In a decision that is likely to be broadly welcomed by many organisations, the Court of Justice of the European Union (the "CJEU") has held that a Data Protection Authority's ("DPA") is not obliged to exercise corrective powers, such as the imposition of an administrative fine, where an infringement of the GDPR occurred. However, privacy campaigners are likely to take encouragement from the Court's finding that a DPA is obliged, when an infringement of the GDPR is established, to take measures which are 'appropriate, necessary and proportionate' in the circumstances to remedy the infringement and ensure that the GDPR is fully enforced.
Background
In November 2019, a German savings bank reported a personal data breach, in accordance with Article 33 of the GDPR, to the Hessen Commissioner for Data Protection and Freedom of Information, Germany (the "HBDI"), after an employee had unlawfully consulted a customer's (the "data subject") personal data on several occasions. The savings bank did not inform the data subject of the breach under Article 34 of the GDPR, as its data protection officer took the view that it was not likely to result in a high risk for the data subject. The savings bank took a number of measures to remedy the breach, including:
(a) disciplinary measures against the employee concerned;
(b) the employee confirming in writing that she had neither copied nor retained the data, that she had not transferred them to third parties and that she would not do so in the future; and
(c) the savings bank confirming to the HBDI that it would review the length of time for which record access logs were retained.
The data subject later discovered the breach and filed a complaint with the HBDI, complaining he was not notified of the breach and criticizing the short retention period for the savings bank's access logs. Following investigation, the HBDI concluded that the bank's assessment that it was not required to notify the personal data breach to the data subject was not manifestly incorrect and decided not to impose corrective measures on the savings bank under Article 58(2) of the GDPR.
The data subject then lodged an action against the decision of the HBDI with the Verwaltungsgericht Wiesbaden (the "Referring Court"), arguing that the HBDI failed to handle his complaint in accordance with the requirements of the GDPR and should have imposed a fine on the savings bank, in light of the savings bank's infringements of the GDPR. The data subject argued that where a breach of the GDPR is established, the HBDI did not have the discretion to decide whether or not to act, and its discretion only extended to which corrective measures to adopt.
The Question Referred
The Referring Court referred the following question to the Court of Justice for preliminary ruling:
"Are Article 57(1)(a) and (f), Article 58(2)(a) to (j) and Article 77(1) [of the GDPR], to be understood as meaning that, where the supervisory authority finds that data processing has infringed the data subject's rights, the supervisory authority must always take action in accordance with Article 58(2) [of that regulation]?"
The CJEU's Decision in Case C-768/21 Land Hessen
In considering the question, the CJEU noted that each DPA is required to handle complaints which any data subject is entitled to lodge in its territory in accordance with Article 77(1) of the GDPR. Article 58(1) of the GDPR confers on DPAs investigative powers and Article 58(2) sets out DPA's corrective powers. These include the power to impose an administrative fine pursuant to Article 83 of the GDPR in addition to, or instead of, the exercise of any other powers set out in Article 58(2).
In the present case, the HBDI had examined the data subject's complaint, informed him of the outcome of the investigation, confirmed that a personal data breach had occurred in relation to his personal data and concluded there was no need to take an action against the savings bank under Article 58(2).
The CJEU stated that the GDPR leaves a DPA a discretion as to the manner in which it must remedy shortcomings it has found, since Article 58(2) confers on DPAs the power to adopt various corrective measures. The DPA must determine which action is appropriate and necessary, and in doing so must take into account all the specific circumstances of the case, with a view to ensuring that the GDPR is fully enforced with all due diligence. Importantly, a DPA's discretion is limited by the requirement to ensure a consistent and high level of protection of personal data, through strong enforcement.
The CJEU noted that with respect to imposing administrative fines, it is apparent from Article 83(2) of the GDPR that such fines are imposed depending on the circumstances of each individual case in addition to, or instead of, the other corrective measures under Article 58(2). The CJEU stated that it cannot be inferred either from Article 58(2) or from Article 83 of the GDPR that the DPA is under an obligation to exercise a corrective power in all cases where it finds a breach, in particular the power to impose an administrative fine. It also held that a complainant whose rights have been infringed does not have a subjective right to seek the imposition by the DPA of an administrative fine.
The DPA is, however, required to take action where the exercise of one or more of its corrective powers provided for in Article 58(2) of the GDPR is, taking into account all the circumstances of the specific case, appropriate, necessary and proportionate to remedy the shortcoming found and ensure that that GDPR is fully enforced.
Therefore, the exercise of a corrective power may, exceptionally and in light of the particular circumstances of the specific case, not be required even though a breach has been established, provided that the infringement has already been made good, the processing of the controller is in compliance with the GDPR, and such non-action by the supervisory authority is not liable to undermine the requirement for the strong enforcement of the GDPR.
On this basis, the CJEU ruled that "Article 57(1)(a) and (f),Article 58(2) and Article 77(1) of the GDPR must be interpreted as meaning that, when a breach of personal data has been established, the supervisory authority is not required to exercise a corrective power, in particular the power to impose an administrative fine, under that Article 58(2) where such action is not appropriate, necessary or proportionate to remedy the shortcoming found and to ensure that that regulation is fully enforced".
Key Takeaways
We set out below some of the key points to note from this judgment:
- If an infringement of the GDPR is established following investigation, a DPA must take measures which are appropriate, necessary, and proportionate, considering the specifics of each case.
- In exceptional circumstances, a DPA may refrain from exercising corrective powers even after establishing a breach has occurred. This may arise where, for example, a breach has been "made good" and the controller has taken necessary and appropriate measures, as soon as it became aware of the breach, to remedy the breach, prevent recurrence and ensure compliance with the GDPR.
- A DPA's discretion is limited "by the need to ensure a consistent and high level of protection of personal data through strong enforcement". Therefore, a DPA must take action when corrective measures under Article 58(2) of the GDPR are deemed appropriate, necessary, and proportionate based on the specific circumstances of the case and to ensure that the GDPR is fully enforced.
- A DPA is not required to impose a fine in each case where the GDPR was infringed. This is especially relevant in the case of a minor infringement or if the administrative fine would impose a disproportionate burden on a natural person. A DPA's obligation is to impose appropriate actions to remedy any shortcomings found, based on the circumstances of the individual case, which may include imposing a fine in addition to, or instead of, another corrective measure.
- Data subjects whose rights have been infringed do not have a subjective right to demand the imposition of administrative fines by a DPA.
This judgment will provide welcome clarity regarding the scope of DPAs' discretion when it comes to imposing corrective measures, in particular administrative fines. This will be especially relevant when DPAs are investigating more minor infringements and infringements which have largely been remedied by controllers at the first opportunity.
Also contributed to by Rory Purcell
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.