Court of Rome: Italian Data Protection Authority's fines void if served after 120 days.

The judgement of the Court of Rome, 18th civil section, no. 2615/2023 filed on 13/1/2024, in the case that saw the judge annul a fine of more than 26 million imposed on Enel Energia S.p.A. for unsolicited commercial telephone calls, is constructed with great argumentative logic (also very severe towards the Italian Data Protection Authority) and contains important principles on the nature and commencement of the terms that the Authority has to legitimately impose a sanction for data protection violations, pursuant to Article 166 of the Privacy Code and the Garante's Internal Regulation no. 2/2019 by which the Garante itself has identified the terms of its proceedings, including that for the imposition of sanctions (120 days from the ascertainment of the breach, a term which - the judge noted - already exceeds by many those provided for by the applicable L. 241/1990, 3 Article 14 of L. 689/1981). While the Garante argued in court that the term is ordinary and runs from the time when the Authority has carried out all the evaluations and in-depth studies of the case (also by sending requests for clarifications), the judge completely disavowed these positions, considering that the term is peremptory, to guarantee the certainty of the right of defence, especially in matters of sanctions (all the more so, says the judge, considering that the Garante, as allowed by L. 214/1990, has in its Reg. 2/2019 considerably extended the deadline to 120 days compared to Laws 241/90 3 689/81). Moreover, with regard to the need to identify a certain initial starting date of the 120 days (in order to avoid "opening the doors wide to arbitrariness" due to the "unknowable secrecy of internal deliberations", while allowing the "strict predictability of tasks, actions, prerogatives and limits to the imposing authority") the court lays down the principle that the 120 days run from the date of receipt by the Garante of the last reply to the request for clarification or - in the event of failure on the part of the data controller or the person responsible - from the deadline set by the Garante in the last request for clarification to provide the reply, which was then not received. The Garante, once it has sent a request for clarification with a deadline for a reply, still has 120 days to notify the breach or possibly request further clarification, and the request for further clarification even in the case of unsatisfactory replies, says the judge, cannot lead to the peremptory deadline being exceeded. Within the same peremptory term of 120 days, the Garante may also cumulate several reports received at different times. If the Garante does not respect the deadline, the sanction imposed must be cancelled, as in the ENEL case (the last request for clarification had come seven months after the previous one, while the sanction imposed on 16 December 2021 concluded a proceeding initiated in 2018).