The Italian Data Protection Authority (Garante per la Protezione dei Dati Personali) recently issued the first significant sanctions against two utility companies, Eni Gas e Luce (energy) and TIM (telco), for alleged violations of the EU General Data Protection Regulation.
We can translate “significant” into numbers: the Italian DPA fined Eni Gas e Luce EUR11.5 million on account of unsolicited telemarketing and contracts on December 11, 2019, and fined TIM EUR27,802,496 on account of several instances of unlawful processing for marketing purposes on January 15, 2020.
The above cases have a lot in common: both were grounded on the “accountability” principle, since both Eni and TIM were proven to be insufficiently familiar with fundamental features of the processing activities they performed.
The TIM and Eni Gas e Luce cases: from the processing of (personal) data come great responsibilities
With specific reference to the TIM case, the Italian DPA estimated that millions of individuals had been affected by illicit marketing practices; those individuals filed numerous complaints with the authority about promotional phone calls made by the telco without their consent. Indeed, the claimants either had their numbers in the public opt-out register or had previously opted out of receiving phone calls from TIM.
In addition to the fine, the Italian DPA imposed 20 corrective measures on TIM, including both prohibitions and injunctions. Among them, TIM was banned from using, for marketing purposes, the data of users who had denied their consent to marketing calls when contacted by call centers, of users included on blacklists, and of “non-customers” who had not given their consent; TIM was also obligated to check the consistency of its blacklists and to acquire, in a timely manner, the blacklists put together by call centers so as to update its own.
Moving onto the Eni case, the Italian DPA issued a first fine of EUR8.5 million for unlawful processing in connection with telemarketing and teleselling activities, and a second fine of EUR3 million for unsolicited contracts for the supply of electricity and gas under “free market” (mercato libero) conditions.
Regarding the first fine, inspections performed by the Italian DPA revealed systematic noncompliant conduct by Eni, and the DPA criticized the overall processing of data at the company. Specifically, Eni conducted marketing calls without proper consent or regardless of customers’ previous refusals to receive marketing calls; it did not implement appropriate technical and organizational measures for consent management, nor any other appropriate solution for recording data subjects’ communication preferences; and it failed to consult the public opt-out register. Last but not least, Eni purchased data of potential customers from list providers without any consent for the disclosure of those data sets.
The “smaller” fine was issued for unsolicited contracts in the free market (mercato libero) for the supply of energy and gas. There were 7,200 affected individuals, who complained that they learned of the stipulation of a new contract only upon receiving the former supplier’s letter of cancellation or the first invoice issued by Eni.
In particular, in the Italian DPA’s words, “The […] investigations revealed that the conduct adopted by Eni in the acquisition of new customers through some external agencies operating on its behalf, due to organizational and management methods, resulted in processing not compliant with the EU Regulation, as they are contrary to the principles of correctness, accuracy, and updating of data.”
As in the TIM case, the Italian DPA imposed several corrective measures on Eni, including, inter alia, a prohibition on using the data made available by list providers if the latter had not obtained specific consent for the communication of such data to Eni; the DPA also ordered Eni to put in place procedures and systems to verify the consent of the individuals included in the contact lists prior to the start of promotional campaigns.
Some takeaways for M&A lawyers
Some of the takeaways from these two decisions (although they do not concern M&A transactions specifically) clearly show that transactional and M&A lawyers, when dealing with a transaction involving a business with a strong focus on data, need to conduct a more in-depth analysis of privacy issues during due diligence and (if assisting the buyer) understand what the buyer will do with the database after closing.
The first thing that catches the eye is the increasing degree of detail and complexity of Italian DPA investigations into these types of matters, especially under the “accountability” principle perspective.
As a matter of fact, the Italian “Garante” has increased the number of issues under its review, which include the following: (i) operators’ internal procedures in their entirety; (ii) degree of awareness of internal and external flows of the personal data processed by the operators; (iii) effective control exercised over entities qualified as data processors; and (iv) existence of documented organizational and technical measures proving GDPR compliance.
This means that, when (as occurred in the Eni case) buying a company with strong retail activity that includes telemarketing activities or entering into an asset deal involving lists of data or other relevant assets under a GDPR perspective, lawyers should run a more sophisticated and structured data-protection due diligence (DPDD) to verify how the data were collected, the source of the database, and whether any databases were purchased legitimately with all the necessary consent so that the target company can keep using the databases after the purchase.
Both decisions confirm that it would be a big mistake to look at a target company’s privacy program as simply a set of documents or standard operating procedures. Instead, internal procedures must be created by design: although they are neither provided for nor required by law, they are still policies needed in relation to the risks connected to the business run by the company and in order to avoid sanctions. In light of these rulings, it would be at least unwise for anyone to continue to treat privacy compliance as a rote process, or as a process that exists only on paper.
This means that, in practical terms, when conducting DPDD, investigations shall not be limited to the existence of the consent for the use of data, but must take into consideration the concrete and effective use of those data that will be made by the potential buyer: this is because consent given to the target for a certain use related to the target’s business might not be valid anymore when the same consent is transferred to the buyer or the data are used in a different way by the target after closing.
The above also has direct consequences in the drafting/negotiation phase.
As an example, consider a transaction where a company purchases personal data lists from third parties, as a result, or part, of an asset deal. According to GDPR/Italian Privacy rules, it is not sufficient simply to provide a contractual guarantee that the third party transferring the data has obtained the data subjects’ consent to have their personal data communicated to third parties for—for example—marketing purposes. Therefore, it is even clearer now that if personal data lists are not purchased from the data controller that obtained consent, but instead from an intermediary, it is necessary to ensure that the latter has obtained additional consent for the data to be communicated to third parties. In other words, in principle, consent for the communication of personal data to third parties does not cover all subsequent communication, but instead covers only the first instance of communication.
The above has immediate impact on the liabilities of the potential buyer in an M&A transaction having these kinds of assets as a target of the acquisition—though the same liability cannot be excluded even in a share deal scenario—since the fact that a company becomes the new shareholder of a target that owns a database (for which it obtained certain consents) does not allow that target to change the use of those data as it prefers, exceeding the purposes for which those consents were given at the time, or to have the data transferred to the buyer since it is part of the same group.