Italy’s Data Protection Authority has ordered Facebook (FB) to turn over to a user the data it has on him—and on someone who set up a fake account to impersonate and discredit him.
The case is notable partly because it’s yet another example of a European national authority asserting jurisdiction over the company, which insists it only has to answer to Irish data protection authorities within the EU.
The user in question had been the victim of an extortion attempt by the other person, who had befriended him on Facebook. When he refused to give in, a phony account was set up using his personal information and photo, which started sending pictures and video montages to his contacts that were designed to discredit him.
Get Data Sheet, Fortune’s technology newsletter.
The victim asked Facebook to hand over all the relevant information that it holds on him—data, photographs and so on—and to take down the fake account. According to official documents, Facebook then sent him an email explaining how he could download his personal data using the standard tool.
He wasn’t satisfied, claiming that he couldn’t understand the data in the downloaded format, and pointing out that it didn’t include anything on his tormentor. Facebook said it had taken steps to delete the fake account, but the victim still wanted the information on the person who had set it up, and took the matter to the authorities.
Italy’s data watchdog agreed with him, ordering Facebook to turn over the data on the person who set up the fake account in his name (which obviously meant not deleting it, for one thing).
What’s particularly interesting about this case, other than the idea of exposing a troll, is that the order asserted the jurisdiction of the Italian data protection authority over Facebook.
For more on Facebook, watch:
Facebook regularly claims that it is only answerable to the privacy watchdog in Ireland, where it has its European headquarters—this claim is based on guidance given once upon a time by the EU’s data protection authorities.
However, recent case law has pointed the other way, most notably the “Google Spain” decision at the European Court of Justice (ECJ) that applied the “right to be forgotten” to the search firm, but also the ECJ’s “Weltimmo” decision, which also said companies are subject to the data protection laws in the countries where they operate.
Facebook has recently also been on the losing side of jurisdiction fights in France and Belgium. On this issue, it truly cannot catch a break.
