When British Airways and Marriott International received massively discounted General Data Protection Regulation (GDPR) fines from the U.K.’s data regulator, critics said the decisions sent the “wrong message” to companies that penalties levied under the privacy law could be challenged effectively.
And when German property company Deutsche Wohnen successfully managed to get its €14.5 million GDPR penalty annulled in March after a court ruled the fine was incompatible with German national law, many lawyers suggested taking on data protection authorities (DPAs)—in whichever country—has to be worth a punt if a company can afford it.
According to a recent report released by the European Data Protection Board (EDPB), the body responsible for overseeing GDPR implementation across the bloc, most DPAs in the European Economic Area have had GDPR decisions with fines successfully appealed—some more than others.
Between the law’s May 25, 2018, enforcement date until May 31 this year, Bulgaria has had a leading 328 of its fine decisions appealed in court: 71 were annulled and 24 were modified. Spain has had 266 decisions appealed, resulting in 68 annulments and 22 modifications. Of Italy’s 233 decisions appealed, 25 were annulled and 14 modified.
When to appeal a GDPR fine
Sarah Simpson, senior associate at law firm Katten Muchin Rosenman, says while DPAs are mainly “being challenged successfully according to the specific facts of the cases involved,” several common themes are becoming apparent about why companies have sufficient grounds to successfully appeal. These include:
- DPAs misapplying their powers;
- Fines being disproportionate to the nature of the violation;
- Companies successfully demonstrating they did not willfully intend to commit a breach, nor gained any benefit as a result of it (despite the level of negligence);
- Companies demonstrating they have successfully mitigated the damage suffered by the data subjects concerned and cooperated fully with the DPA to reduce future impact; and
- COVID-19’s impact on a company’s financial ability to pay.
Simpson believes it is still worthwhile for companies to challenge fine decisions if they have the funds to do so.
“Given some fines have been reduced by up to 90 percent, it is certainly worthwhile to consider instructing experts to vigorously challenge a DPA enforcement notice/notice of intent, especially where considerable fines are at stake,” she says.
Even countries without triple-figure appeals have seen a high rate of successful court challenges. For example, of Austria’s 14 fines subject to appeal, four were annulled and another four modified. Belgium has seen 12 of its GDPR fines challenged in court, resulting in eight being annulled, while of the Netherlands’ four decisions subject to appeal, one was annulled (although the Dutch DPA is currently appealing this) and another modified.
Conversely, DPAs in France, Greece, Romania, Slovakia, Croatia, and Malta have not seen any of their fine decisions overturned when challenged.
The data published by the EDPB is hardly exhaustive: for example, information about why any of the fines were annulled or modified (and by how much) is not disclosed. National DPAs are also not under any legal obligation to make their decisions public—a situation that has raised concerns (and complaints) by both companies and those data regulators that believe increased transparency would create better enforcement consistency.
Experts say it is difficult to determine any trends in enforcement from the figures or make any link between the number of fines issued versus the number of appeals. Some also point out a DPA’s preferred sanction is for companies to make corrective actions to prevent further GDPR violations/harm, rather than hand out financial penalties.
Several lawyers believe the number of appeals is down to companies simply having the legal right to test decisions, while their success is due to their merits on a case-by-case basis.
Julie Rubash, chief privacy counsel at data privacy software vendor Sourcepoint, says, “It is not surprising so many appeals have taken place since regulators are dealing with a new law, so there may be incidences where DPAs have been overzealous or interpreted the GDPR incorrectly.”
Rubash also believes part of the problem is because of the regulators’ lack of resources and experience.
“The EDPB’s report makes it very clear most DPAs believe they don’t have the budgets or technical skills to process GDPR complaints and investigations quickly,” she says. “As a result, inexperienced and under-resourced staff have likely made mistakes interpreting what the GDPR means in practice in their early actions.”
“We are seeing the results of early investigations commenced in 2018/19 that may have lacked the level of expertise and refinement required to ensure challenges were kept to a minimum,” says Kingsley Hayes, head of law firm Keller Lenkner UK’s Data Breach specialty. “There is also the salient point that the level of fines set was open to scrutiny and had to be justified. Without a prior history of fines, challenges were always inevitable.”
Ilia Kolochenko, data privacy and security expert at information security vendor ImmuniWeb, says the large number of appeals in some countries might be because of the “broad discretion” DPAs have to impose penalties depending on their severity and the level of harm caused. Sanctions can also be issued for “subjective” reasons, such as the degree of cooperation an offending company has had with the regulator.
Further, Kolochenko says, some DPAs “instinctively follow national judicial trends” and “consider political or social factors when imposing GDPR penalties” to encourage future infringers to openly cooperate or, conversely, demonstrate zero tolerance for specific privacy violations. As a result, courts might disagree with a DPA’s reasoning or legal arguments on appeal.