence, significantly impair the average consumer’s freedom of choice, thus causing him to take a transactional decision he would not have taken otherwise.

At the end of the investigation the Authority has imposed on Facebook two administrative fines of 5 million euro for each of the two commercial practices charged and ordered Facebook to cease and desist from such practices. Facebook shall have to inform the Authority, within 90 days from the notification of the decision, about the initiatives taken in compliance with such order.

The main issues tackled by the decision of the Italian Competition Authority

With its decision the Authority rejected Facebook’s preliminary objection that the Competition Authority lacks of jurisdiction to investigate into such behaviors, as they should be regarded as falling within the exclusive jurisdiction of the Data Protection Authority.

The Italian Competition Authority affirmed its jurisdiction observing that the fact that data protection laws apply does not exempt professionals from complying with consumer protection laws as well, having the two sets of rules separate fields of application and different purposes, since data protection laws are aimed at protecting personal data while consumer protection laws are aimed at protecting the consumers from misleading and aggressive practices which may distort consumers market choices when buying goods or services from a professional.

Facebook’s argued that there is no relevant consumer relationship between itself and the users, since the provision of personal data does not constitute, from a legal point of view, a consideration for the use of the social network service. The Authority rejected this argument noting that what is relevant is that the data provided by the users have an economic value for the business run by Facebook. The users data that Facebook collects and uses have the nature of non-monetary consideration, as already stated by the European Commission in the merger review case no. COMP / M.7217 – Facebook/Whatsapp.

This decision is likely to open a debate about the relationship between data protection laws and consumer protection laws and how far the Competition Authorities can go in scrutinizing business models based on the processing and profiling of personal data. What is clear is that the Competition Authorities want to play a role in the digital economy and that firms operating in the market should combine compliance with data protection laws and compliance with competition and consumer protection laws.