Facebook faces its second privacy-related fine in Europe, with the most recent action taken by the Italian Competition Authority. On Friday, Facebook was hit with two fines, totaling 10 million Euros (about $11.3 million), for violating Italy’s Consumer Code.
The Italian Competition Authority (ICA) found that Facebook violated several articles of the statute by misleading consumers about how their data would be used. These include Articles 21 and 22. The ICA found that Facebook doesn’t explicitly inform people when they register that their information will be used for commercial purposes.
“Facebook emphasizes the free nature of the service but not the commercial objectives that underlie the provision of the social network service, thus inducing users into making a transactional decision that they would not have taken otherwise,” the ICA said in a notice on Friday. “The information provided is in fact general and incomplete and does not adequately make a distinction between the use of data to personalize the service (in order to connect ‘consumer’ users with each other) and the use of data to carry out advertising campaigns aimed at specific targets.”
The authority also found that Facebook, in violation of Articles 24 and 25, actively sends consumer data to third-party websites and apps for commercial purposes, by default and without express consent. Additionally, when users decide to limit their consent, they are faced with significant restrictions on the use of the social network. Inducing users to “maintain the pre-selected choice” represents “undue influence,” according to the ICA, and prevents users from being able to make a free, informed choice.
“In the wake of European data privacy laws that were fairly generic in nature, rulings such as this one will provide vital precedent and context to companies and hopefully push them to adhere to data privacy both in practice and in spirit,” Abhishek Iyer, technical marketing manager at Demisto, told Threatpost. He added, “In the future, regulators should move to buttress existing law frameworks with more specific and detailed requirements of what information companies should make explicit to their users. Users should also be allowed to revoke the sharing of their data at any time and should be aware of any third parties that their data is being shared with. The more transparent this information is, the less the chance of ‘dark pattern’ user experiences that bank on users not being aware of where their data is going.”
Second European Fine
The action is the second fine that the social network has faced across the pond. In October, The UK fined Facebook $645,000 over Cambridge Analytica’s data harvesting practices, which exploited the data of 87 million users.
Both sets of fines represent a gnat bite for the tech giant, which generated $5.1 billion in net profit in the second quarter of the year. However, the amounts reflect the fact that the investigations were opened before the EU’s General Data Protection Regulation (GDPR) went into effect; that happened in May.
“But for the statutory limitation on the amount of the monetary penalty, it would have been reasonable and proportionate to impose a higher penalty,” noted the UK’s Information Commissioner’s Office (ICO).
It’s safe to say that Facebook has thus far dodged a bullet: The GDPR stipulates a maximum fine of 4 percent of annual global turnover (approximately $1.6 billion in Facebook’s case). However, the increased scrutiny is notable in and of itself.
“2018 has been the year that privacy hit a sore spot with consumers, and the various internet properties that monetize data no longer have a free reign,” David Ginsburg, vice president of marketing at Cavirin, told Threatpost. “Though the EU has taken the lead with GDPR and other regulations such as Italy’s Consumer Code, the U.S. is following suit with regulations such as the California Consumer Privacy Act and parallel regulations on the national level expected in 2019. The specific description of Facebook’s breaches is very telling and should be closely read by others operating in the EU as to their own exposure.”