The Italian Antitrust Authority (Autorità Garante della Concorrenza e del Mercato, AGCM) announced on June 5, 2024, that it has imposed a total administrative fine of 3.5 million euros on Meta. The AGCM's investigation found that Meta's social platforms, Facebook and Instagram, engaged in illegal collection of user data. The AGCM believes that these violations contravene Articles 20, 21, and 22 of the Italian Consumer Code (Codice del consumo). Consequently, it fined Meta and prohibited it from continuing these illegal commercial practices.
Case Background
In the internet era, social media platforms have become an indispensable part of people's lives. As a leader in the global social media industry, Meta, through its platforms like Facebook and Instagram, influences the information access and social interactions of billions of users. With its vast global user base, Meta's ability to collect and analyze user data enables advertisers to target users precisely, thereby personalizing advertisements and other commercial information. While this business model, based on analyzing user behavior and preferences, brings efficiency to advertisers, it also raises concerns about personal privacy. Following some complaints, the AGCM conducted an in-depth investigation into Meta's improper business practices and found multiple violations by Meta.
The AGCM's investigation revealed that Meta failed to clearly and promptly inform users during Instagram registration that their personal data would be used for commercial purposes, such as delivering personalized advertisements. Although the registration process included terms of data use, this information was not presented prominently, nor did it clearly state the commercial use of the data. This lack of transparency violates users' right to be informed, potentially leading them to consent to the commercial use of their data without being fully aware. Additionally, Meta failed to provide sufficient advance notice and reasonable explanations when temporarily or permanently closing user accounts, nor did it offer appropriate dispute resolution channels. The AGCM found that Meta failed to provide effective account recovery support in the event of hacker attacks or other authentication issues. This not only affects users' social media experience but also highlights Meta's deficiencies in account security and user support. The AGCM believes these actions violate the Italian Consumer Protection Law regarding information transparency, consumer rights protection, and contractual fairness.
Given the above circumstances, the AGCM found Meta in violation of Articles 20, 21, and 22 of the Italian Consumer Code and imposed a fine of 3.5 million euros. This penalty decision has negatively impacted Meta's business in Italy, with some Italian users expressing that they will consider reducing their use of Meta's products and services.
Legal Analysis
In addition to the EU-wide GDPR, the legislative framework for personal data protection in Italy is based on the Italian Constitution, the Data Protection Law, and the Personal Data Protection Code, which collectively form the foundation of Italy's personal data protection legal system. Other sectoral laws, such as the E-Commerce Law and the Consumer Code, provide specific regulations for personal data protection in different scenarios. The Consumer Code, as part of the sectoral law, primarily aims to protect consumer rights and can be specifically applied to personal data protection in the context of consumer rights. Articles 20, 21, and 22 of the Italian Consumer Code stipulate provisions against unfair commercial practices, deceptive practices, and misleading omissions, respectively, and explicitly prohibit companies from engaging in these practices in their commercial activities.
(a) Unfair Commercial Practices
Article 20 of the Consumer Code clearly states that if a commercial practice violates the principles of professional diligence and constitutes false actions or may significantly mislead consumer behavior, it is deemed an unfair commercial practice. Unfair commercial practices include misleading actions (as described in Articles 21, 22, and 23) and aggressive actions (as described in Articles 24, 25, and 26). The law prohibits companies from engaging in unfair commercial practices.
The AGCM believes Meta's unfair commercial practices mainly manifest in two aspects: first, the failure to clearly inform users of the purpose of data use during Instagram registration, which violates professional diligence and may lead consumers to make registration decisions without being fully informed. Second, in cases where users are unable to access their accounts, Meta does not provide sufficient and effective assistance to recover the accounts, which may prevent consumers from adequately protecting their rights.
(b) Deceptive Practices
Article 21 of the Consumer Code defines deceptive practices as commercial practices that contain false information or in any way mislead consumers, causing them to misunderstand the nature, characteristics, etc., of products or services, thereby making decisions they would not ordinarily make. Whether a commercial practice constitutes deception depends not only on the truthfulness of the information but also on how the information is presented and the context. Even if the information is materially true, if its presentation is enough to mislead consumers, it may be deemed deceptive.
Meta's failure to adequately disclose the commercial purpose of data during new user registration on Instagram may lead consumers to misunderstand how their data is used and its impact on personal privacy, thereby making decisions different from those they would have made with full information. The AGCM believes Meta's actions constitute deceptive practices as defined in Article 21.
(c) Misleading Omissions
Article 22 of the Consumer Code states that if a commercial practice fails to provide relevant information that an average consumer needs to make an informed commercial decision in a specific context, it constitutes a misleading omission. This relevant information includes, but is not limited to, the main characteristics of the product, price, consumers' right of withdrawal or contract termination, and any other important information affecting consumer decisions.
In addition to the failure to adequately disclose the commercial purpose of data mentioned earlier, the AGCM believes Meta failed to provide sufficient information when closing accounts, including reasons for the interruption, duration, and possible appeal channels for users. This omission may prevent consumers from exercising their rights, thereby constituting a misleading omission.
Compliance Recommendations
Although the AGCM's penalty on Meta is based on consumer protection clauses, the substantive content of these clauses is related to the requirements for corporate data privacy compliance, such as the principle of transparency and the effectiveness of user consent. This highlights the importance of privacy compliance and personal data protection for consumers in the digital and globalized business environment. This case also reminds us that because data rights are a form of consumer rights, non-compliance by companies may face enforcement from multiple angles. When building a data compliance system, companies need to pay attention not only to specific data legislation (such as GDPR) but also to laws related to consumer rights protection. Furthermore, since data rights are a type of rights enjoyed by consumers, the provisions of different sectoral laws on data rights are essentially interconnected. This means that as long as companies strictly adhere to the core requirements of privacy compliance, they can meet multiple compliance requirements simultaneously.
When building a data compliance system, companies should not only focus on specific data protection regulations but also consider relevant laws involving consumer rights protection. Companies should continuously monitor and correct their business practices to adapt to changes in laws and regulations, ensuring global compliance. The Meta case also reminds us that compliance is not just a way to avoid penalties but also a key to winning market and consumer trust.
Kaamel's Assistance
Kaamel is always at the forefront of privacy protection. We believe in helping companies identify and address privacy compliance risks through technology-driven methods.
Our innovative Kaamel AI detection engine relies on mainstream regulations and regulatory precedents to help companies quickly and comprehensively identify their privacy compliance risks. Kaamel also provides comprehensive privacy compliance solutions to help companies effectively address regulatory and user needs in international business operations, reducing privacy risks and compliance concerns, and building trust in the global market.