The proceedings before the Garante originated from the criminal investigations carried out by the Rome public prosecutor for infringements of Italian anti-money laundering law provisions.
According to the outcome of such investigations, the UK company Sigue Global Service Limited (‘Sigue’ – which operates in Italy through a local branch) – jointly with another four companies acting as Sigue’s agents – carried out activities that are commonly known as ‘fractionation.’ Such practice consists of scattering large transactions amongst several accounts to circumvent the anti-money laundering rules that set forth the thresholds for allowed money transfers. In the case at hand, the public prosecutor found that large monetary transfers to China were split and attributed to more than 1,000 individuals distinct from the actual senders.
Moreover, the identification data used were collected from the Centralised Computer Archive (Archivio Unico Informatico), which is a database that financial intermediaries are required to keep for the purposes of counter-terrorism compliance and anti-money laundering.
The reasoning of the Garante
In parallel with the Rome public prosecutor’s investigations, the Garante started autonomous proceedings to understand whether the described criminal offences could also amount to data protection infringements. Eventually, the Garante found that, while fractioning the transactions across different accounts, the companies involved unlawfully processed the personal data of the account holders used to split the amounts that were sent to China, contrary to the general rule provided by Section 23 of the Italian Data Protection Code (Legislative Decree no. 196/2003).
In particular, according to the Garante, the holders of the accounts to whom the relevant transactions were attributed did not consent to the use of their personal data for these purposes. The Garante inferred the absence of the account holders’ consent from the following factual circumstances: (i) the account holders never coincided with the actual senders; (ii) the payment orders were not signed or, on some occasions, referred to either fake or deceased individuals; and (iii) the money transfers were carried out within a narrow time window, for amounts almost equal to the prohibited threshold, and were addressed to a sole recipient.
In addition to the above, the Garante found that the infringements were especially serious, considering that:
In light of the above, the Garante fined the involved companies for unlawfully processing the personal data of some of their clients. Sigue was issued a sanction amounting to €5,880,000, while the other companies acting as agents for Sigue were fined with sanctions amounting respectively to €1 million and €590,000, €1 million and €430,000, €1 million and €260,000, and €850,000.
The fines issued by the Garante on this occasion are among the largest ever issued by a European data protection authority, and the decision at hand might constitute a turning point in the authority’s approach to the level of fines. This is particularly true considering that the fine issued in the past by the Garante against Google in the Street View case – which amounted to €1 million – was the highest fine imposed by a European data protection authority before 2017.
In terms of the level of fines, the decision might be viewed as anticipating the GDPR, so that the shift from the currently-in-force national data protection law to the GDPR is smoother when the latter becomes directly applicable in 2018. Indeed, the GDPR provides for significant sanctions, i.e. fines up to the greater of €20 million or 4% of a business group’s annual worldwide gross revenues. Such amounts are far higher than those provided by Member States’ data protection laws that are currently in force, including those provided by the Italian Data Protection Code. The decision by the Garante in this case could thus be seen as a signal aimed at companies and designed to stimulate awareness of the economic risks arising from non-compliance with data protection rules.
The decision is also a warning to the industry in general. Financial services providers should be aware of the specific data protection risks related to the provision of their services. In other words, compliance with the financial statutory and regulatory framework will not be the only issue at stake for such providers.
Traditional providers, and FinTechs as well, are and will increasingly be affected by the need to fully comply with data protection regulations. The large amounts of data available to FinTechs from different sources do not imply that such data are freely usable absent the specific and informed consent of the data subjects. Awareness in terms of data protection compliance should be an aim for the industry, and decisions like the one briefly analysed above might help to increase such awareness.
This article was first published in the 4th issue of Payments & FinTech Lawyer.