The data protection authority in Italy sanctioned Facebook due to the breach of privacy laws following the Cambridge Analytica scandal.
The Cambridge Analytica scandal and the privacy investigation against Facebook in Italy
In March 2018, news had emerged that an English research company, Cambridge Analytica, had used the data of 87 million Facebook users to analyze their personalities, through psychological profiling, with the alleged aim of influencing the 2016 American elections.
This news was followed by a request for information from the Italian Privacy Authority to Facebook to understand the possible processing of personal data of users located in Italy by Cambridge Analytica. The investigation showed that, through the application called Thisisyourdigitallife made available on Facebook, it was possible to collect users’ data then shared – through the Facebook login function – with Cambridge Analytica for purposes of psychological profiling of users and subsequent processing of highly personalized promotional campaigns, by means of a quiz managed by the company GSR-Global Science Research.
The investigations carried out by the Italian data protection authority showed that 57 Italian users had downloaded the application and that, because of the possibility allowed by the Facebook login to share the data of “friends”, this application had acquired and shared with Cambridge Analytica the data of 214,077 Italian users.
The proceeding of the Italian data protection authority
The Guarantor had already issued a decision against Facebook for this conduct in January 2019. The new decision serves only to quantify the potential sanction payable by Facebook for the alleged conduct.
In particular, the challenges raised against Facebook concern the failure to provide a privacy-compliant information notice and the failure to obtain consent to the communication to Cambridge Analytica of the data of 214,077 Italian users who were “friends” on the social network of the users who had downloaded the application. This misconduct carried the aggravating circumstance that the violation affected a database of significant size.
According to the privacy authority, the 214,077 users had not received any detailed information about how their personal data was processed and had not given any specific consent to their communication. Therefore, they could not imagine that when granting their “friendship” on Facebook, their data would be transferred to third parties.
But Facebook’s conduct was also challenged with regard to the product “Ballot” (also called “Candidati”), a service used during the Italian elections of March 4, 2018, to allow users to share the news that they had gone to vote. This information, together with the comment a user could add when sharing it to explain their vote, involved – according to the privacy authority – the collection of sensitive data such as information on political opinions.
The Italian privacy fine against Facebook for the Cambridge Analytica events
Following the above challenges, Facebook Ireland had already paid the fines for which payment could be made in a reduced amount, provided that the right to object to the challenge was waived. Therefore, the new decision of the Italian privacy authority concerns only the aggravating circumstance that the violation affected a database of particular relevance and size, for which the reduced payment is not allowed.
However, in the data protection authority’s opinion, that same reduced payment precluded Facebook from challenging the validity of the violations, as it amounted to an acknowledgment of them. The main argument raised by Facebook concerned the lack of jurisdiction of the privacy authority over Facebook Ireland, since it is based in Ireland. The Italian authority instead considered that it had jurisdiction, also because the challenged activity concerned Italian users. This approach in some way anticipates the principle of so-called “targeting”, now expressly provided for by the GDPR, also in light of the promotional activities for the social network carried out by Facebook Italy (Read on the topic “To which entities is the GDPR applicable? What is the territorial scope?”).
For the reasons set out above, the authority issued a fine of € 250,000, which was quadrupled to € 1 million in light of the economic conditions of Facebook, which would otherwise have made the penalty ineffective.
What would have the fine against Facebook been under the GDPR?
The amount of the fine may seem considerably low compared to the extent of the violation and the economic conditions of Facebook. However, the breach occurred before May 25, 2018. Therefore, the applicable sanctions were those provided for by the Italian Privacy Code, before the GDPR became applicable.
If the same violation had occurred while the European Privacy Regulation was applicable, Facebook would have risked a penalty of more than € 2 billion, taking into account that penalties can reach 4% of the turnover of the year prior to the violation (Read on the topic “Are privacy fines really massive under the GDPR?”).
My main takeaways
The lessons learned from this decision are in my view:
- The Italian data protection authority is following a strict approach, and the restart of its dawn raids confirms this (Read on the topic “Top 5 immediate actions to get ready for Italian privacy dawn raids”);
- A generic privacy information notice referring to broad categories of data processing is not considered compliant, and the same applies to consents, which must not be pre-ticked and have to be specific; and
- It is necessary to adopt a long-term strategy in a privacy dispute, taking into account, among other things, the consequences that a decision taken in one dispute (e.g., the payment of a reduced penalty) has on connected challenges. This issue will become increasingly significant, since the privacy authority in Italy is issuing two separate decisions, one on the challenged violations and a second on the applicable penalty.