Assessing impact of court ruling on GDPR strict liability


The idea that companies can be held “strictly liable” for violations of the European Union’s privacy rules was shot down by a judgment from Europe’s top court.

On Dec. 5, the Court of Justice of the European Union (CJEU) held that a data controller can only have an administrative fine imposed on it for an infringement of the General Data Protection Regulation (GDPR) if the infringement was committed intentionally or negligently.

The judgment “shows that companies can defend themselves successfully against excessive allegations of GDPR violations,” said Tim Wybitul, privacy and cyber partner at law firm Latham & Watkins.
