8 minute read | December 11, 2023
In this Essential Guide, which is part of Orrick's Cybersecurity & Privacy Compass Series, we provide insight into the fines companies may face for violating the General Data Protection Regulation ("GDPR"), and specifically into the ruling of the Court of Justice of the European Union ("CJEU") that such fines require a negligent or wilful infringement. The Cybersecurity & Privacy Compass is your global guide to constant cybersecurity and privacy change.
Data protection authorities in Europe can fine companies for violating the GDPR only if the infringement is negligent or wilful, the CJEU has ruled. The judgment in Case C-807/21 (Deutsche Wohnen) rejects strict liability and provides legal clarity to companies in Germany and across Europe.
The CJEU has already ruled in another case this year regarding liability for damages. This decision provides further clarity by setting the conditions under which national data protection authorities may impose administrative fines on one or more data controllers for an infringement of the GDPR.
In particular, the CJEU holds that authorities can impose fines only for negligent or wilful conduct: a fine cannot be imposed on a "no-fault" basis, so there is no strict liability under the GDPR.
However, the decision has prompted an open and ongoing legal debate, because the court was not explicit about whether the culpable conduct must have occurred at management level or whether wrongful conduct by any person or party engaged by the controller is sufficient.
The case stems from a fine the Berlin Data Protection Authority imposed on Deutsche Wohnen SE ("Deutsche Wohnen"), a major German real estate company. Authorities fined the company EUR 14.5 million for failing to delete tenant data despite a request to do so.
Under a particular feature of the German law on administrative offences that applies to the imposition of fines, an authority must prove fault on the part of a company's board members or representatives before it can fine the company.
This requires a culpable act or omission by someone acting on behalf of the company; a company that lacks an adequate compliance organisation is one example of such a culpable omission. The burden of proving culpability lies with the fining authority, which is often difficult to discharge in practice.
Because the GDPR is European law, it has been disputed whether this German rule applies at all, whether culpability is required in the first place, or whether any breach of the GDPR can lead to a fine.
Deutsche Wohnen challenged the fine before the Regional Court of Berlin (Landgericht Berlin), which held that a culpable act by a natural person was required before an authority could issue a fine. The decision was appealed to the Higher Regional Court of Berlin (Kammergericht Berlin), which referred two questions to the CJEU for a preliminary ruling: whether a legal person can be fined without the infringement first being attributed to a natural person, and whether a fine requires culpable (intentional or negligent) conduct at all.
According to the CJEU, nothing in EU law prevents a legal person from being treated as the perpetrator of the infringement and the party liable for the penalty. On the contrary, the ability to impose a penalty directly on a legal person is one of the key mechanisms ensuring the GDPR's effectiveness. The GDPR therefore allows administrative fines to be imposed on legal persons directly.
With respect to the question of whether it is first necessary to impute an infringement to a natural person, the CJEU clarified that there is no rule that the liability of a natural person must first be established before a legal person can be held liable.
National legislation that requires proceedings to be brought against a natural person before a fine can be issued against a legal person is incompatible with the GDPR and therefore cannot be applied.
The CJEU ruled that legal persons must bear the consequences, in terms of penalties, of GDPR infringements committed in their name. The GDPR conclusively defines the powers of data protection authorities, in particular as regards remedial measures such as fines, leaving no room for Member State regulation. The substantive requirements for fines are therefore not subject to national rules; Member States may only determine the procedure for imposing them. This follows from the GDPR's aim of creating a uniform level of data protection across the Member States. Moreover, Member States are obliged not to impede the direct applicability inherent in regulations, which would obscure the nature and consequences of EU law for the persons concerned.
The CJEU stated that legal persons are liable not only for infringements committed by their representatives, directors or managers, but also for those committed by any other person acting in the course of the business of the legal person and on its behalf. The court added that where the controller is a legal person, Article 83 of the GDPR applies even without any action by, or even knowledge on the part of, that legal person's management body. These statements ignited the legal debate over what culpability of representatives and management is required.
The CJEU further held that the term "undertaking" as interpreted under Articles 101 and 102 TFEU is not relevant to whether a fine may be imposed, since the conditions for imposing fines are conclusively regulated by the GDPR. The term is, however, relevant for determining the amount of the fine: the CJEU notes that "undertaking" in Article 83 of the GDPR, for the purposes of calculating total annual turnover, is to be understood in the sense of an "economic unit" (Judgment C-882/19, paragraph 41 and the case law cited). On that understanding, an undertaking is any entity engaged in an economic activity, irrespective of its legal status and the way in which it is financed.
Culpability is required: either intentional or negligent conduct must be present for a fine to be imposed. In other words, the CJEU has ruled that there is no strict liability. Article 83(2) of the GDPR lists the criteria a data protection authority takes into account when imposing a fine on a controller; under point (b) of that provision, these include the "intentional or negligent nature of the infringement". The CJEU also highlights that the GDPR nowhere provides for a controller to incur liability in the absence of wrongful conduct on its part.
The CJEU additionally relies on the systematic structure of the GDPR and on the point, already made under the first question, that the GDPR must be applied uniformly throughout the Union. This means that data protection authorities must have equivalent powers for ensuring compliance with the GDPR and for imposing equivalent fines. The court further argues that competition within the European Union could be distorted if some Member States introduced strict liability and thus applied stricter liability rules than others.
As to the standard of negligence, the CJEU ruled that a controller can be sanctioned where it could not have been unaware of the infringing nature of its conduct, whether or not it knew that it was breaching the provisions of the GDPR.
The decision will initially have a direct impact in Germany, where the provisions of the Administrative Offenses Act (Ordnungswidrigkeitengesetz) will have to be applied in line with the CJEU's interpretation of the GDPR.
Beyond Germany, the ruling provides welcome clarification across Europe. The CJEU has rejected the interpretation of some Member States that considered strict liability permissible. It has also answered the question of the extent to which Member States may adopt substantive rules on the powers of data protection authorities, including fines: not at all. Finally, the CJEU comments, albeit only briefly, on when negligence exists.