While 2021 saw the gradual erosion of the one-stop-shop principle that underpins GDPR continue, it also saw some potentially encouraging developments. Two in particular stand out. The first is the commentary on “application overreach” from European Court of Justice Advocate General Michal Bobek, made at paragraph 65 of his opinion in this case. Here is the quote:
I suspect that either the Court, or for that matter the EU legislature, might be obliged to revisit the scope of the GDPR one day. The current approach is gradually transforming the GDPR into one of the most de facto disregarded legislative frameworks under EU law. That state of affairs is not necessarily intentional. It is rather the natural by-product of the GDPR’s application overreach, which in turn leads to a number of individuals being simply in blissful ignorance of the fact that their activities are also subject to the GDPR.
Not that Mr Bobek is alone in spotting this overreach. 2021 was a record year for GDPR fines, with more fines issued in the first ten months of 2021 than in all of 2020, including some possible nine-figure fines. Meanwhile, the average cost of a data breach rose from €3.4 million to €3.8 million in 2021, according to IBM’s latest annual research.
2021 also saw a detailed and critical re-appraisal of GDPR’s operation from German MEP Axel Voss (CDU-EPP), one of the MEPs who served as a shadow rapporteur when the regulation was going through the European Parliament. He expanded on these concerns in a BEERG Byte discussion with Tom Hayes last April.
Voss is critical of how some data regulators take a restrictive enforcement approach that concentrates on low-level GDPR compliance, rather than on the real issues of data protection in a modern data-driven world.
A note of caution, however. No one is anticipating any legislative changes soon, with Wojciech Wiewiorowski, the European Data Protection Supervisor telling a recent online conference that: “There is no possibility of any changes being made to the GDPR until 2025, when the terms of the current European Commission and European Parliament will have ended. There is no political will to act before then to change any part of it.”
This brings us to the second development, which is related to the first and hangs on some recent Court decisions, particularly in Germany. Some regional German courts have overturned data breach fines imposed by data protection authorities on the grounds that the authority had failed to satisfy a requirement of German law that fines may not be imposed on an entity unless the offence can be attributed to a legal representative of the entity and can also be demonstrably linked to an intentional or negligent act of management.
Last February the Berlin District Court overturned a €14.5 million fine imposed by the Berlin data protection authority. It should be noted that some other regional courts have taken a different approach. Last October the German Federal Ministry of the Interior (BMI) appeared to back the legal interpretation offered by the Berlin court, saying in a report on the operation of the data protection laws that direct corporate liability does not correspond to the will of the German legislature.
As we commented almost a year ago: it is highly likely that this issue will probably end up in the European Court of Justice… queued up behind a range of other key GDPR complexities, but the key point remains: should every GDPR breach constitute an offence?
Shouldn’t an offence result from a deliberate or actual misconduct before fines are imposed, and shouldn’t the authorities need to prove actual misconduct?