
Apr 21, 2026 · 5 min read

Italy's National Postal Service Scanned Every App on Your Phone—The Regulator Just Fined Them €12.5 Million

Poste Italiane and its payments subsidiary Postepay forced millions of mobile banking users to grant access to their installed apps, device activity, and behavioral patterns. Italy's data protection authority ruled the surveillance was disproportionate and illegal under GDPR.

[Illustration: a person holding a smartphone with a banking app on screen, with a magnifying glass revealing hidden data collection code beneath the interface]

What Happened

Italy's Garante per la protezione dei dati personali, the national data protection authority, fined Poste Italiane SpA €6.6 million and its digital payments subsidiary Postepay SpA €5.9 million, for a combined penalty of €12.5 million ($14.7 million). The fine is one of the largest GDPR enforcement actions in Italy to date.

The violation centered on the BancoPosta and Postepay mobile apps for Android, which are used by millions of Italians for banking, bill payments, and digital transactions. Both apps required users to authorize monitoring of their mobile devices, including installed and running applications, as a condition of using the service.

Users who refused to grant this access were locked out of their accounts after three refusals at login. In other words: let us scan your phone, or lose access to your money.

What the Apps Were Actually Collecting

The apps used ThreatMetrix, a third-party anti-fraud platform owned by LexisNexis Risk Solutions, to generate device risk profiles. The system collected:

  • MD5 hashes of installed and running applications. The companies argued that they collected hashed identifiers rather than plaintext app names, but hashing an enumerable input offers no real protection: the set of Android package names is public and finite, so anyone holding a table of precomputed hashes for known apps can match each hash straight back to the app it identifies. The Garante accordingly treated the hashes as equivalent to the app names themselves.
  • App activity and behavior patterns. The system tracked how users interacted with their devices, building behavioral profiles that the regulator found went well beyond what fraud detection requires.
  • Device integrity indicators. Information about whether the device was rooted (jailbroken, in iOS terms) or running modified system software.
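
To make the first point concrete, here is an added example (not code from the original article, from Poste Italiane, or from ThreatMetrix) showing why MD5-hashing package names is not anonymisation. The "collector" transmits only hashes; the "receiver" precomputes MD5 over a catalogue of known package names and recovers the app list. The package names are real Android package identifiers, the catalogue and the device inventory are constructed for the example, and `com.example.unlisted` is a made-up package that shows what happens when an app is not in the table.

```python
import hashlib

# Constructed catalogue of real Android package names, standing in for the public
# list an attacker or vendor would scrape from app stores. Anyone can build it.
KNOWN_PACKAGES = {
    "com.whatsapp": "WhatsApp",
    "org.thoughtcrime.securesms": "Signal",
    "org.telegram.messenger": "Telegram",
    "com.instagram.android": "Instagram",
    "org.torproject.torbrowser": "Tor Browser",
    "com.coinbase.android": "Coinbase",
    "com.tinder": "Tinder",
    "com.grindrapp.android": "Grindr",
    "com.myfitnesspal.android": "MyFitnessPal",
    "com.android.chrome": "Chrome",
}


def md5_hex(package_name: str) -> str:
    """MD5 of a package name: the 'pseudonymised' identifier a collector would send."""
    return hashlib.md5(package_name.encode("utf-8")).hexdigest()


def hashed_inventory(installed) -> list:
    """Device side: what leaves the phone. Hashes only, no plaintext names."""
    return [md5_hex(p) for p in installed]


def build_lookup_table(packages) -> dict:
    """Receiver side: precompute hash -> package for every known app.

    The input space (package names) is small and public, so this one-time
    table defeats the hashing for every device that ever reports in.
    """
    return {md5_hex(p): p for p in packages}


def recover_apps(observed_hashes, table) -> dict:
    """Map each observed hash back to a package; unknown hashes map to None."""
    return {h: table.get(h) for h in observed_hashes}


if __name__ == "__main__":
    # Constructed device inventory; the collector only ever sees its hashes.
    installed = [
        "com.android.chrome",
        "org.thoughtcrime.securesms",
        "org.torproject.torbrowser",
        "com.grindrapp.android",
        "com.example.unlisted",  # hypothetical package not in the catalogue
    ]
    sent = hashed_inventory(installed)
    table = build_lookup_table(KNOWN_PACKAGES)
    for digest, pkg in recover_apps(sent, table).items():
        label = f"{pkg} ({KNOWN_PACKAGES[pkg]})" if pkg else "not in catalogue"
        print(digest, "->", label)
```

Run as-is, the receiver learns that the device has a secure messenger, Tor Browser and a dating app for gay men installed, which is exactly the kind of inference about private life the Garante objected to. Salting the hash per vendor changes nothing, because the party that holds the salt is the one doing the matching.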

The Garante found that this data could be linked to identifiable individuals and used to infer sensitive information about their finances, health conditions, political views, and personal interests, all based on which apps they had installed.

Why Knowing Your Installed Apps Is So Revealing

A list of installed applications is one of the most intimate data points a company can collect. Consider what a complete app inventory reveals about a person:

  • Health: Mental health apps, fertility trackers, diabetes managers, HIV prevention tools.
  • Finances: Trading platforms, debt management apps, cryptocurrency wallets, competitor banking apps.
  • Politics: News apps, political party apps, protest organization tools.
  • Personal life: Dating apps, messaging apps, VPN services, religious apps.

When a banking app scans your phone and sees a competitor's app installed, that is market intelligence. When it sees a VPN, that suggests privacy awareness. When it sees a health app, that is medical information collected without medical privacy protections. Little of this bears on detecting malware or preventing fraud: checking a device for known malicious packages does not require cataloguing every app on it.

The GDPR Violations

The Garante identified multiple violations of the General Data Protection Regulation:

  • Disproportionate data collection. The anti fraud scanning was ruled "excessively intrusive and not strictly necessary" for its stated purpose. GDPR requires data minimization: collect only what you need for a specific, legitimate purpose.
  • Inadequate privacy notices. Users were not given sufficiently clear information about what data was being collected, how it was processed, or who had access to it.
  • Missing Data Protection Impact Assessment. Before deploying a system that monitors millions of users' devices, GDPR requires a formal data protection impact assessment (DPIA) of the privacy risks. Poste Italiane and Postepay failed to conduct an adequate one.
  • Excessive data retention. Backend systems retained collected data for up to 28 months in external analytics environments, substantially longer than what was initially disclosed to users.
  • Coerced consent. Locking users out of their accounts after three refusals is not meaningful consent under GDPR. Consent must be freely given, and tying it to access to essential financial services violates that principle.

The "Security" Defense That Regulators Are Rejecting

Poste Italiane and Postepay argued that the EU's Payment Services Directive (PSD2) required them to implement strong customer authentication and fraud prevention measures. They claimed that scanning device apps was necessary to detect malware that could intercept banking transactions.

The Garante rejected this defense. While PSD2 does require fraud prevention, it does not authorize blanket device surveillance. The regulator stressed that security measures must still comply with GDPR's principles of data minimization, transparency, and proportionality. There are less intrusive ways to detect fraud, such as monitoring transaction patterns, that do not require cataloging every app on a user's phone.

This ruling is significant because the "we need it for security" argument is the same justification used by companies across industries to collect far more data than they need. From email tracking pixels that monitor when and where you open messages to apps that demand access to your contacts, camera, and location, the pattern is the same: collect everything, justify it later.

What This Means for Users Everywhere

The Poste Italiane case is not unique. Banking apps worldwide use similar device fingerprinting and app scanning technologies. ThreatMetrix, the platform used by Poste Italiane, is deployed by hundreds of financial institutions globally.

The difference is enforcement. Italy's regulator chose to investigate and fine. Most regulators have not. If your banking app asks for permissions that seem unrelated to banking, the same kind of data collection may be happening on your device right now.

The practical takeaway: review the permissions your banking and payment apps hold. On Android, Settings > Apps > [App Name] > Permissions shows the runtime permissions (contacts, camera, location and so on); revoke any that do not relate to the app's core function. That screen does not cover app inventory, though. On Android 10 and earlier, any app can list installed packages without asking for anything, and from Android 11 onward the QUERY_ALL_PACKAGES permission that restores that ability is granted silently at install time and never appears in the per-app permission list, so it cannot be revoked from Settings. The only way to know whether an app declares it is to inspect the APK's manifest. If an app refuses to work without invasive access, that itself is a red flag worth reporting to your national data protection authority.
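
One way to do that manifest check, as an added example that is not part of the original article: feed the output of `aapt dump permissions app.apk` (from the Android build tools) into a small parser that separates permissions the Settings screen lets you revoke from those it does not show at all. The dump below is constructed for the example and uses a made-up package name; the permission names and their grant mechanisms are real.

```python
import re

# Constructed sample in the format printed by `aapt dump permissions app.apk`.
# The package name is made up; the permission names are real Android permissions.
SAMPLE_DUMP = """\
package: com.example.bank
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.QUERY_ALL_PACKAGES'
uses-permission: name='android.permission.PACKAGE_USAGE_STATS'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
"""

QUERY_ALL = "android.permission.QUERY_ALL_PACKAGES"

# How each permission is granted, and what it exposes.
#   install        : granted silently when the app is installed; not shown or
#                    revocable in Settings > Apps > Permissions
#   special-access : granted via a separate Settings > Special app access toggle
#   runtime        : prompted at use and revocable in the per-app Permissions screen
PERMISSION_INFO = {
    QUERY_ALL: ("install", "enumerate every installed package"),
    "android.permission.INTERNET": ("install", "network access"),
    "android.permission.PACKAGE_USAGE_STATS": ("special-access", "per-app usage history (Usage access)"),
    "android.permission.READ_CONTACTS": ("runtime", "address book"),
    "android.permission.CAMERA": ("runtime", "camera"),
    "android.permission.ACCESS_FINE_LOCATION": ("runtime", "precise location"),
}


def parse_permissions(dump: str) -> list:
    """Extract the permission names from `aapt dump permissions` output, in order."""
    perms = []
    for line in dump.splitlines():
        line = line.strip()
        if not line.startswith("uses-permission:"):
            continue
        match = re.search(r"name='([^']+)'", line)
        if match:
            perms.append(match.group(1))
    return perms


def classify(perms) -> dict:
    """Group permissions by how they are granted; unrecognised ones go to 'unknown'."""
    buckets = {"install": [], "special-access": [], "runtime": [], "unknown": []}
    for perm in perms:
        kind = PERMISSION_INFO.get(perm, ("unknown", ""))[0]
        buckets[kind].append(perm)
    return buckets


def can_inventory_apps(perms) -> bool:
    """True if the app can list all installed packages on Android 11+."""
    return QUERY_ALL in perms


if __name__ == "__main__":
    perms = parse_permissions(SAMPLE_DUMP)
    groups = classify(perms)
    print("Revocable in Settings > Apps > Permissions:", groups["runtime"])
    print("Granted via Special app access:", groups["special-access"])
    print("Granted silently at install (not revocable):", groups["install"])
    if can_inventory_apps(perms):
        print("This app can enumerate every installed package.")
```

Everything in the "install" bucket is invisible to the advice of revoking permissions in Settings; if QUERY_ALL_PACKAGES is there, the app can build the same inventory discussed above, and the only remedies are not installing it or complaining to the regulator.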
