Facebook and Cambridge Analytica: Facebook’s data processing is unlawful according to the Italian Supervisory Authority

With a recent decision (you can find the abstract here), the Italian Supervisory Authority (Garante per la protezione dei dati personali) found that the data processing by Facebook, concerning information submitted by its users by means of the apps available on the web platform and through certain software products developed during Italy’s 2018 elections, was unlawful. The grounds for the ruling were the lack of adequate information and specific consent for the data processing at issue.

The dispute arose from the well-known US case ‘Cambridge Analytica’, regarding the use of data provided by Facebook’s users for profiling activities targeted for political and electoral purposes. In fact, the social network’s users were able to have access to third-party apps on the web platform simply by entering the credentials of ‘Facebook Login’, thus leading such applications to have access to various profile information such as name, email address, age, gender, and residence. Despite the fact that sharing data acquired by the apps with third parties is forbidden under Facebook’s terms and conditions of use, an application named “Thisisyourdigitallife” transferred US users’ data to Cambridge Analytica, a research company which subsequently used them to develop a highly personalised advertising campaign with the presumed aim of influencing the vote in the US 2016 general election.

Following this case, the Garante asked Facebook to clarify whether the data of Italian users, provided through ‘Facebook Login’ and by means of certain software products created for the Italian 2018 election campaign, have been communicated to third parties for profiling activities targeted for political and electoral purposes. With the explanation provided, the social network admitted to having transmitted to “Thisisyourdigitallife” personal data of 214,077 Italian users. It has not been proved that the same data were subsequently transmitted to Cambridge Analytica. However, Facebook pointed out that the data collected corresponded to those identified in the privacy policy accepted during the sign-up process, where explicit reference was made to the possibility that users’ public information could be seen by third parties.

First of all, the Garante ascertained that the communication to “Thisisyourdigitallife” of the data collected through ‘Facebook Login’ occurred in breach of articles 13 and 23 of the Legislative Decree no. 196/2003 (the Italian Privacy Code preceding the application of the GDPR, applicable to the cases at issue). In fact, users gave consent to transfer their data to the app by accepting an information notice and consent form  – provided during the sign-up process to the social network – with an “all-encompassing, generic and difficult to reconstruct” content, and therefore not suitable to inform them adequately about the implications deriving from their consent. In other words, users were not actually made aware of the possibility that their data would be collected from third-party apps. Furthermore, the Authority recalled that – under Article 23 of the Privacy Code – consent is “validly provided only if it is expressed freely and with specific reference to a clearly identified processing“. On the contrary, the information notice and consent form provided to the users prevented them from opposing the communication of their profile data to third-party apps, with the result that the acceptance of this data processing was essential in order to sign-up.

As regards the software products created for the Italian 2018 general election, Facebook stated that they were aimed at encouraging information and civic participation. For example, by means of the product named “Candidates”, users could get information about candidates of their own constituency by providing their address, while on 4 March (the date of the vote) users could share their vote experience in the News Feed. Recalling that personal data shall only be collected for “specific, explicit and legitimate purposes” and must be processed in accordance with the same purposes (Article 11 of the then applicable Privacy Code), the Garante found the data processing at issue to be unlawful. Firstly, in fact, the purposes of the processing of the data collected through the aforementioned products – exclusively addressed to Italian citizens and offered only during the election campaign – could not be included in those covered by the information notice provided during sign-up, which concerned, instead, all the activities carried out normally by the social network: in other words, “Facebook performed an activity hardly attributable to its own purposes“. Furthermore, since potentially sensitive data were involved, the information notice should have described the purposes of the related processing with the necessary accuracy: users’ voting experiences, as well as the interest shown for certain candidates, could reveal the political opinion of users, and Facebook should have provided adequate information concerning the risks and consequences deriving from the consent given for the related data processing.

Having acknowledged that the data collected had already been removed, the Garante forbade any further processing and reserved the right to initiate a separate procedure to impose an administrative fine on Facebook.