
Italy's Postal Service Turned Banking Apps Into Spyware and Got Fined $15M for It

By Tech Writer and Security Investigator Dominykas Zukas
Last updated: 21 April, 2026

Key Takeaways

  • Italy's Garante fined Poste Italiane €6.6 million and its payments subsidiary Postepay €5.9 million for illegally processing millions of users' personal data.
  • The BancoPosta and Postepay apps made invasive device monitoring mandatory as a condition of service, scanning all installed and running apps on users' phones.
  • The regulator found the monitoring was disproportionate to its stated fraud-prevention purpose, with user data retained in backend systems for up to 28 months.
  • The investigation also found no adequate Data Protection Impact Assessment, insufficient security measures, and unclear privacy notices.
  • Poste Italiane plans to appeal, citing a February 2026 TAR Lazio ruling that annulled a prior Antitrust fine over a similar anti-fraud tool.

Fraud Prevention Was the Cover Story

Italy's data protection authority, the Garante privacy, fined Poste Italiane €6.6 million and its digital payments arm Postepay €5.9 million on April 20, 2026, capping an investigation that had been running since April 2024 after a wave of user complaints about the BancoPosta and Postepay apps. The charge: illegally processing the personal data of millions of users by making invasive device monitoring a non-negotiable condition of access.

The companies claimed the monitoring was necessary to detect malware, protect transactions, and comply with payment services regulations, even pointing to guidance from Banca d'Italia recognizing the legitimacy of anti-fraud device checks. What the Garante actually found is that the monitoring went considerably further than any of that required.

The apps collected an MD5 hash of the identifier of every installed and running application on a user's device. The regulator noted that hashing does not anonymize such data: the hashes could still be linked to identifiable individuals and reveal sensitive behavioral patterns across health, financial habits, and personal interests. That gap between "we needed this for fraud prevention" and "we were scanning the entire contents of your phone" is exactly the kind of gap that makes a regulator's job easy.
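To make the regulator's point concrete, here is an added example (not code from the article, from Poste Italiane or from the apps themselves) showing why an unsalted MD5 of an app identifier is not anonymization. Package identifiers are drawn from a public catalogue, so anyone holding the "hashed" report can precompute the hash of every known package and look each report entry up. The package names and categories below are constructed placeholders, and the keyed-hash variant at the end is a contrast added for illustration, not something the page says the apps used.

```python
import hashlib
import hmac
import os

# Constructed catalogue (hypothetical package ids, not real apps), standing in for
# the public app-store listing that serves as the dictionary for a lookup attack.
KNOWN_PACKAGES = {
    "com.example.bank": "finance",
    "com.example.crypto.wallet": "finance",
    "com.example.health.tracker": "health",
    "com.example.pregnancy": "health",
    "com.example.dating": "personal",
    "com.example.weather": "neutral",
}


def md5_hex(text: str) -> str:
    """Unsalted MD5 of a package id: the pseudonymisation the article describes."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def build_lookup(catalogue) -> dict:
    """Precompute hash -> package id for the whole catalogue (a one-off cost)."""
    return {md5_hex(pkg): pkg for pkg in catalogue}


def reidentify(hashed_report, lookup) -> list:
    """Map each reported hash back to a package id, or '<unknown>' if not catalogued."""
    return [lookup.get(h, "<unknown>") for h in hashed_report]


def sensitive_categories(hashed_report, lookup, catalogue) -> set:
    """What a holder of the 'hashed' report can infer about the person behind it."""
    cats = {catalogue[p] for p in reidentify(hashed_report, lookup) if p in catalogue}
    return cats - {"neutral"}


def keyed_hash(text: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key: a catalogue dictionary is useless without the key."""
    return hmac.new(key, text.encode("utf-8"), hashlib.sha256).hexdigest()


def demo():
    lookup = build_lookup(KNOWN_PACKAGES)
    # Constructed report, shaped like what the article describes the apps uploading:
    # only the MD5 of each installed package, no names.
    installed = ("com.example.health.tracker", "com.example.dating", "com.example.weather")
    report = [md5_hex(p) for p in installed]
    recovered = reidentify(report, lookup)
    inferred = sensitive_categories(report, lookup, KNOWN_PACKAGES)
    # Same report under a keyed hash: the dictionary no longer matches anything.
    key = os.urandom(32)
    keyed_report = [keyed_hash(p, key) for p in installed]
    keyed_recovered = reidentify(keyed_report, lookup)
    return recovered, inferred, keyed_recovered


if __name__ == "__main__":
    names, categories, keyed = demo()
    print("recovered from MD5 report:", names)
    print("sensitive categories inferred:", categories)
    print("recovered from keyed report:", keyed)
```

The keyed variant only moves the problem: whoever holds the key (the data controller) can still link every entry, so under GDPR it is pseudonymization rather than anonymization, and the proportionality question the Garante raised about collecting the full app list in the first place is unchanged.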

It's also a reminder that device-level surveillance doesn't require sophisticated spyware to do real damage. Italy has already seen what targeted phone hacking looks like when it's aimed at journalists and dissidents. What Poste Italiane built is a blunter instrument, but the underlying capability, a live map of everything running on millions of users' devices retained for years, isn't categorically different in what it enables.

Five Violations for the Price of One Fine

The Garante didn't limit its findings to the disproportionate monitoring. The investigation uncovered a cascade of additional GDPR failures that together paint a picture of companies that weren't just aggressive in their data collection but careless with it once they had it.

No Data Protection Impact Assessment was conducted before the system was deployed. User privacy notices were inadequate, meaning people couldn't meaningfully understand what was being collected or why. Data security measures were insufficient. And perhaps most striking: backend analytics systems retained transaction and device data for up to 28 months, significantly longer than anything disclosed to users.

There were also irregularities in how third-party data processors were designated and managed. Alongside the financial penalties, the Garante ordered both companies to cease the contested processing where still ongoing and to bring their data retention practices into compliance, with a requirement to report back to the authority once done.

Timeline of Italy's Poste and Postepay privacy case

Poste Italiane Plans to Fight It, Which Is Not Actually a Defense

Poste Italiane wasted no time announcing it would appeal, calling the ruling "surprising" and claiming it was procedurally flawed on the grounds that the fine was issued past the legal deadline. The company also invoked a February 2026 TAR Lazio ruling that annulled a prior Antitrust sanction related to the same anti-fraud tool, where the court found no commercial intent.

The problem with leaning on that ruling is that it addressed a different legal question in a different regulatory context. Competition law and GDPR are not the same framework, and "no commercial intent" is not a defense against disproportionate data collection, inadequate disclosure, or a missing impact assessment. The appeal doesn't actually contest that the monitoring happened, that users weren't properly informed, or that data was held for 28 months beyond what was disclosed. It contests the procedure.

I find it telling that Poste Italiane's argument is essentially that the timing of being held accountable is the problem, not the conduct itself. There's a meaningful difference between a company pushing back against a genuinely overreaching enforcement system, the way Cloudflare challenged Italy's piracy blocking on legitimate grounds, and a company that got caught collecting 28 months of undisclosed behavioral data and is now arguing that the fine arrived too late. One of those appeals is principled, and the other is just hoping the clock saves them.

What Poste Italiane will need to argue on appeal is that demanding access to every app on a user's device as a mandatory condition of banking access was strictly necessary and proportionate. That is a difficult case to make, and they know it.


Dominykas Zukas
Tech Writer and Security Investigator

Dominykas is a technical writer with a mission to bring you information that will help you in keeping your digital privacy and security protected at all times. If there's knowledge that can help keep you safe online, Dominykas will be there to cover it.

© Copyright 2026 UAB "MN Intelligence"