Latham & Watkins Scores Important Victory Regarding Data Protection Fines

On December 5, 2023, the European Court of Justice (CJEU) issued a landmark ruling in a case involving a Latham client in Germany. The Court ruled that EU Data Protection Authorities cannot impose "no-fault" fines on companies. The present proceedings are based on a 2019 Berlin Data Protection Authority decision and will have important impact on how the EU General Data Protection Regulation (GDPR) is implemented at a national and international level.

Background

In 2019, Berlin’s Data Protection Authority (BInBDI) issued a GDPR fine against Latham’s client for allegedly failing to implement measures to enable regular deletion of tenant data that purportedly was no longer required. At that time, the €14.5 million fine was the largest financial penalty issued under the GDPR in Germany.

German data protection authorities assumed that GDPR fines could be imposed on companies for alleged data protection violations without first having to establish any liability (strict liability). Following an objection, the Regional Court in Berlin canceled the fine. The Regional Court found that, under German law, a company could not be held responsible for violating the European Union’s privacy laws unless a specific intentional or negligent violation is established. That decision was appealed, and the Berlin Court of Appeals referred the case to the CJEU, which is ultimately competent to determine questions concerning the interpretation of the GDPR and other EU laws.

Imposing fines under the GDPR

If data protection authorities impose fines directly on companies under the GDPR, the CJEU ruling states that this requires proof of intentional or negligent actions by representatives, directors, managers, or other persons acting in the course of the business and on behalf of a legal person. However, the BlnBDI had not provided any such evidence, as it assumed a strict liability. Accordingly, the authority did not feel bound by the German Administrative Offenses Act (OWiG). In particular, the fine notice contained no evidence or findings of specific alleged violations or lack of supervision as required under the OWiG. In particular, Sec. 66 OWiG requires that the fine notice specifies the alleged offense. This is what the Berlin Regional Court had objected to, which resulted in it discontinuing the proceedings against Latham’s client.

The CJEU has now confirmed that the imposition of a GDPR fine requires proof of culpable conduct on the part of a representative or employee of the company.

"I am pleased that the CJEU agreed with our arguments on the inapplicability of strict liability for GDPR fines,” said Tim Wybitul, Privacy & Cyber partner at Latham & Watkins in Frankfurt. "This confirms that data protection authorities are bound by the rule of law and the principle of culpability, and cannot sanction companies without proof of culpable violations,” Wybitul explains. “The German government has also spoken out against this demand by the data protection authorities in the proceedings. To date, neither the Berlin Regional Court nor the Court of Appeal have established any breach or culpable action by any employee of the company. In the previous proceedings, the Berlin Regional Court had rather pointed out that the fine notice did not contain the legally required findings on a culpable offense. The decision shows that the data protection authorities cannot disregard fundamental rights,” Wybitul continues. “The CJEU has rejected the 'strict liability' assumed by the data protection authorities. The ball is now back in the Berlin Court of Appeal’s court, which will hopefully interpret the CJEU's guidelines carefully and proportionally."

The Latham team was led by Privacy & Cyber partner Tim Wybitul with antitrust partner Sven Völcker and associates Dr. Isabelle Brams, Jonas Kraus, and Clemens Ganz in Frankfurt.