CJEU on GDPR fines: Advocate General rejects ‘strict liability’ and ‘supranational sanctions regime’
Companies may be subject to direct GDPR enforcement by DPAs, notwithstanding applicable national procedural rules. By Tim Wybitul and Amy Smyth of Latham & Watkins.
On 27 April 2023, Advocate General Manuel Campos Sánchez-Bordona delivered his opinion in Case C-807/21, providing a number of helpful arguments for companies defending against fines under the General Data Protection Regulation (GDPR). The Advocate General rejected the idea of strict liability for alleged GDPR violations. He therefore suggests that data protection authorities (DPAs) must prove relevant misconduct of an individual or lack of supervision within the organisation before imposing fines. In the likely event that the CJEU follows the opinion of the Advocate General, companies may have an arguable defence against DPAs seeking to impose fines solely on a strict liability basis. In parallel, companies should ensure that their data protection governance is sufficiently robust and well-documented in order to defend against allegations of insufficient GDPR supervision.
International Report subscribers, please login to access the full article
If you wish to subscribe, please see our subscription information.