The Garante issued the sanction for data breaches related to the Cambridge Analytica scandal.

Background: In 2018, the Cambridge Analytica (CA) scandal revealed that several applications running on Facebook’s platform could obtain data of Facebook users without their consent. In particular, CA had accessed data on 87 million users via a psychological testing app and had used such data to try and influence the US presidential elections in 2016. This triggered investigations of several data protection authorities in Europe.

The Italian fine: The Garante imposed the fine on the basis of the former Privacy Code. This is due to the time when the violation was committed, before GDPR came into force. The Garante found that 57 Italians had used CA’s app (“Thisisyourdigitallife”); thanks to the sharing of data relating to ‘friends’ enabled by that function, the app had subsequently acquired data relating to additional 214k Italian users who had not downloaded the app, had not been informed of the sharing of their data, and had not given their consent to such sharing. Accordingly, the Garante found that Facebook was in breach of privacy legislation.

Why is the fine so high? In March 2019, the Garante gave Facebook a notice of commission of infringements, namely the failure to provide information, obtain consent, and reply adequately to the Garante’s request for information. Regarding those infringements, Facebook had the possibility to terminate the procedure by paying a reduced fine of €52k. However, the infringements related to an especially large, important database; this led the Garante to conclude the reduced amount does not apply. In calculating the amount of the fine, account was taken of the size of the database as well as of Facebook’s economic status and the number of its users both worldwide and in Italy.