Arizona Antelope Canyon

TR v Land Hessen – DPA not obliged to fine under the GDPR

November 29, 2024

In TR v Land Hessen (C‑768/21) the European Court of Justice (“ECJ”) found that following a personal data breach, a supervisory authority is under no obligation to exercise its corrective powers, specifically the power to impose an administrative fine, where such action is not appropriate or necessary or proportionate to the infringement of the EU General Data Protection Regulation (“GDPR”). A supervisory authority can therefore choose not to impose a fine on a data controller following a data breach, particularly where the controller has already taken necessary measures on its own to stop the breach and prevent its recurrence.

While ECJ decisions are not binding in the UK, the UK Information Commissioner's Office may be influenced by such a decision in exercising its powers under the the UK General Data Protection Regulation and Data Protection Act 2018. The decision is also relevant to UK organisations which are caught within the scope of the EU GDPR’s extra-territorial reach.

 

Background

A ‘personal data breach’ occurred when an employee of a German bank, Sparkasse X (“Bank”) unlawfully accessed the personal data of one if its customers, TR, on several occasions. The Bank assessed that the threshold to notify the breach under Article 33(1) GDPR (i.e. whether there is a risk to the rights and freedoms of the data subject, TR) had been met and reported the breach to the Hessen Commissioner for Data Protection and Freedom of Information (“HBDI”). The Bank did not consider that the threshold to notify the data subject under Article 34(1) GDPR had been met (i.e. whether there is a high risk to the rights and freedoms of the data subject) and did not notify TR.

TR became aware of the personal data breach and complained to the HBDI in July 2020. The main ground of the complaint was that, in failing to notify him of the breach, the Bank had not properly complied with Article 34(1) GDPR. The Bank’s position was that it had not notified TR as its data protection officer had taken the view there was no high risk to TR’s rights and freedoms. In coming to this decision, the data protection officer considered the fact that disciplinary measures had been taken against the employee concerned, and that she had confirmed in writing that she had neither copied nor retained the personal data, that she had not transferred the data to third parties and that she would not do so in the future.

In September 2020, the HBDI informed TR that the Bank had not infringed Article 34(1) GDPR and agreed with the Banks’ assessment that the personal data breach was unlikely to result in a high risk to TR’s rights and freedoms. TR lodged an action at the German Administrative Court (“Court”) seeking an order that the HBDI must take action against the Bank. TR submitted that the HBDI should have imposed a fine on the Bank for its infringements of the GDPR, particularly with respect to Article 5(1)(a): “personal data shall be processed lawfully…”.

 

Issue to be determined

Article 58(2) GDPR provides that supervisory authorities shall have certain corrective powers. This includes the power to impose an administrative fine pursuant to Article 83, which can be imposed in addition to or instead of the other corrective measures listed, depending on the circumstances of each individual case. The Court had to decide whether Article 58(2) should be interpreted as requiring the HBDI (as the supervising authority) to exercise its corrective powers following a data breach, or as meaning that the HBDI had the discretion to refrain from exercising its powers depending on the circumstances.

On one hand, the Court noted that academic writers had advocated for the position that the powers available to supervisory authorities to adopt corrective measures are intended to be used to restore a lawful situation when data processing infringes a citizen’s rights. However, the Court considered that such an interpretation was too broad, and noted that in certain cases it was inclined to allow the HBDI to exercise discretion to refrain from exercising its corrective powers, even after conducting a careful investigation into a complaint. On this basis, the Court stayed TR’s proceedings and referred the matter to the ECJ to answer the question:

Are Article 57(1)(a) and (f), Article 58(2)(a) to (j) and Article 77(1) [of the GDPR], to be understood as meaning that, where the supervisory authority finds that data processing has infringed the data subject’s rights, the supervisory authority must always take action in accordance with Article 58(2) [of that regulation]?’

 

ECJ's decision

The interpretation of a provision of EU law requires consideration of the wording, alongside its context and the objectives and purpose of the legislation.

Context – the ECJ considered the context of the mechanism available under Article 77(1) GDPR for data subjects to raise a complaint to a supervisory authority. To diligently handle such a complaint, Article 58(1) confers extensive investigative powers on each authority, and where an authority finds an infringement of the GDPR during its investigations, an authority is required to react in an appropriate, necessary and proportionate manner (as per the recitals) to remedy the shortcoming found. The measures available to an authority are those set out in Article 58(2), which includes the imposition of administrative fines.

In this regard, the ECJ noted that the GDPR leaves an authority with discretion as to the manner in which it must remedy the shortcoming found, depending on what is appropriate, proportionate and necessary based on all the circumstances of the case. However, this discretion is limited by the need to ensure a consistent and high level of protection of personal data through strong enforcement of the GDPR (as per the recitals).

Wording – there are key phrases which made it apparent to the ECJ that the power to impose fines is dependent on the circumstances of each individual case. Article 58(2)(i) GDPR specifically provides that a supervisory authority shall have the power to impose an administrative fine pursuant to Article 83, “in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case”. Article 83(2) reiterates this and further states that when deciding to impose an administrative fine, consideration should be given to 11 factors specified in Article 83(2).

On this basis, the ECJ recognised that an obligation on a supervisory authority to use its corrective powers could not be inferred from the wording, rather, such an obligation only arose where, taking into account all the circumstances, it was appropriate, necessary and proportionate to remedy the shortcoming found and ensure that the GDPR was fully enforced. In line with this understanding, it was open for an authority to refrain from using its corrective powers following a personal data breach where this was justified by the particular circumstances of the case. Such circumstances included for example where, as soon as it became aware of the breach, the controller had taken appropriate and necessary measures to ensure the breach was brought to an end and did not recur.

Objective – the ECJ considered recital 29 to the GDPR in order to understand the objective pursued by Article 58(2) and identified that the provision seeks to ensure that the processing of personal data complies with the GDPR and provides a mechanism for an authority to intervene and remedy situations where there has been an infringement. It follows that an authority’s exercise of its corrective power may not be required where the situation has already been remedied and the relevant controller has taken steps to ensure compliance, ultimately meaning that the authority is not liable to act to ensure enforcement of the GDPR.

With regards to the objective of Article 83 GDPR, recital 148 makes clear that the purpose is to strengthen the enforcement of the GDPR, however, in the case of a minor infringement or where an administrative fine constitutes a disproportionate burden, an authority may refrain from acting.

 

Key takeaways

The ECJ’s decision establishes that where there has been a personal data breach under the GDPR, the supervisory authority has the discretion to decide how it deals with that breach. Before exercising its power under Article 58(2) GDPR, the authority must consider the individual circumstances of the breach, what is a necessary, appropriate and proportionate response to the breach, and whether the exercise of its power aligns with the obligation on an authority to make good infringements of the GDPR.

It is therefore open to a supervisory authority, in specific circumstances, to choose not to exercise its power under Article 58(2) GDPR, and specifically, not impose an administrative fine on a controller following a personal data breach. This is particularly the case where the controller has already taken measures on its own to stop the breach and prevent recurrence.

 

With thanks to Melissa Diaz for her assistance in preparing this post.