The Garante issued the largest ever GDPR fine in Italy against ENEL Energia, which, however, shows deficiencies in the enforcement procedures that should be improved to benefit privacy-related values across Europe.
The Italian data protection authority, the Garante, issued the largest ever GDPR fine in Italy, equal to more than EUR 79 million, against ENEL Energia for misconduct relating to their telemarketing practices.
This dispute emerges after a fine of EUR 26.5 million against the same entity was canceled by the Court of Rome because it was issued too late, after the expiry of the procedural terms (Read on the topic: Italian € 26.5 M GDPR Fine Cancelled by Court As Issued Too Late).
The Garante challenged ENEL Energia over its lack of compliance with technical and organizational measures aimed at limiting potential abuses by agencies that unlawfully performed telemarketing activities. What struck me about this dispute is the following:
- The dispute pertains to the same matter that led to the EUR 26.5 million fine mentioned above, which the Court of Rome canceled. The Garante argues that the breach continued, but then acknowledges that ENEL Energia has implemented not only two-factor authentication but also an additional measure preventing the simultaneous use of the same credentials from different locations by its agencies;
- ENEL Energia was the victim of abuses by these agencies, and indeed, among the mitigating factors the Garante considered that the company lost more contracts than it gained (9,300 contracts gained vs. 20,456 lost) because of these unlawful practices by telemarketing agencies that work for multiple competing operators and get a commission whenever a new contract is signed;
- The Italian Data Protection Authority deems that ENEL Energia has a higher level of responsibility and obligations since it is one of the largest energy companies in Italy, which might be an additional reason for cooperating with them to identify suitable solutions that meet the interests of all the parties involved.
Apart from the merits of the case, whenever we deal with a GDPR-related challenge, I am surprised that some EU data protection authorities do not consider settling with the investigated party, which might lead to a higher level of protection of individuals than a mere punitive fine. If the potential harm for individuals is not significant (i.e., it affected only 9,300 contracts) and, as in this case, the investigated entity is actually a victim of the unlawful conduct of third parties and has already implemented corrective measures to limit such practice, the Garante might have offered ENEL the possibility to file commitments relating to improvement actions which, once agreed, would have avoided the issuance of the largest GDPR fine ever in Italy.
This practice is often followed by the French data protection authority, the CNIL, which applies the same GDPR rules enforced by the Italian privacy authority. Commitments are agreed, along with a time limit for their implementation; once the CNIL verifies that they have been implemented, no fine is issued. Conversely, I always recommend that my clients show in their defensive briefs the improvement actions implemented following the challenge by the Garante. However, the Italian data protection authority only considers them as mitigating actions that do not avoid a fine.
This practice is quite frequent in procedures managed by the Italian competition authority relating to antitrust and unfair commercial practices. Since the control over data is exponentially becoming a source of potential anti-competitive practices, there is a risk of different outcomes in disputes relating to the same conduct by two different authorities. Besides, a potential settlement following the validation of commitments undertaken by the investigated party would benefit the relevant data subjects whose privacy would be better protected. On the contrary, huge companies might still consider a fine an acceptable cost compared to the potential benefits of their misconduct.
As such, a change in the enforcement procedure of the Italian data protection authority and of other EU authorities that do not follow the approach set out above might be in the general public interest of both companies and individuals, and hopefully, this aspect will be considered in the coming months as part of improvement actions to be undertaken.
On the same topic, you may find the following article interesting: “Infographic on the Italian privacy code of conduct on telemarketing and teleselling”.