On April 27, 2023, the Advocate General (“AG”) of the Court of Justice of the European Union (“CJEU”) issued his opinion in case C-807/21 on the conditions for imposing GDPR fines on legal persons (e.g., companies). He opined that Member States’ law may not stipulate conditions going beyond those set out in the GDPR that make it more difficult to impute GDPR infringements to companies. In addition, he is of the opinion that GDPR penalties may only be imposed for intentional or negligent conduct, since the GDPR does not provide for a strict liability (no fault) system.
The case arises from a €14.5 million fine the Berlin Supervisory Authority imposed on Deutsche Wohnen SE for infringing the GDPR’s data retention obligations. Subsequently, the District Court of Berlin overturned the fine, because the fine failed to satisfy certain rules under the German Act on Regulatory Offences (see our blog post). The Berlin Public Prosecutor’s Office then appealed the case to the Higher Regional Court, which referred the following two questions to the CJEU:
(1) May a penalty be imposed on a company for infringement of the GDPR without first imputing that infringement to a natural person acting on the legal person’s behalf?
The AG is of the opinion that the GDPR must be interpreted as meaning that the imposition of an administrative fine on a company is not conditional on a prior finding of an infringement committed by one or more individual natural persons acting on behalf of that company. Member States’ laws may not require this as a pre-condition for imposing a GDPR administrative fine.
(2) Must the GDPR infringement in respect of which the penalty is imposed in all cases have been committed intentionally or negligently, or may a penalty be imposed by the mere objective fact that a GDPR obligation was breached?
The AG is of the opinion that the question is inadmissible because it is hypothetical in nature, since Deutsche Wohnen SE was found to have intentionally breached the GDPR. Nevertheless, he states that, in his view, GDPR fines require the conduct constituting the infringement to be intentional or negligent, thus ruling out the application of a strict liability regime.
This German case is similar to an Austrian case, in which the Federal Administrative Court annulled the €18 million fine that the Austrian Supervisory Authority imposed on the Austrian Post on the grounds that Austrian procedural law requires imputing the GDPR infringement to a natural person (not necessarily a manager) acting on the legal person’s behalf (see the decision, only available in German).
* * *
The AG’s opinion is not binding on the CJEU. The Covington Privacy and Cyber team will report back once the CJEU renders its judgment.
(This blog post was written with the contribution of Alberto Vogel.)