Italian Competition Authority Imposes Fines for Misuse of Personal Data:
 The Fall of Boundaries Between Consumer and Data Protection?

By Laura Liguori, Enzo Marasà & Irene Picciano1


With a recent decision,2 the Italian Competition Authority (“AGCM” or “ICA”) brought renewed focus to the increasing intersection between consumer protection and personal data protection rules. Specifically, the ICA fined Telepass (a company providing payment systems and toll services to drivers) and its subsidiary, Telepass Broker, EUR 2 million for having received information about users from car insurance companies and brokers without adequately informing users about the methods employed to collect and use their data, including for commercial purposes. Furthermore, according to the ICA, the companies did not provide information on the criteria used to select the quotations for car insurance services they provide to drivers upon request — information the ICA believes consumers need in order to be able to make informed decisions.

This is not the first time the AGCM has sanctioned conduct that falls within the realm of privacy regulations as an unfair commercial practice that is harming consumers.3 As long as the data-related conduct in question constitutes a privacy violation and may also influence consumers’ commercial decisions the regulations on unfair commercial practices are applicable4. Indeed, by definition, a conduct constitutes an unfair practice subject to AGCM sanction if it is capable of causing consumers to take commercial decisions that they otherwise would not.

Clearly, the determination that a practice runs contrary to professional diligence may be based on its noncompliance with any rules applicable to professional activity, including privacy norms. The possible overlap between the two sets of regulations, and the risk of multiple sanctions applicable to the same conduct and undertakings, has been addressed in a recent judgement of the Council of State (which is the supreme administrative Court in Italy).5 That ruling confirmed the January 10, 2020 judgement of a lower court 6(the Regional Administrative Court of Lazio, which the ICA itself cited in the decision), based on which privacy regulations and consumer protection regulations complement each other, “imposing, in relation to their respective protective purposes, specific informational obligations, in one case in service of the protection of personal data, understood as a fundamental personality right, and in the other in service of the idea that correct information ought to be provided to the consumer in order that the consumer may make an informed economic decision.” The Council of State clarified that privacy protection and consumer protection are not “wholly distinct areas of protection,” but instead are part of a system of “multilevel protection” that is capable of “increasing the level of guarantees provided to the rights of physical personas, even when a highly personal right is ‘exploited’ for commercial purposes, independently from the will of the interested user/consumer.”

Indeed, the line between the purposes of the two sets of regulations tends to grow very blurry – if not to disappear completely – in the context of digital markets and services where data handling is closely linked to the service rendered to the user. In any case, even without wading into a discussion of whether the two sets of regulations overlap and share some of the same purposes (and the related risk of violation of the ne bis in idem principle), a finding of unfairness of a commercial conduct of a trader still requires — from the standpoint of consumer protection — to substantiate a causal link between such conduct and the economic decision a consumer makes regarding the offered services.

In the case sanctioned by the ICA, this distinction is very cloudy, if not completely absent.

The scenario considered by the ICA regards the provision of quotations for, and distribution of, car insurance policies via the Telepass app. Telepass acquires certain personal data from users (specifically data regarding the expiration of existing policies and risk profiles) from insurance companies, or from a shared database of their making created and used to assess insurance risk profiles. The ICA contested the lack of information about said sharing, which the user learned about “only” in the privacy policy referenced at the beginning of the process of seeking a quotation. However, it remains very unclear how Telepass violated professional diligence, given that there is no suggestion that the information wasn’t provided in the privacy policy, nor any suggestion that it failed to clarify that certain data is provided by insurance companies for the purpose of drawing up quotations. Nor does the ICA clarify in which phase of the quote-seeking process this information should be provided based on professional diligence. Above all, the ICA does not explain why said information is relevant for consumers making a commercial decision about obtaining quotes and potentially purchasing car insurance.

In outlining the unfair conduct, the ICA seems to be relying upon the principle (enshrined in the judgements mentioned above) that a digital service can be characterized as being for-pay (as opposed to gratuitous) even if the consideration for the service only consists of the use of user data for commercial purposes. However, in this case Telepass receives personal data from third parties (insurance companies, which are in the first place subject to the obligation to inform interested parties about the use of their data) for the purposes of drawing up quotes and entering into insurance contracts, something users are informed of via the privacy policy and that in any case is indispensable to provide the quotation service.

In addition to this lack of clarity regarding the alleged unfairness of the conduct, there are doubts about how effectively such a practice might influence a user’s commercial decision. The question is whether this information can have an impact on a decision made by a consumer seeking a quote for car insurance, since if the user decided not to submit this type of request to Telepass in order to avoid having that data shared, the party would still have to accept it when turning to another party equipped to provide a quote for this type of policy.

Furthermore, the ICA claimed Telepass was less than clear regarding the criteria under which quotes for various insurance policies are submitted to the interested parties. Regarding this second form of conduct, the argument goes that Telepass should have informed consumers of its criteria for selecting quotations. However, the ICA does not contest the logic of the algorithm employed to present users with the quotes (meaning those with the lowest prices are selected) but seems instead simply to contest the use of it absent prior clarification of how it works. In practice, it seems as though the authority sees the mere fact of not providing an explanation to the user of how the algorithm works as being in and of itself a form of “misleading” the consumer. Still, it is unclear why the absence of information about the algorithm in this case is likely to influence consumer choice, given that it is undisputed in the decision that the algorithm selects the quote that offers the consumer the lowest price.

In our opinion, this decision signals the breach of a further boundary in the delicate balance between privacy and consumer protection regulations. Indeed, not only does it seem undeniable at this point that both set of rules are relevant in evaluating the lawfulness of same conduct towards consumers, but in this case it seems possible even to draw the conclusion that compliance with privacy regulations is not sufficient to avoid possibly acting unfairly with regard to commercial practices. This would not in itself be a completely novel principle, but, in addition, the decision at issue also seems to consider that data handling itself can always be deemed a commercial practice, regardless of the reason underlying data collection or the type of link it has to a specific service offered to consumers. If this principle were to pass, and following it to its logical conclusion, in the digital sector the ICA would end up gaining wide-ranging and unlimited jurisdiction over any conduct related to personal data and would thus de facto become a new source of interpretation and application of privacy norms, independent of the Garante Privacy and not bound by the dictates of the GDPR.

Click here for a PDF version of the article

1 Partner and Counsels, Portolano Cavallo.

2 AGCM Decision of 8 March 2021 n. 28601, PS11710 – TELEPASS / ACCORDO PRIMA ASSICURAZIONI (press release available here in English).

3 AGCM Decision of May 11, 2017, n. 26597, PS10601 – WHATSAPP-TRASFERIMENTO DATI A FACEBOOK; AGCM Decision of November 29, 2018, n. 27432, PS11112 – FACEBOOK-CONDIVISIONE DATI CON TERZI.

4 If the very same conduct the same firm may be subject to separate independent investigations or fines from public authorities is an issue to be assessed under the ne bis idem principle (no double jeopardy). Note that a few cases are pending before the Court of Justice of the European Union on the requisites for application of this principle in competition law cases, which should apply to consumer protection and data protection cases as well (cfr. Opinion of AG Wahl of 29 November 2018 in Case C-617/17, Powszechny Zakład Ubezpieczeń na Życie S.A. w Warszawie

vs Prezes Urzędu Ochrony Konkurencji i Konsumentów; Case C-252/21, Facebook and Others, pending preliminary referral from the Düsseldorf Higher Regional Court.

5 Judgement of the Council of State of March 29, 2021 n. 2631, Facebook / AGCM.

6 Judgement of TAR Lazio of January 10, 2020 n. 260, Facebook / AGCM.