By Luca Tosoni and Dan Cooper

On 2 February 2017, the Italian DPA (“Garante”) imposed a record fine of 5,880,000 Euros on a UK company operating in Italy for its violation of the data privacy consent rules contained in Italian law.  This is the largest data privacy fine ever issued by a European data protection authority for a breach of the EU’s data protection framework.

The Garante imposed the fine on a company that allegedly made money transfers to China on behalf of individuals without their knowledge or agreement, and therefore did not obtain the individuals’ consent to the processing of their data.

The size of the fine reflects, in part, the fact that a significant number of data subjects were impacted by the breach.  In fact, the Garante concluded that the company had committed a separate privacy violation for each data subject whose data was used without consent.  The fine therefore reflects the sum total obtained from adding up the fine for each individual breach committed by the company.

Background

Following a criminal investigation into five companies responsible for conducting international money transfers, the “Guardia di Finanza” (i.e., an Italian law enforcement authority primarily handling financial crimes) determined that the companies in question sent money to China by using the personal data of individuals without their knowledge.

According to the Italian authorities, the companies split large money transfers into smaller transfers to avoid detection, and then attributed the transfers to data subjects who were unaware of this.  The personal data of these individuals was obtained from a database set up by one of the companies.  This allegedly was done in order to circumvent applicable Italian anti-money laundering rules and to avoid disclosing the names of the real parties transferring the money.

Garante Fining Decisions

The Garante, in turn, determined that the companies infringed Italian privacy rules because they processed data of individuals without their knowledge or consent.  In addition, the DPA found that the violations were committed “in connection with a database of considerable size and importance,” which is specifically sanctioned by the Italian Data Privacy Code.

The Garante imposed heavy fines on each of the companies involved in the money transfer scheme, amounting to 5,880,000, 1,590,000, 1,430,000, 1,260,000 and 850,000 Euros, for a total of over 11 million Euros.

The Garante calculated the fines as follows: (i) it applied a 10,000 Euros fine for each data subject whose rights were violated (i.e., the minimum fine for a violation of the consent rules); and (ii) it applied an additional 50,000 Euros fine because of the size and importance of the database.  As one of the companies was found to process data of 583 data subjects without their consent, the Garante imposed on this company a fine of 5,880,000 Euros (i.e., 10,000 Euros, multiplied by 583 victims, plus a further 50,000 Euros).

This decision is interesting, insofar as it demonstrates the willingness of at least one EU data protection agency to levy fines that appear more consistent with the sanctions regime arising under the General Data Protection Regulation (GDPR), although that statute is not yet in force.  Under the GDPR, companies may be sanctioned with fines up to 20 million Euro or 4% of their annual worldwide turnover.  The companies’ specific malfeasance and attempts to evade Italy’s anti-money laundering regime undoubtedly also was a strong contributing factor to the Garante’s assessment and behaviour.