Warnings instead of penalties for infringements of the General Data Protection Regulation?

28 April 2018

Several German-language media outlets (heise.de, derstandard.at) have reported that the Austrian governing parties passed various modifications regarding the national provisions to the General Data Protection Regulation (GDPR) with a “Data protection deregulation law (Datenschutz-Deregulierungs-Gesetz)” and a collective amendment last Friday.

The time has been too short to gain a profound overview of the hundreds of amendments and their consequences, but a closer look at one that has been hotly debated is already possible: According to media reports, the Austrian law will require the Data Protection Authority to issue a warning instead of imposing a penalty as defined in GDPR in the case of a first infringement. Is this legally possible?

The answer is a short one: No. The explanation may be a little bit longer: The General Data Protection Regulation is a European regulation and is therefore largely Community legislation that is directly applicable. While there are some opening clauses allowing for national characteristics, there are no such clauses regarding the penal provisions. According to ECJ settled case law, a directive in an Austrian law which is “interpreting” or “construing” a European regulation is simply not applicable and therefore not binding.

The Data Protection Authority will nevertheless issue warnings in the case of minor infringements, since GDPR lists them as an option. At the same time, GDPR requires penalties that are dissuasive in proportion to the infringement. It is to be expected that an infringement will lead to a penalty even the first time it occurs, since the Data Protection Authority will probably not feel bound by the restrictions passed in the Austrian law.

This procedure is equally problematic on another level: According to Art 8 Par 3 of the EU Charter of Fundamental Rights and GDPR itself, the Data Protection Authority is “independent”. The government can therefore not give any instructions. By issuing a “directive” by way of a law (even if it is non-binding), the governing parties are de facto wearing down the very independence of the supervisory authority that has been provided for by European law.

In short, companies that are affected should know: The governing parties have told an independent authority quite bluntly how they would like penalties under GDPR to be applied. The authority is not legally bound by that. The Agency has in fact stated several times that it will use warnings in those situations where it is appropriate. But despite the national law, warnings will not be an automatic standard procedure.

Max Schrems
Lawyer, author and data protection activist

Max Schrems has conducted several successful judicial proceedings in the areas of data protection and privacy. His cases (e.g. against Facebook and the EU-US Safe Harbor Agreement) have received wide media coverage. For many years, he has been advocating the idea of a professional NGO working to enforce the rights arising from data protection and to represent Internet users who are usually not able to litigate proceedings against major corporations by themselves. With NOYB – European Center for Digital Rights, Schrems has turned this vision into a reality!
