European enforcement challenges: regulatory roulette?
October 2024 | SPOTLIGHT | RISK MANAGEMENT
Financier Worldwide Magazine
October 2024 Issue
In 2023, an aggregate amount of nearly €2bn in fines was imposed by European Union (EU) data protection regulators. Data-driven and (US-based) technology companies are the primary recipients. Not only is the total amount jaw-dropping, but so are the largest individual fines. The top three fines in 2023 were €1.2bn, €390m and €345m.
With rising fines and regulators becoming increasingly comfortable using all the tools from their regulatory toolkit (e.g., dawn raids, injunctions and deletion orders), questions arise about the proportionality of certain measures, especially in situations where certain core concepts of the EU’s data protection law, the General Data Protection Regulation (GDPR), remain unclear.
Ambiguity on core GDPR concepts
At the core of the GDPR is the term ‘personal data’, which is broadly defined as “any information relating to an identified or identifiable natural person” (the data subject). In determining whether a natural person is directly or indirectly identifiable, all the means reasonably likely to be used to identify that person should be considered. According to the top EU court, it is not required that all the information enabling the identification must be in the hands of one person or entity.
This makes the determination a highly fact-specific question, which in turn leads to diverging decisions between courts and regulators across the EU. For example, in 2023 the EU General Court ruled that the disclosure of pseudonymised (e.g., hashed) data to a recipient may not constitute “information relating to an identifiable natural person” if it has not been assessed whether the recipient has the legal means to un-hash the data and re-identify the individuals. While the decision was critically received, it shows that even top EU courts issue diverging rulings on such a key GDPR concept.
Another illustrative example is the ambiguity around the concept of a ‘personal data breach’. Even though this is a defined term under the GDPR (article 4 paragraph 12), interpretations still vary.
In the event of temporary unavailability of a system, the compliance question organisations face is whether this constitutes a personal data breach.
Because ‘data loss’ is included in the statutory definition, certain regulators argue that, as long as it is unknown how long the data will be unavailable, the system unavailability could amount to data loss and therefore to a ‘personal data breach’ (which, in certain cases, means that companies must notify regulators within 72 hours of becoming aware of the breach).
Some parties argue that the GDPR does not include data unavailability or lack of access in the definition of a personal data breach, viewing this exclusion as a deliberate legislative choice, and noting that temporary data unavailability is not the same as actual data loss. While a certain amount of ambiguity is inherent in relatively new legislation, and in legislation built on technology-neutral legal principles rather than ‘tick box’ compliance rules, the associated legal uncertainty has many downsides.
Bearing in mind that regulators are tasked with ensuring a high level of data protection, they will likely act on the broadest interpretations of the law. Therefore, companies arguably know how a regulator will interpret the law – but does this mean they must accept these interpretations and potentially face mega fines and years of litigation in a game of regulatory roulette?
And if the proverbial goalposts have been moved during the game – meaning that a previously ambiguous aspect of the law has now finally been clarified by a top EU court – will regulators strictly enforce the clarified interpretation of the law with retroactive effect?
Proportionality in GDPR enforcement
The concepts of personal data and personal data breach are just some examples of ambiguous core GDPR concepts. The broader question is what this should mean for enforcement measures. Currently, there are nearly 50 cases pending at the European Court of Justice regarding the GDPR, highlighting the significance of these uncertainties.
In a situation where reasonable minds differ on the interpretation of key GDPR concepts and principles, this raises the question of to what extent mega-fines can be considered proportionate (proportionality being a legal requirement when imposing a fine). As the top EU courts clarify many of these questions in the coming years, the legal uncertainty will decrease. Until then, it will be interesting to see whether more regulators start giving clear notice of alleged breaches of the law and imposing orders to comply more frequently, instead of resorting to fines.
In the short term, this may lead to more national interim relief proceedings relating to the enforcement orders, but it should reduce the number of significant fines in situations where there is still significant legal uncertainty. This way, the proportionality of the enforcement measures will become more front and centre. This approach will also help ensure that enforcement actions, such as orders to comply, are subject to independent judicial review at an earlier stage.
In any event, with the introduction of new legislation under the EU’s Digital Strategy, it is crucial that regulators ensure the proportionality of their actions and avoid games of regulatory roulette. This will help maintain a balanced and predictable regulatory environment, encouraging compliance and innovation.
Mark Egeler and Christoph Werkmeister are partners and Iris Vlastuin is an associate at Freshfields Bruckhaus Deringer LLP. Mr Egeler can be contacted by email: mark.egeler@freshfields.com. Mr Werkmeister can be contacted by email: christoph.werkmeister@freshfields.com. Ms Vlastuin can be contacted by email: iris.vlastuin@freshfields.com.
© Financier Worldwide