At the top of the latest news on data protection there is a wide-ranging sanctioning initiative of the Italian data protection authority. The Garante, Italy's data protection authority, has issued the five highest sanctions in its history, in fact, the highest fine ever issued in Europe, reacting against an organized money transfer system in which personal data were used as tools to unlawfully avoid the application of money laundering provisions. 

Investigations carried out by the Italian financial police department, in association with Garante, have revealed gross violations of both money laundering and data protection legislation in the context of money transfers to China.

One multinational and four agent companies split money transfers to remain sub-threshold under a money laundering perspective. In doing so, a massive and unlawful processing of personal data of unaware individuals — senders of the payments — was performed.  

Moreover, some of the records scrutinized appeared to be filed by deceased or individuals who never existed; in other cases, the forms were left unsigned or partially filled in.

Given the number of deliberate violations of data protection provisions and the width of the time span involved, the Garante decided to flex its muscles and went well beyond the limit of 2,400,000 euros previously considered the maximum to be imposed by the Italian Privacy Code.

It is not the first time that the Garante has been noticed for its “tough approach." Back in 2013, the highest single sanction ever (1,000,000 euros) was issued in the Google Street view case for the breach of data protection law principles.

From a legal point of view, such an impressive total amount of sanctions (5,880,000 euros for the multinational company and 1,590,000, 1,430,000, 1,260,000 and 850,000 euros for the agent companies, a total sum of almost 11,000,000 euros) has been reached relying on the principle of tot crimina to poenae. For instance, the sanction of 5.8 million euro represents 583 single sanctions of 10,000 euros for the breach of Art. 162.2-bis of the Code plus 50,000 euro for the breach of Art. 164-bis.2. 

The lack of a legitimate legal ground for the processing (i.e. the consent of the data subject ex. Art. 23 of the Privacy Code) has triggered the sanctioning response of the DPA. Considered the relevant number of violations as multiplier, the Garante decided to issue the minimum prescribed per sanction (10,000 euro), adding a single 50,000 euro sanction to the total due to the dimension of the database involved.

There is a chance that such an intense action has been underpinned by the severity of the behavior under a civil a criminal law perspective; in any case, it represents a considerable crackdown on unlawful processing and should encourage companies and individual data controllers to accelerate their compliance run toward May 2018. 

Bearing in mind that the continuity between the current and the future legal frameworks will reconnect poor consideration for data protection obligations to harsh penalties (up to four percent of the global turnover).

photo credit: Images_of_Money Euros Isolated on White Background via photopin (license)