Italy’s competition regulator announced on Friday that it’s fining Facebook €10m (USD $11m, £8.9m) for laying it on thick when it comes to the service being “free” to users but keeping quiet about how the company’s making money off their data.
The fines come out of an investigation the Italian Competition Authority (ICA) wrapped up on 29 November. Opened last April, it looked into alleged violations of the Consumer Code by Facebook Ireland Ltd. and its parent company, Facebook Inc.
Here’s what the ICA had to say about it:
Facebook emphasizes the free nature of the service but not the commercial objectives that underlie the provision of the social network service, thus inducing users into making a transactional decision that they would not have taken otherwise (i.e., to register in the social network and to continue using it). The information provided is in fact general and incomplete and does not adequately make a distinction between the use of data to personalize the service (in order to connect “consumer” users with each other) and the use of data to carry out advertising campaigns aimed at specific targets.
Four Consumer Code violations
Facebook violated four of the Consumer Code articles, the ICA concluded: by misleading consumers into “registering without adequately and immediately informing them during the creation of the account that the data they provide will be used for commercial purposes,” it’s violated articles 21 and 22.
The ICA also found that Facebook has violated articles 24 and 25 with “aggressive” business practices, as it “exerts undue influence on registered consumers,” it said.
Those users are hurt by Facebook’s failure to obtain their “express and prior consent,” leading to transmission of their data “unconsciously and automatically” to third-party websites and apps for commercial purposes, and vice versa.
The undue influence is caused by the pre-selection by Facebook of the broadest consent to data sharing. When users decide to limit their consent, they are faced with significant restrictions on the use of the social network and third-party websites/apps, which induce users to maintain the pre-selected choice.
Specifically, Facebook pre-selects the “Active Platform” function, which pre-sets the users’ ability to access websites and external apps using their accounts, thus enabling transmission of their data without users’ express consent, the ICA said.
Facebook regularly uses “opt-out” instead of “opt-in” in other data-sharing scenarios, the ICA said, including “whenever users access third-party websites/apps, including games, using their Facebook accounts.”
In this case also, users can in fact only deselect the pre-setting operated by Facebook, without being able to make a free, informed choice.
Besides the fines, the ICA has ordered Facebook to publish an apology on its site and on its app.
Facebook said in a statement that it’s thinking it over:
We are reviewing the Authority’s decision and hope to work with them to resolve their concerns. This year we made our terms and policies clearer to help people understand how we use data and how our business works. We also made our privacy settings easier to find and use, and we’re continuing to improve them. You own and control your personal information on Facebook.
This is the second fine that regulators have slapped on Facebook since the Cambridge Analytica data-sharing scandal, and it’s highly unlikely that it will be the last. In October, the UK’s data protection watchdog, the Information Commissioner’s Office (ICO), fined the company £500k (about $640k).
The Guardian reports that other regulators have been expressing interest in Facebook’s practices: Ireland, California, and the US Federal Trade Commission.
The Irish Data Protection Commission has opened a formal investigation into a data breach that Facebook discovered in September and which affected nearly 50m accounts. The Irish investigation could result in a fine of up to $1.63bn.
The Irish penalty probably won’t turn out all that stiff: the Guardian quoted Rowenna Fielding, a senior data protection lead at Protecture, who noted that the amount was “a ceiling, not a stipulation”.
Source: Naked Security