Landmark Ruling: The Court of Justice of the European Union Rejects Strict Liability in the General Data Protection Regulation


8 minute read | December 11, 2023

The Cybersecurity & Privacy Compass

In this Essential Guide, which is part of Orrick's Cybersecurity & Privacy Compass Series, we provide insight into the potential fines that companies may face for violating the General Data Protection Regulation ("GDPR"), specifically when infringements are deemed negligent or wilful, as set out in the ruling by the Court of Justice of the European Union ("CJEU"). The Cybersecurity & Privacy Compass is your global guide to constant cybersecurity and privacy change.

Data protection authorities in Europe can fine companies for violating the General Data Protection Regulation ("GDPR") only if the infringements are negligent or wilful, the Court of Justice of the European Union ("CJEU") has ruled. The judgment C-807/21 (Deutsche Wohnen) rejects strict liability and provides legal clarity to companies in Germany and around Europe.

The CJEU has already ruled in another case this year regarding liability for damages. This decision provides further clarity by setting the conditions under which national data protection authorities may impose administrative fines on one or more data controllers for an infringement of the GDPR.

In particular, the CJEU holds that authorities can impose fines only in cases of negligent or wilful conduct, i.e., authorities cannot impose fines on a 'no-fault' basis, meaning there is no 'strict liability.'

However, there is an open and ongoing legal debate on the court's decision, as the court has not been explicit about whether the faulty behaviour must have occurred at the management level or whether wrongful behaviour by any person or party engaged by the controller is sufficient.

Key Takeaways of the Decision

  • Fines can be imposed directly on a legal person without the need for proceedings against a natural person acting on its behalf.
  • There is no strict liability, i.e., the mere infringement of a GDPR obligation is not sufficient to trigger a fine.
    • This is especially important in cases where data is compromised due to malicious third parties.
    • Authorities will need to provide arguments that an infringement of GDPR obligations is due to a culpable breach by a legal person.
    • If a cyberattack occurs despite appropriate security measures, and there is no other culpability, the risk of a fine will be reduced.
  • However, the threshold for liability may not be very high. The CJEU did not demand culpable behaviour on the management's side, so GDPR compliance should still be given high priority.
    • Companies can mitigate risks by measures such as training, building a robust compliance organization, and having appropriate processes in place to ensure that employees and vendors comply with legal requirements.
  • The CJEU also confirms the interpretation already adopted by the data protection authorities of the term "undertaking" with regard to the amount of fines, which refers to the entire group and not just one legal person.

Background to the Decision

The case stems from a fine the Berlin Data Protection Authority imposed on Deutsche Wohnen SE ("Deutsche Wohnen"), a major German real estate company. Authorities fined the company EUR 14.5 million for failing to delete tenant data despite a request to do so.

According to a special feature of the German law on administrative offenses applicable to the imposition of fines, authorities must prove fault on the part of a company's board members or representatives to fine that company.

This requires a culpable act or omission from someone acting on behalf of the company. Such a culpable omission is, for example, when a company lacks an adequate compliance organization. The fining authority must prove culpability, which is often difficult in practice.

With regard to the GDPR, which is European law, it has been disputed whether this German regulation is applicable, whether culpability is required at all, or whether any breach of the GDPR can lead to a fine.

Deutsche Wohnen challenged the fine before the Regional Court of Berlin (Landgericht Berlin), which ruled that there had to be a culpable act by a natural person for authorities to issue a fine. The decision was appealed to the Higher Regional Court, Berlin (Kammergericht Berlin), which referred the case to the CJEU with the following two questions for a preliminary ruling:

  • Is Article 83 (4) to (6) of the GDPR to be interpreted as incorporating into national law the functional concept of an undertaking and the principle of an economic entity, ... as a result of which ... proceedings for an administrative fine may be brought directly against an undertaking?
  • Is Article 83 (4) to (6) of the GDPR to be interpreted as meaning that the undertaking must have intentionally or negligently committed the breach of an obligation vicariously ... or is the objective fact of breach caused by it sufficient, in principle, for a fine to be imposed on that undertaking ("strict liability")?

The CJEU Decision and Its Consequences

First Question

According to the CJEU, there is no impediment under EU law to considering a legal person to be the perpetrator of the infringement and the party liable for the penalty. Indeed, the ability to impose a penalty directly on a legal person is one of the key mechanisms for the GDPR's effectiveness. According to the CJEU, the GDPR therefore allows administrative fines to be imposed on legal persons directly.

With respect to the question of whether it is first necessary to impute an infringement to a natural person, the CJEU clarified that there is no rule that the liability of a natural person must first be established before a legal person can be held liable.

National legislation that requires proceedings to be brought first against a natural person before a fine can be issued against a legal person violates the GDPR and is thus invalid.

The CJEU ruled that legal persons must bear the consequences, in terms of penalties, of GDPR infringements committed in their name. The GDPR conclusively defines the powers of data protection authorities, in particular regarding remedial measures such as fines. There is no room for Member State regulation. The material requirements for fines are therefore not subject to national regulations. Member States may only determine the actual procedure for imposing fines. This is required by the principle that the GDPR aims to create a uniform level of data protection across the Member States. Moreover, the Member States are obliged not to impede the direct applicability inherent in regulations, since doing so would conceal the nature and consequences of EU law from the persons concerned.

The CJEU stated that legal persons are liable not only for infringements committed by their representatives, directors, or managers but also by any other person acting in the course of the business of those legal persons and on their behalf. The court stated further that where the controller is a legal person, it should also be clarified that, for Article 83 of the GDPR to apply, it is not necessary for there to have been action by or even knowledge on the part of the management body of that legal person. Following the decision, a legal debate regarding the statements of the CJEU ignited around the requirements for culpability of representatives and management.

The CJEU rules that the term 'undertaking' and its interpretation (within the meaning of Art. 101 and 102 TFEU) is not relevant to whether a fine may be imposed, as this is conclusively regulated in the GDPR. However, the interpretation of the term 'undertaking' is relevant for determining the amount of the fine. The CJEU notes that the term 'undertaking' used in Art. 83 of the GDPR for determining the total annual turnover should be based on the concept of an 'economic unit' (Judgment C‑882/19, paragraph 41 and the case law cited). In that understanding, it means any entity engaged in an economic activity, irrespective of its legal status and the way in which it is financed.

Second Question

Culpability is required, i.e., either intentional or negligent behaviour must be present for a fine to be imposed. In other words, the CJEU has ruled that there is no strict liability. Art. 83 (2) of the GDPR lists the criteria that the data protection authority takes into account when imposing a fine on the controller. According to letter b of this provision, these criteria include the "intentional or negligent nature of the infringement." The CJEU also highlights that the GDPR does not mention any possibility that the controller will incur liability in the absence of wrongful conduct on its part.

The CJEU additionally relies on the systematic structure of the GDPR and on the concept, mentioned under the first question, that the GDPR must be applied uniformly throughout the Union. This also means that data protection authorities must have equivalent powers for ensuring compliance with the GDPR and for imposing equivalent fines. It further argues that competition within the European Union could be harmed if some Member States were to introduce strict liability and thus adopt stricter liability rules than others.

As far as the standard applied to negligence is concerned, the CJEU ruled that, at a minimum, a data controller can be sanctioned for conduct even if it was unaware of the unlawfulness of that conduct, regardless of whether it knew that it was in breach of the provisions of the GDPR.

Consequences

The decision will initially have a direct impact in Germany, where the provisions of the Administrative Offenses Act (Ordnungswidrigkeitengesetz) will have to be applied in line with the CJEU's interpretation of the GDPR.

On the other hand, the ruling provides some welcome clarification across Europe. For example, the CJEU has rejected the interpretation of some Member States, which considered strict liability to be permissible. The CJEU also comments on the question of the extent to which Member States may impose material regulations on the powers of data protection authorities, including fines—namely not at all. Finally, the CJEU comments, albeit only marginally, on the question of when negligence exists.