RKHKm - 4-23-742
RKHKm - 4-23-742 | |
---|---|
Court: | Riigikohtu (Estonia) |
Jurisdiction: | Estonia |
Relevant Law: | Article 32 GDPR § 29(1)(5) VTMS §14 62(1) IKS |
Decided: | 20.06.2024 |
Published: | 24.06.2024 |
Parties: | Ida-Tallinna Keskhaigla |
National Case Number/Name: | 4-23-742 |
European Case Law Identifier: | |
Appeal from: | Harju Maakohtu (Estonia) |
Appeal to: | Unknown |
Original Language(s): | Estonian |
Original Source: | Riigi Teataja (in Estonian) |
Initial Contributor: | im |
The Supreme Court held that requiring the identification of a responsible natural person within the controller’s organisation is not necessary in order to assign liability to a legal person.
English Summary
Facts
On 13 February 2023, the DPA imposed a fine of € 200,000 EUR to Ida Tallina Central Hospital (‘controller’) for the unlawful disclosure of health data within the meaning of Article 9(1) GDPR. A member of the management board threw them into an open bin outside of the hospital and open to public access. With this conduct, the controller violated the requirements of Article 32(1)(b) GDPR to ensure the confidentiality of the services processing personal data. Pursuant to Article 62 PDPA, the controller committed a misdemeanour. The decision of the DPA was appealed by the controller.
On 31 August 2023, the Harju County Court (‘first instance court’) annulled the decision of the DPA and ruled that the controller could not be punished for committing a misdemeanour because of the principle of derivative liability applied. According to this principle:
1) a legal person, such as a hospital, can only be liable for an offence if the conduct of its body, member, manager, or competent representative met all the elements of a tort or delict, and
2) if the act was committed in the interests of the legal person.
In this case, the violation was attributed to a member of the management board, but the misconduct did not meet all the legal elements of the offense to be done in the interest of the hospital. Since this was not the case, the hospital could not be held liable for the alleged infringement.
On 21 December 2023, an appeal against the decision of the first instance court was filed by an out of court proceeding by the data subject which sought the annulment of the above decision.
The controller argued in the appeal proceeding that the misdemeanour proceedings should be terminated as the offence is time-barred according to 29(1)(5) Code of Misdemeanour Procedure (‘VTMS’).
Holding
The Supreme Court clarified that in Estonia, due to the unique structure of their legal system, fines for GDPR violations are imposed through misdemeanour procedures by a supervisory authority. The same is confirmed by the derogation for Estonia in recital 151 GDPR. This approach must have the same effect as fines imposed directly under the GDPR, ensuring that data breaches are effectively sanctioned even after the regulation comes into effect. As a result, the Supreme Court identified a contradiction between national law and EU law.
§14 of the Penal Code requires an identification of a responsible natural person in order to assign liability to a legal person. On the other hand, under the GDPR, legal persons can be fined for certain type of data breaches without needing to identify the specific individual responsible for the violation. Same was confirmed by the CJEU decision in the Deutche Wohnen case in which the Court stated that the GDPR does not differentiate between natural and legal persons when determining liability for data breaches.
Moreover, the Supreme Court noted that national courts must ensure that EU law takes precedence over conflicting national laws. They must ignore any national provision that conflict with directly applicable EU law to ensure its full effect, regardless if the national law provides a higher standard of protection.
However, in the meantime, the Penal Code has been amended in a way that it provides broader grounds for liability attributable to the controller. More specifically, based on current version of Penal Code § 14(1)(2) it is not necessary to identify the natural person who committed the alleged act within the framework of the activities of the legal person and on behalf of the legal person in order to attribute liability for the violation of the requirements of the GDPR to the legal person.
At this moment, the Supreme Court cannot definitively determine whether the principles of foreseeability, definiteness, and non-retroactivity of law are met for retroactively applying liability guidelines to legal persons before 1 November 2023, the day the Penal Code was amended. If a court in a pending misdemeanour proceeding questions whether these general principles and the specific derogation for Estonia might justify not applying the GDPR, it can seek a preliminary ruling from the CJEU.
Nevertheless, the Supreme Court took into account the controller’s argument and assessed that pursuant to § 29(1)(5) of the VTMS, misdemeanour proceedings must be terminated upon expiry of the limitation period. In misdemeanour proceedings, the statute of limitations is an absolute obstacle to the proceedings, which does not allow further proceedings. Since two years have passed since the misdemeanour was completed on 11 February 2024, and the statute of limitations has not been suspended, the misdemeanour proceedings against the controller must be terminated.
The Supreme Court, therefore, annulled the decision of the first instance court and terminated the misdemeanour proceedings. This termination is based on § 29(1)(5) of the VTMS which states that proceedings must be terminated if the statute of limitations for the misdemeanour has expired.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Estonian original. Please refer to the Estonian original for more details.
R I I G I C O H U S CRIMINAL COLLEGE COURT DECISION On behalf of the Republic of Estonia Case number 4-23-742 Decision date June 20, 2024 Court composition Chairman Saale Lao, members Hannes Kiris and Nele Siitam Court case Aktiaseltsi Ida-Tallinn Central Hospital misdemeanor personal data according to § 62 (2) of the Defense Act Disputed court decision Harju County Court decision of August 31, 2023 Complainant and type of complaint Out-of-court procedure Data Protection Inspectorate, cassation Other defense attorneys of Ida-Tallinn Central Hospital in the cassation proceedings, attorney-at-law parties Maarja Pild and barrister Karmen Turk Case review April 24, 2024, written procedure RESOLUTION 1. Annul the decision of the Harju County Court of August 31, 2023 and terminate the misdemeanor proceedings Due to the expiration of the statute of limitations for a misdemeanor on the basis of § 29 (1) p. 5 of VTMS. 2. Dismiss the cassation appeal. 3. Order 13,260 euros from the Republic of Estonia in favor of Aktiaseltsi Ida-Tallinn Central Hospital to cover the fee paid to the defenders selected in the county court and cassation proceedings. CIRCUMSTANCES AND PROCEDURE 1. With the decision of the Data Protection Inspectorate (AKI) dated February 13, 2023, AS Ida-Tallinn was punished With a fine of 200,000 euros on the basis of § 62 (2) of the Personal Data Protection Act (IKS) of the Central Hospital. The person subject to the procedure was punished for the fact that on February 11, 2022 AS Ida-Tallinn Keskhaigla The garbage container in front of the Magdalena polyclinic contains publicly available health data documents. This is a special type of data in the sense of art. 9, paragraph 1 of the General Regulation on the Protection of Personal Data (GPR). with personal data. According to article 32, paragraph 1, point b of IKÜM, AS had the responsibility of Ida-Tallinn Central Hospital ensure the confidentiality of services processing personal data. Enabling third parties access to special types of personal data, AS Ida-Tallinn Keskhaigla violated the specified requirements and committed the misdemeanor stipulated in § 62 of the Criminal Code. 2. The personal defense attorneys of the subject of the appeal procedure submitted to the Harju County Court, they requested an out-of-court hearing annulment of the decision and termination of the procedure. 3. On August 31, 2023, the Harju County Court annulled the decision of AKI of February 13, 2023 and closed the proceedings on the basis of § 29 subsection 1 point 1 of the Misdemeanor Procedure Code (VTMS). The county court took the view that in the processing of personal data, the requirements of article 32 paragraph 1 point b of IKÜM were violated, but AS Ida-Tallinn Punishing the Central Hospital for committing a misdemeanor was out of the question. The court explained that the act the derivative liability provided for in § 14 (1) of the Penal Code (KarS) in force at the time of the commission based on the principle, the legal entity was only liable if the executive employee of its body, its member 4-23-742 or in the behavior of a competent representative all the elements of the delict structure were present and if it was established that the act was committed in the interest of a legal entity. In the present case, a violation of data protection requirements was alleged to a member of the management board of the person subject to the procedure. Only personal data could be breached, Article 32(1)(b) of the IKYM the controller, which was AS Ida-Tallinn Keskhaigla. Therefore, the member of the board could not be a member of § 62, subsection 1 of the IKS to commit a misdemeanor qualified by To attribute to AS Ida-Tallinn Keskhaigla. POSITIONS OF THE PARTIES IN THE CASSATION PROCEEDINGS 4. On December 21, 2023, a cassation appeal was filed against the decision of the County Court of Harju, which requests annulment of the decision of the county court and enforcement of the extrajudicial decision. Cashier's views are as follows. 5. The county court does not correctly apply the substantive law, finding that a legal person is not a legal person as provided in § 62 to be punished for the commission of a misdemeanor only if a constituent act has been previously attributed to an identified natural person. The above is contrary to IKYM art. 83 and the European Court (EC) given in the Grand Chamber's decision of 5 December 2023 in case C-807/21 (hereinafter Deutsche Wohnen's decision) with guidelines. § 14 of the Criminal Code must be followed when imposing a fine for the violations listed in Art. 83 of the IKÜM not applicable to the extent that it is inconsistent with European Union (EU) law. 6. Amendments to § 14 of the KarS, which entered into force on November 1, 2023, do not eliminate the mentioned domestic and EU law contradiction. Derivative liability has been waived in the case of torts of omission (KarS § 14 (2)), but in the case of operational delicts (Section 14(1) of the Criminal Code), liability must still be assigned to a legal entity to identify the natural person who violated obligations. 7. § 315 of the Code of Criminal Procedure (KrMS) allows the court decision to be made available to the parties postpone the time, but the corresponding court order is not independently contestable. Collaborating with misdemeanors with a short limitation period, this may lead to a situation where judicial review of the judgment is available changing the time of making is not guaranteed. The county court extended the judgment available to the parties making time three times. The assessor asks to clarify whether the court has to apply § 315 of the Criminal Code consider the statute of limitations for the misdemeanor. 8. On April 24, 2024, the defenders of AS Ida-Tallinn Keskhaigla filed a cassation response, in which they request dismiss the cassation, noting that the misdemeanor has expired and the misdemeanor procedure VTMS § 29(1) excluded according to p. 5. POSITION OF THE COLLEGE 9. The collegium first assesses the defenders' statement (I) regarding the statute of limitations for the misdemeanor and responds then, to ensure the uniform application of the law, an out-of-court procedure in the manner of obiter dictum raised substantive and procedural legal issues (II). Finally, we summarize the result of the cassation proceedings and the request for reimbursement of the legal expenses of the defenders is resolved (III). I 10. According to the misdemeanor protocol, AS Ida-Tallinn Keskhaigla committed the misdemeanor on February 11, 2022. According to Section 81(3) of the Criminal Code in force at the time the act was committed, the misdemeanor has expired if two years have passed from completion to the entry into force of the decision made on it, if the law does not provide for a three-year statute of limitations. The three-year term applicable to the misdemeanors provided for in Chapter 6 of the IKS Paragraph 1 of IKS § 73, which provides for the limitation period, entered into force only on November 1, 2023. Nor does a misdemeanor case appear from the material, the circumstances specified in § 81, subsection 7 of the Criminal Code, which would have caused the statute of limitations of the misdemeanor to stop. 2(6) 4-23-742 Although the county court made a judgment before the expiration of the statute of limitations for the misdemeanor, the decision is not a cassation entered into force due to submission. 11. According to VTMS § 29 (1) (5) misdemeanor proceedings must be terminated when the limitation period expires. The statute of limitations is an absolute procedural impediment in misdemeanor proceedings, which does not allow the matter to proceed further proceedings (e.g. RKKK 11.10.2016, 3-1-1-88-16, p. 8). Because the person subject to the procedure has been accused Two years have passed since the completion of the misdemeanor on February 11, 2024, and the misdemeanor will not expire before then. stopped, the misdemeanor proceedings against AS Ida-Tallinn Keskhaigla must be terminated. II 12. Outside the limits of the cassation decision, the panel considers it necessary to explain the obiter dictum the following in order. 13. IKS § 62, which stipulates the responsibility of the responsible and authorized processor of personal data in accordance with the requirements of the IKÜM for infringement, falls within the scope of EU law. Thus, the cassator reasonably points out to the position expressed in the EC Deutsche Wohnen decision, that IKÜM art. 58 (2) point (i) and art. 83 (1) 6 must be interpreted in such a way that they conflict with national legal regulations, according to which it is possible impose a fine on the legal entity as the controller for the violation specified in paragraphs 4-6 of Art. 83 only if this violation has been previously attributed to an identified natural person. IKYM art-te 58 and 83 such interpretation applies in principle retroactively from the moment these provisions entered into force (see e.g. EC 22.02.2022, C-430/21, p. 77). 14. In summary, the EC found in the Deutsche Wohnen decision that IKÜM does not differentiate liability when determining natural and legal persons. The latter are not responsible for mere violations which committed by their representatives, managers or administrators, but also for violations committed by them any other person acting in the course of and on behalf of the business of the legal entity. To a legal entity if the person in charge of personal data can be fined as specified in sections 4-6 of article 83 of the IKÜM for violations, and the IKÜM does not stipulate that a violation must be established in order to impose a fine committed natural person. IKYM regulates the prerequisites for setting fines listed in paragraphs 1-6 of art. 83 only EU law, which is why member states have no competence to establish additional substantive conditions (see also EC 05.12.2023, C-683/21, p. 70). 15. According to the board's assessment, it follows from the above that it is not in accordance with EU law until October 31 2023 (including the year) the regulation of § 14 of the Criminal Code, which allowed a legal person IKÜM art 83 For the violations specified in subsections 4-6, a fine must be imposed in misdemeanor proceedings only if this violation was previously attributed to an identified natural person (see e.g. RKKK 29.05.2020, 1-18-9594/31, p. 10). 16. According to established EC practice, the principle of EU law gives primacy to the national court the obligation to ensure the full effect of requirements arising from EU law in the dispute under its proceedings, omitting, where necessary, on its own initiative, any conflicting domestic law with an EU legal provision having direct legal effect (see e.g. EK 24.07.2023, C-107/23, p. 95). EK is only in limited cases confirmed the right of the national court to retain EU law for the protection of the person subject to the procedure not applied and apply a higher national standard of fundamental rights protection. For example, conditional from the contradiction with the general principle of criminal law nullum crimen nulla poena sine lege scripta stricta praevia, according to which the solution of the question of guilt must be based on a well-defined and time of commission of the act of the penalty norm established by law in force (§ 23 of the Constitution, § 2 subsection 1 and § 5 of the Criminal Code as well as Article 7(1) of the European Convention for the Protection of Human Rights and Fundamental Freedoms and Article 49 of the EU Charter of Fundamental Rights paragraph 1). When assessing whether a national court must fail to apply what is inconsistent with EU law domestic law, the EC also prohibits foreseeability, definiteness and retroactive force analyzed whether the EU legislator has harmonized the disputed norm and whether it is domestic 3(6) 4-23-742 the application of the norm systematically prevents the imposition of effective and deterrent penalties (see e.g. EK Grand Chamber 05.12.2017, C-42/17, p-d 29–62; cited C-107/23, paragraphs 95-125). The EC has also explained, that although the principle of provisions in the Law on Crimes and Punishments (nullum crimen nulla poena sine lege) cannot be interpreted as prohibiting the gradual refinement of penal norms, it may still do so retroactive application of the new interpretation of the norm that provided for the violation. It is with such a case act when the result of the judicial interpretation is not reasonably expected of the commission of the violation at the moment, especially in view of the interpretation of the relevant provision prevalent in the jurisprudence at that time (e.g. EC Grand Chamber 28.06.2005, joined cases C-189/02 P, C-202/02 P, C-205/02 P–C-208/02 P and C-213/02 P, paragraphs 215-218 and the practice of the European Court of Human Rights referred to there). Provisions of criminal law the principle of non-retroactivity also applies to fines of an administrative nature (see e.g cited C-189/02, p 202; EC Grand Chamber 20.12.2017, C-521/15, p-d 145–146). 17. IKÜM is a regulation and therefore binding as a whole and directly applicable in all member states. Recital 151 of the IKÜM describes, among other things, the exception applicable to Estonia: because Estonia the legal system does not allow fines to be set according to the provisions of the IKÜM, fines are set in Estonia supervisory authority within the framework of misdemeanor proceedings, provided that such application of the rules has equivalent effect as fines imposed by supervisory authorities. So it will also be looked at after IKÜM entering into force in Estonia, cases of violation of data protection requirements are handled in misdemeanor proceedings. Corresponding content the elements of a misdemeanor are stipulated in the IKS (Chapter 6) and the Criminal Code (Articles 157 and 157 of the Criminal Code). As far as IKYM violations are misdemeanors, then as a starting point, the provisions of the general part of KarS extend to punishing them (KarS § 1 subsection 1 and § 3 subsection 2 in combination). 18. EC practice on the issue of predictability and retroactive force of the penalty norm has mainly developed in connection with the statute of limitations for illegal activities and offenses damaging the financial interests of the EU (see e.g EC Grand Chamber 08.09.2015, C-105/14; cited C-42/17 and C-107/23). There is no implementation of IKÜM provisions EC has had to explain in this context so far. The college cannot be outside the specific take a final position on the resolution of a misdemeanor case, whether foreseeability, definiteness or the law principles of non-retroactivity are consistent with the legal one given in the Deutsche Wohnen decision retroactive application of the guidelines concerning the responsibility of the person in those misdemeanor cases where blameworthy The violation of IKÜM requirements took place before November 1, 2023. If the court has a pending in misdemeanor proceedings, doubt as to whether the general principles of criminal law are applicable to Estonia in the IKÜM with the established exception may be a reason not to apply IKÜM and to proceed from domestic fundamental rights protection from a higher standard, he can ask the EC for a preliminary ruling (see also RKKK 01.07.2022, 1-20-1599/59, page 43). 19. According to the assessor's assessment, the amendments to § 14 of the KarS, which entered into force on November 1, 2023, do not eliminate domestic and the inconsistency of EU law, insofar as the derivative liability of the legal entity has only been waived in the case of torts of omission (KarS § 14 (2)), but not for torts of activity. College of this do not agree with the position. 20. § 14 paragraph 1 of KarS, which regulates the liability of a legal person, provides the prerequisites for punishing a legal person for the offense committed by the activity. With the changes that entered into force on November 1, 2023, § 14 of the Criminal Code was retained The derivative liability of a legal entity in subsection 1 clause 1 in the current sense, i.e. according to the mentioned provision is in order to assign responsibility to a legal entity, it is still necessary to identify a natural person (a legal entity body, its member, executive employee or competent representative), whose act can be attributed to a legal entity. § 14 of the Criminal Code however, the bases of liability of a legal person have been expanded in comparison with the previous one in paragraph 1 p. 2. 21. According to § 14 (1) p. 2 of the valid KarS, a legal person is responsible for an act in the cases provided for in the law, committed by any person in his interest or in breach of his legal obligations on the order of the body or person specified in point 1 of paragraph 1 or the incomplete work organization of a legal entity or due to supervision. One of the motivations for changing the law was the desire to expand the responsibility of a legal entity 4(6) 4-23-742 conditions in such a way that, in the case of operational delicts, punishment would also be possible in the situation where the act was committed the natural person who placed it is not identifiable or if it is not a body of a legal entity, its member, with a senior employee or a competent representative (see 94 SE, composition of the Riigikogu XIV, explanatory note to the second draft for reading, pages 5-7). Because a fine arising from art. 83 of the IKÜM shall be imposed on a legal entity apply the current KarS § 14 in accordance with EU law (see also RKÜK 15.03.2022, 5-19-29/38, p. 41), it is therefore not necessary to identify a legal entity for the violation of IKÜM requirements a natural person who committed the reprehensible act in the framework of and on behalf of the activity of a legal entity. 22. In response to the cassator's arguments regarding the time of making the judgment available extension, the panel notes the following. Although VTMS § 2, KrMS § 315 paragraph 2 and § 385 p 23 in combination, changing the time of making the court decision available to the parties is not an appeal contestable, the control over the judge's activities is also ensured by the courts in the organization of misdemeanor proceedings with supervision regulated by law. If the judge does not do what is necessary without good reason procedural action, then the chairman of the court may decide on such a remedy for the administration of justice implementation, which presumably allows the procedure to be completed within a reasonable time (Act on Courts (KS) § 45 subsection 1). It can also be a failure to fulfill an official duty or an inappropriate performance as a basis for the judge's disciplinary responsibility (CS § 87). 23. In the case at hand, the county court announced the final part of the judgment at the court session on August 31, 2023, allowing the full judgment to be made available to the parties no later than October 6, 2023. The court ordered On October 4, 2023, the new time for publishing the decision will be November 6, 2023, then November 27, 2023, and at the latest on December 21, 2023. The county court made the full text of the decision available to the parties on December 15, 2023. The disputed misdemeanor case is not complex in its content and, according to the collegium there are no substantive reasons why the county judge could not keep his promise deadlines, by repeatedly postponing the time of notifying the parties of the judgment (see also RKKK 07.03.2024, 1-21-8941/64, p-d 26–27). 24. The court has the duty to ensure the speedy resolution of the misdemeanor case (VTMS § 2 and KrMS § 15). Procedure in planning, as well as in changing the time of making the court decision available to the parties, the court shall consider otherwise among others, take into account that misdemeanors generally expire within two years and the court must manage the proceedings in such a way that it can be completed before the expiration date of the misdemeanor (see e.g. RKKK 01.06.2023, 4-22-3036/61, p 13). However, the obligation to process the misdemeanor case without delay also applies in an out-of-court procedure. In the current case, it took AKI a year to reach a misdemeanor verdict. At the same time it can be seen from the file that for more than seven months (18.02.2022–07.06.2022 and 29.06.2022–24.10.2022) the matter was not processed on its merits. In summary, the court can be expected to conduct misdemeanor proceedings before the expiration date only if he has been given a reasonable time to resolve the matter. III 25. Based on the above and guided by § 174 p. 4 of the VTMS, the collegium cancels the Harju County Court of the decision of August 31, 2023, and terminates the misdemeanor proceedings on the basis of § 29 (1) p. 5 of the VTMS, a misdemeanor due to the expiration of the statute of limitations. The cassation of the out-of-court procedure remains unsatisfied. 26. The defenders of AS Ida-Tallinn Central Hospital request in the county court proceedings and in the cassation proceedings reimbursement of the fees paid to the selected defenders in the total amount of 24,102 euros (without VAT). According to the application and the invoices attached to it, the selected defenders provided legal aid in the county court 115 hours and 8 hours and 36 minutes in the cassation procedure, for which AS Ida-Tallinn was presented Central hospital bills in the amount of 22,425 euros and 1,677 euros. The price of one working hour of defenders is 195 euros (excl without VAT).VTMS § 23 states that in case of termination of misdemeanor proceedings, among other things, VTMS § 29 On the basis provided for in subsection 1 p. 5, the person subject to the procedure shall be compensated to the counsel selected at his request reasonable fee paid. 5(6) 4-23-742 27. The cost of one working hour of the defenders is reasonable. However, the collection cannot be considered reasonable time spent on county court and cassation proceedings. The collegium agrees with the county court that the first in the first-level proceedings, both the preparation of the procedural documents and the litigation were unfounded related time expenditure, and agrees with the court's final conclusion that the fee paid in the county court must be counted reasonable for 65 hours, i.e. in the amount of 12,675 euros (without VAT). Cassation response The panel also does not consider the 8 hours and 36 minutes spent on preparation to be justified, taking into account that the proceedings are terminated due to the statute of limitations of the misdemeanor and other claims of the defense counsel's cassation response overlap to a significant extent with the views expressed in the earlier proceedings. The college counts the fee paid to the defense counsel in the cassation procedure as reasonable in the amount of three hours 585 euros. 28. On the basis of § 23 and § 38 (1) of VTMS and § 186 (1) of KrMS, the board condemns AS Ida-Tallinn from the state 13,260 euros (without VAT) in favor of the Central Hospital in the county court and cassation proceedings to cover fees paid to selected counsel. (signed digitally) 6(6)