Privacy: Facebook's Data Sharing Practices before the Lazio Regional Administrative Court (TAR)
Christopher Schmidt, FIP CIPP/E CIPM CIPT CDPO/BR
Lawyer+In-house Lawyer | Nonstop Data+Privacy+Technology | CoE Expert on Data Protection | Magister of Law | Law Tutor
A very interesting decision was published by the Lazio Regional Administrative Court (TAR) on Friday, 10th of January (accessible in Italian at giustizia-amministrativa.it), scrutinising Provision no. 27432 of Italy's Antitrust Agency (AGCM) on Facebook's Data Sharing Practices; it was reported to me by Luis Alberto Montezuma. After talking shop yesterday with my Italian colleague Avv. Alessandro Rossini, who has published an Italian version of this article, we would like to share some of our thoughts on this decision.
Facebook is not "free and always will be"
Everyone knew about it, it has been repeatedly mentioned—yet some commentators feel that the concept has not been fully understood. Claiming that a service is free implies that it really is; otherwise, if we collect users' personal data to resell them or run a business model on their further processing (notwithstanding its lawfulness), we ought to explicitly state it ... This is called transparency and enables us to take informed decisions!
Personal data are economic assets
For those who believe it is somewhat "unethical" to talk about money when it comes to personal data, we believe it is even less ethical to bury your head in the sand and ignore the reality we live in.
Personal data have become an economic asset being bought and sold by companies for many years now—a "feast" everyone should enjoy, except the effective providers of such data: data subjects. The above-mentioned judgment seems to take the economic value of personal data for granted, while incidentally recalling that in addition to the existence of a market for such assets between traders in the tech sector (e.g. Facebook, other companies operating in the social media sector and Big Tech, yet more and more companies are selling their users' personal data in legitimate ways for economic reasons), there is also a purchase and sale of data between market players and data subjects.
The Lazio TAR judges have provided the following reasoning:
While personal data is protected as an expression of an individual's right to privacy, and as such is subject to specific and inalienable safeguards, such as the right to revoke consent, access, rectification, erasure, there is also a different scope of protection of the said data, understood as a possible object of sale and purchase, put in place both between market players as well as between them and data subjects.
To us, this position appears to be complementary to what the European Data Protection Board (EDPB) has made clear in its Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects. Indeed, the EDPB states that "Considering that data protection is a fundamental right guaranteed by Article 8 of the Charter of Fundamental Rights, and taking into account that one of the main purposes of the GDPR is to provide data subjects with control over information relating to them, personal data cannot be considered as a tradeable commodity. Even if the data subject can agree to the processing of personal data, they cannot trade away their fundamental rights through this agreement." (§54)
Personal data are neither numerical, comparable nor countable items and therefore not considered as merchandise (the English Guidelines speak of "tradeable commodities"); nevertheless, they may be subject to economic exploitation. Moreover, only fundamental rights, such as the right to the protection of personal data, not personal data itself, may be inalienable. This means, for example, that if one cannot revoke consent to the processing of his or her data, this does not mean that one cannot transfer his or her personal data to third parties in exchange for an advantage (such as access to a social network).
There is still a lot of confusion on this point and we don't have a crystal ball to tell you the right answer: Generally, it seems easy to mistake the purchase and sale of one's fundamental rights (the right to privacy) with that of personal data (as the object of the right to privacy) by playing on this blurred boundary to justify the trading of personal data between data controllers while excluding data subjects from the market, i.e. the natural persons "producing" the item being sold and purchased.
Unwanted Dark Pattern
Apart from that, we were a bit uncomfortable to read the following passage in the judgment without taking a closer look at its implications:
It should be noted, further, that the opinion about the alleged "aggressive" nature of the wording used to discourage users from deactivating the platform is inadequately reasoned or deepened, as well as partially contradictory, as there are actually negative consequences in the event of deactivation. Facebook's use of sometimes doubtful expressions in relation to possible limitations in using the "app" of third parties in the case of deactivation of this integration is justified by the fact that the data in question are, in fact, stored and processed by third parties.
We think that respect for users and the transparency they are entitled to can no longer be separated from the analysis of so-called dark patterns, i.e. "a user interface that has been carefully crafted to trick users into doing things", to make it more difficult to perform other actions or to hide information.
Making the user doubt without providing precise information could result, in fact, in indirectly limiting their ability to make choices: On the one hand, it is certain what happens if I keep data sharing with third party services active—on the other hand, it could have unforeseen repercussions if I block it and nobody wants to tell me what those repercussions are.
Can we really justify using doubtful expressions about potential consequences just because we do not know them or they are out of our control? Rather than saying "The apps and websites you've logged into with Facebook may delete your accounts and activities", it would be better to remind users when deactivating data sharing, for example, to change their login and contact data of such apps and websites before continuing, so that they can continue to access them without running into errors.
Fortunately, there is a new focus on this issue—albeit mostly on UX Dark Pattern—and we should be paying greater attention to it, both from users and service providers, as well as authorities and judges who will have to take a position on such behaviour that restricts consumers' free decision making.
Different Authorities: Cooperation, not substitution
Another important point emerges from the Lazio Regional Administrative Court's decision:
It should also be noted that any disputes about the inappropriateness or excess of the user's data processing with respect to the purpose of the processing would fall within the competence of the Italian Data Protection Authority, since these profiles do not affect the consumer's freedom of choice.
It is particularly clear that any duplication of effort and conflict over their respective powers between antitrust and data protection authorities should be avoided—also because the European antitrust authorities do not meet the GDPR's requirements as a supervisory authority.
The antitrust authorities in Italy (AGCM) and Germany (BKartA), which have now suddenly discovered the recently reformed data protection legislation as their new favourite toy (or so it seems), neither participate in the cooperation and consistency procedures (Articles 60 et seqq. GDPR), nor have a seat on the European Data Protection Board (EDPB). By allowing other actors to enforce data protection legislation, the harmonisation process of European data protection law, including the fragile One-Stop Shop principle (Art. 56 and 60 GDPR), would be trampled underfoot.
The Düsseldorf Higher Regional Court, virtually blind to this problem, adopted the diametrically opposed position in its decision dated 26 August 2019, ordering the suspensive effect of Facebook's appeal against an order by the German Federal Antitrust Office (Decision in German; Unofficial English Translation):
There is no objectively justified reason not to leave unlawful contractual terms to private prosecution or to the supervision of the respective specialised authority—as in the case of a breach of data protection law—, but, in addition, to subject them to abuse control by the antitrust authorities if the contractual term has been provided or agreed by a dominant undertaking.
All actors should be reminded that a clear division of competences is an imperative of the rule of law and that the different authorities should be mutually cooperative rather than just looking in their own backyard, lamenting the lack of staff instead of combining the different resources they have.
________________________
Technology law and policy - qualified lawyer Member of the litigation chamber of the Belgian Data Protection Authority Legal officer at EDPS Former noyb/EDPB Sec
4 years ago: very interesting, thank you! I would also refer to the EDPS Opinion on the Digital Content directive stating that data cannot be a commodity: https://edps.europa.eu/sites/edp/files/publication/17-03-14_opinion_digital_content_en.pdf
Attorney-at-law || Regulatory Compliance || Data Protection
4 years ago: I find the issue of what appears to be a post-GDPR positive competence conflict, between European antitrust authorities and data protection authorities, a very interesting and otherwise uncommon subject. Thank you for your valuable insights!
PhD in Law - Dirigente Avvocato Cassazionista
4 years ago: The merit of having translated a national issue