On 04 May 2023, Advocate General (“AG”) Emiliou of the Court of Justice of the European Union (“CJEU”) delivered an opinion in case C-683/21, which focuses on the application of the system of fines of Article 83 of the General Data Protection Regulation (“GDPR”).
Background of the Case
A dispute had arisen between the Lithuanian National Public Health Centre (“NVSC”) and the Lithuanian data protection authority about the development of a corona app by the NVSC. In March 2020, the Lithuanian Minister of Health instructed the NVSC to develop and acquire the app. The NVSC engaged the company ITSS to develop the app, with the intention of acquiring it at a later stage. The app was developed and made available to the public in several app stores, which mentioned both ITSS and the NVSC as controllers. It was alleged that the NVSC had never officially consented to or authorised this.
A tendering procedure was started to continue the acquisition of the app by the NVSC, but this procedure was abandoned for lack of funding. However, the app still remained available in the app stores.Following an investigation, the Lithuanian data protection authority imposed administrative fines on the NVSC and ITSS, in their capacity as joint controllers, for several infringements of the GDPR. The NVSC appealed against this decision to the national Lithuanian court, which referred six preliminary questions to the CJEU. In this blog we will discuss the sixth question.
Opinion of the AG
The sixth question, which deals with a situation between a controller and a processor, concerns the conditions of the administrative fine under Article 83 (1) of the GDPR. The AG divides the sixth preliminary question of the Lithuanian court into two parts, namely:
- whether an administrative fine can be imposed on a controller or processor that has not intentionally or negligently infringed the GDPR? and
- whether an administrative fine can be imposed on a controller when the unlawful processing of personal data was not done by the controller itself, but by a processor?
The AG starts his answer by observing that this will be the first time for the CJEU to give an interpretation of Article 83 of the GDPR. Then the AG describes the review framework of this article.
To answer the first part of the question, the AG points out that on the basis of a textual interpretation of Article 83(2) of the GDPR, this article can be interpreted in two ways. However, the AG believes that the interpretation in which intent or negligence (i.e. fault) is a required condition for imposing a fine properly reflects the intention of the EU legislature.
The AG gives several reasons for reaching this conclusion. He emphasizes that this interpretation is consistent with the primary objective of the GDPR, which is to ensure a consistent and high level of protection to natural persons. In addition, the AG believes that supervisory authorities will seldom have difficulty to assume that infringement of the GDPR occurs at least negligently, because the threshold for negligence is very low in practice. The AG therefore advises the CJEU to align with the fining system of competition law, which also only applies if intent or negligence are established.
In the AG's opinion, Member States cannot interpret this differently and have no margin of appreciation in this respect. In other words: the Member States are not free to decide whether intent or negligence is a required condition for imposing a fine, because this does not comply with the harmonisation the GDPR intends to achieve between the Member States. However, the Member States do have the discretion to attach procedural conditions to the imposition of a fine in national legislation.
In his answer to the second part of the question, the AG asserts that the definitions of controller (Article 4(7) GDPR) and processor (Article 4(8) GDPR) confirm that a fine can be imposed on a controller, even though the personal data were unlawfully processed by the processor only and the controller took no part in the processing. The AG believes that this is possible as long as the processor:
- processes the personal data on behalf of the controller;
- acts within the scope of the mandate conferred upon it;
- does not use the personal data for its own purposes; and
- it is clear that the parties have not acted as joint controllers.
In short, the AG concludes that intent or negligence must be established before a fine can be imposed on a controller or a processor pursuant to Article 83 of the GDPR. In addition, a controller may be fined if a processor infringes the GDPR intentionally or negligently, regardless of whether the controller has processed the personal data itself.
What next?
The CJEU will now render a judgment on this issue. This opinion of the AG is not binding for the CJEU in this process. The opinion only serves as advice to the CJEU, and a binding judgment will eventually be rendered by the CJEU at its discretion. The CJEU’s judgment is expected to follow at the end of this year or the beginning of 2024.
You can read the full opinion of the AG here: