After the scandal around Facebook and Cambridge Analytica broke in the first half of 2018 (when Cambridge Analytica used data to profile and target individual voters in order to predict and influence their decisions in elections), another data protection authority has fined Facebook for personal data misuse.
The Italian Data Protection Authority (DPA) fined Facebook €1M for violating the provisions of national privacy laws by misusing the personal data of Italian citizens. According to the Italian Data Protection Authority, 57 Italians downloaded a personality test app called “Thisisyourdigitallife”. The app was used by Facebook to collect information, not only on the users who downloaded this app, but also on their Facebook friends. Finally, the app provided and transferred the aforementioned personal data to Cambridge Analytica, a consulting and data analytics company.
As a result, through the personality test, the personal information and data of more than 200,000 Italian citizens were collected without their consent. The Italian DPA declared that the transfer of personal data from Facebook to a third party, without the consent of the data subjects, is not compatible with the Italian privacy regulations.
Because the breach happened before the GDPR entered into force in May 2018, the Italian DPA could not apply the provisions of the GDPR on the amount of the fines in case of a data breach (i.e. the possibility to issue fines of up to 4% of the company’s global revenue). However, it seems that the case is not closed, as the investigation by US authorities is still pending and it was reported that Facebook expects to be fined up to $5 billion by the Federal Trade Commission for privacy violations, which would be a record fine imposed by the FTC against a technology company.