The digital enforcement policy of the AGCM in 2021 and outlook for 2022: Increasing focus on the protection of SMEs and consumers

This article was first published on Competition & Antitrust 2022 Expert Guide by CorporateLiveWire

In 2021, the Italian Competition Authority (AGCM or “ICA”) has further boosted its enforcement action in the digital environment by levying more than €1.3 billion in fines (plus remedies) against “gatekeepers” and other significant digital players active in Italy. Interestingly, in addition to antitrust, the ICA has sanctioned digital platforms like Apple and Google with the maximum possible fine for unfair commercial practices in relation with the collection and use of consumers’ data.

From the purely antitrust standpoint, the ICA has displayed determination in using innovative theories of harm under Article 102 TFEU against gatekeepers with respect to disputed categories of conduct like tying, self-preferencing and refusal to deal. Notably, in addition to record fines (more than €1.2 billion), it has imposed unprecedented remedies on Amazon (A538 – Amazon FBA) and Google (A529 – Enel X),) prescribing to interoperate with competitors at reasonable and non-discriminatory terms, or to provide same-level access services and develop tailored technical solutions to that end. This approach in enforcing Article 102 leverages on the European Commission’s Google Shopping decision and on the General Court’s endorsement of the notion of “quasi-essential facility”, which is tailored to gatekeepers. However, the ICA did not shy away from bringing this notion to the extreme consequences and testing the boundaries of Article 102, imposing a set of articulated remedies that seem to anticipate the implementation of the Digital Markets Act (DMA). In the context of Article 101, the ICA has fined Apple and Amazon more than €173 million (I842 – Sales of Apple products on Amazon) for agreeing to ban certain official and unofficial distributors of Apple and Beats branded products from the Amazon marketplace. The ICA found that the agreement consisted in a selective platform ban based on discriminatory and non-transparent criteria, in breach of the conditions established by the ECJ in Metro and Coty. It therefore recalled that the ECJ in Pierre Fabre established that disproportionate or discriminatory bans on online sales constitute a by object infringement of Article 101, but the ICA also carried out an analysis of anticompetitive effects based on the market shares of the undertakings involved in the conduct.

From the standpoint of consumer protection, in a few notable cases (PS11171 – Telepass; PS11147 – Google; PS11150 – Apple) the ICA has deemed certain conduct relating to the collection and use of users’ data as essential or relevant part of alleged unfair commercial practices – in ways that apparently overlap, or interfere, with the data protection legislation and the privacy authorities’ jurisdiction. This strain of enforcement actions in the consumer protection field deserves special attention as it has relevant jurisdictional as well as substantive implications in the digital enforcement policy, calling into question the role of national privacy authorities in the field of data protection. Indeed, such approach may affect a much wider number of digital platforms than gatekeepers, and may broaden the remit of the ICA in terms of enforcement policy over the processing of data in the digital environment. This is all the more true considering that the national legislation on consumer protection enforcement is being amended soon to increase the sanctioning powers of the ICA to up to four per cent of the undertaking’s national turnover (though Directive 2019/2161 has not yet been implemented in Italy).

Apple and Google fined €10 million each for unfair practices in processing users’ data

In November 2021, with two distinct decisions, the ICA sanctioned Google Ireland Ltd (Google) and Apple Distribution International Limited (Apple) each for the maximum amount prescribed in accordance with current legislation on unfair commercial practices against consumers (i.e. €5 million per infringement). The ICA ascertained for each undertaking two violations of the Italian Consumer Code (and Directive 2005/29/CE), one for deficient information and another for aggressive practices in relation with the collection and use of consumer data for commercial purposes.

In the contexts of Google and Apple’s economic activities and services, the ICA considered that, even in the absence of monetary disbursement, the monetisation of data provided by users – either through the sale of advertising services or via improving the sale of own products – represents the consideration for the services offered to consumers. As a result, there is a consumer relationship between the users and the two operators that makes consumer law applicable to a conduct relating to the processing of users’ data for commercial purposes, which is capable of conditioning the choice of the consumers about the service. According to the ICA, there is no conflict or incompatibility between consumer legislation and data protection legislation. In stating this, the ICA relies on recent judgements of the Italian administrative courts that partially confirmed a similar fine of the ICA levied in 2018 against Facebook. The fine was partially annulled by the top court but confirmed on the concept that data may represent an economic consideration for the service and that directive 2005/29/CE may apply to an explicit claim of “gratuity” of the social network. According to this case law, the two legislative frameworks have different scopes and pursue complementary objectives with a view to achieve a “multilevel” protection of the rights and interests of consumers. Privacy legislation, in particular, pursues the objective of protecting personal data as fundamental rights, while the consumer legislation on unfair practices protects consumers from economic conduct induced by misleading or aggressive practices of businesses. Therefore, the reasoning goes, there would be no conflict or overlap of jurisdictions because the competence of the ICA would not deprive the privacy authority’s jurisdiction to enforce its own separate obligations.

Specifically, the ICA found that both Google and Apple, either during the registration phase or when starting using the service, did not provide consumers with clear and immediate information on the acquisition and use of data also for commercial purposes. However, the ICA did not contest an infringement of privacy legislation on consent and transparency and seems to acknowledge that this information is contained in the privacy policy and in the terms and conditions of the platforms. The fact that the information is provided in a separate web page accessible through links to the “privacy policy” or “additional information” is not sufficient to adequately inform the consumers of the economic consequences of using the services, according to the ICA. The consumers’ commercial choice to accept to use the service would therefore be unfairly conditioned by the lack of clear and prompt information provided by the operator. Similarly, Apple, both when creating the Apple ID and when accessing the Apple digital stores, does not immediately and explicitly provide users with clear indication on the commercial use of their personal information, emphasising only that the collection of data is necessary to improve the consumer experience and the use of services.

In addition, the Authority has found that the two companies have engaged in an aggressive commercial practice by setting a default opt-out system of pre-selected consent to the transfer to third parties and commercial use of data. In particular, during the account creation phase, Google pre-flags the user’s acceptance to allow the transfer and commercial use of their personal information, once they are generated, without requiring the user to run through other steps to confirm or modify from time to time the choice pre-set by the company. Again, the fact that the consumer may choose whether to authorise the transfer or commercial use of their data by clicking on the link “other options”, even assuming compliance with the GDPR requirements, is not relevant to change the ICA’s stance. In the case of Apple, despite being undisputed that it does not transfer data directly to third parties without previous explicit users’ consent, the ICA held that consent is already preselected in the account creation phase in relation to certain targeted promotions and email marketing activity. These are used by Apple to improve sales of its own or third party products via its digital stores. Therefore, the ICA held that the consumer is constrained in the choice of consumption and is subjected to the transfer and commercial use of personal information despite Apple could have managed the processing of data and the related information or consent in alternative ways.

Previously, in March 2021, the ICA had fined Telepass – a leading provider of toll and payment services for highways and other transport infrastructures in Italy – €2 million on similar accusations. Like in the cases against Google and Apple, the ICA did not contest the lack of information in the provider’s privacy policy on the use and sharing of data, and for what purposes; however, it found that the information on the use of personal data – that Telepass denied had commercial purposes and argued was strictly indispensable for the service – was not clearly and immediately provided to consumer at the first contact with the offering. Notably, the capability of the information on the processing of the data in question to condition the choice of the consumer about using the service is unexplored in the decision: the ICA assumes such capability as inherent in the economic value of the data exchanged with the provider.

What to expect in 2022

The matter of the interplay between data protection and competition legislation characterises the EU debate around public enforcement policy in the digital space (see the Italy chapter of the previous 2021 Competition & Antitrust Law Expert Guide for examples of pro-privacy conduct of digital gatekeepers that are being investigated by antitrust authorities as potentially anti-competitive in the online advertising markets). The matter invests the substantive assessment of a conduct as well as important procedural issues, which are crucially intertwined with defining clear principles for the partition of competence between privacy and antitrust authorities. Strictly connected with this is whether both authorities may investigate and sanction the same conduct of the same companies without coordinating and without breaching the no-double jeopardise principle (or ne bis in idem) enshrined in Article 50 of the European Chart of Fundamental Rights.

However, the applicability of pure antitrust legislation to the processing of data seems confined to peculiar cases or conduct of gatekeepers that may be construed as abusive under Article 102. Further, the implementation of the DMA over the next two to three years may overtake most of the opportunities for national competition authorities to investigate and sanction Article 102 breaches by gatekeepers. By contrast, the interplay between consumer protection and data protection is less explored but may have greater and more durable implications in the digital enforcement policy.

In the cases described above the ICA has affirmed a stance under which potentially any conduct relating to the processing of data by any digital platform or website might be subject to ICA’s fines for failure to comply with additional informative and consent obligations created by the same ICA, and which are not prescribed by the GDPR. As a result, privacy authorities in the EU may lose the leading role in determining how information on the use of data must be conveyed to consumers in the digital fields. A lack of coordination between the privacy watchdog and the ICA in applying consumer protection rules to data-related conduct in the digital field risks therefore to generate a jurisdictional (and institutional) conflict and harm businesses’ fundamental rights. Indeed, the distinction between the public interest protected by privacy legislation and that addressed by consumer protection legislation may be very blurred. Some experts argue that the GDPR also protects economic interests of consumers in the use of personal data and the Italian courts may have not properly circumscribed the general jurisdiction of the ICA in this respect. It has to be seen whether possible appeals against such fines will provide more guidance or refer preliminary questions to the ECJ on such matters.

On a side note, it is worth noting that the Italian Parliament is discussing a draft competition bill which, inter alia, provides for increasing ICA’s powers in merger control to allow ex-post scrutiny of transactions up to six months following completion, on condition that (a) at least one of the two turnover thresholds established for mandatory notification in Italy (or a worldwide cumulative turnover of €5 billion) is exceeded and (b) the transaction raises actual competitive risks, taking into account effects on innovative SMEs. Further, the same draft bill provides for a presumption of “economic dependence” of business users from online gatekeepers or similarly defined platforms, triggering default application of the national law on abuse of economic dependence, which is also publicly enforced by the ICA. These legislative developments, if approved, will significantly support a continuous aggressive enforcement policy of the ICA in digital markets, even following implementation of the DMA.

Seguici su