Facebook Inc and its Brazilian subsidiary fined BRL 6.6 million

Essentials

Date of enforcement action:
30/Dec/2019
Jurisdiction: Fine imposed:
Brazil Flag for Brazil, which is the jurisdiction taking enforcement action BRL 6,600,000 (US$1,600,000)
Defendant company or entity: Industry segment:
Facebook Inc, Facebook Serviços Online do Brasil Ltda Technology /

Case summary

The Ministry of Justice and Public Safety, through the Department of Consumer Protection and Defense (DPDC) of the National Secretariat of Consumer (SENACON), decided to apply a fine of R$ 6.6 million to the companies Facebook Inc. and Facebook Serviços Online do Brasil Ltda.

The penalty was applied in administrative proceedings due to improper sharing of user data.

The case began to be investigated after media reports on April 4, 2018 that Facebook users in the country may have suffered from data misuse by the political marketing consulting firm Cambridge Analytica.

The administrative process investigated whether there had been a violation of the personal data of consumers who had signed on to the Facebook platform, as well as whether someone had obtained improper access to that data, taking into account the user’s form of consent, where the default is automatic sharing of data with application developers from that user’s friends.

The decision highlights the consumer relationship configuration in the case under review, in which Facebook Inc. and Facebook Serviços Online do Brasil Ltda. are considered providers under article 2 of the Consumer Protection Code, “to the extent that they make available to Brazilian consumers the services and products associated with the Facebook platform, being those, a priori, final recipients of such services and products, although the latter are not remunerated by consumers.

DPDC concluded that Facebook Inc. and Facebook Serviços Online do Brasil Ltda. According to the decision, “it remains evident that data from the approximately four hundred and forty-three thousand users of the platform were in undue disposition by the developers of the application thisisyourdigitallife for at least questionable purposes, and without the represented companies being able to demonstrate any modifying fact that such number was actually lower.

The decision also stated that companies, due to the automatic sharing of user friends/friends’ data with the applications, “should take much greater care in managing this data, since the consent model adopted had relevant implications for the number of people with exposed data (which is certainly much greater than if an opt-in model were adopted for such data sharing). In this regard, it should be considered that such logic was part (at least within the period in which the conduct was ascertained) of the platform’s business model and, as such, the represented companies should also bear the risks resulting from it with regard to the protection of the personality rights and privacy of their users. Still with regard to the facts under analysis, the Respondents failed to offer the corresponding protection”.

In addition, there has been a failure by Facebook Inc. and Facebook Serviços Online do Brasil Ltda. to provide adequate information to their users regarding the consequences of the privacy setting standard, especially regarding the data of the friends/friends of users’ friends and the relationship with data shared with application developers that such friends may use.

After the decision of the process, the companies will be summoned about the possibility of filing an appeal, within ten days, as well as the collection of the amount of the fine, within 30 days.

(Ministry of Justice, PT release)

Applicable legal provisions

Enforcement information

Enforcement authority: Type of enforcement action:
Brazilian Ministry of Justice and Public Safety Flag for Brazil, which is the jurisdiction taking enforcement action Penalty notice
Subject to appeal?
Yes (can be appealed within 10 days)

Cite this fine in your work

Data Privacy Fines Index. (2020-01-03 05:14) Facebook Inc and its Brazilian subsidiary fined BRL 6.6 million. dataprivacyfines.com. Retrieved from https://dataprivacyfines.com/fine/facebook-tech-company-fined-brl-6-6-million/

Entry last updated: 2020-01-12 01:26 GMT.