In the broader context of an investigation by the Public Prosecutor of Rome into money-laundering offences by five companies which operate in the money transfer field, on March 10th the Italian Data Protection Authority ordered such companies to pay fines for illicit processing of personal data totaling more than 11 million euros. This total figure is one of the highest ever imposed by a European Data Protection Authority.
Five money transfer companies were involved in the scheme whereby they collected and transferred to China sums of money coming from Chinese businessmen, not only in violation of the anti money-laundering laws but also the data protection laws. In order to circumvent the anti-money laundering rules, the companies split the sums of money into small amounts just below the threshold allowed for such transfers and transferred them in the names of more than one thousand other customers, who were totally unaware that their personal data was being put to such use. These customers had clearly not been informed nor given their consent, so such use was totally illegal and contrary to sections 162, para 2 bis and 167 of the Italian Data Protection Code (Illegal processing of personal data), while the violation was particularly grave in view of the size of the data bases used (and in some cases in view of the economic size of the offending company), so as to attract fines of at least 50,000 euros for each single violation, in accordance with section 164 bis, para 2 of the Code. Multiplied by the numbers of violations, the total fines reached more than 11 million euros.
There has been attention in the press recently concerning the allegedly enormous sums illegally transferred to China in the last few years, but it is apparently the first time the investigations have given rise to fines for the money transfer companies by the Data Protection Authority.