Article 84 GDPR
Article 84 - Penalties
1. Member States shall lay down the rules on other penalties applicable to infringements of this Regulation in particular for infringements which are not subject to administrative fines pursuant to Article 83, and shall take all measures necessary to ensure that they are implemented. Such penalties shall be effective, proportionate and dissuasive.
2. Each Member State shall notify to the Commission the provisions of its law which it adopts pursuant to paragraph 1, by 25 May 2018 and, without delay, any subsequent amendment affecting them.
(1) Requirements for member state laws
Certain violations of the GDPR are not listed in the catalogue of penalties in Article 83 GDPR. National legislators may add provisions to fill these gaps. Under Recital 152, such provisions may be either civil or criminal in nature.
For example, § 62 of the Austrian Data Protection Act (Datenschutzgesetz - DSG) sets a penalty of €50,000 for, among other things, (1) intentionally obtaining illegal access to personal data, (2) refusing an inspection by the Austrian DPA, (3) operating a CCTV system in violation of the specific rules set out in the Act. In the Netherlands, additional penalty provisions include Article 21a of the Act implementing the GDPR ('Uitvoeringswet Algemene verordening gegevensbescherming'), which permits the Dutch DPA (AP) to impose an administrative fine of up to €20 million (or 4% of the total worldwide annual turnover), where the requirements on access by payment service providers to the personal data of their users, established in Article 3.17(7) of the Financial Supervision Act ('Wet op het financieel toezicht'), are violated.
The GDPR can in this way be viewed as an “atypical hybrid of regulation and directive.” Whilst it establishes an EU-wide penalty regime for violations under Article 83 GDPR, Article 84(1) GDPR dispenses with complete harmonization. It does, however, provide that any sanctions chosen must be ‘effective, proportionate, and dissuasive,’ which limits national procedural autonomy to some extent. Accordingly, rules on sanctions may not make it impossible in practice to exercise rights conferred by EU law, and must be sufficiently preventative, meaning that use is made of the possibility of imposing them across Europe.
Relationship between Article 83 and 84 GDPR
The extent to which conduct under Article 83 should be excluded from penalties issued under Article 84 is debated. Whilst Popp and Jay argue that the wording of the GDPR is simply unclear in this regard, according to Hert, Boulet, and Lynskey, the existence of a penalty for conduct under Article 83 GDPR should not be seen to preclude a further penalty under Article 84.
For example, in cases where member states lay down criminal provisions under Article 84, Hert and Boulet argue that this “[allows] an approach where the criminal is only used when the administrative fails.” Lynskey notes that the words ‘in particular’ in Article 84(1) (‘Member States shall lay down other penalties […] in particular for infringements which are not subject to administrative fines pursuant to Article 83’) support such a view. In contrast, Golla and Mountain point to the phrase ‘other penalties’ (‘Member States shall lay down the rules on other penalties’), which would exclude all sanctions mentioned in Chapter VIII GDPR, i.e. the damages under Article 82 and fines under Article 83, bar where opening clauses exist.
In any case, should fines for conduct falling under the two articles overlap, the principle of ne bis in idem, further discussed in the section below, must be honoured.
Many illegal processing activities under the GDPR may give rise to violations of national criminal laws that are specific to data processing or have broader application (e.g. laws on cybersecurity, fraud and the like). Under § 63 of the Austrian Data Protection Act, for example, individuals who, with the intention of enriching themselves or a third party, deliberately use personal data that have been entrusted to them due to their professional occupation, or which they have illegally acquired, to financially benefit themselves or a third party, may be punished with imprisonment of up to one year.
Under Recital 149 GDPR, the imposition of criminal penalties for infringements of national rules on criminal penalties under Article 84 GDPR should not lead to a breach of the principle of ne bis in idem, as interpreted by the CJEU. This principle, derived from Article 50 CFR, establishes the right to not be tried and punished twice in criminal proceedings for the same criminal offence. As Lynskey notes, the administrative fines under Article 83 GDPR can likely be classified as criminal in nature, as the test in Engel (which asks, for example, whether the fine is punitive, and whether the domestic law treats the fine as criminal law) is satisfied, meaning compliance with Article 50 CFR may be threatened where a criminal sanction is issued under Article 84 for the same conduct. Eurojust has noted the potential that the ne bis in idem principle may also be engaged at a transnational level, and Member States should consider criminal sanctions issued in other Member States.