The threat of fines running into the millions for data protection violations is regarded as one of the major innovations of the General Data Protection Regulation (GDPR). Data protection breaches can now prove costly for businesses. Around three years after the GDPR became applicable, the first German court rulings on such fines have been handed down.
It is time to take stock: in retrospect, is the threat of sanctions merely a spectre? The first decisions of the German courts could hardly be more varied, but they cannot be read as an all-clear, at least for the time being.
Because of their potential size, fines are central to the incentive system of data protection law and have motivated many companies to take a closer look at their data protection compliance systems. How fines are imposed, how they are structured and how high they should be are hotly debated in specialist circles. The controversy mainly revolves around three highly practical questions: which economic figure a fine should be based on, whether the turnover of an entire group of undertakings counts, and whether a fine can be imposed on a company at all without proof of a breach of duty by one of its managers.
The committee of the German supervisory authorities, the Datenschutzkonferenz (DSK), published its approach to imposing fines on companies at the end of 2019. This approach has attracted fundamental criticism ever since. The DSK takes the view that a modern law on corporate sanctions with considerable maximum fines is required, and that a company's turnover is a suitable, appropriate and fair reference value for ensuring that fines are effective, proportionate and dissuasive. The German authorities have therefore agreed to use company turnover as the sole economic baseline for determining fines.
However, this disregards the sector in which a company operates, which has a significant impact on its profit margin. The technology sector, for example, typically generates higher profits on a given turnover than consumer goods manufacturing. Given identical turnover and an identical data protection breach, a company with low profit margins will be hit harder than a company of the same size (measured by turnover) from another sector. Despite this, the data protection authorities are sticking to their guns and continue to use company turnover as the only economic indicator.
In addition, the data protection authorities' approach does not base the fine on the turnover of the individual company responsible for the breach. Instead, where a company belongs to a group of undertakings, the consolidated turnover of the entire group is to be used. This is in line with the EU's intentions: a recital of the GDPR (Recital 150) states that, for the purpose of imposing fines, an "undertaking" should be understood in the sense of EU competition law (Articles 101 and 102 TFEU). Under this understanding, known as the "single economic entity doctrine", several legally independent companies can be treated as one unit because of their economic ties. The aim was to prevent a situation in which a legally independent company without significant turnover commits data protection violations in the European Union while the parent company in another EU country benefits from those violations but remains untouched by any fine.
On the other hand, it can be argued that this passage is found only in the recitals and not in the binding text of the regulation, which expressly refers to "the undertaking" and not to the "group of undertakings", itself a defined term in data protection law. German fining practice has nevertheless given rise to fears that, for example, an internal IT service provider with no significant turnover could receive a large fine calculated on its parent company's turnover, a scenario that could quickly drive individual companies in high-turnover groups into insolvency.
Another central issue is the question of which criteria govern whether companies in Germany can be fined at all. This procedure is governed by national law: the Federal Data Protection Act (Bundesdatenschutzgesetz, or BDSG) declares the Administrative Offences Act (Gesetz über Ordnungswidrigkeiten, or OWiG) applicable. Under Section 30 of the OWiG, a fine can generally only be imposed on a legal person if it can be proven that a manager (a board member, partner in the firm, etc.) committed a breach of duty.
Whether this provision also applies to data protection breaches, and therefore whether the competent supervisory authority would have to prove an individual's breach of duty, is highly controversial. The data protection supervisory authorities have so far unanimously taken the view that Section 30 of the OWiG does not apply to sanctioning proceedings arising from data protection violations.
Both the Bonn Regional Court (Landgericht Bonn) and the Berlin Regional Court (Landgericht Berlin) have recently dealt with the applicability of Section 30 of the OWiG, and they reached opposite conclusions.
In its ruling of 11 November 2020, the Bonn Regional Court did criticise the supervisory authority's method of calculating the fine and reduced it to €900,000. However, the court also held that proof of an individual's breach of duty is not required. It based this position on the recitals of the GDPR and on the need for sanctions following data protection infringements to be applied effectively. Applying Section 30 of the OWiG, the court found, would endanger important principles, not least the principle of effectiveness in EU law (effet utile) and the need for consistent sanctions across the EU based on uniform European rules.
By contrast, in its decision of 18 February 2021 the Berlin Regional Court upheld the applicability of Section 30 of the OWiG, and with it the requirement of a breach of duty by a manager. It reasoned that the BDSG in its current form, unlike the first draft of the BDSG, does not explicitly exclude the reference to Section 30 of the OWiG for data protection violations. Only a natural person can be accused of committing such an administrative offence; a legal person can be held liable only for the conduct of its board members or representatives. On that basis, the Berlin Regional Court set aside the fine imposed by the supervisory authority.
While the judgment of the Bonn Regional Court has become final, the Berlin public prosecutor's office lodged an appeal, so the dispute will now be heard by the Berlin Higher Regional Court (Kammergericht Berlin). In practice, the Berlin Regional Court's reasoning would dramatically increase the effort required of supervisory authorities to establish the facts of a case, and it would often be impossible to prove a specific breach of duty by an individual manager.
The Berlin Regional Court's ruling may at first suggest that, in many cases, German companies will not face any fines at all. That impression is deceptive: precisely because of this unsatisfactory result, the supervisory authorities and other courts are likely to follow the Bonn Regional Court's view, at least until the Court of Justice of the European Union has ruled on the question, which could take several years. Companies should therefore continue to act preventively and implement suitable compliance measures. In particular, this means making managers aware of data protection law, since their infringements can in any event be attributed to the company under Section 30(1) of the OWiG.
Sanctioning proceedings are often triggered by a complaint from an individual to the supervisory authority or by the notification of a data breach. Our experience shows that companies should carry out a careful legal analysis of the matter before communicating with the supervisory authority, and should weigh their options for action in dialogue with the authority while the matter is still at the administrative stage. This often makes it possible to avoid sanctioning proceedings altogether and to prevent a long and costly legal dispute.
To manage data protection processes and applications in a structured and user-friendly way, we at PwC have developed the Data Protection Manager, a cloud-based software-as-a-service (SaaS) solution designed to support GDPR compliance and thereby reduce the risk of heavy fines.
“The legal situation is unclear. Companies should make the most of the momentum to sensitise their executives and take further precautions to avoid investigations by the supervisory authorities, which can lead to fines.”