Landmark CJEU rulings limit scope for GDPR fines

The Court of Justice of the EU (CJEU) further confirmed that where fines are to be imposed on businesses that are part of wider corporate group, they should be calculated with reference to the entire group’s turnover. 

In two judgments issued on Tuesday morning, the CJEU ruled that ‘controllers’ – organisations responsible for how personal data is handled – that breach the requirements of the GDPR can only be fined for doing so if it can be shown that their infringement was intentional or that they acted negligently. 

The CJEU said that in considering whether the infringement was committed intentionally or negligently, “a controller may be punished for conduct falling within the scope of the GDPR if he could not have been unaware of the illegality of his actions, regardless of whether he perceived that he was in breach of the provisions of the GDPR”. It added that neither the action nor the knowledge of the “management body” of the organisation is required to establish intent or negligence on the part of the controller. 

The CJEU said that establishing fault is a condition for the imposition of a fine under the GDPR and that that view, which is based on the court’s interpretation of rules in the EU GDPR that govern when administrative fines can be imposed, is supported by the GDPR's general framework and purpose.  

Data protection law expert Jonathan Kirsop of Pinsent Masons said the ruling provides welcome clarification of the principles for issuing administrative fines under the GDPR. 

“The judgment seems to limit the scope for fines being imposed for more ‘technical’ or administrative breaches where a controller has acted in good faith and with its best efforts to ensure appropriate processes in place,” Kirsop said. “That said, fines will still be imposed where a controller should have known that it had committed a breach, whether or not it did so.” 

“In practice, we have seen data protection authorities (DPAs) focused on the largest and most egregious breach of GDPR principles so it may be that this clarification does little other than to make more explicit what was the approach of DPAs based on the resources and priorities that they have,” he said. 

Kirsop added that he would expect the UK government and Information Commissioner’s Office (ICO) to follow the same approach as set by the CJEU on the imposition of fines. 

“The CJEU’s finding, as a general rule, reflects how the ICO has tended to seek to enforce the UK GDPR by focusing on those violations which had the most impact and were derived from a materially deficient approach by controllers,” Kirsop said. “The UK government is currently seeking to update the UK data protection regime, with the Data Protection and Digital Information Bill currently before parliament, but the Bill maintains the administrative fine framework and principles of the GDPR, notwithstanding that it envisages expanding these to encompass electronic marketing violations.” 

In its second ruling, the CJEU also considered the concept of ‘undertaking’ under the GDPR: the regulation provides that ‘undertakings’ can be fined up to €20 million, or up to 4% of their total worldwide annual turnover of the preceding financial year, whichever is higher, for infringements of the GDPR.  

The CJEU reflected on the fact that EU competition law, under Articles 101 and 102 of the Treaty on the Functioning of the EU (TFEU), contains similar references to ‘undertaking’. It ruled that “where the addressee of the fine [under the GDPR] is an undertaking within the meaning of Articles 101 and 102 TFEU or a member of such an undertaking, the maximum amount of the fine is to be calculated on the basis of a percentage of the total annual worldwide turnover of the previous business year of the undertaking concerned”. 

Kirsop said: “By maintaining that an undertaking may encompass a group of entities – where engaged in a common economic activity – the court is explicit that group turnover will often be the basis for calculation and closes the door for any attempt to create artificial group structures with controllers placed in legal entities with limited turnover.” 

Earlier this year, a court in Denmark asked the CJEU to determine what the meaning of ‘undertaking’ in the GDPR is to help it resolve a dispute between the public prosecutor in the country and retailer ILVA A/S, which is part of the Lars Larsen Group. The public prosecutor is seeking the imposition of a fine against ILVA A/S calculated on the basis of the total turnover of the entire Lars Larsen Group. It is unclear whether the CJEU will now hear that case after today’s ruling.