German court slashes GDPR fine in a clear rejection of turnover-focused German fine model
Cuts fine to less than 10% of the original amount
In the first decision of a German court on the German calculation model for GDPR fines, the court spectacularly rejected the model, finding that fines for violations under GDPR may not primarily depend on the turnover of a company. Other factors need to be taken into consideration for the determination of a fine that ensures effectiveness, proportionality and deterrence as requested in Article 83 GDPR.
Background
The German calculation model for fines under the GDPR has a strong focus on the turnover of a company. (See our previous Talking Tech article for details). Based on this model, German data protection authorities have issued several multi-million Euro fines for GDPR violations, including a fine in the amount of (i) EUR 14.5 million against the real estate company Deutsche Wohnen SE and (ii) EUR 9.55 million against 1&1 Telecom GmbH ("1&1") at the end of 2019 (see our previous Talking Tech article for details), (iii) EUR 10.4 million against notebooksbilliger.de in January 2021 and (iv) a record fine in the amount of EUR 35.6 million against H&M Hennes & Mauritz Online Shop A.B. & Co. KG ("H&M fine") in October 2020.
These fines give Germany three of the top ten fines in the EU for GDPR violations so far, the H&M fine being the second highest fine after the EUR 50 million fine of the French data protection authority, CNIL, against Google Inc.
In comparison, the Dutch data protection authority published a fine model, which focuses on the gravity and seriousness of the GDPR violation. This model contains four fine categories which are linked to specific fine bands of a minimum and a maximum amount and a basic fine within such bands. This amount is the starting point for the authority for the calculation of the fine in an individual case.
With this calculation model, the Netherlands hold the 7th place (EUR 3.5 million) of the top ten list of fines issued per country (per total amount) whereas Germany is in 2nd place (approx. EUR 63.4 million) with a cumulative fine amount over 18 times higher than the Netherlands.
The German calculation model has been criticized from the beginning for being too focused on turnover. As a consequence, three of the four fines have been or are currently subject to judicial review. Only the H&M fine was accepted without objection.
1&1 just won its appeal against the fine in the first decision by a German court on the calculation model and achieved a reduction of over 90% from EUR 9.55 million to EUR 900,000.
Against this background and given the likely far-reaching knock-on effects of the decision, we take a closer look at the judgement.
Proceedings triggered by criminal charges
The subject of the proceeding before the Regional Court of Bonn was a fine of 9.55 million EUR imposed by the Federal Commissioner for Data Protection and Freedom of Information ("DPA") on the telecommunications service provider 1&1 in December 2019 (judgement of 11 November 2020, case no. 29 OWi 1/20 LG, available here – in German only). The fine proceedings were triggered by criminal charges pressed by a 1&1 customer for stalking. An ex-wife of a customer had learned the customer's new telephone number from the 1&1 call centre after she had pretended to be his wife and was only required to give the customer's name and date of birth for authentication purposes. The DPA imposed the fine on the basis that 1&1 had disclosed the cell phone number of one of its customers to an unauthorised third party by failing to implement an appropriate authentication procedure within its call centre.
Weak authentication process violates Art. 32 GDPR
Concerning the facts, the Court confirmed the DPA's view that 1&1 had failed to adequately adapt its technical and organizational measures pursuant to Art. 32 GDPR regarding its customer authentication process. In general, the company allowed its call centre agents to ask for the caller's name and date of birth in order to authenticate the caller. Even in the event of a call from a third party, the company considered these protective measures to be sufficient. According to both the view of the DPA and the Court, such an authentication procedure cannot withstand the requirements for an adequate level of protection under Art. 32 GDPR. The Court found that 1&1 had the time and the necessary resources to adapt its data protection measures to the standards required by the GDPR within the two-year transition period between the date the GDPR came into force and its application. According to the Court, it would have been easy for 1&1 to ensure an appropriate level of protection for the data being processed by taking suitable measures, such as requesting contract details or customer numbers.
"The fine must be significant; however, it must not appear to be an undue burden in the sense of an excessive response to the specific violation."
As regards the amount of the imposed fine, the fact that the violation of Art. 32 GDPR was indeed a violation of the GDPR, but not a severe one, was not sufficiently considered in the calculation of the fine in the opinion of the Court. The Court took a closer look at the German calculation model for fines and found weaknesses in the model when it comes to the appropriate imposition of fines.
The Court confirmed that the calculation model, which provides that the turnover is an essential factor in determining the appropriate level of the penalties, leads to appropriate fines in terms of the GDPR for a medium data protection violation. However, when it comes to a minor GDPR violation by a company with a large turnover (at group level or otherwise) the model would lead to a disproportionately high fine, whilst conversely leading to a disproportionately low fine in case of a severe GDPR violation by a company with a low turnover.
Fact-based considerations take precedence over turnover in fine calculation
The strong focus on the annual turnover is, therefore, "problematic and contrary to the purpose of the fine under Art. 83 para. 1 GDPR". The imposition of a fine must be effective, proportionate and dissuasive in each case, pursuant to Art. 83 para. 1 GDPR. Art. 83 para. 2, s. 2 GDPR lists criteria relevant for the infringement, e.g. type, severity and duration of the breach, nature of affected data, degree of responsibility. Revenue, however, is not listed as a criterion. According to the Court, this does not mean that the turnover of a company should have no influence on the amount of the fine. The reference to the turnover as a means to frame imposable fine amounts set in Art. 83 para. 4 and 5 GDPR constitutes a necessary tool for the assessment of the fine. However, the structure and wording of Art. 83 para. 2, s. 2 GDPR shows that for the assessment of the fine, the criteria relevant for the infringement are to be considered first.
Where facts of the case clearly speak in favour of or against the severity of the breach, fact-based assessment considerations as set out in Art. 83 para. 2, s. 2 GDPR take precedence over turnover. The Court ruled that this had not been sufficiently taken into account by the DPA in the present case. The case at hand was clearly a minor violation of Article 32 GDPR due to the following facts:
- The incident represented a single and extraordinary case of misuse of 1&1's customer call centre;
- There was no indication of a mass leak of personal data;
- The violation was not committed intentionally;
- The nature of the affected data was not sensitive;
- Weak authentication was used for reasons of customer friendliness;
- Extensive cooperation of 1&1 with the DPA after the incident;
- Change of authentication procedure (1&1 changed the authentication procedure without undue delay to a five-digit service PIN);
- The damage to the company's reputation caused by the multimillion fine imposed.
Against this background, the Court ruled that a fine of EUR 9.55 million was too high. It reduced the fine to a more appropriate amount of EUR 900,000.
Direct accountability of companies for GDPR breaches
In addition to a clear rejection of the German fine model, the Court also addressed – for the first time – the highly debated question whether a company can also be the direct addressee of a fine notice if the respective breach of the GDPR cannot be linked to a specific act or omission of at least one person in the management of the company, i.e. if a company can be directly liable for violations of law irrespective of a proven wrongdoing by an individual. The question is whether the German concept (Rechtsträgerprinzip) or the concept of European supra-national anti-trust sanctions law (Funktionsträgerprinzip) applies. According to European supra-national anti-trust sanctions law, legal entities are directly liable for violations, regardless of which individual acted on their behalf (direct corporate liability). Knowledge of, or even instruction by, the management or breaches of the duty of supervision by the management are not required.
Germany does, so far, not recognize the concept of criminal liability of corporate entities. Regulatory fines may be imposed on the entity itself because of criminal or regulatory offences committed by its representatives or senior managers only. Regulatory fines can be imposed on entities irrespective of whether relevant individuals are convicted and whether fines or imprisonment are also imposed on them. However, whilst the imposition of a regulatory fine does not necessarily require any prior conviction of an individual and whilst relevant individuals do not necessarily need to be specifically identified in fine notices, imposing a regulatory fine on legal entities does require some finding of wrongdoing of individuals acting for the legal entity (representatives or senior managers). This principle is regulated in Sec. 30 para. 1 German Act on Regulatory Offences (Gesetz über Ordnungswidrigkeiten, "OWiG").
The legal question was, therefore, whether Sec. 30 OWiG, as a German national law provision, applies in the context of Art. 83 GDPR. As the link and proof of wrongdoing by an individual within the meaning of Sec. 30 OWiG did not take place in the fine notice in the 1&1 case, the decision of this question was decisive.
The Court assessed that the German legislature seems to have opted for the application of the concept of Sec. 30 OWiG in referring to the application of the OWiG in the German data protection law, i.e. Sec. 41 para. 1 German Federal Data Protection Act (Bundesdatenschutzgesetz), unless explicitly excluded. Sec. 30 OWiG is not excluded. Accordingly, the German legislature seems to require a proven wrongdoing by an individual, namely by a representative or senior manager of the relevant legal entity.
The Court also highlighted a number of dissenting opinions speaking against the application of Sec. 30 OWiG in connection with sanctions under Art. 83 GDPR, including – not surprisingly – the data protection authorities.
GDPR contains uniform and effective sanctioning system
The Court clearly rejected the requirement of wrongdoing by an individual and therewith the application of Sec. 30 para. 1 OWiG. According to the Court, the purpose of Art. 83 GDPR is a uniform and effective sanctioning system of data protection violations by companies within the European Union. There is no room for the requirement of attribution of the action or omission of an individual pursuant to Sec. 30 para. 1 OWiG. If national regimes such as Sec. 30 OWiG would be applicable, there would be the danger of divergent sanctions practices in the EU. This would be detrimental to the approach of a uniform and effective sanctioning system.
The Member States, therefore, only have the possibility to regulate the procedural law nationally according to Art. 83 para. 8 GDPR, but they cannot regulate aspects of the substantive law on fines. This was a fundamental concern in the creation of the GDPR.
Difference of opinion in European judiciary
The Court also recognized that European courts have different opinions on this issue and in particular referred to Austrian case law. The Federal Administrative Court of the Republic of Austria ("Austrian Federal Administrative Court") denied an application priority of Art. 83 para. 4 to 6 GDPR (judgment of 12 May 2020, case no. Ro 2019/04/0229, available here - in German only). It established the applicability of Sec. 30 of the Austrian Data Protection Act (Österreichisches Datenschutzgesetz), a provision comparable to the German Sec. 30 para. 1 OWiG, and required that the fine is linked to the conduct of an individual.
Despite the contradicting judgement of the German Court, the Austrian Federal Administrative Court confirmed its view in its recent ruling (judgment of 26 November 2020, case no. AZ W258 2227269-1).
It is noteworthy that the Austrian Federal Administrative Court, albeit recognizing the difference of opinion in European courts on the question, dismissed a referral to the European Court of Justice.
It should also be noted that the French Administrative Court opted for the German approach and ruled in its decision (judgement of 19 June 2020, case no. 430810) that no wrongdoing of an individual has to be proven for a fine against a legal entity under the GDPR.
New standards for fine procedures
With their judgment – which is final and binding after both parties withdrew their appeals – the judges in Bonn have set new standards for the German procedure of imposing fines for GDPR violations.
The judgement will likely have a knock-on effect on the currently pending court cases related to the non-final fines imposed on Deutsche Wohnen SE and notebooksbilliger.de. It will be interesting to see whether the competent courts follow the view of the Court in the 1&1 case and again dismiss the focus of the fine model on turnover by decreasing the imposed fines.
German data protection authorities certainly follow these developments closely, and the German fine model will likely have to be adapted to the standards of the GDPR as laid out by the Court.
Progress in the area of corporate liability for data protection breaches
This decision will provide clarity for German companies. It makes clear that fines need to be appropriate, whilst also confirming that German data protection authorities do not need to prove wrongdoing by an individual representative or senior manager of a company to be able to impose a fine on the company itself.
In view of the different European interpretations of Art. 83 GDPR, it remains to be seen, however, whether there will be a referral to the European Court of Justice to settle the matter.
For German companies, it should be noted that the decision of the Court in this respect follows the political decision to strengthen corporate liability. On 21 October 2020, the German government initiated the final phase of the legislative process by introducing its draft law to the German Parliament. The draft Association Sanctions Act (Verbandssanktionengesetz) pursues the goal of placing the sanctioning of associations whose purpose is directed at economic business operations on an independent legal basis.
Above all, the ruling clearly shows that a significant reduction of a fine is possible with an effective legal defence. Companies are therefore well advised to consider suitable defence strategies in advance and to implement them in their compliance programs.
Tabea Leidinger contributed to this article.