Facebook must pay a €110 million (US$123 million) for misleading the European Commission during an investigation of its takeover of WhatsApp.
The fine is for telling the Commission it would not be possible to reliably match Facebook and WhatsApp accounts for the same user — something that would allow the company to better target advertising across the two platforms.
The move shows that enterprises need to be up front with regulators about their ability to process users’ personal information, and not try to play it down — especially when making acquisitions.
“Today’s decision sends a clear signal to companies that they must comply with all aspects of EU merger rules, including the obligation to provide correct information,” said European Commissioner for Competition Margrethe Vestager.
She described the fine — for hiding the company’s hypothetical ability to match up users’ activity on Facebook.com with their behavior elsewhere on line — as “proportionate”.
However, it’s 700 times greater than the record fine imposed by the French data protection authority, CNIL, earlier this week for actual breaches of privacy law involving such activity matching.
That’s because, for now at least, breaches of European Union privacy laws are pursued on a national basis, where the ability of data protection authorities to impose fines is limited, in part because it is intended to deter smaller, local companies.
When the EU’s General Data Protection Directive takes effect on May 25, 2018, however, it will raise the limit on such fines to €20 million ($22 million) or 4 percent of worldwide revenue.
In this case, the magnitude of the fine Facebook must pay is because it was found guilty of breaches of EU merger law, not privacy law.
After investigating, the Commission concluded that Facebook must have known of this possibility at the time of the merger, and thus mislead the Commission. However, it also decided that the information did not give reason to block or reverse the merger.