The first GDPR fine in Italy was issued by the Garante for the failure to implement the required security measures following a data breach on the so-called Rousseau platform, which operates the websites of the Movimento 5 Stelle party.
The facts of the case relating to the Rousseau platform
Several websites affiliated with the Italian political party Movimento 5 Stelle are run, through a data processor, on the platform named Rousseau. The platform suffered a data breach in summer 2017, which led the Italian data protection authority, the Garante, to require the implementation of a number of security measures, in addition to the obligation to update the privacy information notice so as to give additional transparency to the data processing activities performed.
The lack of privacy-related security measures challenged
While the privacy information notice was updated in time, the Italian data protection authority raised concerns about the lack of implementation on the Rousseau platform of some of the following GDPR-related security measures:
- a vulnerability assessment to be repeated periodically: one was performed on the platform, but according to the Garante it left open issues around the use of outdated software no longer maintained by its supplier, which made the application of patches complicated and time-consuming;
- a system to enforce stronger passwords at account creation and reduce the risk of brute-force attacks, which was adopted on the platform;
- secure protocols and digital certificates to protect data in transit and reduce the risk of users being lured to fake sites, measures which were put in place on the Rousseau platform;
- solutions to raise the security of password storage, given the weak cryptographic algorithms previously used, which according to the Garante was no longer an issue for the majority of users;
- auditing measures requiring the recording of the accesses and operations performed (the so-called logs) on the database of the Rousseau system, so as to guarantee the integrity of the data and at least ex-post control of the activities carried out on the system, which remained an unsolved issue.
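The second and fourth measures in the list above (password strength and brute-force protection, and password storage without weak algorithms) are easier to judge against concrete code. The following Python example is added here as an illustration and is not code from the Rousseau platform or from the Garante's decision; the password policy, the scrypt cost and the lockout threshold are assumed values chosen for the example. It places an unsalted MD5 digest, the kind of storage the decision treats as a weak algorithm, beside a salted, memory-hard scrypt hash with a constant-time comparison, and adds a per-account lockout so that guesses cannot be submitted indefinitely.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example: a scrypt cost that fits within the
# default OpenSSL memory limit (128 * N * r = 16 MiB), a 12-character minimum
# and a lockout after five consecutive failed attempts.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
MIN_PASSWORD_LENGTH = 12
MAX_FAILED_ATTEMPTS = 5


def weak_hash(password: str) -> str:
    """Storage of the kind the decision criticises: a fast, unsalted digest.

    Every user with the same password gets the same hash, and an attacker who
    obtains the table can test billions of guesses per second offline.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def password_meets_policy(password: str) -> bool:
    """Assumed policy: minimum length and at least three character classes."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return sum(classes) >= 3


def hash_password(password: str) -> str:
    """Salted, memory-hard scrypt hash, serialised together with its parameters."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


class UserStore:
    """In-memory credential store with per-account lockout (constructed example)."""

    def __init__(self) -> None:
        self._hashes = {}
        self._failed = {}

    def register(self, username: str, password: str) -> None:
        if not password_meets_policy(password):
            raise ValueError("password does not meet the strength policy")
        self._hashes[username] = hash_password(password)
        self._failed[username] = 0

    def is_locked(self, username: str) -> bool:
        return self._failed.get(username, 0) >= MAX_FAILED_ATTEMPTS

    def login(self, username: str, password: str) -> bool:
        # Unknown and locked accounts fail identically, so the response does not
        # reveal which usernames exist.
        if username not in self._hashes or self.is_locked(username):
            return False
        if verify_password(password, self._hashes[username]):
            self._failed[username] = 0
            return True
        self._failed[username] += 1
        return False


if __name__ == "__main__":
    store = UserStore()
    store.register("alice", "Corr3ct-Horse!")
    print("weak hash, identical for every user with this password:",
          weak_hash("Corr3ct-Horse!"))
    print("stored scrypt record:", store._hashes["alice"])
    print("login with correct password:", store.login("alice", "Corr3ct-Horse!"))
    for _ in range(MAX_FAILED_ATTEMPTS):
        store.login("alice", "guess")
    print("locked after repeated failures:", store.is_locked("alice"))
```

Two details matter for a reviewer checking a platform of this kind: the stored record carries its own salt and cost parameters, so the cost can be raised later without invalidating existing accounts, and the comparison uses `hmac.compare_digest` rather than `==` so that timing does not leak how many bytes of the digest matched.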
In particular, the lack of measures for storing log files of the activities performed by the platform's IT support personnel was the main matter of dispute. Access by the IT support personnel could be tracked for only some pages, and the operations they performed were not recorded at all.
Additionally, the Garante objected that system administrators were using shared accounts with broad privileges to operate the platform. This was a further issue given that such administrators could access special categories of personal data, such as data on political opinions.
Finally, the security measures aimed at anonymising the activities performed through the e-voting system were also considered inadequate.
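The two findings above, operations by support personnel that were not recorded and administrators working from shared accounts, are the ones a platform operator can most directly verify in code. The following Python example is added here for illustration and is not code from the Rousseau platform or from the decision; the account names it refuses, the operation labels and the sample entries are constructed for the example. It keeps an append-only log of database operations in which each entry is tied to a named personal account and to the SHA-256 hash of the previous entry, so that a later change or deletion of any entry breaks the chain and is detectable on ex-post review.

```python
import hashlib
import json
from dataclasses import dataclass, replace
from typing import List, Optional

# Assumed for this example: generic account names the platform refuses as an
# audit-log actor, because they do not identify the person who acted.
SHARED_ACCOUNT_NAMES = {"admin", "administrator", "root", "sysadmin", "support"}
GENESIS_HASH = "0" * 64


@dataclass(frozen=True)
class AuditEntry:
    seq: int            # position in the log, starting at 0
    timestamp: str      # ISO 8601 string supplied by the caller
    actor: str          # named personal account, never a shared one
    operation: str      # e.g. "SELECT", "UPDATE", "EXPORT"
    target: str         # table, record or page acted upon
    prev_hash: str      # entry_hash of the previous entry (the chain link)
    entry_hash: str     # SHA-256 over all fields above


def _compute_hash(seq: int, timestamp: str, actor: str, operation: str,
                  target: str, prev_hash: str) -> str:
    # Canonical JSON so the same fields always hash to the same value.
    payload = json.dumps([seq, timestamp, actor, operation, target, prev_hash],
                         separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class AuditLog:
    """Hash-chained, append-only record of operations (constructed example)."""

    def __init__(self) -> None:
        self.entries: List[AuditEntry] = []

    def record(self, timestamp: str, actor: str, operation: str,
               target: str) -> AuditEntry:
        if actor.lower() in SHARED_ACCOUNT_NAMES:
            raise ValueError(f"shared account {actor!r} cannot be an audit actor")
        seq = len(self.entries)
        prev_hash = self.entries[-1].entry_hash if self.entries else GENESIS_HASH
        entry_hash = _compute_hash(seq, timestamp, actor, operation, target, prev_hash)
        entry = AuditEntry(seq, timestamp, actor, operation, target,
                           prev_hash, entry_hash)
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """Return the seq of the first broken entry, or None if the chain is intact.

        An edited field changes the recomputed hash; a removed entry makes the
        sequence numbers and the previous-hash links disagree.
        """
        prev_hash = GENESIS_HASH
        for expected_seq, e in enumerate(self.entries):
            recomputed = _compute_hash(e.seq, e.timestamp, e.actor,
                                       e.operation, e.target, e.prev_hash)
            if (e.seq != expected_seq or e.prev_hash != prev_hash
                    or e.entry_hash != recomputed):
                return e.seq
            prev_hash = e.entry_hash
        return None

    def operations_by(self, actor: str) -> List[AuditEntry]:
        """Ex-post control: everything a given named account did."""
        return [e for e in self.entries if e.actor == actor]


def simulate_tamper(log: AuditLog, seq: int, **changes) -> None:
    """Overwrite fields of a stored entry in place, as an attacker or a careless
    administrator with write access to the log store might; used to show that
    verify() catches it."""
    log.entries[seq] = replace(log.entries[seq], **changes)


if __name__ == "__main__":
    log = AuditLog()
    log.record("2019-04-04T10:00:00Z", "m.rossi", "SELECT", "members.political_votes")
    log.record("2019-04-04T10:01:00Z", "m.rossi", "UPDATE", "members/1234")
    log.record("2019-04-04T10:02:00Z", "g.bianchi", "EXPORT", "members")
    print("intact chain, first broken seq:", log.verify())
    simulate_tamper(log, 1, operation="SELECT")
    print("after editing entry 1, first broken seq:", log.verify())
```

The chain only proves integrity relative to the latest hash; to make it tamper-evident against someone who can rewrite the whole log, the latest `entry_hash` must also be periodically anchored somewhere the administrators cannot write, such as a write-once store or an external log collector. That is the point the Garante's finding on ex-post control turns on: a log that the same privileged, shared account can silently rewrite does not guarantee anything.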
The first GDPR fine issued in Italy
Due to the issues indicated above, the Garante held that there was a breach of Article 32 of the GDPR for the lack of appropriate technical and organisational measures on the Rousseau platform, and it issued a € 50,000 fine.
Interestingly, the fine was not imposed on the Movimento 5 Stelle, which is the data controller of the platform, but on the Rousseau association, which is the data processor. For the first time, the data protection authority did not consider the data controller liable for whatever the data processor did, and recognised that the data processor may be liable without any liability of the data controller. You can read on the same topic the articles “New risks for tech suppliers with the GDPR?” and “Are privacy fines massive under the GDPR?“.
The decision is also interesting because it gives a more precise understanding of the security measures that privacy authorities expect to be in place for a platform processing large amounts of personal data. Indeed, while the Italian privacy code was quite specific about the required minimum security measures, the GDPR requires an assessment of the adequacy of the security measures adopted by the data controller in light of the accountability principle.
Finally, it is worth mentioning that the proceeding was initiated before May 2018, but the Italian data protection authority issued a fine under the GDPR because the Rousseau platform had not adopted the security measures required by an order issued after 25 May 2018. As a consequence, pending proceedings might also lead to follow-up fines under the EU General Data Protection Regulation.
My top 3 best practices from the first GDPR fine in Italy
The best practices that can be drawn from this case are, in my view, the following:
- Operating as a data processor is no longer a protection against fines and liabilities under the GDPR, and the correct qualification of the parties needs to be based on a review of the specific circumstances of the case;
- The implementation of adequate technical measures requires a case-by-case assessment whose performance must be capable of being proven and is not a mere formality; and
- Privacy fines can really become a risk for companies, and data protection compliance cannot be overlooked.
On the matter above, you may find interesting the article “Top 5 immediate actions to get ready for Italian privacy dawn raids” and the video below, part of my video blog “Diritto al Digitale“.