Businesses should be aware of a new atmosphere of increasing regulatory enforcement within the EU in the run up to the introduction of the General Data Protection Regulation (GDPR). Both Italian and UK authorities have recently imposed large fines on companies in relation to regulatory offences.
The Italian Data Protection Authority has issued a sanction of over €11 million in aggregate to five companies operating in the money transfer industry for illegally using the personal data of more than a thousand people without their knowledge or consent. This sanction represents the largest sanction issued in the European Union for a breach of data protection legislation to date.
In order to prevent the application of anti-money laundering legislation these companies were splitting up large transactions and attributing the transactions to more than a thousand customers. The transactions were attributed to these customers without their consent, or any other legitimate basis for processing, and the processing was an illegal use of their data.
As a result of this illegal processing the Italian Data Protection Authority issued a fine of almost €6 million on a multinational company while issuing fines of between €1 and €2 million on four Italian companies.
The previous 'record' was also held by the Italian Data Protection Authority for the €1 million fine it imposed on Google in 2014.
In related news, the UK's Information Commissioner's Office issued a fine of £270,000 on a company which made 22 million nuisance calls.
The increasing regulatory enforcement within the EU should be noted by businesses as the General Data Protection Regulation (GDPR) will result in data protection authorities being able to impose fines of up to €20 million or 4% of worldwide annual turnover.