Italy: Fine for Facebook
In 2015, the public found out that the company Cambridge Analytica had collected and processed data from Facebook Users without their consent. It used an App with Facebook Login for this.
The collected data was, for example, used to manipulated the US presidential election. The App did not only collect data from its users. It also collected data from all of their Facebook friends, without the approval or knowledge of said friends. This is a major violation of privacy . Even though Cambridge Analyticas main audience was in the US, it also had 57 Italian users. Using the access to the data of the friends of these users, data about 214.077 Italian citizens has been collected. The victims, whose data were collected without their permission, knew nothing.
The Italian data protection authority issued a fine of one million Euros. The old data protection law was the foundation of the fine, as the GDPR went active in 2018, nearly three years later. The fine could have been much higher, if the GDPR was active at this time. Because of the size of Facebooks databases and their number of Italian users, the Italian data protection authority declined the offering to pay a smaller fee in exchange to stops the investigation.
The authority underlined, that no data of the App users friends were send to Cambridge Analytica. Facebook claimed to have removed the problematic feature. They also said, that they now pay closer attention to privacy. The public found out later, that a few selected companies still had access to said feature.
Type of Issue:
Illegal data processing
Number of involved data records:
Special category of data involved:
Violation of GDPR Paragraph:
14. Information to be provided where personal data have not been obtained from the data subject
5. Principles relating to personal data processing
6. Lawfulness of processing
7. Conditions for consent