The Italian Data Protection Authority has concluded the investigation (docweb 9080914) started against Facebook into the case “Cambridge Analytics”. At the end of the investigations done it is the result that italian citizens acquired by the app “Thisisyourdigitalife” (the personality test realized in order to recollect personal information which are object of profiling) although they have not been transmitted to Cambridge Analytica, they have nevertheless been processed in an unlawful manner, in the absence of appropriate information and specific consent. Therefore, the Italian DPA prohibited its further treatment and reserved the right to initiate a separate sanction procedure.
During the same investigation, a specific processing of personal data of Italian citizens acquired during the general elections of 4 March 2018 has also emerged through a product, called “Candidates”, installed on the social network platform.
This product allowed voters who provided their postal address to have information about candidates in their constituency and their plans. Facebook, while stating that it does not record information on how users have oriented to such profiles, kept log files of their actions for a period of 90 days, and then extract “aggregated matrices” not better defined.
In addition, on the day of the elections a message appeared on the newsfeed of Facebook users urging the sharing of whether or not they had gone to the vote and to express opinions on the importance of the same.
The Italian Data Protection Authority noted that these two functions of Facebook, specifically designed and aimed at Italian citizens in the run-up to the elections, are not included among the purposes indicated in the “data policy” of the platform.
Personal data may be collected for specific and explicit purposes and subsequently processed in a manner compatible with those purposes.
Even more so the purposes of the processing must be described very well when sensitive data are collected, such as those potentially capable of revealing political opinions, in such a way as to allow users to express their free and informed consent.
And “sensitive” data are, for example, information on whether or not you went to the polls or statements in favor of the vote (remain visible on the platform even if, according to Facebook, not monitored).
At the conclusion of the investigation, the Italian DPA therefore considered illegitimate the processing of data carried out by Facebook as based on a generic consent given by the user at the time of registration to the platform after reading a completely unsuitable information.
For these reasons, Facebook has prohibited the processing of any data collected through these methods and the assessments expressed by users following the message that urged sharing.
In this case too, the Authority reserved the objection of administrative penalties for the unlawful processing of data found.
The measure was transmitted to the Data Protection Authority of Ireland, the country where Facebook’s main establishment in Europe is located, for assessments of competence, in cooperation with the Italian DPA.
Source: Garante Privacy