Facebook and the EU: a compliance failure or skirting around the truth?

Paul Hodgson | May 31, 2017

With its third fine of the week in Europe, Facebook’s record of complying with EU data and merger regulations is not looking good. With the third fine, it appears that the social networking company not only failed to comply with merger regulations but was also “economical with the truth.”

The first fine came from Italy’s antitrust authority, Autorità Garante della Concorrenza e del Mercato, on 11 May, when it closed two investigations about alleged infringements of Italy’s Consumer Code by WhatsApp. The authority fined WhatsApp €3 million for allegedly forcing users to share their personal data with its parent, Facebook.

Then, on 16 May, France’s Commission Nationale de l'Informatique et des Libertés (CNIL) fined Facebook €150,000 over six infringements of the French Data Protection Act, an act it had been ordered to comply with within three months of January this year. The decision follows the work carried out in collaboration with the data protection authorities of Belgium, Germany, Spain, and the Netherlands. In fact, all of the 28 European Union data protection authorities asked WhatsApp to stop sharing users’ data with Facebook because of concerns over whether users had given consent.

Today's decision sends a clear signal to companies that they must comply with all aspects of EU merger rules, including the obligation to provide correct information. And it imposes a proportionate and deterrent fine on Facebook. The Commission must be able to take decisions about mergers' effects on competition in full knowledge of accurate facts.

EC Commissioner Margrethe Vestager, in charge of competition policy

And then, in the last of the three, the European Commission fined Facebook €110 million for providing incorrect or misleading information during the Commission’s 2014 investigation under the EU Merger Regulation of Facebook’s acquisition of WhatsApp. Facebook told the Commission that it would be “unable to establish reliable automated matching between Facebook users’ accounts and WhatsApp users’ accounts.” It stated this twice, first in the notification form and second in a reply to a request for information from the Commission. This turned out not to be true, as the release states: “the technical possibility of automatically matching Facebook and WhatsApp users’ identities already existed in 2014 and that Facebook staff were aware of such a possibility.”

CNIL findings

FACEBOOK Inc. and FACEBOOK Ireland:

  • Proceed to a compilation of all the information it has on account holders to display targeted advertising without having a legal basis. If the users have means to control the display of targeted advertising, they do not consent to the massive compilation of their data and cannot object to this compilation when creating account or a posteriori.
  • Proceed to an unfair tracking of internet users via the “datr” cookie. The cookie banner and the mention of information collected "on and outside Facebook” does not allow them to clearly understand that their data are systematically collected as soon as they navigate on a third site including a social plug in. Therefore, the massive data collection carried out via the “datr” cookie, is unfair due to the lack of clear and precise information.

Concerning other infringements, the Restricted Committee considers that the companies:

  • Do not provide direct information to internet users concerning their rights and the use that will be made of their data, in particular on registration form;
  • Collect sensitive data of the users without obtaining their explicit consent. Indeed, no specific information on the sensitive nature of the data is provided to users when they complete their profiles with such data;
  • By using the web browser settings, do not allow users to validly oppose to cookies placed on their terminal equipment;
  • Do not demonstrate the need to retain the entirety of IP addresses of users all along the life of their account.

Under EU merger law, the obligation to provide information applies regardless of whether the information would lead to approval or disapproval of the merger. In fact, as the press release announcing the fine says: “With respect to all three services the Commission carried out its competitive assessment also assuming a scenario where automated user matching would be possible. It concluded that, even in this scenario, its conclusions as to the lack of anti-competitive effects of the proposed transaction would stand.” At the time of the merger, the Commission also carried out an “even if” assessment that assumed user matching as a possibility, but decided that this would not affect its approval of the merger. Thus, even had it admitted this possibility, Facebook would have been able to merge with WhatsApp. The fine and the infraction were unnecessary.

The Commission noted that its decision was unrelated to “either ongoing national antitrust procedures or privacy, data protection, or consumer protection issues, which may arise following the August 2016 update of WhatsApp terms of service and privacy policy.”

The Commission can impose fines over such an infraction of up to 1 percent of the aggregated turnover of companies. That could have meant a fine of around €2.5 million, based on Facebook’s 2016 turnover. Since Facebook cooperated with the Commission during the proceedings and acknowledged its infringement of the rules, as well as waiving its procedural rights to an oral hearing, however, the Commission reduced the fine.

A new EU data protection law will come into force in 2018 that could fine companies up to 4 percent of their global turnover.