A bewildered Italian stares at his mailbox, pulling out a bill from Eni Gas e Luce—a company he’s never called, never signed up with.
That’s the moment thousands lived through. On January 17, 2020, Italy’s data watchdog, the Supervisory Authority (ISA), dropped two fines totaling €11.5 million on Eni Gas e Luce (EGL), the electricity and gas arm of oil major Eni. €8.5 million for bombarding opted-out customers with marketing calls. €3 million for sneaking into contracts with over 7,000 unsuspecting households.
Eni Gas e Luce GDPR violations. There, said it. This saga peels back how a legacy energy player thought it could hustle like it’s the pre-GDPR Wild West.
How Did the Spam Calls Slip Through?
Look, EGL didn’t just accidentally dial no-call list numbers. They ignored Italy’s public opt-out register entirely—skipping the verification steps GDPR demands under Articles 6 and 13. Article 6? That’s lawful basis for processing data. They had none. Article 13? Failing to inform people upfront.
The ISA called it straight: illegal processing. EGL bought leads from shady third-party list providers, no consent proof required. And now? Banned from those lists forever. Forced to build consent-check systems before every promo ping.
“EGL was found to be illegally processing personal data by making marketing calls to individuals that had opted out of receiving such promotional calls.”
That’s from the ISA’s ruling. Chilling in its simplicity.
But here’s my angle—the one the press releases gloss over. Energy firms like EGL digitized their sales pipelines aggressively after GDPR hit in 2018, piping offline tactics into automated dialers and lead-gen bots. They figured regulators wouldn’t chase analog sins. Wrong. This fine signals an architectural shift: GDPR’s tentacles wrapping around every data touchpoint, online or off.
Why Did 7,000 Italians Wake Up to Surprise Bills?
Unsolicited contracts. EGL’s external agencies scooped expiring deals from rivals, slapped EGL’s name on them, faked details where needed. Boom—new customers. Folks only clocked it when the bill dropped.
Violations galore: Article 5 on data accuracy and fairness. Article 7 on unambiguous consent. Forged info? That’s fraud-adjacent, data-wise.
ISA’s fix: overhaul contract processes, add anomaly detectors. No more ghost sign-ups.
The Offline Data Blind Spot That’s Costing Millions
Everyone obsesses over cookies and trackers. Fair. But EGL proves GDPR doesn’t care if your violation’s pen-and-paper or pixelated. They routed third-party data straight into billing systems without a whisper of consent. Historical parallel? Think 1990s US telemarketing do-not-call lists—fines piled up until tech forced compliance. EGL’s mess echoes that: companies dragging feet on data hygiene as sales go digital.
Bold prediction: expect a fine wave hitting utilities and telcos next. These dinosaurs are ripe for it, their CRM stacks bloated with unvetted legacy data. EGL’s PR spin? Probably mumbling ‘isolated incidents.’ Nah. Systemic.
And the third-party angle—agencies farming leads like it’s 1999. Companies, audit your vendors yesterday. One bad list, and you’re EGL 2.0.
What Does Italy’s Watchdog Want Fixed?
Processes, baby. EGL must verify consent pre-call, pre-contract. No third-party data without ironclad proof. Checks for fakes. It’s remedial school for a €11.5M truant.
But why now? Post-GDPR, complaints spiked. ISA’s probing deeper, cross-referencing registers with call logs. Tech’s enabling that scrutiny—AI pattern-matching complaints to billing data. (Yeah, even here, legal AI tools could flag these anomalies before fines fly.)
This isn’t hype. EGL’s cut-and-dry guilt underscores a truth: privacy laws demand end-to-end accountability. Offline hustles digitized without safeguards? Recipe for regulatory smackdown.
Companies worldwide—review your data flows. Especially if you’re outsourcing leads.
Frequently Asked Questions
What caused Eni Gas e Luce’s €11.5 million GDPR fine?
Eni Gas e Luce (EGL) was fined for illegal marketing calls to opted-out customers and signing over 7,000 people to unsolicited energy contracts using inaccurate or forged data.
Does GDPR apply to offline data like phone calls and contracts?
Absolutely—GDPR covers all personal data processing, digital or not, as long as it’s identifiable info handled without proper consent or basis.
How can companies avoid similar GDPR fines?
Verify opt-out registers religiously, demand consent proof from third parties, and implement automated checks for data accuracy in contracts and marketing.