General Data Protection Regulation Fines and Penalties – Italy
One year after the GDPR entered into force, it is possible to observe the first penalties and fines imposed by different Data Protection Authorities on several undertakings and institutions. This brief analysis provides insights into and clarifications of possible misapplications of the GDPR and the related consequences.
Country: Italy | Industry: Media | Company/Institution: Facebook Italy S.r.l. | Non-Compliance: Lack of consent – Misuse of personal data
The Italian Data Protection Authority (“Garante della Privacy”) has issued Facebook Italy S.r.l. with a €1 million fine for the infringement of Italian privacy laws in relation to the infamous Cambridge Analytica case.
Cambridge Analytica was a British consulting firm involved in data mining, data brokerage, and data analysis. In 2018, the media reported on Cambridge Analytica's business practices, showing that the company had acquired and exploited personal data of Facebook users obtained from an external application that told Facebook it was collecting the data for academic purposes. The personal data of around 87 million Facebook users were acquired using a third-party app called “This is your digital life”. In particular, users who gave the app permission to acquire their data also gave it access to information about all of the users in their friends networks.
The infringement took place before Europe's new GDPR applied. Consequently, the fine has been imposed based on the former Italian Privacy Code. More precisely, it has been found that Facebook Ireland and Facebook Italy infringed Article 4, section I (F) and Article 28 of the Privacy Code.
The Garante established that 57 Italians downloaded the “This is your digital life” app via the Facebook login feature, through which the app acquired data relating to a further 214,077 Italian users who:
- Did not download the app in question;
- Had not been informed of the sharing of their data;
- Had not given any consent to such sharing.
Facebook opted to pay a reduced amount of €52,000, hoping to settle the matter. However, considering the scale of the violation of personal data and related consent, the Garante has ruled the case ineligible for a reduced payment.