A €14.5 million (U.S. $17.2 million) fine against Deutsche Wohnen issued more than a year ago has been dropped after a German court found that, under German law, the property company could not be held responsible for violating the European Union’s strict privacy laws unless blame could be attached to a specific individual or executive.
The ruling, made by the Regional Court in Berlin in February, puts Germany at odds with the rest of the European Union over how the General Data Protection Regulation (GDPR) should be interpreted and whether national law trumps EU law.
Under Article 83 of the GDPR—which relates to how administrative fines should be imposed—companies, rather than individuals, are held liable for data protection violations.
However, Germany’s Administrative Offences Act (OWiG) says fines can only be imposed on companies if there is evidence of a specific act undertaken by management or legal representatives that has led to the law being broken.
In September 2019, Deutsche Wohnen was fined by the Berlin data protection authority (DPA) for failing to implement measures to enable regular deletion of tenant data that was no longer required. At the time, the €14.5 million fine was the largest financial penalty issued under the GDPR in Germany.
However, following an appeal, the company released a statement on Feb. 23 announcing that the court had declared the fine invalid because it was not “sufficiently substantiated.”
In particular, the court held that, since the Berlin DPA did not specify which actions by the management team had caused the violations, there was no case to answer (even though the court does not dispute that the company held onto customer information unnecessarily).
The public prosecutor in Berlin has now appealed the decision in consultation with the Berlin DPA, but it will likely take a long time until a final decision is rendered, experts say.
A spokesperson for Deutsche Wohnen declined to comment on the ongoing legal proceedings.
This is the second time a GDPR fine has failed to stand up in German court.
In November 2020, the Bonn Regional Court reduced a €9.55 million fine against 1&1 Telecom by 90 percent down to €900,000 due to the DPA’s errors in its assessment when setting the fine. In that case, the court simply said the original penalty had been “unreasonably high.”
Since 2019, German DPAs have said the OWiG is at odds with the GDPR and therefore contradicts EU law. Germany’s data regulators have argued national legislation either needs to be removed or amended to ensure the country is in sync with the rest of the European Union regarding data privacy.
German DPAs have also said that if GDPR violations can be enforced only where members of management can be proven to have been responsible for them, then a fine against a large company would often not be provable due to the complexity of corporate structures, thereby putting small- and medium-sized companies at a disadvantage.
Manuela Finger, intellectual property partner in the Munich office of law firm Gowling WLG, says that “the Berlin Regional Court’s interpretation of the German law on administrative offenses is not in line with the will of the European legislator. These regulations must be interpreted in light of European regulations in order to ensure uniform application of the GDPR in all member states.”
Experts believe the Berlin court’s decision will lead to similar appeals by other companies that have received GDPR-related fines in Germany. Some also suggest German DPAs’ fining mechanisms will now need to be reviewed since they are more likely to be subject to challenge—especially if they do not make reference to and substantiate specific acts taken by management.
“While there is a joint approach among German DPAs, this decision will probably trigger similar arguments by other companies that have been fined,” says Finger. “There will also be calls for clarification of the German rules on administrative offenses under GDPR, be it by a verdict by the Court of Justice of the EU or by clarifying German legislation.”