The Court of Justice of the European Union (CJEU) has ruled on the interpretation of Article 83 of the EU General Data Protection Regulation (EU GDPR) and the imposition of fines for breaching the Regulation. Whilst the EU GDPR is no longer applicable under UK law, it would be surprising if the Information Commissioner’s Office (ICO) decided to completely ignore the decision.
Article 83 of the EU GDPR states:
“1. Each supervisory authority shall ensure that the imposition of the administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in Paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.
2. Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58(2).”
The Article then goes on to list what factors need to be considered when deciding what level of fine should be imposed.
The CJEU was asked by the National Public Health Centre in Lithuania to consider whether Article 83 of the EU GDPR should be interpreted to mean that fines can only be imposed when a controller has intentionally or negligently committed an infringement of the Regulation.
When reaching a decision, the CJEU considered the precise wording of Article 83 and the general purpose of the EU GDPR. Article 83(1) of the EU GDPR confirms that fines must be “effective, proportionate and dissuasive”. Article 83(2) confirms that fines shall be imposed, “depending on the circumstances of each individual case”. The CJEU confirmed that it follows from this that:
“only infringements of the provisions of that regulation which are committed wrongfully by the controller, that is to say, those committed intentionally or negligently, may result in an administrative fine being imposed on the controller pursuant to that article.”
In relation to whether an infringement has been committed intentionally or negligently, the CJEU confirmed that “a controller may be penalised for conduct falling within the scope of the GDPR where that controller could not have been unaware of the infringing nature of its conduct, whether or not it was aware that it was infringing the provisions of the GDPR”.
UK law
Following Brexit, the Data Protection Act 2018 (DPA 2018) was amended to implement the UK’s version of the EU GDPR. Under the DPA 2018, the ICO (as the UK’s supervisory authority) has the power to impose fines for breaches of the DPA 2018. Section 155 of the DPA 2018 confirms:
“(1) If the Commissioner is satisfied that a person—
(a) has failed or is failing as described in section 149(2), (3), (4) or (5), or
(b) has failed to comply with an information notice, an assessment notice or an enforcement notice,
the Commissioner may, by written notice (a “penalty notice”), require the person to pay to the Commissioner an amount in sterling specified in the notice.”
Examples of when the ICO can impose a fine include (but are not limited to):
- A breach of any of the data protection principles, such as the lawfulness, fairness, and transparency principle, the purpose limitation principle, etc; and
- Breach of any rights of the data subject, including the right of access, right of rectification, etc.
Section 149 of the DPA 2018 sets out the exhaustive list of circumstances that could give rise to the ICO issuing a penalty notice.
Comment
Whilst both the EU GDPR and the DPA 2018 give the supervisory authority the power to impose fines for breaches of the relevant data protection regime, the wording of the relevant provisions is very different. Notwithstanding this, the decision made by the CJEU in relation to the circumstances in which a fine should be imposed will likely shape the way that the ICO exercises its power under Section 155 of the DPA 2018.
It will be interesting to see how this decision affects the ICO’s issue of penalty notices going forward.
How can we help?
Ruby Ashby is a Senior Associate in our expert Dispute Resolution team, specialising in data breach claims, inheritance and Trust disputes and defamation claims.