Whether this is the beginning of a real era of strict controls on the application of privacy regulations, we can’t tell you. But almost two months before the fateful 25 May 2018 (the day on which companies managing the personal data of their customers will have to prove they are in line with the GDPR), the sanction issued by the Privacy Guarantor against the Rousseau association makes us think that perhaps something is moving… Our suppositions are still suppositions because, like many other operators in the ICT sector, we have been struggling with the new legislation for months, trying to understand it and provide effective services that comply with the regulation itself.
Returning to the case, it is the 5 Star Movement, through the aforementioned Rousseau association, which is responsible for the data processing of the party’s website, that has come under the spotlight of the Italian Data Protection Authority. The fine, amounting to 32 thousand euros, is the result of an investigation opened last August, when the M5s blog suffered some hacker attacks. The association reported the incident to the postal police, and the Guarantor took the opportunity to order investigations into the processing of data of people accessing the blog. On 21 December last year, the first measure was issued, reporting the failure to designate the companies Wind Tre Spa and Itnet Srl as responsible for the processing of personal data of users of various sites related to the M5s. This failure itself constituted unlawful processing, because data was communicated to third parties without the consent of those concerned. This alleged violation gave rise to a debate on the web about the responsibility of the parties involved: those who manage the housing services – Aruba or Wind in this case – do not access the personal data of the individual platforms they host.
Currently, the lawyers of the Rousseau association are considering whether to challenge the measure and appeal on the grounds of a lack of clarity resulting from the various privacy regulations: when subscribing to a blog, it is almost never indicated who manages the housing services.