Mar 302017

Italian DPA Imposes Largest Ever Fine Imposed by a European Data Protection Authority: UK Payments Company Found to Have Breached Consent and Other Rules

William RM Long, Vishnu Shankar, Michele Tagliaferri and Fran Faircloth
, , , ,

On February 2, the Italian Data Protection Authority, known as the “Garante,” imposed a fine of EUR 5,880,000 on a UK money transfer company that it found to be in violation of Italian data privacy rules. This is the largest ever publicly-known fine imposed by an EU data protection authority, and it approaches the level of fines that are likely to be imposed under the EU’s General Data Protection Regulation (“GDPR”) that will come into force in May 2018. Although the GDPR is not yet in force, the Garante’s enforcement action shows that European data protection authorities are willing to levy the kind of fines allowed by the GDPR.

According to the Garante, Sigue Global Service Limited (“Sigue”), which is registered in the UK but has a branch in Rome, worked with other companies to split large monetary transfers to China in order to evade anti-money laundering rules.  The Italian regulators found that Sigue attributed money transfers to over one thousand individuals, using their personal data obtained from a database of photo identification, even though those individuals did not consent to the processing of their data, or even know about the transfers.  Some of the transfers were executed through forms that were not signed, or signed by deceased or non-existent individuals.  The Garante found a separate privacy violation by Sigue with regard to each of the more than one thousand privacy code violations.

The Garante found that the database used to carry out the violations was of sufficient size and importance to trigger Italian data privacy sanctions. Five companies were fined for their involvement in this arrangement.  The fine imposed on each company reflects all the violations in which the company played a role.

The Garante fined the companies EUR 10,000 for each data subject whose data consent rights were violated and applied an additional EUR 50,000 fine because of the database size and importance. For Sigue, which processed the data of 583 data subjects without their consent, this accumulated to EUR 5,880,000, the largest fine ever imposed by a European data protection authority. Total fines for all five companies exceeded EUR 11 million.

The Garante’s enforcement action demonstrates the willingness of European data protection authorities to impose large fines for breaches of data privacy requirements, even under the current EU data protection framework, which is generally less onerous than the GDPR, and is indicative of the approach that European data protection authorities could adopt under the GDPR. The GDPR allows for fines of up to the greater of 20 million Euros or 4% of a business group’s annual worldwide gross revenues to be imposed for certain breaches of the GDPR. To avoid such fines, it is critical to put in place a robust GDPR implementation plan in advance of the GDPR coming into force in 2018.

William RM Long

London

wlong@sidley.com

Vishnu Shankar

vshankar@sidley.com

Michele Tagliaferri

Brussels

mtagliaferri@sidley.com

Fran Faircloth

ffaircloth@sidley.com

You might also like
UK Sets Out It’s “Pro-Innovation” Approach To AI Regulation

On 29 March 2023, the UK’s Department for Science Innovation and Technology (“DSIT”) published its long awaited White Paper on its “pro-innovation approach to AI regulation” (the “White Paper”), along with a corresponding impact assessment. The White Paper builds on the “proportionate, light touch and forward-looking” approach to AI regulation set out in the policy paper published in July 2022. Importantly, the UK has decided to take a different approach to regulating AI compared to the EU, opting for a decentralised sector-specific approach, with no new legislation expected at this time. Instead, the UK will regulate AI primarily through sector-specific, principles based guidance and existing laws, with an emphasis on an agile and innovation-friendly approach. This is in significant contrast to the EU’s proposed AI Act which is a standalone piece of horizontal legislation regulating all AI systems, irrespective of industry.

How the China Personal Information Protection Law Applies to Foreign Asset Managers

Since China’s Personal Information Protection Law (PIPL) came into effect in November 2021, there has been widespread uncertainty amongst offshore fund managers and investors with entities outside Mainland China as to how and whether the regime applies to them. Given the potential for foreign asset managers to overlook or misinterpret PIPL, this brief update outlines some guidance as to how PIPL can apply, and to whom, in a practical context.

EU Moving Closer to an AI Act – Key Areas of Impact for Life Sciences/MedTech Companies

The European Union is moving closer to adopting the first major legislation to horizontally regulate artificial intelligence. Today, the European Parliament (Parliament) reached a provisional agreement on its internal position on the draft Artificial Intelligence Regulation (AI Act). The text will be adopted by Parliament committees in the coming weeks and by the Parliament plenary in June. The plenary adoption will trigger the next legislative step of trilogue negotiations with the European Council to agree on a final text. Once adopted, according to the text, the AI Act will become applicable 24 months after its entry into force (or 36 months according to the Council’s position), which is currently expected in the second half of 2025, at the earliest.