When the European Union put the General Data Protection Regulation (GDPR) into force nearly three years ago, the expectation was Europe’s then-28-member bloc would enforce data protection in the same way. Such hopes now look premature.
Notwithstanding disagreements between different data protection authorities (DPAs) about how punitively they should enforce the GDPR, it now appears some jurisdictions have found local laws can either take priority or overrule it altogether.
In February, a €14.5 million (U.S. $17.2 million) fine against Deutsche Wohnen was dropped after the Regional Court in Berlin found that under German law the company could not be held responsible for violating the GDPR unless blame could be attached to a specific individual or executive—even though such a requirement does not exist in the GDPR itself.
Under Article 83 of the regulation—which relates to how administrative fines should be imposed—companies, rather than individuals, are held liable for data protection violations.
However, Germany’s Administrative Offences Act says fines can only be imposed on companies if there is evidence of a specific act, undertaken by management or legal representatives, that has led to the law being broken. The prosecution has filed an appeal against the Berlin court’s decision.
The Conference of German DPAs (known as the Datenschutzkonferenz, or “DSK”) has consistently expressed the view a data regulator need only establish a breach of the GDPR has occurred for a company to be held responsible and be subject to a fine. No individual (either an employee or senior manager) needs to be identified, the DSK says.
Camilla Winlo, director of consultancy at data privacy specialist firm DQM GRC, calls the ruling “unexpected.”
“The Berlin Court decided the Berlin DPA needed to provide evidence of negligence on the part of individual managers in order to make the fine stick. It appears what they actually provided was evidence of a failure to comply over a period of time,” she said, adding this “shows how difficult it is for DPAs to make GDPR fines stick.”
Winlo adds it could be difficult to prove the level of management involvement in future GDPR cases: “The Berlin DPA appears to have focused on the evidence of noncompliance with the data protection requirements around data erasure and storage limitation. It had evidence from a number of audits to show the issue had been raised and not addressed. However, it is not usually the role of an auditor to assign personal responsibility for addressing issues.”
“Only time will tell whether this issue can be aligned across Europe, and the outcome will be of major importance for GDPR enforcement activity going forward.”
Lars Lensdorf, Partner, Covington & Burling
While many experts say the Berlin court’s ruling puts the country at odds with the GDPR—as well as how other EU jurisdictions have enforced it—courts in some other EU member states have taken a similar line.
Last year, Austria’s Federal Administrative Court annulled a decision imposing an €18 million (U.S. $20 million) fine on the Austrian Post, the country’s main postal service, stating Austrian procedural law requires a supervisory authority to establish one or several individuals (not necessarily managers) of a company committed a GDPR breach.
At the time, many lawyers suggested France had decided to “creatively” use legislation in place before the GDPR took effect so that it could bring the companies to book more quickly than their designated supervisory authorities—Ireland (Google) and Luxembourg (Amazon)—could under the slow and much-criticized “one-stop shop” mechanism of the GDPR. Several experts believe other countries with strong GDPR enforcement appetites—such as Spain, Italy, and Belgium—might follow suit.
Experts suspect courts in other countries have also likely seen the GDPR conflict with pre-existing domestic legislation too (and possibly come off second best). The fact that not all EU DPAs publish information relating to penalty decisions makes proper analysis and comparison difficult, they say—an issue U.K. Information Commissioner Elizabeth Denham has also raised.
Akber Datoo, CEO at legal data consulting firm D2 Legal Technology, says the Deutsche Wohnen case and others “shows the calculation and determination of GDPR fines is still evolving,” and that it “re-emphasizes it may be worth challenging GDPR fines in court.” This is especially true in Germany, he says, because “the fining guidelines of the German DPAs can no longer be applied as they have been found to fail the Article 83 standards required.”
Lars Lensdorf, partner at law firm Covington & Burling, says the question of the interplay between Article 83 of the GDPR and national rules on evidence and procedure may ultimately be referred to the Court of Justice of the European Union. “Only time will tell whether this issue can be aligned across Europe, and the outcome will be of major importance for GDPR enforcement activity going forward,” he says.
Winlo advises caution, however. “I don’t think it’s a good idea to draw too many conclusions from one court decision that may yet be appealed and overturned,” she says.