Keywords: data breaches - Cambridge Analytica - data protection - Facebook

On June 14th, 2019, the Italian Data Protection Authority (DPA) fined Facebook 1 million Euro on account of breaches committed within the legal case 'Cambridge Analytica'.

Cambridge Analytica started in 2013 as an offshoot of the SCL Group and was a British political consulting company which combined data mining, data brokerage, and data analysis with strategic communication during electoral processes. More precisely, it is the company that had accessed data on 87 million users via Thisisyourdigitallife, a psychological testing app, and had used such data to influence the US presidential elections in 2016. The company closed in 2018 in the course of the Facebook–Cambridge Analytica legal case, although most of the key figures seem to have moved to Emerdata, a new company with a similar task.

The fine was imposed on Facebook on the basis of the former Italian Privacy Code (compliant with Directive 95/46/EC), because the General Data Protection Regulation (Reg. 2016/679), which repealed Directive 95/46/EC and modified the Privacy Code, was applicable only from 25 May 2018.

The injunction of the Italian DPA follows up on the decision issued by the same authority last January 10th to ban Facebook from further processing the data related to Italian users. Indeed, the Italian DPA could establish that 57 Italian Facebook users had downloaded the Thisisyourdigitallife app and that, thanks to the sharing of data relating to 'Facebook friends', the app had subsequently acquired personal data relating to an additional 214,077 Italian Facebook users who had not downloaded the app. These users had not been informed of the sharing of their data and had not given their consent to such sharing of their personal data.

For this reason, the Italian DPA stated that Facebook had disclosed the personal data of its users to the Thisisyourdigitallife app in breach of data protection legislation, even though Facebook had not directly transmitted the data to Cambridge Analytica.

In March of this year, Facebook had been served by the Italian DPA with a notice of commission of infringements regarding non-compliance with information requirements, lack of consent to the processing of personal data, and failure to reply adequately to the DPA's request for information and documents. In response to this notice, Facebook opted to pay a reduced fine of Euro 52,000. However, with the injunction of June 14th, the DPA also imposed a 1 million Euro fine on Facebook because the infringements had been committed in respect of an especially large number of data subjects, in which case no reduced fine may be allowed. In calculating the amount of the fine, the Italian DPA took account of the size of the users' database and the number of its users both worldwide and especially in Italy, as well as Facebook's economic status.
Source: Italian Data Protection Authority
Link: https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/9121506