Italian Data Protection Authority recently fined Facebook €1M over Cambridge Analytica
After the scandal around Facebook and Cambridge Analytica broke in the first half of 2018, another data protection authority has fined Facebook for personal data misuse. The Italian Data Protection Authority fined Facebook €1M for violating the provisions of national privacy laws by misusing the personal data of Italian citizens.
Cambridge Analytica was a consulting and data analytics company that used data to profile and target individual voters with the intention of predicting and influencing their decisions at elections. According to the investigations of The Guardian and The New York Times, the scandal affected not only the 2016 US campaign but also the Brexit campaign in the UK. Facebook later admitted that the data misuse affected around 87 million users whose personal data was shared.
As a result of the scandal, the UK Information Commissioner’s Office (ICO) conducted an investigation and fined Facebook £500,000 for breaching the UK’s data protection laws. However, the scandal was not limited to the UK and US: further countries and data protection authorities have examined the data processing of Facebook and Cambridge Analytica.
In April 2018, the Italian Data Protection Authority and the Antitrust Authority started an investigation to find out what happened to the personal data of Italian citizens. According to the Italian Data Protection Authority, 57 Italians downloaded a personality test app called “Thisisyourdigitallife”. The app was used by Facebook to collect information, not only on the users who downloaded this app, but also on their Facebook friends. Finally, the app provided and transferred the aforementioned personal data to Cambridge Analytica.
As a result, the personality test was used to collect the personal information and data of more than 200,000 Italian citizens without their consent. The Italian DPA declared that the transfer of personal data from Facebook to a third party without the consent of the data subjects is not compatible with the Italian privacy regulations.
Because the breach happened before the GDPR entered into force in May 2018, the Italian DPA could not apply the provisions of the GDPR relating to the amount of the fines in case of a data breach (possibility to issue fines of up to 4 percent of a company’s global revenue). However, it seems that the case is not over, as the investigation of US authorities is still pending and it was reported that Facebook expects to be fined up to $5 billion by the Federal Trade Commission for privacy violations, which would be a record fine imposed by the FTC against a technology company.