
CJEU: Advocate General Rejects “Strict Liability” for GDPR Fines Against Companies

April 27, 2023
Latham & Watkins successfully defends client in landmark EU privacy law dispute.

On April 27, 2023, Advocate General Campos Sánchez-Bordona at the European Court of Justice (CJEU) delivered his opinion in a landmark case against a German corporation. The Advocate General stated that data protection authorities cannot impose fines on companies without establishing proof of culpability, i.e., intentional or negligent actions violating the GDPR.

German data protection authorities argue that companies, rather than individuals, can be held liable for data protection violations under the GDPR. However, Germany’s Administrative Offences Act (OWiG) says fines can only be imposed on companies if there is evidence of a specific culpable act undertaken by management or legal representatives that has led to the law being broken, for instance, insufficient management supervision. Specifically, the Advocate General requires proof of a lack of supervision if culpable GDPR violations committed by an employee below the management level are to be imputed to the company. In the proceeding at hand, the authority had not made any such findings, as it pursued a concept of so-called “strict liability”, which the Advocate General rejected.

The case, which dates back to 2019, raises important questions over how the GDPR sanction rules should be interpreted at a national and international level.

“The Advocate General’s opinion shows that companies can successfully defend themselves against excessive interpretations of EU laws by data protection authorities and respective allegations resulting in GDPR fines,” says Tim Wybitul, data protection partner at Latham & Watkins in Frankfurt. “The Advocate General at the CJEU follows Latham’s defense arguments with regard to the question of a supposed ‘strict liability’. This demand as made by the German data protection authorities seeking to be allowed to sanction companies without findings of culpable action is a violation of the principle of culpability and the rule of law principle.”

Background

In 2019, Berlin’s data protection authority (BlnBDI) issued a fine against Latham’s client for allegedly failing to implement measures to enable regular deletion of tenant data that was no longer required. At the time, the €14.5 million fine was the largest financial penalty issued under the GDPR in Germany.

The data protection authorities assumed fines could be imposed on companies for alleged data protection violations without first having to identify individual liability (strict liability). Following an appeal, the fine was dropped by the Regional Court in Berlin. The Regional Court found that under German law, the company could not be held responsible for violating the European Union’s strict privacy laws unless blame could be attached to a specific individual or executive. The decision was appealed and the Berlin Court of Appeals referred the case to the CJEU, which is ultimately competent to determine questions concerning the interpretation of the GDPR and other EU laws.
