Your Phone Data and Poste Italiane: What Italy's €12.5M Privacy Battle Means for Banking Users

Tech, Economy
Published 1h ago

Poste Italiane and its subsidiary Postepay face a combined penalty of €12.5M from Italy's Data Protection Authority for what regulators describe as unlawful monitoring of millions of customers' smartphones. The state-controlled postal and banking giant has vowed to challenge the sanction through legal appeal, citing procedural defects and noting a recent court victory that validated its anti-fraud technology.

Why This Matters

App users affected: Millions of BancoPosta and Postepay customers on Android devices were required to grant intrusive permissions or lose access to mobile banking services.

Privacy vs. security debate: The case tests where Italy draws the line between legitimate fraud prevention and excessive data collection.

Financial impact: The €6.6M fine for Poste Italiane and €5.9M penalty for Postepay add to a growing list of regulatory sanctions totaling over €20M between 2025 and early 2026.

Ongoing legal battle: Poste Italiane cites a February 2026 administrative court ruling that sided with the company on similar anti-fraud measures.

What the Privacy Watchdog Found

The investigation by the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali) began in April 2024 after a wave of complaints from users who felt coerced into surrendering device access. According to the regulator's findings, the BancoPosta and Postepay mobile applications demanded mandatory authorization to monitor a sweeping range of data stored on smartphones—including which apps were installed and running, how frequently they were used, mobile traffic patterns, device settings, and even the user's telecom operator.

The Authority concluded this surveillance constituted an "excessively invasive interference" in users' private lives, going far beyond what is strictly necessary for fraud prevention. The apps effectively blocked access for Android users who refused to grant these permissions, a tactic regulators deemed both aggressive and disproportionate. Only in February 2025 did Poste Italiane remove the forced consent mechanism, allowing the apps to function without granting full data access.

In addition to the invasive data collection, investigators found significant procedural shortcomings: inadequate disclosure to users about what data was being collected, the absence of a proper Data Protection Impact Assessment (DPIA), and insufficient policies governing how long the collected information would be retained. The combined penalties—€6,624,000 for Poste Italiane and €5,877,000 for Postepay—reflect both the scale of the user base affected and the severity of the compliance failures.

Poste Italiane's Defense and Court Win

The postal and banking conglomerate has expressed "surprise" at the Privacy Authority's decision and announced it will pursue legal remedies, arguing that the penalty is flawed on both substantive and procedural grounds. Specifically, Poste Italiane contends there are timing issues related to when the ruling was issued that could form the basis of a challenge under Italian administrative law.

More significantly, the company points to a February 2, 2026 ruling by the Lazio Regional Administrative Court (TAR Lazio) that annulled a separate sanction from Italy's Competition Authority (Antitrust) related to the same anti-fraud device. In that earlier case, regulators had accused Poste Italiane of unfair commercial practices by forcing users to consent to data access. The TAR judges, however, ruled the anti-fraud system was fully legitimate and lacked any commercial intent, effectively validating the technical approach the company had taken.

Poste Italiane maintains that its data access practices comply with the European Union's Payment Services Directive 2 (PSD2), which mandates strong security measures for digital payments, and that the system has been recognized by the Bank of Italy. The company argues the device monitoring is solely intended to activate anti-fraud and anti-malware defenses, using a technology called ThreatMetrix (also known as Trust Defender) to create a digital fingerprint of each device. According to Poste, identifiers are anonymized and irreversibly encoded, meaning sensitive data is not accessed in plaintext.

Impact on Residents and App Users

For the millions of Italians who rely on BancoPosta and Postepay for everyday banking, bill payments, and government benefits, the case raises practical questions about the trade-off between security and privacy. While the forced consent mechanism was removed in February 2025, users may still be asked to grant optional permissions that enable enhanced fraud protection.

What changed: As of early 2025, Android users can now decline data access requests and still use core banking functions, though Poste Italiane warns that fraud detection capabilities may be reduced. iOS users were largely unaffected throughout, as Apple's operating system structure limits the type of surveillance that was possible on Android.

What to expect next: If Poste Italiane succeeds in its appeal, the fines could be reduced or overturned entirely, setting a precedent for how Italian regulators interpret "necessity" under the GDPR when it comes to fraud prevention. If the penalties stand, the case will likely prompt other Italian banks and fintech operators to review their own app permission structures to avoid similar sanctions.

For consumers, the broader lesson is one of awareness: even state-controlled institutions are not immune to privacy violations, and regulatory bodies are increasingly willing to impose substantial fines when data collection overreaches. Users should regularly audit app permissions on their devices and decline access to information that seems unrelated to the service being provided.

A Pattern of Regulatory Trouble

This latest sanction is far from an isolated incident for Poste Italiane. The company has faced multiple regulatory penalties in recent years related to data handling and consumer protection practices. A subsidiary, Poste Vita, the group's insurance arm, was hit with an €80,000 fine in September 2025 for a data breach in which a customer's sensitive policy information was improperly disclosed to an unauthorized third party and subsequently used in legal proceedings. The Privacy Authority found that Poste Vita employees had failed to verify email addresses before responding to data requests, highlighting organizational lapses in data security.

Cumulatively, Poste Italiane and its affiliates have faced more than €20M in regulatory sanctions between 2025 and early 2026, a figure that underscores mounting tension between the company's digital transformation strategy and compliance with European data protection standards.

How European Banks Balance Fraud and Privacy—And What Poste Italiane Missed

Across the European Union, financial institutions are navigating a similar tightrope between robust fraud prevention and strict privacy safeguards. The GDPR permits data processing for fraud prevention under the legal basis of "legitimate interest," but it requires that such processing be "strictly necessary" and proportionate. Crucially, companies must conduct a balancing test that weighs their security needs against users' fundamental rights.

The PSD2 directive complements the GDPR by mandating Strong Customer Authentication (SCA)—a two-factor verification process using at least two independent elements (something you know, something you have, something you are)—for most online transactions. This framework has significantly reduced technical fraud without requiring blanket access to device data.

Leading European banks typically rely on behavioral analytics and artificial intelligence to detect suspicious transactions in real time, analyzing patterns such as login location, transaction velocity, and device reputation. Importantly, they apply the principle of data minimization, collecting only the information directly relevant to flagging anomalies. For example, checking whether a device has known malware may be justified, but scanning the full list of installed apps generally is not—a distinction the Italian Privacy Authority clearly emphasized in its findings against Poste Italiane.
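To make the data-minimisation point above concrete, here is an added example (not code from Poste Italiane, ThreatMetrix, or any bank described in this article) of a transaction risk check that only accepts an allowlist of fields. Anything resembling the categories the regulator objected to (installed apps, usage frequency, telecom operator) is dropped before scoring, and the device identifier is pseudonymised with a keyed hash, in the spirit of the "irreversibly encoded" identifiers Poste describes. The field names, thresholds, key and sample events are all constructed for the example.

```python
"""Data-minimised anomaly scoring for banking transactions (added example)."""
import hashlib
import hmac
from collections import defaultdict, deque

# Fields the anomaly checks actually need. Everything else in an incoming
# event is discarded, so installed-app lists, usage statistics or operator
# names never reach storage or the scoring logic. (Constructed allowlist.)
ALLOWED_FIELDS = frozenset(
    {"user_id", "ts", "amount", "country", "device_id", "device_flagged"}
)

# Placeholder secret for pseudonymising device identifiers; a real deployment
# would keep this in an HSM or secrets manager. (Constructed value.)
PSEUDONYM_KEY = b"placeholder-key-rotate-me"


def pseudonymise(device_id: str) -> str:
    """Keyed, one-way encoding of a device identifier (HMAC-SHA256)."""
    return hmac.new(PSEUDONYM_KEY, device_id.encode(), hashlib.sha256).hexdigest()[:16]


def minimise(raw_event: dict) -> dict:
    """Keep only allowlisted fields and replace the raw device id with a pseudonym."""
    ev = {k: v for k, v in raw_event.items() if k in ALLOWED_FIELDS}
    if "device_id" in ev:
        ev["device_id"] = pseudonymise(ev["device_id"])
    return ev


class RiskScorer:
    """Flags velocity, location change and bad device reputation per user."""

    def __init__(self, velocity_window: int = 3600, velocity_limit: int = 3):
        self.window = velocity_window          # seconds
        self.limit = velocity_limit            # max events per window
        self.history = defaultdict(deque)      # user_id -> recent timestamps
        self.last_country = {}                 # user_id -> last seen country

    def score(self, raw_event: dict) -> dict:
        ev = minimise(raw_event)
        uid, ts = ev["user_id"], ev["ts"]
        reasons = []

        # Transaction velocity: count events inside the sliding window.
        recent = self.history[uid]
        while recent and ts - recent[0] > self.window:
            recent.popleft()
        recent.append(ts)
        if len(recent) > self.limit:
            reasons.append("velocity")

        # Login/transaction location: compare with the previous country only.
        prev = self.last_country.get(uid)
        country = ev.get("country")
        if prev is not None and country != prev:
            reasons.append("location_change")
        self.last_country[uid] = country

        # Device reputation: a single boolean, not a dump of the device.
        if ev.get("device_flagged"):
            reasons.append("device_reputation")

        risk = "high" if len(reasons) >= 2 else "medium" if reasons else "low"
        return {"risk": risk, "reasons": reasons, "fields_used": sorted(ev)}


# Constructed sample events; the first one carries the kind of extra data
# the minimiser is meant to strip.
SAMPLE_EVENTS = [
    {"user_id": "u1", "ts": 0, "amount": 20.0, "country": "IT", "device_id": "d1",
     "device_flagged": False, "installed_apps": ["bank", "game"],
     "telecom_operator": "ExampleTel"},
    {"user_id": "u1", "ts": 600, "amount": 35.0, "country": "IT", "device_id": "d1",
     "device_flagged": False},
    {"user_id": "u1", "ts": 900, "amount": 900.0, "country": "RO", "device_id": "d2",
     "device_flagged": True},
    {"user_id": "u2", "ts": 1000, "amount": 5.0, "country": "IT", "device_id": "d3",
     "device_flagged": False},
    {"user_id": "u2", "ts": 1010, "amount": 5.0, "country": "IT", "device_id": "d3",
     "device_flagged": False},
    {"user_id": "u2", "ts": 1020, "amount": 5.0, "country": "IT", "device_id": "d3",
     "device_flagged": False},
    {"user_id": "u2", "ts": 1030, "amount": 5.0, "country": "IT", "device_id": "d3",
     "device_flagged": False},
]


def run_sample() -> list:
    """Score the constructed events in order and return the results."""
    scorer = RiskScorer()
    return [scorer.score(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, result in zip(SAMPLE_EVENTS, run_sample()):
        print(event["user_id"], event["ts"], result)
```

The checks themselves are deliberately coarse; the point is the shape of the pipeline: an allowlist enforced before any scoring, a pseudonymised device identifier instead of a raw one, and decisions derived from a handful of signals rather than a full inventory of the phone. A DPIA for a system like this would document exactly that allowlist and the retention period for `history`.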

Italy's regulatory stance aligns with broader European enforcement trends. In July 2025, the Italian Privacy Authority fined a company €420,000 for using employees' private Facebook and WhatsApp messages in disciplinary proceedings, reinforcing the principle that even passively received communications enjoy privacy protections. Similarly, a marketing firm was penalized €300,000 in May 2023 for using "dark patterns"—manipulative design tactics—to trick users into consenting to data collection.

What Comes Next

Poste Italiane's appeal will be closely watched by Italy's banking and fintech sectors, as the outcome could clarify the permissible boundaries of mobile app surveillance in the name of security. The company has a credible legal argument: if the TAR Lazio already found the anti-fraud mechanism legitimate in a Competition Authority case, why should the Privacy Authority reach the opposite conclusion on substantially the same facts?

The Privacy Authority, for its part, will likely argue that the two cases involved different legal frameworks—consumer protection law versus data protection law—and that the GDPR's strict necessity test is more demanding than competition rules. The timing and procedural arguments could also prove pivotal if defects in the regulatory process can be demonstrated.

For now, the €12.5M penalty stands, and Poste Italiane must either pay or seek a judicial suspension pending appeal. The company operates a 24-hour Fraud Prevention Center staffed by over 100 specialists and claims to have blocked millions of euros in attempted fraud annually, a track record it will undoubtedly emphasize in court.

Whether fraud prevention justifies deep device surveillance remains one of the defining privacy questions of the digital banking age—and Italy is now at the center of that debate.

Italy Telegraph is an independent news source. Follow us on X for the latest updates.