European Advocate General rejects the need for “strict liability” in GDPR violations – The last word, however, is not yet spoken

It is, by now, well known that not taking data protection seriously can prove costly for organizations. Since the introduction of the European General Data Protection Regulation (the "GDPR") in 2018, non-GDPR-compliant organizations have been exposed to the risk of fines of up to EUR 20 million, or four percent of a group's total worldwide annual group turnover. Across Europe, cases involving high fines are increasingly common, with some reaching hundreds of millions of Euros. One of the key questions regarding such fines is whether the GDPR entails strict liability (as advocated, for example, by some German Data Protection Authorities and courts) or whether some level of intent or negligence is required before a fine can be imposed. On April 27, 2023, the Advocate General delivered his opinion on this question in relation to a request for a preliminary ruling from the Kammergericht Berlin, the Higher Regional Court of Berlin/Germany, to the Court of Justice of the EU (the "CJEU"), in an administrative law proceeding. The proceedings involved a EUR 14 million fine imposed by the Berlin Data Protection Authority against a real estate company for various violations of the GDPR in the context of the processing of tenants' personal data.

Unclear requirements and divergent views from supervisory authorities and German courts

The GDPR per se does not provide a legal framework that stipulates the conditions for attributing blame in the context of a data breach committed by an individual acting on behalf of a company (e.g., executives or employees). The core question is: Which legal regime governs the imposition of GDPR fines on companies? Is it a strict liability regime (similar to that which exists under EU antitrust law) or is it Member State laws, which follow their own specific standards?

Under current German law on administrative offenses, a fine can, in general, only be imposed on a company to the extent that the law enforcement authorities can prove either a culpable violation of the law by the company's executives, or a violation of their supervisory duties resulting in a culpable breach of the law by an employee or other persons acting on behalf of a company. Obviously, this leads to a higher burden of proof for law enforcement authorities compared to, for example, the strict liability principle of EU antitrust law. Supporters of the concept of strict liability point to the principle of the effectiveness of European law (effet utile), which contradicts diverging national practices in this area.

Need for a decision by the European Court of Justice

In the aforementioned case, the court of first instance had doubts about the requirement of a strict liability concept and repealed the fine imposed against the real estate company.

The court found that a strict liability concept would violate, inter alia, the principle of culpability and concluded that the Berlin Data Protection Authority did not investigate the case in sufficient detail. At the appeal stage, the Berlin Court of Appeal (Kammergericht) made a reference to the CJEU, seeking clarification on whether or not the GDPR required a strict liability concept.

In his eagerly awaited opinion on the case, the Advocate General found that the imposition of an administrative fine on a company is not conditional on a prior finding of an infringement committed by one or more specific individuals acting on behalf of that company. In reaching this conclusion, the Advocate General emphasized that the GDPR's penalty system only focuses on the legal person acting as controller or processor, and any other interpretation would lead to an unjustified weakening of the scope of punishable conduct. The Advocate General further found that administrative fines imposed under the GDPR require the infringement to have been committed intentionally or negligently, to ensure a uniform approach to this issue across the EU. In the Advocate General's view, such a uniform approach "would not be achieved if each Member State were able to penalize infringements of a disparate nature, including mere objective infringements devoid of intent or negligence."

Outlook

In the context of GDPR fines, the Advocate General appears to be reluctant to go down the route of the German law on administrative offenses, but also clearly advocates against the application of a strict liability concept, primarily for the purpose of ensuring the uniform application of the GDPR's penalty system across the EU. However, the CJEU is not bound by the opinion of the Advocate General and it remains to be seen whether it will follow the Advocate General's approach. Clearly, this topic will be of huge interest to any organization that is facing potential enforcement action under the GDPR. If the CJEU adopts the Advocate General's approach and rejects strict liability for GDPR infringements, it will follow that Data Protection Authorities must satisfy the burden of proof regarding intent or negligence by the relevant controller or processor. On the other hand, if the CJEU does not adopt the Advocate General's approach, then it is likely to become significantly easier for Data Protection Authorities to issue penalties for GDPR non-compliance.

_{White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.}

_{This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.}

_{© 2023 White & Case LLP}