At its July 9 meeting, the Italian Data Protection Authority (“DPA”) assessed the findings of investigations regarding telephone operators Wind Tre and Iliad, following several customer complaints concerning, among other things, unlawful data processing activities for promotional purposes and irregular access to usage data. In both cases, the Authority detected systemic issues in the processing methods and measures of protection, which led to sanctions of approximately EUR 17 million against Wind Tre and EUR 800,000 against Iliad Italia.
Wind Tre: Unlawful data processing for marketing purposes
In the Wind Tre case,[1] the investigation developed due to a number of reports from users who complained of unsolicited promotional calls, text messages, emails, faxes, and automated calls. Several users also reported that they were unable to revoke consent for or object to the processing of their data for marketing purposes. Such requests were constantly ignored by the company, and some users even reported that the privacy notice provided inaccurate contact information, thus limiting consumers’ ability to exercise their rights.
One of the issues on which the DPA focused its attentions was the management of the consent of data subjects, which in many cases had been given more than twenty years prior (1998–1999). Although the processing was performed on the basis of consent that had been lawfully provided, the DPA reported an excessively long data retention period that was not supported by reiteration of consent. According to the findings, such processing is no longer adequate with respect to the current regulatory framework, as it does not document freely given, specific, and informed consent.
The investigation also revealed that the MyWind and My3 apps were set up in such a way as to oblige the user to provide a new set of authorizations each time they were accessed, in order to expand the purposes of the processing (from marketing to profiling to location tracking), and that consent could only be revoked at a later time. Another claim concerned the presence of a single “I accept” button, which was intended to cover both acceptance of the terms and conditions (T&C) of service and consent to different types of data processing. Considering that the application could not be accessed unless the T&C were accepted, this also resulted in considerable restriction of the freedom to consent to data processing.
Finally, with regard to the request for an identity document to trigger the procedure to withdraw from processing for marketing purposes, the DPA focused on the principle of proportionality, which links the control and identification protocols to the exercise of the protected right. The DPA stressed the importance of technical and organizational measures that are not unjustifiably complex and disproportionate with respect to the exercise of rights to withdraw and object, in accordance with Article 24 of the GDPR. This is particularly true when the request does not come from customers of the Company but from people who are contacted exclusively for marketing purposes.
Other potential unlawful acts on the part of Wind Tre concerned the request for consent acquired through illegal means, i.e., through call centers that were operating not only outside the procedures implemented by Wind Tre for telemarketing activities, but also in violation of data protection, tax and labor laws.
It is in this context that the DPA issued another injunction,[2] this one addressed to one of Wind Tre’s business partners. The Authority noted that Wind Tre improperly activated contracts through the company Merlini s.r.l., which in turn operated through various brokers throughout the country. In addition to operating without any agency agreement, the brokers had not been designated as data processors in relation to the data of Wind Tre customers and had not received any training or guidance about how to comply with privacy legislation. In light of the seriousness, duration, and extent (with over 500,000 people involved) of the violation, the DPA fined Merlini s.r.l. EUR 200,000 and imposed a ban on further processing of previously collected data.
Given the previous allegations and the Merlini s.r.l. case, the Italian DPA fined Wind Tre EUR 16,729,600 and prohibited it from processing any data acquired without consent. It also ordered it to adopt technical and organizational measures for effective control of the marketing “supply chain,” as well as to respect the wishes of users and to suspend all contact whenever it was asked to do so.
Iliad under the microscope of the DPA for the first time
With a different injunction issued on July 9, the DPA generally assessed the processing methods and the technical and organizational measures adopted by Iliad Italia, which until then had never been the subject of any investigations.[3]
Specifically, the issues brought to the attention of the DPA concerned the processing of customer data for the activation of SIM cards and the method of acquiring the related payment data, as well as processing for promotional purposes and irregular access to usage data.
First of all, the DPA reported an inconsistency between the request for consent for marketing purposes (confirmed by the information notice) and the statements of the Company, which denied carrying out any marketing, telemarketing, or user profiling activities and described them instead as merely planned for the future. The practice of collecting consent for “future” and/or “potential” data processing activities has been widespread among companies in Italy: this marks the first time that the DPA has highlighted its unlawfulness and declared this practice to be contrary to the principles of transparency and fairness.
Moreover, as in the case of Wind Tre, Iliad was reported for merging acceptance of its T&C with acceptance of the privacy policy so that both were combined under a single button. Following assessment of the issue at stake, the DPA focused on the nature of the “acceptance” of the privacy policy, to be understood not as a mandatory step where the user must give consent in order to use the service, but rather as an acknowledgment of the methods and purposes underlying the processing. Using the correct terminology is essential to ensuring compliance with the principles of correctness and transparency cited in Art. 5 of the GDPR.
Other concerns arose with regard to the use of “Simboxes” that customers could use to complete a purchase independently, entering their data and ending the procedure by scanning a document and recording a video message providing their consent to the finalization of the contract. According to the authority, such “Simboxes” do not guarantee sufficient confidentiality to either the customer entering into the contract, who has to provide data (name and surname) by speaking them aloud in often crowded places, or to the people who are in the surrounding area and whose images may fall into the video capture area.
Finally, the DPA established that Articles 123, 132, and 132-ter of the Italian Data Protection Code had been violated; these provisions govern the storage of usage data, in particular the authorization of the persons in charge of accessing it and the purposes for which it may be processed. These measures require compliance with minimum security requirements commensurate with the existing risk, as indicated by the general ruling of the Authority of January 17, 2008 (as amended on July 24, 2008).
Following the order, Iliad Italia issued a statement in which it expressed astonishment at the decision of the Italian DPA and claimed that no data or rights of users had been violated, and that it had no connection to any marketing or teleselling activities. Iliad Italia’s spokesperson also indicated that the company may file an appeal.
Remarks of the DPA
The attention paid by the DPA to this sector and the considerable penalties imposed are not completely new to companies carrying out unlawful processing for marketing purposes. Indeed, the first substantial penalty after the GDPR became applicable in 2018 (EUR 11 million) was imposed on Eni Gas & Luce for unsolicited promotional calls.[4] Aggressive marketing techniques in the telecommunications sector have received particular attention from the Authority, which by the beginning of 2020 had already sanctioned TIM in the amount of EUR 27.8 million.[5] The reasoning behind the size of the sanctions lies not only in the strategic importance of the telco sector, but also in the sensitivity of the personal data that are processed in this context, specifically data relating to phone usage.
In this regard, with these recent decisions the DPA did not limit itself to reporting the unlawful aspects of the processing carried out by the sanctioned companies, but also added a number of recommendations and best practices aimed at operators in the telco sector. In particular, the DPA has offered important remarks on the issue of the appointment of processors and sub-processors pursuant to Art. 28 and 29 GDPR, in part due to an express principle of joint liability between the controller and the processor for promotional activities entrusted to third party call centers (Art. 1 paragraph 11, Law no. 5/2018).
The DPA has also extensively examined the principles of accountability and privacy by design, set forth in Articles 5, paragraph 2; 24, paragraph 1; and 25, paragraph 1 of the GDPR. In fact, the Wind Tre order points out that the entire system of the GDPR relies upon the accountability of the data controller, who therefore must have full control over the “supply chain” of marketing activities, ensuring that the contracts and activations recorded in its systems originate from agreements made in full compliance with the provisions on the protection of personal data, in particular those cited in Articles 5, 6, and 7 of the GDPR. The correct implementation of such measures involves not only keeping a register of contacts with the person in charge, but also providing a contractual penalty for those processors who do not comply with instructions. The application of these provisions, as the DPA reiterated, also extends to cases where the clients are legal persons, pursuant to Art. 130 paragraphs 3 and 3-bis of the Italian Data Protection Code.
The above-mentioned decisions – while differing from pre-GDPR decisions in the amount of the sanctions imposed (which are significantly higher than in the past) – do not mark any big change in terms of industry focus, as telecommunication operators, utilities suppliers, and telemarketing have historically been the main areas in which the Italian DPA has been active. It will be interesting to see whether these will remain the focus of the DPA in the near future, or whether the DPA will shift its enforcement focus to other industries.
[1] Order no. 143 of July 9, 2020, available in Italian at https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/9435753.
[2] Order no. 144 of July 9, 2020, available in Italian at https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/9435774.
[3] Order no. 138 of July 9, 2020, available in Italian at https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/9435807.
[4] Order no. 231 of December 11, 2019, available in Italian at https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/9244358.
[5] Order no. 7 of January 15, 2020, available in Italian at https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/9256486.