On 5 December 2023, in cases C-683/21 and C-807/21, the Court of Justice of the European Union ("CJEU") rejected the application of strict liability for administrative fines under the GDPR. The CJEU confirmed that organisations can only be subject to administrative fines for breaches of the GDPR if it can be shown that their infringement was committed intentionally or negligently.

These decisions provide some welcome clarification on the scope of organisations' liability for administrative fines for GDPR violations. As the CJEU itself acknowledged, Article 83 GDPR does not expressly state that a violation can only be punished by an administrative fine if it was committed "intentionally or negligently". However, the CJEU has now interpreted the wording of that provision as requiring this, noting that "the general scheme and purpose of the GDPR support such a reading".

The CJEU found that whilst the GDPR affords a wide range of powers to supervisory authorities to address infringements, the EU legislature did not intend to provide for the imposition of administrative fines in the absence of fault. These decisions effectively limit the scope for administrative fines being imposed where an organisation has acted in good faith and used its best efforts to ensure appropriate GDPR compliance measures and procedures are in place. However, it is worth noting that fines may still be imposed where an organisation should have been aware that it had committed a breach, whether or not it was in fact aware. In addition, the CJEU confirmed that a fine may be imposed on a controller in respect of operations performed by a processor, to the extent that the controller may be held responsible for such operations.

The CJEU further confirmed, with regard to the calculation of fines, that where fines are to be imposed on organisations that are part of a wider corporate group, the fine should be calculated by reference to the entire group's worldwide financial turnover in the preceding business year.

Background

The two matters were preliminary references to the CJEU by the Lithuanian and German Courts. The underlying proceedings concerned challenges brought by the respective data controllers, who were a German real estate company and a Lithuanian app developer.

The Lithuanian controller, a public body, was fined €12,000 for illegal processing of personal data and failure to implement proper technical and organisational measures, in the context of the creation, with the assistance of a private undertaking, of a mobile application for registering and monitoring the data of persons exposed to Covid-19.

The German controller was fined €14.5 million by Berlin's supervisory authority for allegedly failing to implement measures to enable regular deletion of personal data relating to tenants that was no longer needed.

Decision in Lithuanian Referral

Preliminary findings on Joint Controllers

The CJEU first ruled on a number of questions, posed by the Lithuanian court, as to whether a contractual relationship to develop a mobile application could result in both parties being deemed joint controllers and jointly liable for any GDPR violations, despite the fact that the public procurement contract had not been concluded by the parties.

The CJEU found that Article 4(7) GDPR (definition of "Controller") and Article 26 GDPR (obligations of "Joint Controllers") must be interpreted as meaning that the classification of two entities as joint controllers of the processing requires neither the existence of an agreement between those entities on the determination of the purposes and means of the processing of personal data in question, nor the existence of an agreement which sets the conditions relating to joint responsibility for processing. Rather, joint control by two or more entities arises solely from the fact that those entities have participated in the determination of the purposes and means of processing. However, where there are in fact joint controllers, they have an obligation under Article 26(1) GDPR to determine their respective responsibilities by means of an arrangement between them.

Rejection of application of Strict Liability to Administrative Fines

The CJEU then examined whether Article 83 of the GDPR must be interpreted as meaning that an administrative fine can only be imposed if it is established that the relevant controller has "intentionally or negligently" committed an infringement of the GDPR.

The CJEU held that Article 83 GDPR only allows for the imposition of such fines where a controller is shown to have acted "intentionally or negligently" in committing the infringement. It noted that, whilst the GDPR affords a wide range of powers to supervisory authorities to address infringements, the EU legislature did not intend to 'provide for the imposition of administrative fines in the absence of fault'.

The CJEU further noted that the power to impose administrative fines is solely a matter for EU law, with no margin of discretion being afforded to EU Member States, since the conditions for imposing fines are laid down in detail in Article 83(1) to (6) GDPR. The CJEU stated that Article 83(2) GDPR, in particular, lists the factors to which the supervisory authority is to have regard when imposing an administrative fine on the controller. Those factors include, in Article 83(2)(b), "the intentional or negligent character of the infringement". By contrast, none of the factors listed in Article 83(2) GDPR mentions any possibility that the controller will incur liability in the absence of wrongful conduct on its part.

In addition, the CJEU found that Article 83(2) GDPR must be read in conjunction with Article 83(3) thereof, the purpose of which is to lay down the consequences of cumulative infringements of the GDPR, according to which "if a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement". Accordingly, the CJEU found that it follows from the wording of Article 83(2) GDPR that only infringements of the provisions of the GDPR committed wrongfully by the controller, that is to say those committed "intentionally or negligently", can result in a fine being imposed on the controller.

Administrative fine may be imposed where management does not have knowledge of infringement

The CJEU found, however, that there is no requirement, when imposing a fine, that the controller is explicitly aware that it is committing an infringement of the GDPR – merely that the infringing conduct is intentionally or negligently committed by the controller. Where the controller is a legal entity, there is no requirement that the management body of the entity which acts as controller endorses, or is even aware of, this infringing conduct.

Whether a fine may be imposed on a controller for processing operations performed by a processor

In addition, the CJEU was asked to consider whether a fine may be imposed on a controller in respect of unlawful processing operations performed by a processor on behalf of that controller. The CJEU confirmed that controllers are liable not only for any processing of personal data which they carry out themselves, but also for any such processing carried out on their behalf. However, the CJEU held that controllers will not be liable where processors act contrary to the controller's instructions and cause an infringement, or where they act outside the scope of the data processing framework in place between them. In accordance with Article 28(10) GDPR, the processor will, in such a case, be considered as being responsible for such processing.

Decision in German Referral

Do infringements have to be attributable to a natural person?

The German Court posed two questions to the CJEU. The CJEU first considered whether the GDPR precludes national laws which only provide for administrative sanctions to be imposed against legal persons where, in the first instance, a finding has been made that an identifiable natural person has breached the GDPR. German law only allows for infringements to be attributable to legal persons where they are first attributed to identified natural persons.

The CJEU found that the GDPR precludes such national legislation. In examining Article 4(7) of the GDPR, and its previous jurisprudence, the CJEU held that both natural and legal persons are controllers where they determine the purposes and means of processing of personal data. The CJEU noted that controllers – both legal and natural persons – may be directly liable for infringements of the GDPR which are committed by them or on their behalf. The CJEU further noted that legal persons may be deemed to be directly liable for infringements carried out by their representatives, directors, managers, or any other person acting in the course of their respective business or on their behalf. As such, national law could not impose procedural requirements which effectively removed direct liability for legal persons acting as controllers absent a finding that a natural person infringed the provisions of the GDPR.

Accordingly, the imposition of an administrative fine on a legal entity cannot be subject to a previous finding that the infringement was committed by an identified natural person.

Calculation of fines & interpretation of "undertaking"

In addition, in view of the court's first question above, the CJEU noted that the concept of an "undertaking" has no bearing on whether and under what conditions an administrative fine may be imposed under Article 83 of the GDPR on a controller. Rather, that concept is relevant only for the purposes of calculating the amount of the administrative fine to be imposed.

In that respect, the CJEU noted that, where the addressee is or forms part of an undertaking, a supervisory authority must take as its basis the concept of an "undertaking" under competition law. Therefore, the CJEU confirmed that the maximum amount of the fine must be calculated on the basis of a percentage of the total worldwide annual turnover of the undertaking concerned, taken as a whole, in the preceding business year.

Findings on strict liability

Secondly, the CJEU considered whether Article 83 of the GDPR allows for findings of strict liability on the part of a controller. In a similar manner to the Lithuanian referral, the CJEU found that the GDPR does not allow for the imposition of administrative fines absent wrongdoing – whether intentional or negligent – on the part of the controller that gave rise to the infringement. The CJEU noted that the conditions under which a supervisory authority may impose an administrative sanction under the GDPR are solely a matter for EU law, and not national law.

Comment

Organisations will welcome clarification of the rules for issuing administrative fines under the GDPR. The requirement to demonstrate that infringements were carried out intentionally or negligently effectively confirms that there is no 'strict liability' on the part of organisations for infringements of the GDPR. This may limit the liability of organisations who, for example, fall victim to cyberattacks. However, it is still open to supervisory authorities to seek to impose sanctions on those organisations who were exposed to a cyberattack due to their failure to implement technical and organisational measures appropriate to the risk profile of the compromised personal data. In such cases, it will likely be difficult for a controller to argue that the failure to implement such measures was not, at least, negligent.

These decisions also importantly confirm that an administrative fine may be imposed on a controller where it could not have been unaware of the infringing nature of its conduct, regardless of whether or not it was aware that it was infringing the GDPR. In addition, it is clear that there is no requirement to show that the management of a controller caused, or knew of, the infringement in order for a fine to be imposed. The decisions demonstrate the need for controllers to exercise their best efforts to ensure that data protection policies and compliance measures are up to date and in line with regulatory guidance, supervisory authority decisions and CJEU case-law. Organisations should also ensure that they have processes in place to regularly verify the robustness of their organisational and technical security measures to protect personal data against unauthorised access or disclosure.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.