EU: CJEU proceedings on GDPR fines
When will companies face fines for data breaches? Recently, opinions of Advocates General at the Court of Justice of the European Union (CJEU) were published in two landmark cases on the imposition of fines under the EU's General Data Protection Regulation (GDPR). According to the opinions, data protection authorities (DPAs) should not be able to impose fines on companies regardless of fault. Data protection fines can be imposed directly on companies. However, this would require proof of an intentional or negligent act by an employee.
Valentino Halim, Senior Associate at WilmerHale, unpacks the recent Advocate General opinions in two landmark cases on GDPR fines before the CJEU, providing insight into key practical implications.
Open questions relating to GDPR fines
Under what conditions, and on what basis, fines can be imposed on companies for data protection violations under the GDPR is of outstanding practical relevance. Although some time has passed since its entry into force in May 2018, key issues relating to fines under the GDPR are controversial and have not yet been clarified by the highest courts. Among other things, it is questionable whether fines can be imposed on companies directly and independently of proven fault and which turnover can be taken into account in the assessment of the fine.
The CJEU has now heard some fundamental aspects for the determination of GDPR fines in the preliminary ruling cases Deutsche Wohnen SE (C-807/21) and Nacionalinis visuomenės sveikatos centras (NVSC) (C-683/21). The recently published opinions of the respective Advocates General now give a first indication of how the CJEU might rule on these issues.
Liability concept: attribution requirement vs. strict liability
When imposing fines on companies for violations of GDPR requirements, the first question that is generally crucial is which concept of liability applies. This is because it is a question of the conditions under which DPAs can impose a fine on companies in the first place.
The liability concept under the German Administrative Offences Act (OWiG) only provides for a fine for legal persons if a management person has committed a negligent or intentional act that can be attributed to the company (see Section 30 of the OWiG on the so-called legal entity principle, Rechtsträgerprinzip). According to the first-instance decision of the Berlin Regional Court in Deutsche Wohnen SE (decision of February 18, 2021, 526 OWi LG 212 Js-OWi 1/20), this principle should also apply under the GDPR. Due to the requirement of at least negligent action at the management level, it is much more difficult to impose fines.
In contrast, the German DPAs and the Bonn Regional Court (ruling of November 11, 2020, 29 OWi 1/20) instead want to apply the principles of EU competition law by analogy to fines under the GDPR. According to this, an objective violation of data protection law should be sufficient, and fines can be imposed directly on the responsible company (the so-called functional unit principle, Funktionsträgerprinzip). On this basis, a kind of special fine law with lower requirements would apply in the case of data protection violations, in which the DPAs would neither have to prove a breach of duty by a management person of the company nor an attribution of such breach to the company.
Benchmark for maximum fine: legal vs. functional understanding of the concept of an undertaking
Similarly, it has been unclear for years how to interpret the concept of an undertaking in the context of setting GDPR fines. This can be extremely important for determining the amount of the fine. This is because, according to Articles 83(4), 83(5), and 83(6) of the GDPR, if the fined entity is an undertaking, the maximum amount of the fine is €10 million or €20 million, or 2% or 4% of the previous year's turnover, whichever is higher.
Undertaking in this sense could be understood as the (single) legal entity acting as a data controller under the GDPR. Article 4(18) of the GDPR defines an undertaking as any natural or legal person or partnership engaged in an economic activity, irrespective of its legal form. In this case, only the turnover of the legal entity concerned would be relevant for the determination of the GDPR fine.
The European Data Protection Board (EDPB) in its Guidelines 04/2022 on the calculation of administrative fines under the GDPR (version 2.0), adopted on May 24, 2023, and some national DPAs, on the other hand, want to apply the concept of undertaking from EU competition law to GDPR fines by analogy. There, the concept of an undertaking is understood in a functional way and includes any entity that carries out an economic activity. This also includes groups consisting of different legal entities, such as parent companies and subsidiaries. If this broad understanding is applied to violations under the GDPR, the consequence would be that potential fines would be calculated on the basis of the turnover of the entire group of companies.
Questions referred to the CJEU for a preliminary ruling
In Deutsche Wohnen SE, the Court of Appeal (Kammergericht) Berlin (order of December 6, 2021, 3 Ws 250/21) has referred two key questions on the interpretation of Articles 83(4) to 83(6) of the GDPR to the CJEU for a preliminary ruling. Essentially, the Kammergericht Berlin wanted to know from the CJEU whether:
- companies can be the addressees of fines without the infringement of a natural person having to be attributed to the company; and
- the violation must be intentional or negligent, or whether a purely objective violation of a requirement of the GDPR is sufficient.
Similarly, in the NVSC preliminary ruling, the CJEU had to answer the question of whether a fine can be imposed under Article 83 of the GDPR on a controller who has not intentionally or negligently infringed the provisions of the GDPR on the basis of 'strict liability.'
Opinions of the Advocates General
In his opinion in Deutsche Wohnen SE, Advocate General Campos Sánchez-Bordona concluded that there is no 'strict liability' under the GDPR. As a result, he advocates a conciliatory approach. It should be possible to impose fines directly on a company. However, a purely objective violation of data protection law - irrespective of any fault - should not be sufficient to impose a fine. Advocate General Emiliou also concluded in his opinion in NVSC that Article 83 of the GDPR does not establish a system of fines that is independent of fault.
Companies can be addressees of GDPR fines
Companies can be direct addressees of fines, according to the Advocate General. This is not only provided for in several provisions of the GDPR, but is also, according to the Advocate General, one of the key mechanisms to ensure the effectiveness of the GDPR. To this end, he relies on the wording of certain provisions of the GDPR. In particular, Articles 4, 58, and 83 of the GDPR suggest that sanctions - especially fines - can be imposed directly on legal persons. In his view, undertakings must bear the consequences of violations of the GDPR not only where they were committed by representatives, agents, managers, or directors, but also where they are based on the conduct of employees in the broader sense. Such conduct by employees who are under the supervision of the management bodies is due to insufficient control and supervision and is therefore already attributable to the company.
Proof of fault required
However, a fine can only be imposed if the underlying violation was committed intentionally or negligently. The unlawful conduct of an individual employee is sufficient to impose a corresponding fine on the company. In the view of the Advocate General, concrete evidence of a breach of supervisory duties is also required in order for the culpable conduct of an employee below the management level to be imputed to the management bodies at all and thus sanctioned. The Advocate General explains this as follows:
"In short, these are natural persons who, without themselves being representatives of a legal person, act under the authority of persons who, as representatives of the legal person, have failed to exercise supervision or control over them. Finally, imputability ultimately leads to the legal person itself, since an infringement committed by an employee acting under the authority of its managing bodies is a failure in the control and supervision system, for which those managing bodies are directly responsible" (opinion in Deutsche Wohnen SE, paragraph 59).
At the same time, the Advocate General rejects the question raised as to whether an objective breach of duty is sufficient to impose a fine. DPAs should not be able to impose fines on undertakings irrespective of fault, since a fine must always be preceded by imputable fault. It is therefore necessary that, in the context of the fine procedure, the supervisory authorities at least establish and, if necessary, prove fault. In that regard, the Advocate General states:
"As regards the obligations laid down by the GDPR - including those governing the processing of data (Article 5) and the lawfulness of such processing (Article 6) - the assessment of whether they have been complied with involves a complex process of evaluation and examination going beyond the mere finding of a formal breach" (opinion in Deutsche Wohnen SE, paragraph 80).
Functional concept of undertaking analogous to EU competition law
The question of whether the concept of undertaking within the meaning of Articles 83(4) to 83(6) of the GDPR should be interpreted as a 'single economic unit' or as the formal legal entity (the legal personality) of a company was not relevant in the Deutsche Wohnen SE case. Nevertheless, the Advocate General made clear his preference for the functional concept of an undertaking and the 'single economic unit' as defined by EU competition law.
Admittedly, the Advocate General expressly emphasizes that this should only apply to the determination of the amount of the fine. Whether such an isolated consideration is possible solely by reference to a legally non-binding recital, which creates conflicts with the binding part of the GDPR, remains highly questionable. The view that the general principles for sanctions in EU competition law should be applied 'by analogy' to breaches of data protection rules is also questionable in the case of criminal law-like sanctions, such as GDPR fines. This is likely to be the subject of a further referral to the CJEU.
Impact in practice
If the CJEU were to follow the Advocate General's opinion in its judgment, this would have a significant impact on future fine proceedings and directly on companies. Without strict liability, future fine proceedings will have to address the question of fault in each individual case.
Practically low standard for establishing fault
Even if this legal standard deprives DPAs of the ability to impose fines regardless of fault for non-culpable breaches of duty, in practice, it is likely to provide only limited relief to companies.
In most cases, the existence of at least negligent fault on the part of an employee can be established. In this respect, the Advocate General expressly points out that it is not always possible to draw a clear line between the various forms of fault and objective responsibility. For example, the failure to comply with a legal provision could already constitute negligence if the person acting should have known what they were required to do. This suggests a broad understanding of the concept of fault. Despite the rejection of a blanket 'strict liability,' the Advocate General does not believe that excessively high standards should be applied in determining fault (in particular negligence). In fact, unawareness or misapplication of a rule (so-called legal error) can only very rarely be excused.
Further, in NVSC, the Advocate General considers the threshold for the (at least) required negligence to be (extremely) low when he states "[...] that the threshold for a negligent breach of the GDPR [...] is so low that it is difficult to imagine situations in which the imposition of a fine is impossible solely because that element is not met" (paragraph 80). Finally, this is also confirmed by looking at EU competition law - to be used by analogy according to the Advocate General - where there are hardly any situations where the case law recognizes that there is no negligence.
In practice, the only noticeable difference resulting from the approach proposed by the Advocate General is the additional effort that the DPAs would have to expend in the course of the procedure to assess fault. As a result, the limits of negligence could be so low that it would de facto come close to strict liability. This would significantly increase the overall liability risks for companies.
Exculpation through compliance efforts?
To counter accusations of negligence, companies could continue to invest further in data protection compliance. The Advocate General's imputation standard seems to provide a defense for companies that have been fined in this respect. Since the imputation of data protection breaches by individual employees below the management level should only occur in the event of a deficiency in the control and monitoring system, the company's management may be able to counter an imputation by implementing an effective data protection management system, even if employees circumvent that system in individual cases. The implementation of a comprehensive data protection concept is therefore becoming increasingly important and more and more a 'must have.'
Conclusion and outlook
Although the CJEU has not yet delivered its judgment, it is clear that it could have a significant impact on the practice of imposing fines by supervisory authorities in Germany and other EU/EEA member states. The Advocate General's opinion shows an initial trend as to how the CJEU might rule on key aspects of the imposition of GDPR fines on companies and is causing tensions to rise - in companies and among data protection advisors.
Statistically, the CJEU follows the opinion of the respective Advocate General in the (vast) majority of cases. However, the opinions are not binding on the judges of the CJEU. It therefore remains to be seen whether the CJEU will follow the line of the Advocates General and, if so, what the CJEU will actually decide in the judgments.
Should the CJEU indeed follow the Advocate General's opinion, DPAs would no longer be able to impose fines on the basis of the principle of 'strict liability' regardless of fault. Only the future practice of DPAs in imposing GDPR fines will show whether the determination of fault will indeed be a significant hurdle in practice.
Valentino Halim, Senior Associate