GDPR fines: ECJ allows direct sanctions against legal persons, but no strict liability

The European Court of Justice (ECJ) decided in the “Deutsche Wohnen” case (Case C-807/21) that it is not necessary for imposing an administrative fine under the General Data Protection Regulation (GDPR) against a legal person to first attribute the infringement to an identified natural person. Conflicting Member State legislation does not apply. However, according to the ECJ, liability requires a culpable infringement (intent or negligence). Here, however, the ECJ refers to the low-threshold standard of culpability under EU antitrust law. Finally, the ECJ also rendered an obiter dictum on the concept of an undertaking when setting the maximum limit for an administrative fine, which may lead to higher penalties.

(This article has been published priorly in German here)

Background

In its current form, the German law on administrative offences does not provide for the direct liability of a company. Imposing an administrative fine on legal persons requires, according to Section 30 of the Law on Administrative Offences (OWiG), that a natural person (manager) has committed an unlawful and culpable or blameworthy offence that can be attributed to the company. Since the GDPR came into force, it has been controversial whether this also applies to administrative fines under Article 83(4) to (6) GDPR. At the same time as the GDPR became applicable, the German legislator stipulated in Section 41(1) of the German Data Protection Act (BDSG) that the provisions of the OWiG apply mutatis mutandis to infringements under Article 83(4) to (6) GDPR, unless the BDSG provides otherwise. Section 30 OWiG was not excluded from that application. This seemed only logical, as the GDPR provides for draconian sanctions for data protection infringements with administrative fines of up to EUR 10 million or EUR 20 million and, in the case of a company, even up to 2% or 4% of the total worldwide annual turnover of the preceding financial year, but does not contain any provisions on the specific conditions under which an administrative fine can be imposed on a company. In particular, the GDPR does not regulate when the commission of an offence by natural persons acting on behalf of a company can be attributed to that company. This regulatory gap, which is highly questionable from a rule-of-law perspective, was filled by Section 41 BDSG.

Regional Court of Bonn v Regional Court of Berlin

However, whether and to what extent Section 41(1) BDSG complies with European law has been discussed highly controversially not only in legal literature but also in case law. In the “1&1” case, the Regional Court of Bonn (decision dated 11 November 2020, case number 29 OWi 1/20) took the view that Article 83(4) to (6) GDPR provides for direct liability of legal entities. The culpable/reprehensible conduct of a natural person was not considered necessary; rather, it was deemed sufficient to establish an individualizable GDPR infringement (so-called “Funktionsträgerprinzip”). According to the court, the GDPR, operating under the principle of primacy of EU law, establishes direct liability for companies, similar to European antitrust law. In particular, Section 41(1) BDSG only provides that the provisions of the OWiG apply “mutatis mutandis” to substantive breaches of the GDPR, meaning that the reference to the OWiG does not preclude such an interpretation.

The Regional Court of Berlin (decision dated 18 February 2021, case number (526 OWi LG) 212 Js-OWi 1/20 (1/20)) ruled in the opposite direction in the “Deutsche Wohnen” case. As the GDPR does not contain any explicit provisions, the German liability regime pursuant to Sections 30 and 130 of the OWiG (the so-called “Rechtsträgerprinzip”) applies. The principle of fault results in the fact that only a natural person can be accused of committing an administrative offence. The court also dealt in detail with the “analogous” reference in Section 41(1) BDSG and found no room for a substantive restriction.

Course of proceedings

In the case at hand, a fine of EUR 14.5 million had been imposed by the Berlin Commissioner for Data Protection and Freedom of Information on the real estate company Deutsche Wohnen SE for allegedly storing personal data of tenants in violation of data protection law. The Regional Court of Berlin discontinued the proceedings on procedural grounds, stating that the decision at issue was seriously flawed due to a failure to comply with Section 30 OWiG, and therefore could not serve as a basis for setting an administrative fine. The Public Prosecutor’s Office of Berlin immediately appealed against this decision. The Higher Regional Court of Berlin (3 Ws 250/21 - 161 AR 84/21) referred two questions on the interpretation of Article 83(4) to (6) GDPR to the ECJ for preliminary ruling (C-807/21).

ECJ: Direct liability of legal persons

The ECJ has decided that fines under the GDPR can be imposed directly on legal persons if they have the status of a controller pursuant to Article 4 No. 7 GDPR (paragraph 32 et seqq.). The EU legislator wanted to ensure a high level of protection of natural persons with regard to the processing of personal data, so that it expressly wanted to include natural and legal persons in the broad definition of “controller” in Article 4 No. 7 GDPR (paragraph 38 et seqq.). Article 83 GDPR does not require that the breach be committed by representatives, directors or managers of the legal person, but also by any other person acting in the course of the business of the legal person and on its behalf (paragraph 44). Moreover, Article 58(2) GDPR defines the powers of the supervisory authorities to take corrective measures, without referring to the law of the Member States or leaving a margin of discretion to the Member States (paragraph 45). Article 58(4) GDPR and Article 83(8) GDPR – each interpreted in the light of Recital 129 of the GDPR – would indeed require Member States to effectively organise the procedures for monitoring and enforcing the Regulation (paragraph 47). However, this does not include the power to lay down substantive conditions (paragraph 48). It would be contrary to the purpose of the GDPR, which is to ensure a high level of data protection for natural persons, if individual Member States were allowed to create additional substantive conditions for the imposition of an administrative fine (paragraph 49 et seqq.). Conflicting provisions in the Member States which provide that an administrative fine in respect of an infringement referred to in Article 83(4) to (6) GDPR can only be imposed on a legal person in its capacity as controller only in so far as that infringement has previously been attributed to an identified natural person, must therefore be disregarded due to the primacy of EU law. This also applies to Section 41(1) BDSG in conjunction with Section 30 OWiG. Section 30(4) OWiG also allows a fine to be imposed independently on a legal person if no proceedings are instituted against the managing director or if such proceedings are discontinued. However, independent proceedings under Section 30(4) OWiG also require that a criminal or administrative offence has been committed by a managing director. This also applies if the administrative offence is based on a breach of the duty of supervision pursuant to Section 130 OWiG (possibly in conjunction with Paragraph 9 OWiG). Here, too, the offence must be attributed to an identified natural person, which the ECJ considers inadmissible.

ECJ: No strict liability

Furthermore, the ECJ decided that administrative fines under Article 83 GDPR can only be imposed if it is proven that the data controller – whether a natural or legal person – committed the relevant data protection infringement intentionally or negligently (paragraph 61 et seqq.) and therefore declined any strict (no-fault) liability. Article 83(1) to (6) GDPR therefore precisely defines the conditions for the imposition of administrative fines and leaves no room for discretion to the Member States (paragraph 65). From Article 83(2)(b) in conjunction with (3) GDPR it can be derived that only infringements of the GDPR committed by the data controller culpably, i.e. intentionally or negligently, can lead to administrative fines (paragraph 66 et seqq.). This interpretation is supported by the general scheme and purpose of the GDPR (paragraph 69 et seqq.); in particular, the EU legislator did not consider it necessary to introduce a system of strict liability in order to ensure a high level of data protection (paragraph 74).

By way of clarification, the ECJ states that it is sufficient for fault that the data controller in terms of Article 4 No. 7 GDPR could not have been unaware of the infringing nature of its conduct, whether or not it was aware that it was infringing the provisions of the GDPR (paragraph 76). This is roughly equivalent to an avoidable mistake of law under German law. Moreover, a fine under Article 83 GDPR against a legal person does not require any action or even knowledge on the part of a management body (paragraph 77). With reference to the relevant case law, the standard of culpability under EU competition and antitrust law is thus transferred to GDPR infringements.

The ECJ’s statements on the standard of culpability are further substantiated in another decision of 5 December 2023, the case “Nacionalinis visuomenės sveikatos centras” from Lithuania (Case C-683/21). In this case, the liability of the data controller in terms of Article 4 No. 7 GDPR under data protection law is also extended to the unlawful processing of personal data not carried out by the controller itself, but by a processor in terms of Article 4 No. 8 GDPR (paragraph 84). The controller’s liability for the conduct of a processor is excluded only if the processor has processed personal data for its own purposes or where that processor has processed such data in a manner incompatible with the framework of, or detailed arrangements for, the processing as determined by the controller, or in such a manner that it cannot reasonably be considered that that controller consented to such processing (paragraph 85).

ECJ: The concept on an undertaking under EU antitrust law applies to determining the maximum limit of an administrative fine

Although the EU antitrust concept of an undertaking from Articles 101 and 102 of the Treaty on the Functioning of the European Union (TFEU) is not relevant for the specific questions in the case at hand, the ECJ does not refrain from making statements, quasi per obiter dictum, on the concept of undertaking in connection with the determination of the amount of an administrative fine (paragraph 53 et seqq.). In order to determine the maximum amount of a turnover-based fine of up to 2% or 4% of the total worldwide annual turnover of the preceding financial year, the turnover of the undertaking within the meaning of Articles 101 and 102 TFEU is to be used as the basis for calculation. This is again a reference to EU competition and antitrust law. In this context, the term undertaking does not refer to the legal person that committed the infringement for which the fine is imposed, irrespective of the legal status of that entity and the way in which it is financed (paragraph 56). The term undertaking therefore refers to an economic unit even if in law that economic unit consists of several persons, natural or legal (paragraph 56). Consequently, the legal person that has committed the infringement may be fined not only on the basis of its own turnover, but also on the basis of the turnover of its parent company and, depending on the structure of the group to which it belongs, on the basis of the group’s turnover. Even if – and this is a slight deviation from EU competition and antitrust law – the parent company cannot be directly sanctioned for GDPR infringements by its subsidiaries if it is not itself involved as a controller or processor, it may still have to pay the bill if it wants to avoid the insolvency of the subsidiary sanctioned on the basis of the group turnover.

Evaluation

The ECJ considers the substantive conditions for a fine to be conclusively regulated in Article 58(2)(i) and Article 83(4) to (5) GDPR and denies the member states any discretion. However, the reasoning lacks dogmatic depth. There are also some inconsistencies. On the one hand, the ECJ clearly rejects any attribution considerations, but on the other hand it then refers to an infringement by “any” natural person acting in the course of the business of the legal person and on their behalf for the liability of a legal person (paragraph 44). By their very nature, legal persons can ultimately only act through natural persons. A similar contradiction exists with regard to the fault requirement. The ECJ states that the principle of fault also applies to legal persons and that the conduct or knowledge of the management body is irrelevant (paragraph 77). At the same time, however, the Court focuses on the “knowledge” or “awareness” of the controller (paragraph 76), which – at least according to the German understanding – can only be acquired by natural persons. As a result, the ECJ indeed assumes that the conduct and knowledge of natural persons can be attributed to the legal person, although they do not necessarily have to be representatives, directors or managers. However, a look at the standard of fault in EU competition and antitrust law shows how easy it is to assume negligence. In general, it is sufficient for negligence if any natural person has acted negligently on behalf of the company. There may be a limit to this if a person has clearly exceeded the limits of his or her function and this behaviour cannot be attributed to the company in any other way, for example by consent. The extent to which this approach can also be applied to GDPR offences, which are much easier to commit than antitrust offences, remains to be seen. Against this background, the implementation of a detailed and strictly monitored data protection compliance management system is recommended in any case, in order to be able to argue as a legal person in the event of a GDPR infringement by employees that it was not clear to the legal person that unlawful conduct was taking place. The ECJ’s ruling therefore does not relieve data protection authorities of the obligation to specifically determine that the GDPR breach was culpably committed, and to prove this by investigating the facts accordingly.

The ECJ’s statements on the validity of the concept of an undertaking under EU competition and antitrust law in determining the upper limit for turnover-based administrative fines are likely to lead to an increase in the average amount of administrative fines imposed on legal persons that are part of an economic unit within the meaning of Articles 101 and 102 TFEU. Even if turnover is not a criterion for the specific assessment of the amount of the fine, a higher upper limit gives the data protection authorities more room for manoeuvre. It remains to be seen, however, whether higher fines will also stand up in court, taking into account the circumstances of each individual case.

Consequences for the proceeding

In the “Deutsche Wohnen” case, the decision means that the Higher Regional Court of Berlin will uphold the immediate appeal of the Public Prosecutor’s Office to the extent that the Berlin Regional Court discontinued the proceedings due to significant deficiencies in the decision at issue. However, according to a recent press release by the Berlin Commissioner for Data Protection and Freedom of Information (here – in German), the decision at issue against Deutsche Wohnen SE should contain sufficient findings regarding the violation of the GDPR and the company's intentional conduct.

Outlook

But the last word has not yet been spoken. The concept of liability for administrative fines developed by the ECJ cannot be integrated into German law without contradictions. In particular, the German understanding of the principle of fault, which is based on the rule of law and human dignity, is difficult to reconcile with the ECJ's statements. It must be decided in each individual case when a legal entity, which can only act or refrain from acting through its representatives, actually culpably violates the GDPR. The application of the concept of an undertaking under EU antitrust law in determining the upper limit of the administrative fine is also more than questionable from a constitutional point of view. This is based solely on Recital 150 of the GDPR, which is not legally binding and is diametrically opposed to the regulatory part of the regulation, in particular with regard to the definitions in Article 4 No. 18, No. 19 GDPR and the entire system of the GDPR. The ECJ did not even begin to address any of this. So the discussion will continue.