By Rocco Panetta
The Italian Data Protection Authority, the Garante, has ordered Facebook to provide a number of clarifications by July 20 on personal data processing in considerations of a recent bug and events affecting security of processing which have caused an unauthorized dissemination of third parties’ personal data. It seems that circa six million contacts in users’ address books have been not properly transmitted.
Facebook has already assured that the unwanted data processing has occurred due to a mere technical bug. Notwithstanding company’s representation, the Garante has required the following elements and confirmation:
- An estimate of number of Italian users involved, irrespective to their quality as Facebook direct users/members or not;
- Timeframe and duration of the event;
- Remedies and measures adopted to solve the issue and to prevent new similar events;
- If and how users have been notified about the event;
- If the bug and the event has affected nonusers of Facebook and if such nonusers have been properly informed that some of their personal data can be processed by Facebook if retained in the address book of a third party;
- If rights provided for by Article 10 of the Italian Data Protection Code are guaranteed.
This is an important and revolutionary request of information coming from the Garante, as the authority seems to require detailed information aimed at ascertaining role, function and liability of Facebook in the Internet data processing for social networking purposes. In addition, the Garante seems to extend indirectly security data breach notification obligations—which in Italy are at the moment prescribed to telecom operators only—also to social network players.
This request may become a milestone in the relationship between the Italian DPA and the world of social networks. We are very much looking forward to reading outcomes of the Garante proceeding.
Rocco Panetta is an Italian lawyer and partner of Panetta & Associati Studio Legale in Rome. He is the former head of legal at the Italian Data Protection Authority and a member of the IAPP Europe Advisory Board.