EU Court of Justice rules: GDPR fines require negligence or malice
Posted: January 9, 2024
In two recent cases, the Court of Justice of the European Union (CJEU) ruled on whether unintentional violations of the EU General Data Protection Regulation (GDPR) can result in enforcement.
The court’s decisions establish that the GDPR is not a “no-fault” or “strict” liability law: some degree of negligence or intent is required before a fine can be imposed. But the rulings don’t necessarily make GDPR compliance any easier.
This article will explore what happened in these two cases and explain what the CJEU decided.
Lithuanian Contact-Tracing App: Case C‑683/21
In March 2020, a person supposedly representing the Lithuanian National Public Health Centre (NVSC) approached a mobile app developer called ITSS to create a COVID-19 contact tracing app.
The NVSC and ITSS exchanged information about the app’s functionalities and data collection via email. Both entities prepared a confidentiality policy, identifying themselves as “controllers”.
However, there was no formal contract, joint controller agreement, or data processing agreement between the NVSC and ITSS.
App Publication and Subsequent Issues
The ITSS app was released on Google Play and the App Store in April 2020. Around 3,800 people who downloaded the app entered personal data, including location and health data. The app featured a link to the NVSC’s website.
By May, the NVSC realized it could not finance the app. It therefore discontinued the project and asked ITSS to remove any references to the NVSC from the app.
In February of the following year, Lithuania’s Data Protection Authority (DPA) fined NVSC €12,000 and ITSS €3,000 for GDPR violations, identifying them as joint controllers responsible for the personal data unlawfully processed via the app.
Both NVSC and ITSS disputed the finding, with NVSC claiming it wasn’t a controller or processor and ITSS asserting it was merely a processor.
German Real Estate Dispute: Case C‑807/21
Deutsche Wohnen (DW) is a German real estate firm that owns around 163,000 housing units and 3,000 commercial units through holding companies. The holding companies manage day-to-day operations across the business, while DW manages the holding companies.
The holding companies and DW are controllers of their tenants’ personal data, including proof of ID, tax, social security, and health insurance information.
Berlin Data Protection Authority Inspection
In June 2017, the Berlin DPA inspected DW’s holding companies and raised issues with how they stored personal data, resulting in findings that the companies had violated the data minimization and storage limitation principles (among other infringements).
The DPA ordered DW to delete certain personal data. In its response, DW said it would be technically and legally infeasible to delete the data, but reassured the DPA that it would be migrating the data to a new storage system imminently.
The DPA made a further inspection in 2019 and found that, despite having implemented a new storage system, DW was still storing the personal data of at least 15 tenants unnecessarily.
The DPA issued several fines against DW: One of €14,385,000 and 15 others of between €3,000 and €17,000.
DW appealed the DPA’s decision at the Berlin Regional Court and won.
The court’s decision relates mostly to German law, which states that an administrative fine cannot be imposed on a legal person (i.e., a corporation) in itself but can only result from violations committed by a natural person (an individual) representing the legal person.
Questions for the Court in C‑683/21 and C‑807/21
The CJEU considered several questions referred from the Lithuanian and German courts. We’ll focus on the questions that relate to liability under Article 83 of the GDPR, which sets out the conditions for imposing administrative fines.
In the Lithuanian case: Given that the NVSC did not sign any contract commissioning the app, and even asked ITSS to stop developing the app, should the NVSC be liable for any GDPR violations associated with the app?
In the German case: Is the German law, which allows administrative fines only where a violation is attributable to an individual, compatible with the GDPR? If not, could DW get a fine even if it, as a company, did not do anything intentional or negligent?
More fundamentally, is the GDPR a “no-fault” or “strict” liability law? If an organization does everything necessary to meet the GDPR’s requirements, but a GDPR violation still occurs, can that organization receive a fine?
Liability Under the GDPR
In both cases, the CJEU ruled that the GDPR is not a “strict liability” law. As such, there must be some “intent or negligence” giving rise to a violation in order for a DPA to issue an administrative fine.
In the German case, the court said that a GDPR fine can only be imposed where the controller “could not be unaware” that its conduct infringed the GDPR (i.e., where the controller could reasonably have been expected to know about the violation), whether or not it was actually aware of it.
The court also found that the German law requiring administrative penalties to be attributable to an individual was incompatible with the GDPR, and that the administrative fine should be calculated by reference to DW’s total turnover as a whole (rather than that of any individual holding company).
In the Lithuanian case, the court underlined that a controller is not always liable for violations committed by its processor: where the processor acts without the controller’s authorization by processing personal data for its own purposes, the controller is not responsible for that processing.
In that case, however, the NVSC and ITSS were deemed joint controllers despite the lack of a written joint controller agreement.
As such, while the CJEU has firmly established that DPAs can only impose GDPR fines where there has been some fault on the part of the controller or processor, the threshold for finding fault remains relatively low.