Personal data as currency
The administrative court of Lazio (“TAR Lazio”), the Italian region surrounding Rome, has recently issued a widely discussed decision (partly) upholding a 5-million sanction imposed to Facebook by the Italian Competiton and Market Authority (“AGCM”).
The following is very synthetic overview of some relevant issues debated during the case, which covered further aspects not commented here.
The facts
The AGCM contested that until april 2018, when new users registered an account on Facebook, they were confronted with a claim stating “It’s free and it will always be”. At the same time, users were not provided with an adequate notice about the processing of their data. Such notice was not precise: in particular it didn’t disclose clearly that Facebook would “sell” personal data gathered via its platform.
Facebook defended itself stating that the AGCM wasn’t even competent to impose sanctions in this case because, on one hand, Facebook’s services were “free” and therefore do not represent a “commercial practice” and, on the other hand, the issue revolved exclusively around the processing of personal data. Therefore, the only competent authority would be the Irish Data Protection Commission, since Facebook is based in Ireland.
The decision
TAR Lazio upheld the sanctions imposed by AGCM for two reasons:
1- There is a clear contradiction between stating that a service “is free and will always be” and exploiting the users’ personal data commercially, as Facebook does. The fact that the “price” of the service is not paid in a standard currency, but in personal data, doesn’t make it less a commercial transaction. Personal data as such are valuable and Facebook’s service cannot be seen as “free” (as in “free beer”) because users “pay” for it by making available their data.
2- An issue revolving around the protection of personal data is not automatically irrelevant with respect to other branches of law. A data protection issue may very well have negative consequences in terms of the protection of consumers, in particular if data is treated as a “currency” to purchase certain services. The protection of personal data resulting from personal data legislation doesn’t exclude that other branches of law - such as consumer law - award a different protection to scenarios that involve the processing of personal data. Different legal protections may coexist.
Takeaways
Considering personal data as a sort of “currency” to pay for services may seem odd at first sight, but it actually corresponds to a reality that’s not even new any more. In this respect, data-based business model cannot be considered free (as in “free beer”).
If that much is true, it triggers the applicability of a whole bunch of provisions that apply to commercial transactions, including those about unfair commercial practices or consumer protection, which would not be applicable if the business model were to be considered free of charge. From a data protection perspective, the reasoning couldn’t be more convincing: treating Facebook-like business models as “free” would otherwise result in a paradoxically lower protection of data subjects precisely in a context of massive personal data exploitation.
And yet, were this approach confirmed, it would have far-reaching consequences for any similar business model, for instance in terms of liability and guarantees (which are considerably higher if the service is provided against payment), consumer law compliance (just think of the right of withdrawal, to name one) etc.
On the other hand, it introduces a new variable in the data protection environment: so far, we know that personal data may be processed according to one of the lawful bases set foth in art. 6 GDPR. None of them mentions personal data as “currency” and, at least at first sight, none of the current lawful bases really apply to this specific scenario.
Paying with personal data belongs to normality nowadays: it’s therefore (already) time to rethink the respective legal framework.