Article 84 GDPR

From GDPRhub
Article 84 - Penalties
Gdpricon.png
Chapter 10: Delegated and implementing acts

Legal Text


Article 84 - Penalties


1. Member States shall lay down the rules on other penalties applicable to infringements of this Regulation in particular for infringements which are not subject to administrative fines pursuant to Article 83, and shall take all measures necessary to ensure that they are implemented. Such penalties shall be effective, proportionate and dissuasive.

2. Each Member State shall notify to the Commission the provisions of its law which it adopts pursuant to paragraph 1, by 25 May 2018 and, without delay, any subsequent amendment affecting them.

Relevant Recitals

Recital 149: Criminal Penalties by and for Infringements of National Rules
Member States should be able to lay down the rules on criminal penalties for infringements of this Regulation, including for infringements of national rules adopted pursuant to and within the limits of this Regulation. Those criminal penalties may also allow for the deprivation of the profits obtained through infringements of this Regulation. However, the imposition of criminal penalties for infringements of such national rules and of administrative penalties should not lead to a breach of the principle of ne bis in idem, as interpreted by the Court of Justice.

Recital 151: Administrative Fines in Denmark and Estonia
The legal systems of Denmark and Estonia do not allow for administrative fines as set out in this Regulation. The rules on administrative fines may be applied in such a manner that in Denmark the fine is imposed by competent national courts as a criminal penalty and in Estonia the fine is imposed by the supervisory authority in the framework of a misdemeanour procedure, provided that such an application of the rules in those Member States has an equivalent effect to administrative fines imposed by supervisory authorities. Therefore the competent national courts should take into account the recommendation by the supervisory authority initiating the fine. In any event, the fines imposed should be effective, proportionate and dissuasive.

Recital 152: Implementation of a National Penalty System if Necessary
Where this Regulation does not harmonise administrative penalties or where necessary in other cases, for example in cases of serious infringements of this Regulation, Member States should implement a system which provides for effective, proportionate and dissuasive penalties. The nature of such penalties, criminal or administrative, should be determined by Member State law.

Commentary

Article 83 requires Member States to adopt by national law specific provisions for breaches of the GDPR not subject to the discipline of Article 83 GDPR. Such provisions must also be effective, proportionate and dissuasive. Pursuant to paragraph 2, Member States are required to communicate such legislative measures to the European Commission.

(1) Requirements for Member State Laws

Certain violations of the GDPR are not listed in the catalogue of penalties in Article 83 GDPR. National legislators may add provisions to fill these gaps. Under Recital 152 these provisions may either be civil or criminal in nature.

For example, § 62 of the Austrian Data Protection Act (Datenschutzgesetz - DSG) sets a penalty of €50,000 for, among other things, (1) intentionally obtaining illegal access to personal data (2) refusing an inspection by the Austrian DPA, (3) operating a CCTV system in violation of the specific rules set out in the Act. In the Netherlands, additional penalty provisions include Article 21a of the Act implementing the GDPR ('Uitvoeringswet Algemene verordening gegevensbescherming'), which permits the DPA to impose an administrative fine of up to €20 million (or 4% of the total worldwide annual turnover), where the requirements on access by payment service providers to the personal data of their users, established in Article 3.17(7) of the Financial Supervision Act (‘Wet op het financieel toezicht'), are violated.

The GDPR can in this way be viewed as an “atypical hybrid of regulation and directive.”[1] Whilst it establishes an EU-wide penalty regime for violations under Article 83 GDPR, Article 84(1) GDPR dispenses with complete harmonization. It does however provide that any sanctions chosen must be ‘effective, proportionate, and dissuasive,’ which limits national procedural autonomy to some extent.[2] Accordingly, rules on sanctions may not make it impossible in practice to exercise rights conferred by EU law,[3] and must be sufficiently preventative, meaning use is made of the possibility of imposing them across Europe.[4]

Relationship Between Article 83 and 84 GDPR

The extent to which conduct under Article 83 should be excluded from penalties issued under Article 84 is debated. Whilst Popp and Jay argue that the wording of the GDPR is simply unclear in this regard,[5] according to Hert, Boulet, and Lynskey, the existence of a penalty for conduct under Article 83 GDPR should not be seen to preclude a further penalty under Article 84.

For example, in cases where member states lay down criminal provisions under Article 84, Hert and Boulet argue that, this “[allows] an approach where the criminal is only used when the administrative fails.”[6] Lynskey notes that the words ‘in particular’ in Article 84(1) ("Member States shall lay down other penalties […] in particular for infringements which are not subject to administrative fines pursuant to Article 83") supports such a view.[7] In contrast, Mountain points to the phrase ‘other penalties’ (‘Member States shall lay down the rules on other penalties’), which would exclude all sanctions mentioned in Chapter VIII GDPR, i.e. the damages under Article 82 and fines under Article 83, bar where opening clauses exist.[8]

In any case, should fines for conduct falling under the two articles overlap, the principle of ne bis in idem, further discussed in the section below, must be honoured.

Criminal Penalties

Many illegal processing activities under the GDPR may give rise to violations of national criminal laws that are specific to data processing or have broader application (e.g. laws on cybersecurity, fraud and alike). Under § 63 of the Austrian Data Protection Act, for example, individuals who, with the intention of enriching themselves or a third party, deliberately use personal data that have been entrusted to them due to their professional occupation, or which they have illegally acquired, to financially benefit themselves or a third party, may be punished with imprisonment of up to one year.

Under Recital 149 GDPR, the imposition of criminal penalties for infringements of national rules on criminal penalties under Article 84 GDPR, should not lead to a breach of the principle of ne bis idem, as interpreted by the CJEU. This principle, derived from Article 50 CFR, establishes the right to not be tried and punished twice in criminal proceedings for the same criminal offence. As Lynskey notes, the administrative fines under Article 83 GDPR can likely be classified as criminal in nature, as the test in Engel (which asks, for example, whether the fine is punitive, and whether the domestic law treats the fine as criminal law) is satisfied, meaning compliance with Article 50 CFR may be threatened where a criminal sanction is issued under Article 84 for the same conduct.[9] Eurojust has noted the potential that the ne bis in idem principle may also be engaged at a transnational level, and Member States should consider criminal sanctions issued in other Member States.[10]

Decisions

→ You can find all related decisions in Category:Article 84 GDPR

References

  1. Kühling, Martini, Die Datenschutz-Grundverordnung: Revolution oder Evolution im europäischen un deutschen Datenschutzrecht?, Article 84 GDPR, margin numbers 448, 449 (Beck 2016) (accessed 23 July 2021), cited by Popp in Sydow, Europaische Datenschutzgrundverordnung, Article 84, margin number 1 (Beck 2018, 2nd ed.) (accessed 23 July 2021).
  2. Lynskey in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 84 GDPR, p. 1198 (Oxford University Press 2020); Popp in Sydow, Europaische Datenschutzgrundverordnung, Article 84, margin number 1 (Beck 2018, 2nd ed.) (accessed 23 July 2021).
  3. CJEU, Rewe, Case C-33/76, 16 December 1967 (available here) cited by Lynskey in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 84 GDPR, p. 1198 (Oxford University Press 2020).
  4. Gola, Datenschutz-Grundverordnung, Article 84, margin numbers 1-2 (Beck 2018, 2nd ed.) (accessed 23 July 2021).
  5. Jay, Guide to the General Data Protection Regulation, p. 331 (Sweet & Maxwell 2017); Popp in Sydow, Europaische Datenschutzgrundverordnung, Article 84, margin number 1 (Beck 2018, 2nd ed.) (accessed 23 July 2021).
  6. De Hert and Boulet, The Co-Existance of Administrative and Criminal Law Approaches to Data Protection Wrongs’ in Wright and de Hert, Enforcing Privacy: Regulatory, Legal, and Technological Approaches, p. 838 (Springer, 2016) (accessed 23 July 2021).
  7. Lynskey in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 84 GDPR, p. 1199 (Oxford University Press 2020).
  8. Mountain in Juhling, Buchner, DS-GVO BDSG, Article 84, margin numbers 8-8b (Beck 2020, 3rd edn.) (accessed 23 July 2021).
  9. Lynskey in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 84 GDPR, p. 1200 (Oxford University Press 2020).
  10. Eurojust, The Principle of Ne Bis in Idem in Criminal Matters in the Case Law of the Court of Justice of the European Union, p. 25 (September 2017), cited by Lynskey in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 84 GDPR, p. 1200 (Oxford University Press 2020).