Article 84 GDPR: Difference between revisions

From GDPRhub
Line 196: Line 196:


== Commentary ==
== Commentary ==
Article 83 requires Member States to adopt by national law specific provisions for breaches of the GDPR not subject to the discipline of Article 83 GDPR. Such provisions must also be effective, proportionate and dissuasive. Pursuant to paragraph 2, Member States are required to communicate such legislative measures to the European Commission.
Article 84 requires Member States to adopt by national law specific provisions for breaches of the GDPR not subject to the discipline of Article 83 GDPR. Such provisions must also be effective, proportionate and dissuasive. Pursuant to Article 84(2) GDPR, Member States are required to communicate such legislative measures to the European Commission.


===(1) Requirements for Member State Laws===
===(1) Requirements for Member State Laws===
Certain violations of the GDPR are not listed in the catalogue of penalties in [[Article 83 GDPR]]. National legislators may add provisions to fill these gaps.
Certain violations of the GDPR are not listed in the catalogue of penalties in Article 83 GDPR. National legislators may add provisions to fill these gaps. Under Recital 152 GDPR, these provisions may either be civil or criminal in nature. For example, § 62 of the Austrian Data Protection Act (Datenschutzgesetz - DSG) sets a penalty of €50,000 for, ''inter alia'', (1) intentionally obtaining illegal access to personal data (2) refusing an inspection by the Austrian supervisory authority, (3) operating a CCTV system in violation of the specific rules set out in the Act. In the Netherlands, additional penalty provisions include Article 21a of the Act implementing the GDPR ('''Uitvoeringswet Algemene verordening gegevensbescherming''<nowiki/>'), which permits the supervisory authority to impose an administrative fine of up to €20 million (or 4% of the total worldwide annual turnover), where the requirements on access by payment service providers to the personal data of their users, established in Article 3.17(7) of the Financial Supervision Act (‘''Wet op het financieel toezicht''<nowiki/>'), are violated. The GDPR can in this way be viewed as an “''atypical hybrid of regulation and directive''.”<ref>''Kühling'', ''Martini'', Die Datenschutz-Grundverordnung: Revolution oder Evolution im europäischen un deutschen Datenschutzrecht?, Article 84 GDPR, margin numbers 448-449 (C.H. Beck 2016), cited by ''Popp'' in Sydow, Europaische Datenschutzgrundverordnung, Article 84, margin number 1 (C.H. Beck 2018, 2nd edition).</ref> Whilst it establishes an EU-wide penalty regime for violations under Article 83 GDPR, Article 84(1) GDPR dispenses with complete harmonisation. It does, however, provide that any sanctions chosen must be ‘effective, proportionate, and dissuasive,’ which limits national procedural autonomy to some extent.<ref>''Lynskey'' in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 84 GDPR, p. 
1198 (Oxford University Press 2020); ''Popp'' in Sydow, Europaische Datenschutzgrundverordnung, Article 84, margin number 1 (C.H. Beck 2018, 2nd edition).</ref> Accordingly, rules on sanctions may not make it impossible in practice to exercise rights conferred by EU law,<ref>CJEU, Rewe, Case C-33/76, 16 December 1967 (available [https://curia.europa.eu/juris/showPdf.jsf;jsessionid=DECFEDDC0BE6EAA5C6A2BC7AE72E4904?text=&docid=89192&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=5435313 here]) cited by ''Lynskey'' in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 84 GDPR, p. 1198 (Oxford University Press 2020).</ref> and must be sufficiently preventative, meaning use is made of the possibility of imposing them across Europe.<ref>''Gola'', Datenschutz-Grundverordnung, Article 84, margin numbers 1-2 (C.H. Beck 2018, 2nd edition).</ref>
 
Under Recital 152 these provisions may either be civil or criminal in nature. For example, § 62 of the Austrian Data Protection Act (Datenschutzgesetz - DSG) sets a penalty of €50,000 for, among other things, (1) intentionally obtaining illegal access to personal data (2) refusing an inspection by the Austrian DPA, (3) operating a CCTV system in violation of the specific rules set out in the Act. In the Netherlands, additional penalty provisions include Article 21a of the Act implementing the GDPR ('''Uitvoeringswet Algemene verordening gegevensbescherming''<nowiki/>'), which permits the DPA to impose an administrative fine of up to €20 million (or 4% of the total worldwide annual turnover), where the requirements on access by payment service providers to the personal data of their users, established in Article 3.17(7) of the Financial Supervision Act (‘''Wet op het financieel toezicht''<nowiki/>'), are violated.  
 
 
 
The GDPR can in this way be viewed as an “''atypical hybrid of regulation and directive''.”<ref>''Kühling'', ''Martini'', Die Datenschutz-Grundverordnung: Revolution oder Evolution im europäischen un deutschen Datenschutzrecht?, Article 84 GDPR, margin numbers 448, 449 (Beck 2016) (accessed 23 July 2021), cited by ''Popp'' in Sydow, Europaische Datenschutzgrundverordnung, Article 84, margin number 1 (Beck 2018, 2nd ed.) (accessed 23 July 2021).</ref> Whilst it establishes an EU-wide penalty regime for violations under [[Article 83 GDPR]], Article 84(1) GDPR dispenses with complete harmonization. It does however provide that any sanctions chosen must be ‘effective, proportionate, and dissuasive,’ which limits national procedural autonomy to some extent.<ref>''Lynskey'' in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 84 GDPR, p. 1198 (Oxford University Press 2020); ''Popp'' in Sydow, Europaische Datenschutzgrundverordnung, Article 84, margin number 1 (Beck 2018, 2nd ed.) (accessed 23 July 2021).</ref> Accordingly, rules on sanctions may not make it impossible in practice to exercise rights conferred by EU law,<ref>CJEU, Rewe, Case C-33/76, 16 December 1967 (available [https://curia.europa.eu/juris/showPdf.jsf;jsessionid=DECFEDDC0BE6EAA5C6A2BC7AE72E4904?text=&docid=89192&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=5435313 here]) cited by ''Lynskey'' in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 84 GDPR, p. 1198 (Oxford University Press 2020).</ref> and must be sufficiently preventative, meaning use is made of the possibility of imposing them across Europe.<ref>Gola, Datenschutz-Grundverordnung, Article 84, margin numbers 1-2 (Beck 2018, 2nd ed.) (accessed 23 July 2021).</ref>
====Relationship Between Article 83 and 84 GDPR====
====Relationship Between Article 83 and 84 GDPR====
The extent to which conduct under [[Article 83 GDPR|Article 83]] should be excluded from penalties issued under Article 84 is debated. Whilst Popp and Jay argue that the wording of the GDPR is simply unclear in this regard,<ref>Jay, Guide to the General Data Protection Regulation, p. 331 (Sweet & Maxwell 2017); ''Popp'' in Sydow, Europaische Datenschutzgrundverordnung, Article 84, margin number 1 (Beck 2018, 2nd ed.) (accessed 23 July 2021).</ref> according to Hert, Boulet, and Lynskey, the existence of a penalty for conduct under [[Article 83 GDPR]] should not be seen to preclude a further penalty under Article 84.  
The extent to which conduct under Article 83 GDPR should be excluded from penalties issued under Article 84 GDPR is debated. Whilst Popp and Jay argue that the wording of the GDPR is simply unclear in this regard,<ref>''Jay'', Guide to the General Data Protection Regulation, p. 331 (Sweet & Maxwell 2017); ''Popp'' in Sydow, Europaische Datenschutzgrundverordnung, Article 84, margin number 1 (C.H. Beck 2018, 2nd edition).</ref> according to de Hert, Boulet, and Lynskey, the existence of a penalty for conduct under Article 83 GDPR should not be seen to preclude a further penalty under Article 84 GDPR.  For example, in cases where Member States lay down criminal provisions under Article 84 GDPR, de Hert and Boulet argue that, this “[''allows''] ''an approach where the criminal is only used when the administrative fails.''<ref>''De Hert and Boulet'', The Co-Existance of Administrative and Criminal Law Approaches to Data Protection Wrongs’ in Wright and de Hert, Enforcing Privacy: Regulatory, Legal, and Technological Approaches, p. 838 (Springer, 2016).</ref> Lynskey notes that the words “''in particular”'' in Article 84(1) GDPR (''Member States shall lay down other penalties […] in particular for infringements which are not subject to administrative fines pursuant to Article 83'') support such a view.<ref>''Lynskey'' in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 84 GDPR, p. 1199 (Oxford University Press 2020).</ref> In contrast, Mountain highlights the phrase ''other penalties''(“''Member States shall lay down the rules on other penalties''”), which would exclude all sanctions mentioned in Chapter VIII GDPR, i.e. the damages under Article 82 GDPR and fines under Article 83 GDPR.<ref>''Mountain'' in Kühling, Buchner, DS-GVO BDSG, Article 84, margin numbers 8-8b (C.H. 
Beck 2020, 3rd edition).</ref> In any case, should fines for conduct falling under the two articles overlap, the principle of ''ne bis in idem'', further discussed in the section below, must be taken into account.  
 
For example, in cases where member states lay down criminal provisions under Article 84, Hert and Boulet argue that, this ''“[allows] an approach where the criminal is only used when the administrative fails.''<ref>De Hert and Boulet, The Co-Existance of Administrative and Criminal Law Approaches to Data Protection Wrongs’ in Wright and de Hert, Enforcing Privacy: Regulatory, Legal, and Technological Approaches, p. 838 (Springer, 2016) (accessed 23 July 2021).</ref> Lynskey notes that the words ‘in particular’ in Article 84(1) ("''Member States shall lay down other penalties […] in particular for infringements which are not subject to administrative fines pursuant to Article 83"'') supports such a view.<ref>''Lynskey'' in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 84 GDPR, p. 1199 (Oxford University Press 2020).</ref> In contrast, Mountain highlights the phrase "''other penalties''" (‘Member States shall lay down the rules on other penalties’), which would exclude all sanctions mentioned in Chapter VIII GDPR, i.e. the damages under Article 82 and fines under Article 83 GDPR.<ref>''Mountain'' in Juhling, Buchner, DS-GVO BDSG, Article 84, margin numbers 8-8b (Beck 2020, 3rd edn.) (accessed 23 July 2021).</ref>
 
In any case, should fines for conduct falling under the two articles overlap, the principle of ''ne bis in idem'', further discussed in the section below, must be taken into account.  


====Criminal Penalties====
====Criminal Penalties====
Many illegal processing activities under the GDPR may give rise to violations of national criminal laws that are specific to data processing or have broader application (e.g. laws on cybersecurity, fraud and alike). Under § 63 of the Austrian Data Protection Act, for example, individuals who, with the intention of enriching themselves or a third party, deliberately use personal data that have been entrusted to them due to their professional occupation, or which they have illegally acquired, to financially benefit themselves or a third party, may be punished with imprisonment of up to one year.
Many illegal processing activities under the GDPR may give rise to violations of national criminal laws that are specific to data processing or have broader application (e.g. laws on cybersecurity, fraud and alike). For example, under § 63 of the Austrian Data Protection Act, individuals who, with the intention of enriching themselves or a third party, deliberately use personal data that have been entrusted to them due to their professional occupation, or which they have illegally acquired, to financially benefit themselves or a third party, may be punished with imprisonment of up to one year. According to Recital 149 GDPR, the imposition of criminal penalties for infringements of national rules on criminal penalties under Article 84 GDPR should not lead to a breach of the principle of ''ne bis idem'', as interpreted by the CJEU. This principle, derived from Article 50 CFR, establishes the right to not be tried and punished twice in criminal proceedings for the same criminal offence. As Lynskey notes, the administrative fines under Article 83 GDPR can likely be classified as criminal in nature. Thus, compliance with Article 50 CFR may be threatened where a criminal sanction is issued under Article 84 for the same conduct.<ref>''Lynskey'' in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 84 GDPR, p. 1200 (Oxford University Press 2020).</ref> Eurojust has noted the potential that the ''ne bis in idem'' principle may also be engaged at a transnational level, and Member States should consider criminal sanctions issued in other Member States.<ref>Eurojust, The Principle of Ne Bis in Idem in Criminal Matters in the Case Law of the Court of Justice of the European Union, p. 25 (September 2017), cited by ''Lynskey'' in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 84 GDPR, p. 1200 (Oxford University Press 2020).</ref>
 
Under Recital 149 GDPR, the imposition of criminal penalties for infringements of national rules on criminal penalties under Article 84 GDPR, should not lead to a breach of the principle of ''ne bis idem'', as interpreted by the CJEU. This principle, derived from Article 50 CFR, establishes the right to not be tried and punished twice in criminal proceedings for the same criminal offence. As Lynskey notes, the administrative fines under Article 83 GDPR can likely be classified as criminal in nature, is satisfied, meaning that compliance with Article 50 CFR may be threatened where a criminal sanction is issued under Article 84 for the same conduct.<ref>''Lynskey'' in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 84 GDPR, p. 1200 (Oxford University Press 2020).</ref> Eurojust has noted the potential that the ''ne bis in idem'' principle may also be engaged at a transnational level, and Member States should consider criminal sanctions issued in other Member States.<ref>Eurojust, The Principle of Ne Bis in Idem in Criminal Matters in the Case Law of the Court of Justice of the European Union, p. 25 (September 2017), cited by ''Lynskey'' in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 84 GDPR, p. 1200 (Oxford University Press 2020).</ref>


=== (2) Notification Obligation ===
=== (2) Notification Obligation ===
Each Member State shall notify to the Commission the provisions of its law which it adopts pursuant to paragraph 1, by 25 May 2018 and, without delay, any subsequent amendment affecting them.
Each Member State shall notify to the Commission the provisions of its law which it adopts pursuant to Article 84(1) GDPR, by 25 May 2018 and, without delay, any subsequent amendment affecting them.


== Decisions ==
== Decisions ==
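Review bot: the rewritten "(1) Requirements for Member State Laws" paragraph drops the internal [[Article 83 GDPR]] wikilink that the old paragraph carried ("catalogue of penalties in [[Article 83 GDPR]]" becomes plain "Article 83 GDPR"), and the same link is lost in the rewritten "Relationship Between Article 83 and 84 GDPR" paragraph; the wikilinks should be kept in the new text so readers can still navigate to the Article 83 commentary. Two defects are carried over unchanged into the new text: in the Relationship paragraph the de Hert and Boulet quotation still has no closing quotation mark after "fails." and keeps the stray comma in "argue that, this", and in the Criminal Penalties paragraph "ne bis idem" should read "ne bis in idem" and "fraud and alike" should read "fraud and the like". The consolidation of the old "can likely be classified as criminal in nature, is satisfied, meaning that" sentence into two separate sentences in the Criminal Penalties paragraph does resolve the garbled wording of the earlier revision.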

Revision as of 11:27, 29 April 2022

Article 84 - Penalties

Legal Text


Article 84 - Penalties


1. Member States shall lay down the rules on other penalties applicable to infringements of this Regulation in particular for infringements which are not subject to administrative fines pursuant to Article 83, and shall take all measures necessary to ensure that they are implemented. Such penalties shall be effective, proportionate and dissuasive.

2. Each Member State shall notify to the Commission the provisions of its law which it adopts pursuant to paragraph 1, by 25 May 2018 and, without delay, any subsequent amendment affecting them.

Relevant Recitals

Recital 149: Criminal Penalties by and for Infringements of National Rules
Member States should be able to lay down the rules on criminal penalties for infringements of this Regulation, including for infringements of national rules adopted pursuant to and within the limits of this Regulation. Those criminal penalties may also allow for the deprivation of the profits obtained through infringements of this Regulation. However, the imposition of criminal penalties for infringements of such national rules and of administrative penalties should not lead to a breach of the principle of ne bis in idem, as interpreted by the Court of Justice.

Recital 151: Administrative Fines in Denmark and Estonia
The legal systems of Denmark and Estonia do not allow for administrative fines as set out in this Regulation. The rules on administrative fines may be applied in such a manner that in Denmark the fine is imposed by competent national courts as a criminal penalty and in Estonia the fine is imposed by the supervisory authority in the framework of a misdemeanour procedure, provided that such an application of the rules in those Member States has an equivalent effect to administrative fines imposed by supervisory authorities. Therefore the competent national courts should take into account the recommendation by the supervisory authority initiating the fine. In any event, the fines imposed should be effective, proportionate and dissuasive.

Recital 152: Implementation of a National Penalty System if Necessary
Where this Regulation does not harmonise administrative penalties or where necessary in other cases, for example in cases of serious infringements of this Regulation, Member States should implement a system which provides for effective, proportionate and dissuasive penalties. The nature of such penalties, criminal or administrative, should be determined by Member State law.

Commentary

Article 84 requires Member States to adopt by national law specific provisions for breaches of the GDPR not subject to the discipline of Article 83 GDPR. Such provisions must also be effective, proportionate and dissuasive. Pursuant to Article 84(2) GDPR, Member States are required to communicate such legislative measures to the European Commission.

(1) Requirements for Member State Laws

Certain violations of the GDPR are not listed in the catalogue of penalties in Article 83 GDPR. National legislators may add provisions to fill these gaps. Under Recital 152 GDPR, these provisions may either be civil or criminal in nature. For example, § 62 of the Austrian Data Protection Act (Datenschutzgesetz - DSG) sets a penalty of €50,000 for, inter alia, (1) intentionally obtaining illegal access to personal data, (2) refusing an inspection by the Austrian supervisory authority, and (3) operating a CCTV system in violation of the specific rules set out in the Act. In the Netherlands, additional penalty provisions include Article 21a of the Act implementing the GDPR (‘Uitvoeringswet Algemene verordening gegevensbescherming’), which permits the supervisory authority to impose an administrative fine of up to €20 million (or 4% of the total worldwide annual turnover) where the requirements on access by payment service providers to the personal data of their users, established in Article 3.17(7) of the Financial Supervision Act (‘Wet op het financieel toezicht’), are violated. The GDPR can in this way be viewed as an “atypical hybrid of regulation and directive”.[1] Whilst it establishes an EU-wide penalty regime for violations under Article 83 GDPR, Article 84(1) GDPR dispenses with complete harmonisation. It does, however, provide that any sanctions chosen must be ‘effective, proportionate, and dissuasive’, which limits national procedural autonomy to some extent.[2] Accordingly, rules on sanctions may not make it impossible in practice to exercise rights conferred by EU law,[3] and must be sufficiently preventative, meaning that use is actually made of the possibility of imposing them across Europe.[4]

Relationship Between Articles 83 and 84 GDPR

The extent to which conduct under Article 83 GDPR should be excluded from penalties issued under Article 84 GDPR is debated. Whilst Popp and Jay argue that the wording of the GDPR is simply unclear in this regard,[5] according to de Hert, Boulet, and Lynskey, the existence of a penalty for conduct under Article 83 GDPR should not be seen to preclude a further penalty under Article 84 GDPR. For example, where Member States lay down criminal provisions under Article 84 GDPR, de Hert and Boulet argue that this “[allows] an approach where the criminal is only used when the administrative fails.”[6] Lynskey notes that the words “in particular” in Article 84(1) GDPR (“Member States shall lay down other penalties […] in particular for infringements which are not subject to administrative fines pursuant to Article 83”) support such a view.[7] In contrast, Mountain highlights the phrase “other penalties” (“Member States shall lay down the rules on other penalties”), which would exclude all sanctions mentioned in Chapter VIII GDPR, i.e. the damages under Article 82 GDPR and the fines under Article 83 GDPR.[8] In any case, should fines for conduct falling under the two articles overlap, the principle of ne bis in idem, discussed in the section below, must be taken into account.

Criminal Penalties

Many illegal processing activities under the GDPR may also give rise to violations of national criminal laws, whether specific to data processing or of broader application (e.g. laws on cybersecurity, fraud and the like). For example, under § 63 of the Austrian Data Protection Act, individuals who, with the intention of enriching themselves or a third party, deliberately use personal data that have been entrusted to them in the course of their professional occupation, or which they have illegally acquired, to financially benefit themselves or a third party, may be punished with imprisonment of up to one year. According to Recital 149 GDPR, the imposition of criminal penalties for infringements of national rules adopted under Article 84 GDPR, alongside administrative penalties, should not lead to a breach of the principle of ne bis in idem, as interpreted by the CJEU. This principle, derived from Article 50 CFR, establishes the right not to be tried and punished twice in criminal proceedings for the same criminal offence. As Lynskey notes, the administrative fines under Article 83 GDPR can likely be classified as criminal in nature. Compliance with Article 50 CFR may therefore be threatened where a criminal sanction is issued under Article 84 GDPR for the same conduct.[9] Eurojust has noted that the ne bis in idem principle may also be engaged at a transnational level, so that Member States should take into account criminal sanctions issued in other Member States.[10]

(2) Notification Obligation

Each Member State shall notify to the Commission the provisions of its law which it adopts pursuant to Article 84(1) GDPR, by 25 May 2018 and, without delay, any subsequent amendment affecting them.

Decisions

→ You can find all related decisions in Category:Article 84 GDPR

References

  1. Kühling, Martini, Die Datenschutz-Grundverordnung: Revolution oder Evolution im europäischen und deutschen Datenschutzrecht?, Article 84 GDPR, margin numbers 448-449 (C.H. Beck 2016), cited by Popp in Sydow, Europäische Datenschutzgrundverordnung, Article 84, margin number 1 (C.H. Beck 2018, 2nd edition).
  2. Lynskey in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 84 GDPR, p. 1198 (Oxford University Press 2020); Popp in Sydow, Europäische Datenschutzgrundverordnung, Article 84, margin number 1 (C.H. Beck 2018, 2nd edition).
  3. CJEU, Rewe, Case C-33/76, 16 December 1967 (available at https://curia.europa.eu/juris/showPdf.jsf?text=&docid=89192&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1), cited by Lynskey in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 84 GDPR, p. 1198 (Oxford University Press 2020).
  4. Gola, Datenschutz-Grundverordnung, Article 84, margin numbers 1-2 (C.H. Beck 2018, 2nd edition).
  5. Jay, Guide to the General Data Protection Regulation, p. 331 (Sweet & Maxwell 2017); Popp in Sydow, Europäische Datenschutzgrundverordnung, Article 84, margin number 1 (C.H. Beck 2018, 2nd edition).
  6. De Hert and Boulet, The Co-Existence of Administrative and Criminal Law Approaches to Data Protection Wrongs, in Wright and de Hert, Enforcing Privacy: Regulatory, Legal, and Technological Approaches, p. 838 (Springer 2016).
  7. Lynskey in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 84 GDPR, p. 1199 (Oxford University Press 2020).
  8. Mountain in Kühling, Buchner, DS-GVO BDSG, Article 84, margin numbers 8-8b (C.H. Beck 2020, 3rd edition).
  9. Lynskey in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 84 GDPR, p. 1200 (Oxford University Press 2020).
  10. Eurojust, The Principle of Ne Bis in Idem in Criminal Matters in the Case Law of the Court of Justice of the European Union, p. 25 (September 2017), cited by Lynskey in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 84 GDPR, p. 1200 (Oxford University Press 2020).