Italy’s first GDPR fine has been issued by the Garante, the Italian Data Protection Authority. Action was taken due to the failure to implement privacy security measures in the aftermath of a data breach on the “Rousseau” platform. The platform operates the websites of the Movimento 5 Stelle (Five Star Movement) political party.
A number of websites that are affiliated to Movimento 5 Stelle are run, via a data processor, through the Rousseau platform. Following a previous data breach during the summer of 2017, the Garante demanded that numerous security measures be implemented. This was in addition to the obligation to bring the privacy information notice up to date so as to provide additional transparency to the data processing that was being carried out.
In its report, the Garante noted its concerns regarding the Rousseau platform’s performance in implementing the following GDPR compliance measures:
A vulnerability assessment was periodically performed on the platform; however, there were issues concerning the use of software that was no longer being updated by its supplier, which made the implementation of patches both complicated and time-consuming.
A lack of an adequate mechanism for enforcing strong passwords at account creation, so as to reduce the risk of brute-force attacks.
A need for secure protocols and digital certificates to safeguard data in transit and to minimise the risk of users being drawn to bogus sites.
Solutions aimed at improving the security of password storage were needed, because the cryptographic algorithms in use were weak.
A requirement for auditing measures that would make it mandatory to retain records of accesses to, and logs of, the Rousseau system’s database in order to ensure the integrity of the data.
The most relevant matter in the dispute appears to have been the failure to adopt adequate measures governing the storage of log files concerning the activities performed by the platform’s IT support personnel. Some tracking of those activities was possible, but it was incomplete and inadequate, and there was no system in place for recording the operations carried out.
Moreover, the Garante objected to the fact that system administrators had been using shared accounts with significant privileges to operate the platform. This allowed the administrators to access special categories of personal data, such as data revealing political opinions.
Finally, the Garante also ruled that the security measures designed to anonymize the activities performed through the e-voting system were inadequate.
Based on these findings, the Garante held that there had been a breach of article 32 of the GDPR on the Rousseau platform and it issued a €50,000 fine.
Interestingly, the fine was not issued against Movimento 5 Stelle, the data controller of the platform, but rather against the Rousseau association, which is the data processor. In a break with precedent, the data protection authority did not find the data controller liable for the actions performed by the data processor; the decision recognized that the data processor could be solely liable.
It is important to mention that the proceedings began before the GDPR came into force in May 2018. Nonetheless, the Italian data protection authority issued the fine under the GDPR because the Rousseau platform had failed to adopt the security measures required by an order issued after 25 May 2018. Consequently, similar pending proceedings might also result in fines under the European Union’s General Data Protection Regulation.