Italy

[IT] Italian DPA issues EUR 1 million fines against Facebook over Cambridge Analytica scandal

IRIS 2019-8:1/31

Ernesto Apa, Eleonora Curreli

Portolano Cavallo

On 14 June 2019 the Garante per la protezione dei dati personali (Italian Data Protection Authority – Garante) issued a EUR 1 million fine against Facebook Italy S.r.l. and Facebook Ireland (together “Facebook”) in relation to the Cambridge Analytica case.

Specifically, the Garante took action following the news that Facebook had communicated its users’ personal data to Cambridge Analytica, a third-party company providing analytics services. The Garante found that the personal data of 57 Italian users (who downloaded the app “Thisisyourdigitallife”) had been unlawfully communicated to Cambridge Analytica. For this reason, the Garante had already banned Facebook from processing the data of Italian users and sanctioned Facebook with a fine amounting to EUR 52,000 (by decisions issued on 10 January 2019 and on 28 March 2019).

In the decision of June 2019, the Garante found that Cambridge Analytica had been able to access the personal data of the Facebook contacts (“friends”) of the abovementioned users through the tool “Facebook login”. In fact, following the use of this tool by those 57 Italian users, Cambridge Analytica had received personal data (including sensitive data) regarding 214,077 users. The Garante found that such communication was unlawful, since: (i) the data subjects had not been properly informed of the possibility that, by adding a contact on Facebook, their data could be communicated to third parties following the use of the “Facebook login” function by their contact, and (ii) they had not had the possibility to express consent to such communication of data in the form of an "opt-in".

To calculate the amount of the sanction, the Garante considered that the conduct had amounted to a serious infringement, as it concerned a database of "particular significance" (since the database contained a considerable amount of up-to-date data constituting a representative part of the overall Italian population). The Garante also took into consideration Facebook’s economic size and the fact that Facebook had complied with the prescriptions provided by the Garante in January.

The Garante based its decision solely on the Italian Data Protection Code (Legislative Decree no. 196/2003). Indeed, the facts underlying the fines took place before the enactment of the European General Data Protection Regulation no. 679/2016 (GDPR) and the entry into force of the implementing Legislative Decree no. 101/2018, which accordingly are not applicable to the facts at hand.

The Garante affirmed its jurisdiction over the Cambridge Analytica case on the basis of the following arguments: (a) the activity of Facebook Ireland was directed at Italian users and was carried out through an Italian subsidiary (i.e. Facebook Italy); and (b) Facebook Italy S.r.l. is the controller of the data communicated to Cambridge Analytica, as it is a company that markets advertising space, and the collection of personal data of users is included in the marketing activities of third parties developing external apps.


This article has been published in IRIS Legal Observations of the European Audiovisual Observatory.