Italy's Garante fined Poste Italiane €12.5M for mandatory device surveillance in banking apps. What the ruling means for KYC operators.
Italy’s Garante per la protezione dei dati personali, the national GDPR authority, fined Poste Italiane and its subsidiary Postepay a combined €12.5 million on April 17, 2026, for embedding LexisNexis ThreatMetrix in banking apps and requiring users to authorize device surveillance to keep account access (Decision 237/2026, Doc-Web 10241537). The PSD2 fraud-prevention defense failed the GDPR necessity test. Every platform collecting device-level behavioral data under a security justification now has a documented precedent to benchmark against.
Poste Italiane’s banking apps sent a pop-up. Users had to tap “authorize.” If they didn’t, the apps locked down after three refusals. The Garante found that 303,880 users had their accounts restricted for refusing to authorize device surveillance. That’s coercive consent under GDPR Article 7(4), full stop.

Poste Italiane Made Refusing the Surveillance Prompt a Service Disruption
The BancoPosta and PostePay Android apps ran LexisNexis ThreatMetrix on every session. The SDK scanned all installed applications, all running applications, MD5 hashes per app, device fingerprints, OS version, hardware and advertising IDs, VPN indicators, IP addresses, mobile network identifiers, and geolocation data. That’s not a device integrity check. It’s a behavioral profile built on every app you’ve ever installed.
The Garante’s decision states that an installed-app inventory can infer health conditions, religious beliefs, political orientation, and financial status. Think about what that means in practice. A user with mental health apps, prayer apps, or political party apps on their phone is disclosing all of that every time they open a banking app. They don’t know it’s happening, they can’t opt out, and the only alternative is losing account access.
Between both apps, ThreatMetrix ran across 14.5 million Android installations: 5,969,456 for BancoPosta, 8,596,350 for PostePay. Poste retained that data for 28 months. They’d declared a 24-month maximum. The four-month overage was justified internally as “analytics.” The Garante rejected that justification.

Nine GDPR Violations, One Root Cause: the Data Collection Wasn’t Strictly Necessary
Poste’s defense was PSD2. Payment Services Directive 2 requires secure transaction monitoring, so the company argued ThreatMetrix was mandatory. The Garante didn’t buy it. ThreatMetrix was a discretionary implementation choice. Less invasive fraud-prevention alternatives existed. And after seven months of operation, the system showed no greater fraud detection efficiency than those alternatives. The PSD2 argument failed on the facts, not just the law.
The decision found violations across eight GDPR articles: Article 5 (data minimisation, transparency, storage limitation), Article 6 (no valid lawful basis), Article 13 (users not told what was collected), Article 25 (no privacy by design), Articles 26 and 28 (controller and processor irregularities), Article 32 (single-factor authentication on sensitive systems), and Article 35 (no DPIA despite high-risk processing). Article 122 of Italy’s Privacy Code added a ninth violation for the device access itself.
Poste’s appeal cites a February 2026 TAR Lazio ruling that annulled an AGCM (competition authority) fine over the same system. Don’t conflate the two. The TAR Lazio annulled the AGCM fine on procedural grounds: the competition authority had exceeded its statutory investigation deadline. That’s not a ruling on whether ThreatMetrix was lawful. The AGCM enforces competition law. The Garante enforces GDPR. Different frameworks, different proceedings, different outcomes.
Clearview, Worldcoin, and Uber Were Fined for the Same Architecture
The Dutch DPA fined Clearview AI €30.5 million in 2024 for building a 30-billion-face biometric database without consent. Spain’s AEPD banned Worldcoin for collecting iris scans without adequate safeguards; Germany’s BayLDA found in 2024 that Worldcoin stored biometric iris codes in plaintext, a direct Article 32 violation. The Dutch DPA fined Uber €290 million for transferring driver identity data to US servers without adequate safeguards. Italy’s Garante had already fined Clearview €20 million in 2022 and OpenAI €15 million in December 2024.
According to the EDPB’s 2025 Annual Report, EU authorities issued €1,145,760,374 in fines that year. The pattern across every case is the same: a centralized repository of behavioral or identity data, retained beyond necessity, with inadequate controls on scope and deletion. The architecture is the liability, not the configuration.
The Fine Ceiling Was €500 Million. The Garante Issued €12.5 Million.
GDPR Article 83(5) allows fines up to €20 million or 4% of global annual turnover. Poste Italiane’s annual revenue exceeds €12.5 billion. Its maximum GDPR exposure was over €500 million. The €12.5 million reflects the facts of this case, not the ceiling. Italian operators also face Article 122 of Italy’s Privacy Code separately from GDPR: device-level data access triggers both the e-Privacy regime and GDPR, and PSD2 compliance doesn’t satisfy either.
The downstream controller liability question matters most for compliance officers who use third-party SDKs. Under GDPR Article 28, you’re responsible for what your processor collects. If your Data Processing Agreement doesn’t specify retention periods, sub-processor arrangements, and deletion procedures, you’re already non-compliant, whether or not your vendor has been investigated. The consequences of KYC compliance failures include full controller-level GDPR liability for your vendor’s processing choices.
Three Questions to Answer Before Your Next SDK Review Becomes a Regulator’s Exhibit
Does each data point pass the necessity test individually? The Garante confirmed that fraud prevention doesn’t override GDPR Article 5(1)(c) data minimisation. ThreatMetrix failed because less invasive alternatives existed. For every data point your fraud stack collects, ask: what’s the minimum data needed to produce this fraud signal? If a device integrity score achieves the same result as a full installed-app inventory, the inventory fails the test. That’s true even with a legitimate fraud-prevention objective in place.
Is your consent architecture coercive? If users can’t access your service without authorizing data collection, you have an Article 7(4) problem. “We need this for fraud prevention” doesn’t protect you. The Garante’s finding applies to a €12.5 billion company with PSD2 statutory obligations. The framing that service access is conditional on surveillance consent doesn’t create a carve-out. It creates the violation. Review Zyphe’s analysis of GDPR enforcement trends in 2026 for how regulators are applying this standard.
Have you run a DPIA for this processing, and is it current? Processing that uses new technology, involves large-scale profiling, or can infer sensitive characteristics from behavioral data requires a Data Protection Impact Assessment under GDPR Article 35 before it starts. The Garante cited the absent DPIA as a separate violation in Decision 237/2026, not a secondary finding. If your DPIA predates your current SDK configuration, it doesn’t cover your current risk. That gap is an independent enforcement surface, and the identity breach epidemic of 2026 documents what happens when it compounds with retention failures.
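The three review questions above, applied as a check over a constructed SDK data manifest. This is an added example, not code from the article or from Zyphe; the field names, the alternative sources, the retention figures and the dates are assumptions modelled on the data points and the 24-versus-28-month retention the decision describes.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

@dataclass
class DataPoint:
    name: str
    fraud_signal: str            # the fraud signal this field is meant to feed
    sensitive_inference: bool    # can reveal health, religion, politics, finances
    less_invasive_alt: str = ""  # lighter source yielding the same signal, if any

@dataclass
class SdkReview:
    data_points: List[DataPoint]
    declared_retention_months: int
    actual_retention_months: int
    access_gated_on_consent: bool  # does refusing the prompt lock the user out?
    dpia_date: Optional[date]      # None when no DPIA exists
    sdk_config_date: date          # when the current SDK configuration went live

def review_sdk(r: SdkReview) -> List[Tuple[str, str]]:
    """Run the three review questions; returns (finding_code, detail) pairs."""
    findings = []
    for dp in r.data_points:
        # Q1: per-field necessity, judged against a lighter source that gives the same signal
        if dp.less_invasive_alt:
            findings.append(("ART5_MINIMISATION", f"{dp.name}: '{dp.less_invasive_alt}' already yields '{dp.fraud_signal}'"))
    if r.actual_retention_months > r.declared_retention_months:
        findings.append(("ART5_STORAGE", f"kept {r.actual_retention_months} months, declared {r.declared_retention_months}"))
    if r.access_gated_on_consent:  # Q2: consent gating service access is not freely given (Art. 7(4))
        findings.append(("ART7_COERCION", "account access conditional on authorising collection"))
    # Q3: a DPIA must exist for high-risk processing and postdate the configuration it covers
    high_risk = any(dp.sensitive_inference for dp in r.data_points)
    if r.dpia_date is None and high_risk:
        findings.append(("ART35_DPIA_MISSING", "sensitive inferences possible, no DPIA on file"))
    elif r.dpia_date is not None and r.dpia_date < r.sdk_config_date:
        findings.append(("ART35_DPIA_STALE", f"DPIA {r.dpia_date} predates config {r.sdk_config_date}"))
    return findings

def poste_like_review() -> SdkReview:
    """Constructed manifest modelled on the data points the decision lists; dates are assumed."""
    return SdkReview(
        data_points=[
            DataPoint("installed_app_inventory", "device_integrity", True, "device integrity score"),
            DataPoint("os_version", "device_integrity", False),
            DataPoint("geolocation", "session_risk", False, "coarse IP-derived region"),
        ],
        declared_retention_months=24, actual_retention_months=28,
        access_gated_on_consent=True, dpia_date=None, sdk_config_date=date(2025, 1, 1),
    )
```

Run `review_sdk(poste_like_review())` to see every one of the three questions fail on the constructed manifest; a manifest with only the `os_version` field, matching retention, no consent gating and a DPIA dated after the configuration returns no findings.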
Frequently Asked Questions
Why did Italy’s Garante fine Poste Italiane?
Italy’s Garante fined Poste Italiane €6.6 million and Postepay €5.9 million on April 17, 2026, for embedding LexisNexis ThreatMetrix in banking apps and requiring users to authorize device surveillance as a condition of account access. The apps scanned all installed applications, running processes, device fingerprints, and location data on every session. The Garante found nine violations across GDPR and Italy’s Privacy Code, and explicitly rejected Poste’s PSD2 fraud-prevention defense because less invasive alternatives existed and the system showed no measurable fraud detection improvement.
Does fraud prevention justify collecting device data under GDPR?
No, not automatically. Decision 237/2026 confirmed that a legitimate fraud-prevention objective doesn’t override GDPR Article 5(1)(c)'s data minimisation requirement. Each data point must be strictly necessary for the stated purpose. Not generally useful. Not defensively convenient. Strictly necessary. Poste’s defense failed because ThreatMetrix showed no greater fraud detection efficiency than less invasive alternatives after seven months of operation. The necessity test applies to each individual data type, not to the fraud-prevention category as a whole.
What happens to companies using ThreatMetrix or similar device-intelligence SDKs?
If your app uses ThreatMetrix or any equivalent SDK, you’re the data controller under GDPR. GDPR Article 28 requires a Data Processing Agreement specifying what the SDK collects, retains, sub-processes, and deletes. Your DPIA must cover the SDK’s scope and your privacy notice must accurately describe its collection. The Poste decision establishes that “our vendor handles compliance” isn’t a defense. If the SDK collects more than is strictly necessary for your stated purpose, the liability lands with you.
What Remains Unclear
As of April 27, 2026, three facts remain unconfirmed. First, whether ThreatMetrix data was accessed by malicious actors during the period of alleged unlawful retention: Poste hasn’t disclosed this and the Garante hasn’t confirmed it. Second, whether the Rome Court of First Instance will grant a stay of enforcement pending Poste’s appeal. Third, whether the Garante’s separately ongoing inspection of SPID identity managers (Poste Italiane manages 41.5 million active SPID identities) will produce a related enforcement action. Operators managing digital identity at scale in Italy should monitor all three.
If you’re building identity or fraud-prevention infrastructure that depends on retaining device behavioral data, Zyphe’s verify-then-shred architecture is designed to eliminate this category of liability from the design layer. Book a demo.