More clarity expected in 2023 regarding liability for data protection breaches

The decisions of the CJEU in two sets of proceedings relating to the “imposition of fines” and “requirements for a claim for damages” in the context of violations of the GDPR (General Data Protection Regulation) are eagerly awaited.

I. Sanctioning of data protection breaches

Data protection breaches can be punished with fines according to Article 83 (4) to (6) GDPR. However, the question of whether the company is directly liable for a breach without further proof or whether a culpable breach by a person in a position of management must also be proven, is assessed differently according to German case law.

In its decision dated 11 November 2020 (29 OWi 1/20), the Regional Court of Bonn took the view that the so-called function bearer principle applies. For a fine, it is sufficient that there is an objective breach by an employee of the company. The proof of a concretely acting employee or even a person in a position of management is not necessary. Companies therefore run the risk that they will more easily become the target of a penalty notice.

The Regional Court Berlin took a different approach in its decision dated 18 February 2021 (526 OWi LG 1/20). Section 41 BDSG (German Federal Data Protection Act), which regulates the procedure for imposing fines, refers to Sections 30, 130 OWiG (German Act on Regulatory Offences). However, these provisions are based on the so-called legal person principle. The legal person principle states that a manager must have committed a culpable breach in the performance of his or her duties in order for it to be attributed to the company. If the breach was committed by an employee below management level, imputation can only be considered if the manager breached his or her supervisory duty and this breach of duty is, in turn, the cause of the breach. According to this view, the possibilities for companies to avoid liability are significantly expanded.

The contradictory position outlined above is therefore not merely of an academic nature, but has a direct impact on the effectiveness of such notices due to the fundamentally different requirements for the imposition of a fine. It is therefore to be welcomed that the Berlin Court of Appeal (3 Ws 250/21) has submitted the unresolved legal questions to the CJEU for clarification.

In its first question for a preliminary ruling, the court would like to know whether Article 83(4) to (6) of the GDPR is to be interpreted to the effect that it incorporates the functional concept of a company and the function bearer principle assigned to Article 101 and 102 TFEU (Treaty on the Functioning of the EU) into domestic law. This would have the consequence that by extending the legal person principle underlying Section 30 OWiG, fine proceedings can be brought directly against a company and the fine does not require a finding of an administrative offence committed by a natural and identified person, possibly in a criminal manner. In its second question, the Berlin Court of Appeal asks, should the first question be answered in the affirmative, whether Article 83(4) to (6) of the GDPR is to be interpreted to the effect that the company must be culpable for the breach committed by an employee or whether, in principle, an objective breach of duty attributable to the company is sufficient for the company to be fined (“strict liability”).

The oral hearing before the CJEU took place on 17 January 2022 (C-807/21), where the issues were controversially discussed. According to the Commission, the Parliament of the Netherlands and Norway, among others, the conditions for imposing a fine are essentially regulated in the GDPR. Article 83 (8) of the GDPR only allows the national legislator to regulate the procedure for imposing a fine, but not to establish additional substantive requirements, such as those in Section 30 of the OWiG. Deutsche Wohnen (the accused in the Berlin trial), Germany and Estonia disagreed with this view. It is also disputed whether a breach already implies fault and that this presumption must then be rebutted (Netherlands, Norway) or whether fault must be actually proven. The Commission and probably also the Parliament would allow the slightest negligence to suffice here. The Advocate General’s opinion has been announced for 27 April 2023; a prompt decision by the CJEU afterwards would be desirable.

II. Materiality threshold for claims for damages

In addition to fines imposed by the supervisory authorities, data protection breaches may also result in claims for damages on the part of the data subject pursuant to Article 82 GDPR. The prerequisite for this is that the data subject has suffered material or immaterial damage due to the breach. It is still disputed whether a certain threshold must always be exceeded for such non-material damage or whether every breach always triggers recoverable damage. According to German general tort law, the prerequisite for monetary compensation due to a violation of personality rights is that there is a serious encroachment that cannot be satisfactorily compensated in any other way. Whether this approach also applies to claims for damages based on Article 82 GDPR is disputed.

In order to shed more light on this question, the Austrian Supreme Court (OGH), among others, has submitted three questions to the CJEU (Case C-300/219). With its first question, it asks whether the violation of provisions of the GDPR as such is sufficient for the award of damages. Furthermore, it wants to know whether, in addition to the principles of effectiveness and equivalence, there are further requirements of EU law for the assessment of damages that must be observed. Finally, the Austrian Supreme Court asks whether non-material damage requires that the infringement has consequences or consequences of at least some weight that go beyond the annoyance caused by the infringement. The answers to these questions would presumably also answer the unresolved questions outlined above here and provide legal certainty.

On 6 October 2022, the Advocate General at the CJEU issued his opinion. According to this opinion, concrete damage is required for the applicability of Article 82 GDPR. The mere violation of data protection regulations is not sufficient and there are no punitive damages. The proof of damage must be provided by the claimant and there is not a presumption of fault.

If the CJEU follows the Advocate General, this would certainly be good news for companies, as they are often confronted with knee-jerk claims for damages. A decision to the contrary would presumably be a boost for data protection class actions which are still few and far between.