Summary: 1. Introduction. – 2. The challenged AGCM decision. – 3. The Administrative Court ruling. – 4. The obligation to inform the data subject between Consumer Code and GDPR. – 5. Looking for boundaries: the ne bis in idem principle.
Tar Lazio, sez. I, 18 dicembre 2019, 260; Tar Lazio, sez. I, 18 dicembre 2019, 261.
Abstract
In light of the economic relevance of personal data as an asset in digital markets, in commercial transactions where personal data serve as a non-monetary consideration, undertakings shall provide consumers with clear, complete and non-deceptive information in compliance with the applicable consumer law. Accordingly, the consumer shall be made aware of the actual commercial terms of the transaction entailing the provision of a service against personal data.
There is no incompatibility or antinomy between data protection and consumer laws, since they are complementary, imposing specific information obligations in relation to their respective protection purposes. On the one hand, data protection rules aim to protect personal data as a fundamental right of the individual; on the other hand, consumer rules ensure that correct information is provided to consumers in order to adopt informed economic choices.
For the same reasons, the risk of “a multi-sanctional effect” against the same conduct by the same undertaking can be excluded. Indeed, data protection and consumer Authorities scrutinise different conducts of the undertaking, relating in the first case to the correct processing of personal data pursuant to data protection law, and in the second case to the clarity and completeness of the information about the exploitation of the data for commercial purposes pursuant to consumer law.
- Introduction
By twin judgments released on 10 January 2020[1], the Lazio Regional Administrative Court[2] partly overturned the decision No 27432/2018[3] of the Italian Competition and Consumer Authority (Autorità Garante della Concorrenza e del Mercato, AGCM), which fined Facebook Inc. and its Irish subsidiary Facebook Ireland Ltd. €10 million[4] for two unfair commercial practices against the Social Network’s Italian users. At the time of writing, Facebook has appealed the judgments before the Italian Supreme Administrative Court (Consiglio di Stato), which will have the final say on the matter.
Although still subject to final judicial review, the first instance ruling is remarkable since it highlights crucial issues with regard to personal data processing and the enforcement of consumer and data protection laws. As will be pointed out below, the Regional Administrative Court confirmed that, when exploited for commercial purposes, personal data correspond both to a personal right of the data subject protected by the General Data Protection Regulation (GDPR)[5], and to an economic asset amounting to a contractual consideration subject to the Italian Consumer Code[6]. The envisaged “double nature” triggers the risk of convergent proceedings and double fines issued by both the Data Protection and the Consumer Authorities against the same commercial practice of the same undertaking scrutinised from different angles.
To prevent potential convergent enforcement from causing legal uncertainty and an excessive compliance burden to the detriment of undertakings, innovation and ultimately consumer welfare, we would argue that the need for more precise boundaries between the applicable rules should be considered pursuant to the ne bis in idem principle.
- The challenged AGCM decision
By decision No 27342/2018, the AGCM found that Facebook engaged in a first misleading commercial practice, prohibited by Articles 21 and 22 of the Italian Consumer Code. The conduct consisted of the insufficient information provided to the Italian users during their first registration to the Platform. In that phase, by means of the claim «Sign up, it’s free and it will be forever», Facebook highlighted the free nature of the service without specifying that the personal data collected would be processed for commercial purposes. According to AGCM, the lack of information was not overcome by the link to the data protection notice available on the registration page, since «the absence of an alert on a relevant element of the contract such as the commercial use of user data, determines a serious information incompleteness that cannot be remedied by a mere reference to further details»[7].
The AGCM also ascertained a second, aggressive practice, prohibited by Articles 24 and 25 of the Italian Consumer Code. According to the evidence gathered by the Authority, Facebook automatically pre-set the transmission of the user data, for profiling and commercial purposes, from the Social Platform to third party websites/apps and vice versa without the prior express consent of the data subject. The latter had a mere opting-out option, which was discouraged by Facebook by alleging consequent difficulties in the use of the services.
In the course of the proceedings, Facebook argued that the provision of “free” services, in the absence of monetary compensation, does not constitute a relevant economic activity within the meaning of the Consumer Code. In addition, according to Facebook, AGCM acted «beyond its competence in so far as it uses consumer protection rules to analyse conduct that should be assessed on the basis of privacy and data protection legislation»[8]. Hence, the case pertained to the competent Data Protection Authority pursuant to GDPR, namely the Irish Data Protection Commission (in view of the EU State of establishment of Facebook’s subsidiary), rather than AGCM.
In rejecting both arguments, in line with the conclusions reached in the 2017 WhatsApp case[9], the AGCM first confirmed that the processing of user data for marketing purposes entails a «consumer relationship […], even in the absence of a monetary compensation», since user data are in effect a «non-monetary consideration»[10].
In addition, AGCM confirmed its competence on the case, clarifying that «the fact that the company’s conduct is subject to privacy law does not exempt it from complying with the rules on unfair business practices». While the enforcement of data protection law pertains to the Data Protection Authority, the Consumer Code has a different scope, which is to protect the consumer from economic choices induced by misleading and aggressive practices that are not covered by other specific regulations. According to AGCM, therefore, «the two legal frameworks have a different material scope of application and pursue different interests. Consequently, there is no conflict between the two sets of rules, but rather they complement each other»[11].
- The Administrative Court ruling
By the twin judgments released on 10 January 2020, the Lazio Regional Administrative Court annulled the AGCM decision No 27342/2018 as regards the second, aggressive conduct relating to the alleged data sharing without the user’s express consent. The Court found that, in light of the evidence provided by Facebook, the envisaged data sharing mechanism correctly required the user’s express consent “on a granular basis” for each individual third party app/website.
The Court confirmed the first unfair commercial practice relating to the insufficient information provided to the consumer at the time of the first registration to the Social Network. In reaching this conclusion, the Court provided useful compliance clarifications, applicable to all offers apparently provided “for free” in the absence of a monetary compensation.
First, the Court confirmed that personal data might have a “double nature”. Indeed, they are the object of a fundamental right of the individual fulfilled by data protection laws, but they can also be an exploitable economic asset amounting to a contractual compensation. Accordingly, economic services provided against user data must comply with the Consumer Code as regards the duty to provide clear, complete and non-deceptive information on the actual commercial use of the personal data. Such information shall be available to the users from the first phase of registration to the platform, and shall effectively enable them to understand the terms of the agreement.
The Court confirmed also that, as pointed out by the AGCM, the mere link to Facebook’s Data Policy, Terms of Use and Cookie Policy (available on the registration page) is not an effective remedy, since the information accessible through links is «neither clearly nor immediately perceived» by the consumer.
In any case, the undertakings cannot claim that the economic relevance of personal data is something new. Indeed, in addition to the aforementioned WhatsApp case of 2017, this principle is recognised in the 2016 Guidelines for the implementation/application of Directive 2005/29/EC, where the European Commission points out that «personal data, consumer preferences and other user-generated content have a ‘de facto’ economic value»[12].
The “dual nature” of personal data has further consequences for companies from a compliance point of view. Indeed, depending on the business model of the undertaking concerned, the data protection policy pursuant to Article 13 GDPR may prove insufficient to avoid further responsibilities regarding the commercial exploitation of the personal data pursuant to the Consumer Code. In other terms, personal data processing triggers the risk of two concurrent (or convergent) sanctions for the same data processing activity: one for any violation of the GDPR (with penalties up to 4% of the annual turnover)[13], and another for breach of the Consumer Code (with penalties that, currently in Italy[14], are up to €5 million for each unfair conduct ascertained by AGCM).
Taking into account the different scope of data protection and consumer regulations, in the judgements at hand the Regional Administrative Court expressly excluded the risk that such an approach could lead to “a multi-sanctional effect” (“effetto pluri-sanzionatorio”) against the same conduct by the same undertaking. Indeed, according to the Court, the Italian Data Protection Authority and the AGCM would scrutinise «different conducts of the undertaking, relating in the first case to the correct processing of personal data for the purposes of using the platform, and in the second case to the clarity and completeness of the information about the exploitation of the data for commercial purposes»[15].
- The obligation to inform the data subject between the Consumer Code and GDPR
At the time of the 2018 AGCM decision, Facebook’s registration page displayed the claim «Sign up, it’s free and it will be forever».
Subsequently, in light of the AGCM’s remarks, Facebook changed the wording to «It’s fast and simple», thus eliminating any reference to the free nature of the service provided. When accessing the registration page where this further claim was displayed, after having filled in certain identification data, users were informed by a general notice that, by clicking on «Sign up», they were going to accept Facebook’s Terms and Conditions. The same notice provided a link to the Data Policy, inviting the users to find out how Facebook collected, used and shared their information; a further link was provided to the Cookies Policy[16]. In other words, by clicking on «Sign up», by means of a single action on the part of the users, they were going to accept the Terms and Conditions as well as the Data and Cookie Policies.
According to the AGCM decision and Court ruling at hand, in conjunction with a first claim inviting them to join the service and in any case before entering into a contract, the consumers shall be provided with two distinct sets of information: according to the Consumer Code, the consumer shall understand the economic relationship between the services received and the personal data to be processed; in addition, they should be provided with the information listed by Article 13 GDPR.
The existence of two distinct informative obligations (one pursuant to the Consumer Code and one pursuant to GDPR) seems to have been confirmed by more recent proceedings initiated by AGCM against Facebook for non-compliance with the decision No 27342/2018, with respect to the first unfair practice upheld by the Court. In these further proceedings, AGCM stated that the removal of the claim «It’s free» is not sufficient to comply with the Consumer Code. Indeed, according to the Authority, the consumer who wants to register to the Social Network is still not informed clearly and immediately about the commercial purposes of their data exploitation[17].
- Looking for boundaries: the ne bis in idem principle
A question arises: what is the impact of the aforementioned potential convergent enforcement of consumer and data protection rules?
On the one hand, for big players such as Facebook, the convergent enforcement does not prove particularly effective due to the fragmented and lengthy procedures launched at national level and the relatively limited amount of the fines. This first shortcoming is going to be addressed by the new Directive (EU) 2019/2161[18] that requires Member States to increase the sanctions applicable from 2022 to infringements with an EU dimension, pursuant to Regulation (EU) 2017/2394 on cooperation between EU National Consumer Authorities[19].
On the other hand, the convergent interventions by data protection and consumer authorities may enhance legal uncertainty and the related compliance costs (especially for small and medium-sized enterprises), to the detriment of economic development, innovation and ultimately consumer welfare. To avoid this second shortcoming, the need for more precise boundaries between the applicable rules should be considered pursuant to the ne bis in idem principle, enshrined by Article 4 of Protocol No. 7 to the Convention for the Protection of Human Rights and Fundamental Freedoms and by Article 50 of the Charter of Fundamental Rights of the European Union[20]. As clarified by the European Court of Human Rights (ECHR), the ne bis in idem principle applies to the administrative Authorities, such as the Italian AGCM and Data Protection Authority, which may issue administrative fines that, although not formally “criminal” under national law, have a substantial punitive nature with both preventive and repressive functions[21].
The ne bis in idem principle does not preclude national legal systems from providing for complementary repressive responses, by different autonomous authorities, in relation to the same conduct that infringes different legal provisions[22]. On the contrary, as clarified by the ECHR, the imposition, by different authorities, of different sanctions on the same conduct is compatible with the ne bis in idem principle if certain conditions are met. In particular, the different proceedings shall pursue complementary objectives not only in an abstract sense, but also in concrete terms, i.e. having regard to the different aspects that are the object of the investigation with regard to the illegal conduct in question[23].
To comply with this criterion, in the decision to start an enforcement proceeding, each Authority should therefore clearly set out, not only in abstracto but also in concreto, the factual elements that underpin its action and its competence according to the law. In conclusion, in this respect, substantial compliance with the duty to state reasons, subject to effective judicial review, proves to be crucial to set more precise boundaries between convergent interventions and responsibilities on personal data processing.
[1] Tar Lazio, sez. I, 18 dicembre 2019, 260; Tar Lazio, sez. I, 18 dicembre 2019, 261.
[2] Under Italian law, the Lazio Regional Administrative Court (based in Rome) holds exclusive competence to review AGCM’s decisions in first instance.
[3] AGCM, decision No 27432 of 29 November 2018, PS11112 – Facebook – Condivisione dati con terzi, in Boll. 46/2018.
[4] Pursuant to the Italian Consumer Code, AGCM is allowed to issue administrative fines up to €5 million for each envisaged unfair commercial practice realised by an undertaking against consumers. In the case under review, therefore, AGCM issued the highest fine allowed by Italian law in respect of the two commercial practices ascribed to Facebook. Please note that by means of the new Directive (EU) 2019/2161, the European Union requests Member States to increase the administrative fines to be issued starting from 2022 for unfair practices with an EU dimension (i.e. affecting more than one Member State) to at least 4% of the annual turnover of the undertaking concerned. In this respect, see Directive (EU) 2019/2161 of the European Parliament and of the Council of 27 November 2019 amending Council Directive 93/13/EEC and Directives 98/6/EC, 2005/29/EC and 2011/83/EU of the European Parliament and of the Council as regards the better enforcement and modernisation of Union consumer protection rules, OJ L 328, 18.12.2019, 7–28.
[5] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119, 4.5.2016, 1–88.
[6] Legislative Decree No 206/2005 that implemented in Italy Directive 2005/29/EC on unfair commercial B2C practices to the detriment of consumers.
[7] AGCM decision No 27432/2018, point 56. Unofficial translation from the Italian official text.
[8] Ibid., point 34. Unofficial translation from the Italian official text.
[9] AGCM, decision No 26597 of 11 May 2017, PS10601 – WhatsApp – Trasferimento dati a Facebook, in Boll. 18/2017. In those proceedings, AGCM sanctioned WhatsApp €3 million for an unfair commercial practice of an aggressive nature pursuant to Articles 20, 24 and 25 of the Italian Consumer Code, concerning the modification of the general terms and conditions. AGCM confirmed that WhatsApp’s conduct amounted to an unfair commercial practice due to the economic value of the users’ personal data, which constitute a “non-pecuniary consideration”.
[10] AGCM decision No 27342/2018, point 54. Unofficial translation from the Italian official text.
[11] Ibid., point 46. Unofficial translation from the Italian official text.
[12] European Commission, Staff working document, Guidelines for the implementation/application of Directive 2005/29/EC on unfair commercial practices, 25.05.2016, SWD(2016) 163 final. In this respect, we could also note that the economic relevance of personal data has been codified, for instance, by Directive (EU) 2019/770 of the European Parliament and of the Council of 20 May 2019 on certain aspects concerning contracts for the supply of digital content and digital services, OJ L 136, 22.5.2019, 1–27. Directive (EU) 2019/770 expressly protects consumers in those contractual relationships where a digital content/service is provided against user data (see Article 3 of Directive (EU) 2019/770: «This Directive shall apply to any contract where the trader supplies or undertakes to supply digital content or a digital service to the consumer and the consumer pays or undertakes to pay a price. This Directive shall also apply where the trader supplies or undertakes to supply digital content or a digital service to the consumer, and the consumer provides or undertakes to provide personal data to the trader, except where the personal data provided by the consumer are exclusively processed by the trader for the purpose of supplying the digital content or digital service in accordance with this Directive or for allowing the trader to comply with legal requirements to which the trader is subject, and the trader does not process those data for any other purpose»).
[13] See Article 83 GDPR.
[14] See Article 27 of the Italian Consumer Code.
[15] Tar Lazio, judgements 260-261. Unofficial translation from the Italian official version.
[16] Source: https://it-it.facebook.com/ accessed on 31 January 2020. The wording, translated here from the Italian, said: “[b]y clicking on Sign up, you accept our Terms. Find out how we collect, use and share your data in our Data Policy and how we use cookies and similar technologies in our Cookie Policy. You may receive SMS notifications from us, but you can turn them off at any time”.
[17] AGCM, decision No 28072 of 21 January 2020, IP330 – Facebook-Raccolta utilizzo dati degli utenti, in Boll. 4/2020, spec. point 7: «[w]ith particular reference to the only change implemented in relation to the registration page of the social network, namely the removal of the claim that the service is free, it is noted that this is not sufficient to remove the established unlawful aspects. The consumer who wishes to register with the social network continues not to be informed clearly and immediately about the commercial purposes of the collection and use of their data by the company». Unofficial translation from the Italian official text.
[18] See footnote No 4.
[19] Regulation (EU) 2017/2394 of the European Parliament and of the Council of 12 December 2017 on cooperation between national authorities responsible for the enforcement of consumer protection laws and repealing Regulation (EC) No 2006/2004, OJ L 345, 27.12.2017, 1–26.
[20] Article 50 (Right not to be tried or punished twice in criminal proceedings for the same criminal offence): «No one shall be liable to be tried or punished again in criminal proceedings for an offence for which he or she has already been finally acquitted or convicted within the Union in accordance with the law».
[21] ECHR, A. Menarini Diagnostics Srl c. Italia, appl. 43509/08 [2011].
[22] ECHR, A and B v Norway, appl. 24130/11 and appl. 29758/11 [2016] 121: «In the view of the Court, States should be able legitimately to choose complementary legal responses to socially offensive conduct (such as non-compliance with road-traffic regulations or non-payment/evasion of taxes) through different procedures forming a coherent whole so as to address different aspects of the social problem involved, provided that the accumulated legal responses do not represent an excessive burden for the individual concerned».
[23] A and B v Norway, 131-132: «As regards the conditions to be satisfied in order for dual criminal and administrative proceedings to be regarded as sufficiently connected in substance and in time and thus compatible with the ne bis in idem criterion in Article 4 of Protocol No. 7, the relevant considerations deriving from the Court’s case-law, as discussed above, may be summarised as follows. Material factors for determining whether there is a sufficiently close connection in substance include: (i) whether the different proceedings pursue complementary purposes and thus address, not only in abstracto but also in concreto, different aspects of the social misconduct involved; (ii) whether the duality of proceedings concerned is a foreseeable consequence, both in law and in practice, of the same impugned conduct (idem); (iii) whether the relevant sets of proceedings are conducted in such a manner as to avoid as far as possible any duplication in the collection as well as the assessment of the evidence, notably through adequate interaction between the various competent authorities to bring about that the establishment of facts in one set is also used in the other set; (iv) and, above all, whether the sanction imposed in the proceedings which become final first is taken into account in those which become final last, so as to prevent that the individual concerned is in the end made to bear an excessive burden, this latter risk being least likely to be present where there is in place an offsetting mechanism designed to ensure that the overall amount of any penalties imposed is proportionate».