This blog has given much coverage to the forthcoming General Data Protection Regulation. What changes will it bring? How will the fines jump? Will Brexit affect it becoming enforceable in the UK? Earlier this year, the Italian Data Protection Authority fined a UK web-based money transfer firm €5,880,000. The current maximum fine imposed by the UK Information Commissioner is £400,000 against TalkTalk. To find out what this was all about, we spoke to Ilaria Carli, a specialist lawyer at Milan firm Legalitax Studio Legale e Tributario.
In February 2017, the Italian DPA fined Sigue Global Service, a UK web-based money transfer firm, €5,880,000. It also fined four Italian companies, operating as Sigue’s Italian agents, €5,130,000. In total, it imposed over €11 million in fines on five companies operating in the money transfer sector.
The fine levied on Sigue is the largest ever publicly disclosed fine imposed by an EU data protection authority. In fact, these penalties are high even for the Italian market. According to the Italian DPA’s 2015 report, the total amount of fines paid as a result of enforcement proceedings in Italy stood at €3,345,515.
These fines are more in line with those that data protection authorities are permitted to impose under the EU’s General Data Protection Regulation, which is not due to become enforceable until May 2018. The Italian DPA doled out these fines in accordance with the current regulatory framework.
As a result of an investigation carried out by the Prosecutor of the Court of Rome, Sigue and its Italian agents were found to have facilitated the transfer of large amounts of money to Chinese entrepreneurs in breach of Italian money laundering regulations and to have carried out unlawful processing of personal data in breach of the Italian Data Protection Code.
According to the Italian financial police, Sigue and its four agents attempted to camouflage these transfers by splitting the sums into smaller amounts, each of which was calculated to fall below the threshold set out in the money laundering regulations. Moreover, in order to hide the identities of guilty parties, the transfers were falsely attributed to others. Sigue created a database containing the names and personal data of over 1,000 individuals without informing or obtaining consents from the owners of that data. A number of the transfers were executed with forms that were unsigned or with forged signatures of deceased individuals.
The Italian DPA found that Sigue and its agents had processed personal data without the necessary consents in violation of the Italian Data Protection Code. It fined Sigue €10,000 for each of the 583 individuals whose data consent rights were violated, amounting to a total of €5,830,000. Furthermore, in consideration of the number of individuals in the database used by the money transfer companies and the seriousness of the violations, the Italian DPA levied an additional fine of €50,000.
The regulator found that, between July 2010 and July 2013, Sigue had transferred approximately €1,006,000,000 to China using the database, amounting to 785,088 operations.
These fines were imposed under the current data protection laws in Italy and surely convey the clear message that the Italian data protection authority is prepared to impose steep penalties. The fines could be much higher under GDPR.
UPDATE 19/04/17: Ilaria has confirmed that these fines were issued by the Italian DPA for data breaches. Any fines for money laundering offences are handled by a separate agency, the equivalent of the UK’s FCA.
If you can read Italian, the judgments are here: Sigue, Yume, Marc 1, Sirama, Euro Comunication System. If you want further information about this or require assistance with Italian law, email Ilaria direct.