The Court of Justice of the European Union (CJEU) clarified in two judgments delivered in December 2023 (Deutsche Wohnen, ECLI:EU:C:2023:950 [DW] and Nacionalinis visuomenės sveikatos centras, ECLI:EU:C:2023:949 [NVSC]) the conditions under which data protection authorities across the EU may impose fines on companies for violations of the GDPR, specifically where those violations were committed by unidentifiable employees of the company (DW) or by third parties (NVSC).
The NVSC case arose in Lithuania and concerned the development of a Covid-tracking app by a third-party vendor on behalf of the Lithuanian public health services. The dispute in DW related to the company’s storage of information allegedly in violation of the GDPR. At issue in both cases was the extent to which the companies could be held responsible if infringements of the GDPR had occurred but a third party (NVSC) or unidentifiable employees (DW) had engaged in the allegedly infringing acts. Both cases involved the interpretation of national law in light of the GDPR and were therefore referred by the national courts to the CJEU.
By way of background to the DW matter: under German law as applied until now, a corporation could only be fined if the conduct of which it was accused could be traced to wrongdoing by an identifiable individual. This is not a prerequisite under the GDPR. The CJEU ruled that national law (in this case German law) cannot impose a stricter liability threshold than the GDPR.
Additionally, the CJEU ruled that under the GDPR a fine may be imposed only if, in addition to a finding of infringement, intention or negligence on the part of the controller is established, although no specific natural person needs to be identified.
With respect to the NVSC matter, the CJEU clarified the liability of controllers for the actions of processors. In principle, controllers are liable for infringements committed by processors acting on their behalf. This does not apply, however, where the processor departs from the agreement in place with the controller and acts outside the controller’s instructions.
In both cases, the CJEU noted that while Member States may design the administrative procedure leading to the imposition of a fine, the substantive conditions establishing liability are governed solely by the GDPR. In reaching its decisions, the CJEU indicated that the maximum administrative fine should be calculated on the basis of 4% of the total worldwide turnover of the undertaking concerned, i.e. of the corporate group. The concept of an undertaking is well known to European competition lawyers: an undertaking is the ‘economic unit’ encompassing all entities which together form a unitary organisation of personal, tangible and intangible elements.
The CJEU’s findings confirm the view expressed by the European Data Protection Board in its Guidelines 04/2022 on the calculation of administrative fines under the GDPR. There, the Board had already supported the transposition of the competition law concept of the undertaking, as well as the principles for attributing employee conduct to the controller described above. It is noteworthy, though, that in the cases discussed in this article the CJEU stressed that the concept of the undertaking is relevant only for determining the amount of the administrative fine. This raises the question of whether, and to what extent, the principle of parental liability, well established in the private enforcement of EU competition law, also applies to private actions for damages under the GDPR.
Putting It Into Practice: The European rulings send a mixed message to data controllers and processors. The rejection of strict liability (i.e. liability irrespective of wrongdoing on the part of the controller) will come as a relief. The clarification that fines may be as high as 4% of the global turnover of a corporate group, even where the infringement was committed by a local subsidiary, is not surprising. It nevertheless serves as a reminder that GDPR breaches can have serious financial consequences, and that European regulators have steadily increased the fines imposed since the GDPR came into force.