Warnings instead of penalties for GDPR-infringements?

Several German-language media outlets (heise.de, derstandard.at) have reported that last Friday the Austrian governing parties passed various modifications to the national provisions accompanying the General Data Protection Regulation (GDPR), in the form of a “Data Protection Deregulation Act (Datenschutz-Deregulierungs-Gesetz)” and a collective amendment.

There has not yet been enough time to gain a thorough overview of the hundreds of amendments and their consequences, but a closer look at one hotly debated change is already possible: according to media reports, the Austrian law will require the Data Protection Authority to issue a warning for a first infringement instead of imposing a penalty as defined in the GDPR. Is this legally possible?

The short answer: no. The explanation is a little longer: the General Data Protection Regulation is a European regulation and is therefore, for the most part, directly applicable Union law. While it contains some opening clauses that allow for national particularities, there are no such clauses for its penalty provisions. According to settled ECJ case law, a provision in an Austrian law that “interprets” or “construes” a European regulation is simply not applicable and therefore not binding.

The Data Protection Authority will nevertheless issue warnings for minor infringements, since the GDPR lists a warning as one of the available measures. At the same time, the GDPR requires penalties that are dissuasive and proportionate to the infringement. It is therefore to be expected that an infringement may lead to a penalty even the first time it occurs, since the Data Protection Authority will probably not consider itself bound by the restriction passed in the Austrian law.

This approach is equally problematic on another level: under Art. 8 Par. 3 of the EU Charter of Fundamental Rights and the GDPR itself, the Data Protection Authority is “independent”, so the government cannot give it instructions. By issuing a “directive” in the form of a law (even a non-binding one), the governing parties are de facto eroding the very independence of the supervisory authority that European law provides for.

In short, affected companies should know the following: the governing parties have told an independent authority quite bluntly how they would like penalties under the GDPR to be applied. The authority is not legally bound by that. It has in fact stated several times that it will use warnings where appropriate. But despite the national law, warnings will not be an automatic standard procedure.