Share This Article
The Court of Rome cancelled the GDPR fine of EUR 26.5 million issued by the Italian data protection authority against ENEL, one of the largest energy companies in the world because it was issued too late, after the expiry of the procedural terms.
The Italian case for a GDPR fine issue too late
The proceedings before the Court of Rome began with the appeal brought by the energy company, ENEL, against the GDPR fine of EUR 26.5 million issued by the Italian data protection authority, the Garante, for 15 violations of the GDPR.
The Garante had began its investigation in late 2018, following numerous complaints received at different times, which were amalgamated and ‘cumulated’ by the Italian data protection authority into four groups (or, as called by the Garante and the Court itself, into four “CUMs”), for which the Garante sent to the company requests for information.
However, it was not until more than two years after the requests referred to in the first CUMs that the Garante initiated the sanction proceedings, notifying the company.
According to the Garante, the initiation of the sanction proceedings would have occurred on time because:
- the Italian data protection authority avails itself of the derogatory rule set forth in Art. 2, para. 5, of Law 241/1990, which remits to the authorities the power to establish themselves the terms of their own proceedings (in the case of the Garante it is 120 days);
- the dies a quo (i.e., the moment from which the terms run) runs from the moment when the Authority’s assessment of the facts is concluded; and
- in any case, the time limit is not peremptory, but rather, ordinatory, in the absence of an express provision of law, being a time limit derived from internal regulations of the Authority itself.
The principles of law addressed by the Court
The Court affirms that, as a general rule, the certainty of the time within which the authority must begin and then conclude the proceedings is a requirement for respect for the right of defence, for legal certainty, and for the so-called rule of law (which does not tolerate arbitrary spaces of authority).
In light of this, the deadlines for concluding a proceeding, even if dictated by the Guarantor himself on the basis of the derogatory rule in Art. 2, para. 5, of Law 241/1990, cannot but be considered peremptory, as this is an inalienable prerequisite for the effective respect of the fundamental principles of the system. As the Court states, an uncertainty with respect to these terms opens “the door wide to arbitrariness and disparity of treatment”. The dies a quo cannot be determined at the moment when the Authority’s assessment of the facts is concluded, as the Garante asserts. This is because such assessments are formed “in the secrecy of its internal deliberations” and are therefore not calculable (since they cannot be defined as a “deadline“).
According to the Court, the dies a quo should instead be identified as the date on which:
- the Garante receives responses to its requests for information, and if necessary, further clarifications;
- in the case of silence on the part of the data controller, the period allotted to the data controller to provide a response expires.
The Conclusions on the late GDPR fine issued by the Italian data protection authority
For the above reasons, the Court finds that the Garante’s challenge to the company’s violations occurred well beyond the 120-day period that the Italian data protection authority should have complied with with respect to the various CUMs, and therefore this challenge should be deemed unlawful and should be annulled.
What the Court ordered is certainly a turning point to be taken into account when receiving requests for information from the Garante: failure to comply with the 120-day deadline from the owner’s responses to contest the violation, therefore leads to the illegitimacy of the act, since it should be considered late.
On a similar topic, the following article may be of interest: “New criteria for GDPR fines determined by the CJEU”.