The Italian Data Protection Authority (Garante per la protezione dei dati personali, “Garante”) has this month imposed fines of more than €11 million on five companies operating in the money transfers sector for unlawful processing of personal data. This is the largest fine ever imposed by a European Data Protection Authority.
Sigue Global Service Limited, a UK web-based money transfer firm, and four companies operating as its agents in Italy, were found to have transferred large amounts of money to Chinese entrepreneurs in breach of Italian money laundering regulations and the provisions of the Legislative Decree 30 June 2003 no. 196 (Codice per la protezione dei dati personali, Italian Privacy Code).
Evidence collected by the Italian financial police showed that the transfers were made through multiple smaller operations that did not reach anti-money laundering thresholds and were therefore not detectable. These transfers were attributed to persons other than the actual senders to avoid linking their real names to the transactions.
The names and other personal data used to carry out such transfers were collected from a wide database created by one of the companies without providing any information to, or securing consent from, data subjects involved, who were unaware of the whole operation.
The size of the fines imposed on March 10 to the five companies involved reflects the significant number of data subjects who were impacted (more than a thousand people). In this respect, the case has similarities with the 2014 Google cars case, in which Google was fined €1 million for unlawfully processing a large amount of data to be pooled into a substantial database set up by Google in connection with its Street View service.
However, despite this obvious similarity, the cases represent two different applications of the same criterion. Besides the nature and gravity of the offense, the personality of the offender and its economic conditions, another crucial criterion generally taken into account by the Garante in determining the actual sanction is how cooperative the offender is in mitigating the consequences of its infringing behavior.
While in the Google case the Garante was positively influenced by Google’s prompt cooperation to redress its misconducts, in the cases involving Sigue and its agents the latter did not show any will to cooperate in the proceeding or remedy their misconducts. This attitude was reflected in the harsh sanctions (respectively, € 5,880,000 for Sigue and € 1,590,000, € 1,430,000, € 1,260,000 and € 850,000 for the agent companies, all such amounts being the sum of the single applicable sanctions for each data subject whose rights were violated).
This case at issue is very significant, as it confirms a trend of increasing data protection enforcement, in line with the new regime set forth by the General Data Protection Regulation becoming effective from May 2018. There is a clear message in view of the upcoming implementation of the GDPR: privacy compliance can no longer be taken lightly.