A recent decision of an Italian court faced a very interesting case in the area of intersection between privacy and consumer laws. On Jan. 10, the Administrative Tribunal of the Lazio rejected the appeal filed by Facebook against a million-dollar fine issued by the Italian Competition Authority to sanction a misleading practice in accordance with the Italian Consumer Code. The fine was over the lack of transparency of a message the service provider used for users, aimed at presenting access to the social media platform as free.
Such a ruling addressed the thorny issue of "capitalization" of personal data, typical of the new digital economies, recently tackled by the EU Commission with the presentation of the legislative package “A New Deal for Consumers” and by the European Data Protection Supervisor in its the Opinion 8/2018.
The Italian Court goes beyond the assumption that personal data as the expression of personality rights, subject to specific and not renounceable forms of protection cannot be treated at the same time as an economic asset when they are collected and processed by an organization to extract economic value.
In such a context, if the provision of personal data is required to allow the access to a service, it cannot be presented as free because the personal data of the user has an economic value for the service provider and, as a consequence, has to be considered as the price of the service.
According to the court, the service provider should have made the consumers aware that the information that could be extracted from such personal data would have been exploited for commercial purposes that go beyond the strict needs to allow the use of the social network.
The court rejected the argument that, since the processing of personal data is specifically regulated by the EU General Data Protection Regulation, the consumer law would not be applicable. It said that privacy laws protect personal data as personality rights, while consumer laws protect individuals to help them to make a conscious choice regarding their economic interests that may involve also their personal data.
Therefore, according to the decision at issue, the two sets of laws have a different scope and shall have to be jointly applied.
What are the consequences that such overlapping of laws may involve for privacy pros?
First, whenever the collection of personal data is aimed at monetization purposes, the duty of transparency in relation to the processing of personal data has to be considered not solely from the perspective of Articles 13 and 14 of the GDPR, but also according to the provisions of national consumer laws.
Moreover, as far as the Italian courts confirm the principle that personal data can be treated by the data subject as a merchantable good, such a case law may affect the meaning of freedom of the data subject’s consent. Indeed, it could be considered acceptable to the practice of a company that allows its customers to pay for a service, with money or, alternately, authorizing the company to process their personal data for marketing and/or profiling purposes. To sum up, it would be possible for a company to “buy” the privacy consent of the data subjects.
It goes without saying that, as stressed by the EDPS in the Opinion 8/2018, such an approach aimed at providing broad consumer protection involves possible risks of inconsistencies with the EU commitment to fully protect personal data as a fundamental right laid down in the GDPR.
This being stated, if the approach of the Administrative Tribunal of the Lazio will be adopted by other courts, it may have substantial consequences, provided that it would not regard solely Facebook but could affect all the operators providing online services presented as “free” but with a business model based on the exploitation of the users’ personal data for commercial purposes.
Finally, it is worth pointing out the implications for multinational organizations. Indeed, the ruling at issue may have an impact also on the scope of the one-stop-shop mechanism set out by the GDPR, provided that, according to the Italian court, the Italian Competition Authority may have competence over legal issues regarding the modalities whereby personal data are processed that, according to the GDPR, may be under the exclusive competence of a lead data protection authority based in a different EU country.
Photo by Omid Armin on Unsplash