Facebook fined €110 million for misleading EU over WhatsApp takeover
After months of deliberation, the European Commission has ruled that Facebook intentionally mislead officials over its ability to utilize data following its acquisition of WhatsApp in 2014. As a result, the social network has been fined €110 million ($122 million or £94 million) and becomes the first company to be penalized under the Commission’s Merger Regulation law since it was introduced in 2004.
The case, which was opened in December 2016, focused on Facebook’s admission that it would be unable to reliably automate the sharing of data between a user’s Facebook and WhatsApp accounts. However, in August 2016 — nearly two years after the companies had merged — Facebook announced an update to its terms of service, noting that it could link WhatsApp users’ phone numbers to their Facebook profile. The Commission filed a Statement of Objections three months later.
According to today’s statement, Facebook was judged to have lied on two occasions. The first was when it submitted documentation immediately after it asked the Commission (and competing companies) to investigate the deal. The second came in its response to Statement of Objections filed in December.
“Today’s decision sends a clear signal to companies that they must comply with all aspects of EU merger rules, including the obligation to provide correct information. And it imposes a proportionate and deterrent fine on Facebook,” said Commissioner Margrethe Vestager. “The Commission must be able to take decisions about mergers’ effects on competition in full knowledge of accurate facts.”
It believes Facebook employees “were aware of the user matching possibility” and knew that the Commission would critique its data-handling processes as part of the Merger Regulation. “The technical possibility of automatically matching Facebook and WhatsApp users’ identities already existed in 2014, and that Facebook staff were aware of such a possibility,” the Commission states. “Therefore, Facebook’s breach of procedural obligations was at least negligent.”
Yesterday, authorities in France and the Netherlands announced separate rulings on Facebook’s privacy practices. The French Commission Nationale de l’Informatique et des Libertés (CNIL) imposed a 150,000-euro fine (about $164,000) fine for not giving users enough control over their data and collecting information via partners without prior consent. The Dutch watchdog didn’t levy a penalty at all, but may do so in the future.
Under EU rules, the Commission can impose a fine of up to one percent of the aggregated turnover of companies that “intentionally or negligently provide incorrect or misleading information.” However, it did note that Facebook admitted its guilt and waived its rights to access the case and to have an oral hearing, assisting officials where possible. The company also halted data-sharing across Europe, pledging to make it opt-in rather than requiring users to manually remove themselves from data harvesting.
Facebook responded to the ruling with the following statement: “We’ve acted in good faith since our very first interactions with the Commission and we’ve sought to provide accurate information at every turn. The errors we made in our 2014 filings were not intentional and the Commission has confirmed that they did not impact the outcome of the merger review. Today’s announcement brings this matter to a close.”
Because it was able to conduct its investigation “more efficiently,” the Commission decided that the €110 million levy is “both proportionate and deterrent.”