A social media network was fined for abusive terms in its Privacy Policy
The Consumer Protection Authority analyzed the Privacy Policy and Terms of Service of a renowned social media network and concluded that some of its terms were abusive.
As a part of a complaint, the National Authority for Consumer Protection and Consumer Arbitration (the “Authority”) reviewed some amendments made to the Terms and Conditions regarding the Privacy Policy and the Terms of Service of an instant messaging platform. The Authority stated that if a service is provided in Argentina, then it must comply with the local Argentine legislation.
Although the analysis made by the Authority focuses mainly on the Terms and Conditions from the perspective of the Consumer Protection Law No. 24,240 and complimentary regulations, the Authority also evaluated some aspects related to compliance with the Data Protection Law No. 25,326 (“DPL”).
As far as the Privacy Policy is concerned, we highlight the following points:
• Gathering information from the address book of a user is considered abusive if the service provider has the exclusive right to interpret its scope, thus attributing himself the power to request from the users, in addition to their telephone numbers, the contact list from their address book, even if the contacts are not users of the service, without determining its purpose or extent.
• Sharing and/or transferring personal data of users with/to companies of the group in a generic way for marketing purposes breaches article 5 of the DPL, since the consent granted by the users would not be free, express, and informed.
• Transferring users’ data in a generic way to the service provider’s affiliates, successor entities, or new owner -in the event of a merger, acquisition, restructuring, or sale of assets- constitutes a breach of article 11 of the DPL since it establishes that personal data may only be transferred with the prior consent of the data subject, who must be informed of the purpose of the transfer and identity of the transferee.
The Authority also emphasized that the DPL was enacted to safeguard the data subject’s self-determination against uncontrolled or dysfunctional use of its data.
In addition, to process and transfer of personal data, the DPL requires the free, express, and informed consent of the data subject, which cannot be attained with the insertion of clauses that merely state that the data will be transferred automatically, without giving notice in case such transfer is carried out, leaving the consumer without the possibility to revaluate its consent or exercise its right conferred by the DPL.
Finally, the Authority pointed out that the information can be considered a commodity, as it has intrinsic value due to its content and meaning. The fine is not final yet.
This insight is a brief comment on legal news in Argentina; it does not purport to be an exhaustive analysis or to provide legal advice.