EU: Advocate General Opines in “Deutsche Wohnen” Case and Rejects “Strict Liability” for GDPR Violations

Last week, the Advocate General for the European Court of Justice (“ECJ”) stated that, in his view, Article 83 of the GDPR does not allow for “strict liability” for data protection violations. Rather, the Advocate General opined that Data Protection Authorities (“DPAs”) need to establish that the violation of the GDPR was caused intentionally or negligently before they issue an administrative fine.

In particular, the Advocate General elaborated that “the assessment of whether [the obligations of the GDPR] have been complied with involves a complex process of evaluation and examination going beyond the mere finding of a formal breach.” (marginal number 80.)

As a result, should the ECJ follow the Advocate General’s opinion, DPAs would have to show that a legal entity has breached the GDPR intentionally or negligently. And because the “will of the legal person” is formed by its representatives and employees, DPAs will need to provide evidence of their negligent conduct in order to impose a fine—even though it may not be legally required to establish the liability of a natural person for the breach itself.

Current German law follows a slightly stricter approach, as fines can only be imposed on companies if there is evidence of a specific culpable act undertaken by management or legal representatives that led to the law being broken—for instance, insufficient management supervision. If the ECJ follows the Advocate General’s opinion, Germany’s courts will have to disregard national law that is stricter than EU law.

Background:

The Berlin DPA fined the company “Deutsche Wohnen” approximately EUR 14.5 million for alleged data protection violations—albeit without establishing a specific violation committed by management or a violation committed by a normal employee that was enabled by a lack of supervision.

The company challenged the fine in front of the courts. The Berlin Regional Court quashed the fine in the “Deutsche Wohnen” case due to a procedural impediment: German law traditionally does not allow fining legal entities directly, but requires a breach of law by one of their representatives, which is then attributed to the legal entity. Since, according to the Court, Section 30 of the German Law on Misdemeanors (“OWiG”) also applies to the imposition of fines under Article 83 of the GDPR, it is necessary to establish a specific act committed by a representative of the legal entity that caused the GDPR violation, which can also come in the form of failure to establish a sufficient compliance structure. Because the Berlin DPA did not investigate such an act by a representative, the fine was held to be unlawful and lifted by the Court.

On the immediate appeal of the public prosecutor’s office, the Berlin Court of Appeal referred two questions to the ECJ, asking:

• whether a GDPR fine can be imposed on a legal entity without it first being necessary to establish the liability of a natural person; and
• whether the GDPR violation that triggers the fine must, in all cases, have been committed intentionally or negligently, or whether the mere objective fact of breach of an obligation is sufficient.

In the oral proceedings before the Grand Chamber of the ECJ, the Federal Republic of Germany also took the position of the defense, namely that Sections 9, 30, and 130 of the OWiG apply to the imposition of GDPR fines and that strict corporate liability cannot be in line with EU law.

The Advocate General’s Opinion is not binding for the ECJ. It is the role of the Advocates General to propose to the Court an independent legal opinion. The Judges of the Court are now beginning their deliberations in this case. A ruling is expected in a few months. As a general matter, the ECJ follows the Advocate General’s Opinion in the majority of cases.

Read the Advocate General’s Opinion.