Greetings from Fontainebleau, France!
Facebook continues to be confronted by the wave of data protection authority investigations into its privacy practices. Indeed, it has become a regular media headline occurrence where one or other tech giant is being probed or ruled upon by a European regulator. This week, it was the turn of Italy, the latest DPA to join the European trail of national authorities seeking to assert their jurisdiction over the company.
The case is an interesting one where Italy’s DPA has ordered Facebook to turn over to an Italian user all the data it has on him, including the personal information, photos and posts of a separate fake account set up in that person's name by somebody else.
Here’s a story of trolling nastiness, one which highlights the harm and potential distress that can be the result of open social networking; users be warned. The user in question — the victim — “befriended” another user on the network who attempted to extort money from him; when the demands were not met, the “friend” set up a fake account using the complainant’s personal information and started posting and messaging defamatory content to his contacts under the fake account, which the victim claims resulted in reputational damage.
The case was lodged by the Italian user with the national DPA citing an "unsatisfactory" response in obtaining complete copies of the data in question from the social media company following an initial complaint about the abuse. The Italian watchdog, in turn, sided with the plaintiff, stating that under local Italian law, personal data pertaining to both accounts, real and fake, must be sent to the victim. In addition, the Italian DPA said that the social network must provide details of how the personal data was used, including whom it was sent to or who might have obtained knowledge about it. A privacy quagmire, you might say. Just how many data subjects do you think might be implicated in this particular case? A few I’ll bet, and what of their privacy rights in this story?
They went further, too, asking Facebook to not destroy any of the data related to the fake account, stating that local authorities could possibly use the data in a criminal investigation.
The Italian data protection authority's ruling is particularly significant in establishing what rights EU citizens have to the personal data of fake accounts purporting to be theirs. As stated earlier, Facebook is not the only tech giant facing the wrath of users and courts. Search engine giant Google recently faced off against the European Union Court of Justice, resulting in two substantial rulings from the latter. The two cases, one referred to as the Weltimmo case in Hungary, and the other as the Google Spain (RTBF) case, stated that if a company has established operations in any EU country, it is subject to the local laws and regulations.
In the present case, the ruling would seem to indicate that even though it was Facebook International registered in Ireland that carried out the processing of the personal data of the two accounts, the Italian data protection authority was competent to find that Italian privacy laws had been broken. The new European GDPR, which finally passed this last month, brings into play a pan-EU approach that will change the privacy landscape in meaningful ways, and possibly well beyond the borders of the EU. This will not be easy with the multitude of jurisdictions involved. More cases of this kind will most likely be needed to test, establish and frame the legal parameters of this new world. The next years will no doubt be colorful. Privacy and data protection professionals will certainly be in demand.