Alerts
Google and Apple are fined by Brazilian body of consumer protection (Procon/SP) for violation of consumers’ personal information
The Brazilian body of consumer protection in São Paulo (Procon/SP) has imposed a R$9,9 million fine to Google and a R$7,7 million fine to Apple, for allegedly violating consumers’ data protection rights with regards to FaceApp, which was made available to consumers through the companies’ online stores. Procon’s decision should be interpreted not only as a warning to publishers and to all companies which provide third-parties’ applications for download in Brazil, but it should also be seen as an indication of the new approach Brazilian entities are taking regarding data protection in the territory.
Procon/SP has argued that FaceApp’s privacy policy is provided to consumers only in English, which would make it impossible for Brazilian consumers to acknowledge its content. Thus, such document would not comply with Brazilian Consumers’ Defence Code (CDC), which enshrines a right for consumers to obtain clear, adequate information in Portuguese.
Since FaceApp is made available for download through Google Play Store and App Store, Google and Apple are considered providers in light of CDC’s provisions. Hence, they are jointly liable for the lack of adequate and clear information on FaceApp’s personal data processing operations.
The amount of the fines imposed by Procon/SP are the maximum ones foreseen by CDC. For the imposition of such amount, Procon/SP has stated it took into consideration additional factors , such as (i) the alleged existence of abusive clauses in the app’s privacy policy, for example, limitation and exemption of liability for the services provided, choice of US law to govern the agreement, and compulsory arbitration in Santa Clara/California; (ii) unlawful data sharing, in disregard to the Brazilian Framework for the Internet’s provisions; and (iii) international data transfer to countries which do not have the same levels of protection for privacy and data as Brazil, which would imply in a waiver to consumers’ rights.
We highlight that the fines were imposed considering only CDC’s provisions and without regards to any concrete provision of the General Data protection Law (LGPD), which will only come into force next August. Both companies can still appeal to the Courts to overturn the sanctions.
