By Decision of the Court of Justice of the European Union ("CJEU") of 14.12.2023 in case C‑340/21 the CJEU clarified several controversial aspects of the implementation of the GDPR.
First, should the GDPR be interpreted to mean that unauthorized disclosure of personal data or unauthorized access to such data by a "third party" within the meaning of the GDPR are in themselves sufficient to accept, that the technical and organizational measures implemented by the relevant controller are not "appropriate"?
Second, whether Article 32 of the GDPR should be interpreted as meaning that the assessment of whether the technical and organizational measures applied by the controller under this Article are appropriate should be made by national jurisdictions specifically, in particular taking into account the risks associated with the relevant processing?
The CJEU concluded that in the event of an attack on the controller's security by a malicious third party, the GDPR must be interpreted in the sense that unauthorized disclosure of personal data or unauthorized access to such data by a "third party" is not in itself sufficient, to consider that the technical and organizational measures applied by the relevant controller are not "appropriate". Next, the CJEU has accepted that the controller has a certain discretion to determine the appropriate technical and organizational measures to ensure compliance with this risk level of security. This does not change the fact, however, that the national regulator must be able to assess the complex judgment made by the controller and, in doing so, make sure that the measures chosen are fit to guarantee such a level of security. Accordingly, the assessment of whether the applied by the controller technical and organizational measures are appropriate must be made by the regulator specifically, taking into account the risks associated with the respective processing and assessing whether the nature, scope and application of these measures are consistent with those risks.
Separately, in decisions on cases C-683/21 (Nacionalinis visuomenes sveikatos centras) and C-807/21 (Deutsche Wohnen) the CJEU has held that when a supervisory authority imposes a fine or a penalty on a controller, including if it considers that the violation was committed intentionally or negligently, under the GDPR, it cannot engage the controller's liability in the absence of fault on his part and the existence of a culpably committed violation is a condition for the imposition of such a penalty. In more detail, it should be specified that a controller can be sanctioned for actions that fall within the scope of GDPR if the controllers clearly understand their unlawful nature.
The takeaways from these several recent CJEU decisions are as follows: Yes, a data controller can submit a data breach notification to the competent regulator in compliance with its GDPR obligations and still be penalized for its own actions. However, this means that the controller must have acted culpably and this must have been seriously analyzed and motivated by the relevant regulator. This is a very important clarification regarding the observed practice of some regulators to impose sanctions with blanket reasons for "lack of sufficient technical and organizational measures".
It is also worth recalling that according to the "Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679" "intent" includes awareness of the characteristics of the offense and the will to commit it. It is generally accepted that intentional violations, where a clear disregard for legal provisions is demonstrated, are more serious than negligent violations. Examples of circumstances that are indicative of intentional violations may be unlawful data processing, expressly ordered by the controller's senior management or contrary to the advice of the data protection officer alteration of personal data to create a misleading ( positive) impression that certain goals have been achieved, the trading of personal data for marketing purposes, etc. Violations of the meaning and principles of the GDPR are listed, which to an extremely serious degree demonstrate disregard for the legal provisions and quite deliberate illegal actions as well as an actual will to violate.
Obviously, the conclusions we can draw from the CJEU decisions in light of the guidelines we already have are that imposing sanctions on unscrupulous controllers makes sense and is part of the competence of the European regulators. However, this cannot be self-serving and the regulators cannot claim intentional (or negligent) actions solely to protect the imposed sanctions, without motivating its conclusions in an indisputable manner and without taking into account the set of protective measures, taken by the controller. After all, imposing punishment before an offense has only happened in "Alice in Wonderland" so far.
By Irena Georgieva, Managing Partner, PPG Lawyers
