ECJ: Advocate General rejects strict liability for data protection breaches

On the controversial issue of strict liability of companies for breaches of the General Data Protection Regulation (GDPR), the Advocate General at the ECJ delivered his opinion on April 27, 2023 (C-807/21). In it, he rejects strict liability.

Previously, fines were imposed regardless of fault

As a rule, fines can only be imposed on companies if executives commit negligent or intentional acts that can be attributed to the company. This is based on “Rechtsträgerprinzip” according to. § 30 OWiG.

On February 18, 2021, the Berlin Regional Court took the view that in fine proceedings pursuant to Article 83 of the GDPR, a legal entity cannot itself be considered a “data subject,” but only a secondary party. This follows from the fact that administrative offenses can only be committed by natural persons. A legal entity, on the other hand, can only be held responsible for the actions of its members or representatives. Because § 30 para. 1 OWiG always links the imposition of fines to culpable misconduct on the part of natural persons, for which the legal person is only liable on the legal consequences side.

The Regional Court of Bonn and the German data protection authorities, on the other hand, assume the application of the “function bearer principle” known from European antitrust law in connection with strict liability in the context of Art. 83 GDPR. Accordingly, the company would be the directly materially liable addressee for sanctions. Violations by employees (not only management personnel) would then already be sufficient for the imposition of a fine. It should not depend on fault.

On January 17, 2023, the Grand Chamber of the ECJ addressed two questions referred for a preliminary ruling during the oral proceedings. A fine of approximately EUR 14.5 million was imposed on a German housing company. The questions of the applicability of the function bearer principle and the requirement of proof of culpable conduct were submitted to the ECJ for consideration.

Advocate General: Violations of all employees attributable, fault is a prerequisite

In his opinion of April 27, 2023, Advocate General Campos Sánchez-Bordona argues against strict liability of companies.

However, it also takes the view that a legal person must bear the consequences of GDPR infringements not only “if committed by their representatives, managers or directors, but also if the violations were committed by natural persons (employees in the broad sense) acting within the scope of the company’s business activities and under the supervision of the first-mentioned persons.”

As a result, violations of supervisory duties must at least be proven so that the culpable actions of employees outside the management level can be attributed to the legal entity. The Berlin Regional Court will have to clarify whether German administrative offence law adequately implements the GDPR in this respect.

In addition, the Advocate General also takes a position on the assessment of the amount of the fine. Accordingly, “thereference for the determination of this amount must not be the formal legal personality of a company, but the ‘economic entity ‘ “. It can be deduced from this that the assessment of fines should be based on the group’s turnover – and not just the turnover of the company. This could lead to a substantial increase in fines.

Significance of the dispute in terms of practical law

The state of the dispute has serious implications for the conduct of fine proceedings.

Data protection authorities are demanding that they be allowed to impose fines on companies for data protection violations, irrespective of the principle of fault. The principle of fault would lead to a considerable restriction of fine proceedings against companies. The recitals to the GDPR show that this was not the intention of the European legislator.

This view would make it easier for the data protection authorities to impose GDPR fines and would thus mean a significant increase in the liability risk for companies, as they can become the addressee of a fine regardless of any specific fault.

Admittedly, the Advocate General has rejected a corresponding strict liability and the chambers of the ECJ regularly follow the Opinion of the Advocate General in their decision-making. Nevertheless, a different outcome of the proceedings remains possible.