Paul Voigt, Axel von dem Bussche: The EU ePrivacy Regulation – Preliminary Guidance and Commentary

Article 23 ePrivacy Regulation – General conditions for imposing administrative fines

Art. 23 ePrivacy Regulation


1. Article 83 of Regulation (EU) 2016/679 shall apply mutatis mutandis to infringements of this Regulation.

2. Infringements of the following provisions of this Regulation shall, in accordance with paragraph 1, be subject to administrative fines up to EUR 10 000 000, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:

 (a) the obligations of any legal or natural person who process electronic communications data pursuant to Article 8;

 (b) […]

 (c) the obligations of the providers of publicly available directories pursuant to Article 15;

 (d) the obligations of any legal or natural person who uses electronic communications services pursuant to Article 16;

 (e) the obligation to designate a representative pursuant to Article 3 number 2.

3. Infringements of the principle of confidentiality of communications, permitted processing of electronic communications data, time limits for erasure pursuant to Articles 5, 6, and 7 shall, in accordance with paragraph 1 of this Article, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.

4. Member States shall lay down the rules on penalties for infringements of Articles 12, 13 and 14.

5. Non-compliance with an order by a supervisory authority as referred to in Article 18, shall be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.

6. Without prejudice to the corrective powers of supervisory authorities pursuant to Article 18, each Member State may lay down rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State.

7. The exercise by the supervisory authority of its powers under this Article shall be subject to appropriate procedural safeguards in accordance with Union and Member State law, including effective judicial remedy and due process.

8. Where the legal system of the Member State does not provide for administrative fines, this Article may be applied in such a manner that the fine is initiated by the competent supervisory authority and imposed by competent national courts, while ensuring that those legal remedies are effective and have an equivalent effect to the administrative fines imposed by supervisory authorities. In any event, the fines imposed shall be effective, proportionate and dissuasive. Those Member States shall notify to the Commission the provisions of their laws which they adopt pursuant to this paragraph by [xxx] and, without delay, any subsequent amendment law or amendment affecting them.


(39) Each supervisory authority should be competent on the territory of its own Member State to exercise the powers and to perform the tasks set forth in this Regulation. Member States and their supervisory authorities are encouraged to take account of the specific needs of micro, small and medium-sized enterprises in the application of this Regulation.

(40) In order to strengthen the enforcement of the rules of this Regulation, each supervisory authority should have the power to impose penalties including administrative fines for any infringement of this Regulation, in addition to, or instead of any other appropriate measures pursuant to this Regulation. This Regulation should indicate infringements and the upper limit and criteria for setting the related administrative fines, which should be determined by the competent supervisory authority in each individual case, taking into account all relevant circumstances of the specific situation, with due regard in particular to the nature, gravity and duration of the infringement and of its consequences and the measures taken to ensure compliance with the obligations under this Regulation and to prevent or mitigate the consequences of the infringement. For the purpose of setting a fine under this Regulation, an undertaking should be understood to be an undertaking in accordance with Articles 101 and 102 of the Treaty.

The change in the degree of harmonization from a Directive to a Regulation required an adjustment of the sanctioning rules.[1] While Art. 15 Sec. 2 ePrivacy Directive referred to Art. 24 Data Protection Directive, a rather general provision which left “suitable measures (…) in particular sanctions” to further specification by the Member States, the ePrivacy Regulation (even though it also refers to provisions of the GDPR) now adopts a much more detailed liability regime.[2] This enables higher fines by the supervisory authorities and, thus, increases the risk associated with privacy non-compliance.[3]

The aim of Art. 23 ePrivacy Regulation is to have a deterrent effect and to ensure comprehensive compliance with the stipulations of the ePrivacy Regulation (so-called general and specific deterrence).[4] At the same time, it is intended to harmonize the strongly divergent sanctioning practices in the Member States, to create uniform conditions of competition in the internal market and to bring the protection of privacy to a uniform level throughout the EU (see Recs. 9, 11, 13 and 150 GDPR).[5] In practice, however, both the intended amount of fines and the corresponding enforcement practice, which increasingly exhausts the available range, give rise to the criticism that the sanctioning system under Art. 83 GDPR serves to overcompensate for enforcement deficits rather than to actually harmonize the enforcement of data protection and privacy rules.

This being said, an extensive enforcement practice can neither guarantee comprehensive compliance with data protection and privacy regulations (which are already very strict by international standards), nor achieve a uniform practice of imposing fines.[6] This is shown, on the one hand, by the differing total numbers of sanctions imposed in the individual Member States and, on the other hand, by the emerging trend of ever higher fines.[7] While fines were initially rather moderate, supervisory authorities have since proceeded to two-digit and even three-digit million Euro amounts, as shown by the 225 million Euro fine against WhatsApp Ireland.[8] The sanctioning approach still varies largely from Member State to Member State. Given that Art. 23 ePrivacy Regulation remains broad and vague, in particular as regards the amount of fines and their calculation, there is little prospect that this situation will change in future.

[1] Frenzel, in: Paal/Pauly, DS-GVO BDSG (2021), Art. 83 Rec. 1.

[2] Cf. Boehm, in: Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht (2019), Art. 83 Rec. 1.

[3] Bergt, in: Kühling/Buchner, DS-GVO BDSG (2020), Art. 83 Rec. 2; also Moos/Schefzig, in: Taeger/Gabel, DSGVO – BDSG – TTDSG (2022), Art. 83 Rec. 1.

[4] EDPB, Guidelines 04/2022 on the calculation of administrative fines under the GDPR of 12 May 2022, p. 38 Rec. 142; Nemitz, in: Ehmann/Selmayr, Datenschutz-Grundverordnung (2018), Art. 83 Rec. 1; Moos/Schefzig, in: Taeger/Gabel, DSGVO – BDSG – TTDSG (2022), Art. 83 Recs. 8, 11.

[5] Boehm, in: Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht (2019), Art. 83 Rec. 1; cf. also Bergt, in: Kühling/Buchner, DS-GVO BDSG (2020), Art. 83 Rec. 1.

[6] Moos/Schefzig, in: Taeger/Gabel, DSGVO – BDSG – TTDSG (2022), Art. 83 Rec. 11.

[7] Moos/Schefzig, in: Taeger/Gabel, DSGVO – BDSG – TTDSG (2022), Art. 83 Rec. 3 et seq. with further details.

[8] See https://dataprotection.ie/en/news-media/press-releases/data-protection-commission-announces-decision-whatsapp-inquiry and corresponding binding decision of the EDPB (1/2021) of July 2021, p. 85; for a detailed and recent account on all sanctions imposed under the GDPR, see www.dsgvo-portal.de/dsgvo-bussgeld-datenbank/ and https://www.enforcementtracker.com/.

The sanctioning system pursuant to Arts. 18 Sec. 1ab Alt. 2, 23 ePrivacy Regulation in conjunction with Art. 83 GDPR is complementary to enforcement by the private sector, i.e., the right to compensation and effective judicial remedies pursuant to Art. 21 et seq. ePrivacy Regulation.[9] Since public investigation and corrective measures cannot guarantee comprehensive enforcement of the ePrivacy provisions, a significant part of the enforcement burden can be “cushioned” by the latter.

The determination of the amount of fines as well as the concept of the fined entity (here: “undertaking”) are inspired by antitrust law.[10] The amount of fines has now been harmonized with the GDPR fines.[11]

Art. 23 Sec. 1 ePrivacy Regulation refers to Art. 83 GDPR with regard to the general conditions and criteria for imposing fines. Accordingly, its stipulations apply mutatis mutandis. Like Art. 83 GDPR, Art. 23 ePrivacy Regulation is related to the provision that follows it, Art. 24 ePrivacy Regulation, which requires Member States to lay down penalties for infringements of the Regulation, in particular for those that are not subject to administrative fines. Penalties, as the term implies, refer to criminal sanctions, which fall exclusively within the competence of the Member States.[12]

[9] Cf. in this respect also Boehm, in: Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht (2019), Art. 83 Rec. 2.

[10] Bergt, in: Kühling/Buchner, DS-GVO BDSG (2020), Art. 83 Rec. 2; see also Rec. 150 GDPR.

[11] Cf., for instance, the list provided by the German Federal Cartel Office (Bundeskartellamt), https://www.bundeskartellamt.de/DE/Kartellverbot/kartellverbot_node.html#:~:text=Die%20Geldbu%C3%9Fe%20gegen%20die%20verantwortlichen,und%20der%20Dauer%20der%20Tat.

[12] Bergt, in: Kühling/Buchner, DS-GVO BDSG (2020), Art. 83 Rec. 2.

Art. 23 Sec. 1 ePrivacy Regulation refers to Art. 83 GDPR, which applies mutatis mutandis to infringements of Chapters II and III ePrivacy Regulation. Since Art. 23 Secs. 2 to 6 ePrivacy Regulation themselves provide specific stipulations on the amount and the addressee of fines, as well as on procedural safeguards (Sec. 7) and on the implementation of a corresponding sanctioning system in legal systems that do not provide for administrative fines (Sec. 8), the reference effectively concerns only Art. 83 Secs. 1 to 3 GDPR.

Art. 83 Sec. 1 GDPR obliges supervisory authorities to ensure that fines are effective, proportionate and dissuasive.[13] The assignment of competence to the supervisory authorities corresponds to Art. 18 Sec. 1ab Alt. 2 ePrivacy Regulation, which mentions administrative fines as a particular form of corrective power and, thus, contains the respective legal basis.

a) Scope of discretion

While corrective powers come with a considerable degree of discretion in determining the amount of fines pursuant to Art. 23 Sec. 2 et seqq. ePrivacy Regulation, it is questionable whether the competence to impose fines also entails a duty to do so in each individual case.[14] The wording of Art. 23 Sec. 2 et seqq. ePrivacy Regulation, according to which infringements of the Regulation “shall” be subject to fines, suggests a mandatory nature. Art. 83 Sec. 2 S. 1 GDPR, moreover, states that administrative fines shall be imposed “in addition to, or instead of” other measures, implying that they are required in any case (see also the wording of Rec. 40 S. 1 ePrivacy Regulation). However, this reading would disregard Art. 83 Sec. 2 S. 2 GDPR, which explicitly refers to the authority “when deciding whether to impose an administrative fine” (which includes deciding not to impose one). In view of this clear wording, the authority must be considered able to decide not only on the amount of a fine but also on whether to impose a fine at all.[15]

The exercise of discretion requires due diligence and is fully subject to judicial review.[16] It must comply with the legal boundaries set by the principles of effectiveness, dissuasiveness and proportionality, the fundamental rights of the addressees and the specific stipulations of Art. 23 Secs. 2 et seqq. ePrivacy Regulation.

b) Effectiveness and dissuasiveness

Authorities need to respect the above-mentioned principles of Art. 83 Sec. 1 GDPR. Accordingly, a fine must be effective and dissuasive. A fine may serve to reestablish compliance with the Regulation, to punish unlawful behavior, or both.[17] Whether the issuance of fines can be effective at all in reestablishing compliance may, however, be questioned, since orders under Art. 18 Sec. 1ab Alt. 2 ePrivacy Regulation in connection with Art. 58 Sec. 2 lit. d GDPR and bans on the respective conduct under Art. 58 Sec. 2 lit. f GDPR are the more obvious means of securing compliance.[18]

The fine needs to be deterrent in the sense of both discouraging the addressee from committing the same infringement in future (specific deterrence) and impelling others to comply with privacy rules (general deterrence).[19] While authorities tend to argue that the point of reference for determining the amount of a fine must be the economic capacity of the undertaking (only a fine that really “hurts” can have a deterrent effect),[20] they need to take into account that an excessively painful fine may just as well jeopardize the undertaking as such or lead to more sophisticated cover-up strategies. Proportionality of the fine is, therefore, required. Generally speaking, an undertaking will stop a specific conduct when it becomes economically unprofitable.[21] A fine enters this calculation, and thus already achieves its aim, once it raises the cost of the particular infringing operation above its intended revenues. Consequently, with this scale in mind, taking the overall economic capacity of an undertaking as the point of reference for determining the fine must (almost always) be considered disproportionate.

c) Proportionality

Effectiveness and dissuasiveness are bounded by the principle of proportionality, as already follows from the fundamental rights of each addressee (cf. Arts. 49 Sec. 3, 52 Sec. 1 S. 2 CFR). This means that the fine must be necessary and appropriate with regard to its amount and context.[22] As with all corrective measures, an authority must respond adequately to the nature, gravity and consequences of an infringement and take its decision in a manner that suits the objectives legitimately pursued by the legislator (i.e., to reestablish compliance with the rules or to punish unlawful behavior).[23] This requires an assessment of alternative measures: pursuant to the case law of the CJEU, recourse must be had to the least onerous option wherever several appropriate measures are available.[24] Particularly with regard to the corrective measure of an order pursuant to Art. 18 Sec. 1ab Alt. 2 ePrivacy Regulation in connection with Art. 58 Sec. 2 lit. d GDPR and bans under Art. 58 Sec. 2 lit. f GDPR, the imposition of fines should be reviewed critically:[25] whenever the former promise success, they should at least be applied before a fine is considered.

In order to assess the proportionality of a fine, all circumstances of the individual case must be taken into account (cf. Rec. 40 S. 2 ePrivacy Regulation).[26] In its guidelines on the calculation of administrative fines, the EDPB highlighted two aspects in particular, namely the economic viability of a fine in the specific situation of an undertaking (i.e., a possible jeopardy to the undertaking’s assets or existence) and its related social effects, e.g., on the job market in regions of high unemployment.[27] This is in line with Rec. 39 ePrivacy Regulation, which “encourages” authorities to take account of the specific needs of micro, small and medium-sized enterprises. Here, the assessment of possible fines must be guided by particular sensitivity to the effects and appropriateness of fines, as well as to the availability of alternative measures. Apart from that, the standards of Art. 83 Sec. 2 GDPR apply (see below).

d) Consistent application of the standards

A decisive factor in imposing fines is the consistent application of the standards mentioned above.[28] This is necessary given the punitive effect of sanctions under Art. 23 ePrivacy Regulation, which, pursuant to Art. 49 Sec. 1 S. 1 CFR, must be predictable at the time of the conduct.[29] Supervisory authorities should reach comparable decisions in essentially equal cases and establish corresponding policies for imposing fines.[30] This applies both nationally and across borders, since Art. 20 ePrivacy Regulation stipulates comprehensive cross-border cooperation between authorities.

[13] Cf. already the decisions of the CJEU of 21 September 1989, C-68/88 – Greek Maize, and of 10 July 1990, C-326/88 – Hansen, which underlie this stipulation.

[14] Cf. Boehm, in: Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht (2019), Art. 83 Rec. 15; Bergt, in: Kühling/Buchner, DS-GVO BDSG (2020), Art. 83 Recs. 30 et seq.

[15] Art.-29-WP, Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679, WP 253, p. 9; Holländer, in: Wolff/Brink, BeckOK Datenschutzrecht (2021), Art. 83 Rec. 26; Nemitz, in: Ehmann/Selmayr, Datenschutz-Grundverordnung (2018), Art. 83 Rec. 9.

[16] Frenzel, in: Paal/Pauly, DS-GVO BDSG (2021), Art. 83 Rec. 12.

[17] EDPB, Guidelines 04/2022 on the calculation of administrative fines under the GDPR of 12 May 2022, p. 38 Recs. 137 et seqq.

[18] Gola, in: Gola, Datenschutz-Grundverordnung (2018), Art. 83 Rec. 15.

[19] EDPB, Guidelines 04/2022 of 12 May 2022, p. 38 Rec. 137 referencing CJEU, judgement of 13 June 2013, C-511/11 – Versalis, Rec. 94; cf. also Bergt, in: Kühling/Buchner, DS-GVO BDSG (2020), Art. 83 Rec. 50.

[20] See, for example, the Irish Data Protection Commission (DPC) in its dispute with Twitter, EDPB, decision 01/2020 on the dispute arisen on the draft decision of the Irish Supervisory Authority regarding Twitter International Company under Article 65(1)(a) GDPR of 09 November 2020, Rec. 164.

[21] Moos/Schefzig, in: Taeger/Gabel, DSGVO – BDSG – TTDSG (2022), Art. 83 Rec. 33.

[22] Frenzel, in: Paal/Pauly, DS-GVO BDSG (2021), Art. 83 Rec. 6.

[23] See Rec. 148 GDPR; also Art.-29-WP, Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679, WP 253, p. 6; EDPB, Guidelines 04/2022 of 12 May 2022, p. 38 Recs. 137 et seqq.; cf. also Nemitz, in: Ehmann/Selmayr, Datenschutz-Grundverordnung (2018), Art. 83 Rec. 9.

[24] CJEU, judgement of 26 October 2017, T-704/14 – Marine Harvest, Rec. 580; CJEU, judgement of 12 December 2012, T-332/09 – Electrabel, Rec. 279; cf. also Art. 49 Sec. 1 S. 3 CFR.

[25] Cf. Gola, in: Gola, Datenschutz-Grundverordnung (2018), Art. 83 Rec. 15.

[26] Moos/Schefzig, in: Taeger/Gabel, DSGVO – BDSG – TTDSG (2022), Art. 83 Rec. 30.

[27] EDPB, Guidelines 04/2022 of 12 May 2022, p. 38 Rec. 40.

[28] Art.-29-WP, WP 253, p. 6.

[29] Cf. Frenzel, in: Paal/Pauly, DS-GVO BDSG (2021), Art. 83 Rec. 8, 19.

[30] Nemitz, in: Ehmann/Selmayr, Datenschutz-Grundverordnung (2018), Art. 83 Rec. 9.

Art. 23 Sec. 1 ePrivacy Regulation in conjunction with Art. 83 Sec. 2 GDPR specifies the general standards for imposing administrative fines under Art. 83 Sec. 1 GDPR. Art. 83 Sec. 2 S. 1 GDPR clarifies the relation of fines to other administrative measures, i.e., those under Art. 58 GDPR, which applies mutatis mutandis under Art. 18 Sec. 1ab ePrivacy Regulation.[31] Art. 83 Sec. 2 S. 2 GDPR lists various criteria to which the authority shall give “due regard”. These specify the principle of proportionality pursuant to Art. 83 Sec. 1 Var. 2 GDPR.[32]

a) Assessment of the individual case and relation to other measures pursuant to Art. 83 Sec. 2 S. 1 GDPR in conjunction with Art. 58 Sec. 2 S. 1 GDPR; Art. 18 Sec. 1ab ePrivacy Regulation

Art. 83 Sec. 2 S. 1 GDPR stipulates that supervisory authorities shall take into account the circumstances of each individual case when issuing an administrative fine. Since the principle of proportionality already encompasses a comprehensive assessment of the individual case, this is merely declaratory.

Administrative fines can be imposed in addition to or instead of measures pursuant to Art. 58 Sec. 2 GDPR. Despite its misleading wording, this does not impose an obligation to issue fines.[33] Rather, it means that the other measures represent a “minimum threshold” in the sense that they are options which burden the addressee less than fines.[34]

b) Criteria for imposing administrative fines, Art. 83 Sec. 2 S. 2 GDPR

The criteria mentioned in Art. 83 Sec. 2 S. 2 GDPR are extensive but not exhaustive.[35] This already follows from the principle of proportionality, pursuant to which all circumstances of the individual case must be considered.[36] Art. 83 Sec. 2 lit. k GDPR also makes the non-exhaustive character of the provision explicit by opening the list to “any other aggravating or mitigating factor[s]”. However, given the level of detail provided, criteria other than those listed are conceivable only to a limited extent. Only Rec. 150 S. 4 GDPR complements the list with regard to persons other than undertakings, whose general level of income in the respective Member State shall be considered when determining the appropriate amount of an administrative fine.

Generally speaking, the list pursues a risk-based approach: undertakings that tend to infringe the rights of end-users, in particular where they show structural deficits in their data protection and privacy safeguards, are more likely both to be fined and to be placed at the upper end of the scale than those which generally apply adequate safeguards. In detail, the relevant criteria for assessing a potential fine are:

  • Nature, gravity and duration of an infringement – special attention may be paid to the number of affected persons and the damage suffered by them (lit. a);
  • The intentional or negligent character of the infringement (lit. b);
  • Measures to mitigate the damage suffered by the person concerned (lit. c);
  • Relevant previous infringements of the addressee (lit. d);
  • Willingness to cooperate with the competent authority (lit. f) and involvement in the investigative process, particularly, whether the addressee notified the authority in advance (lit. h);
  • The categories of personal data affected by the infringement, which in ePrivacy terms translates to the sphere of privacy the specific conduct interfered with (i.e., most intimate or merely general parts of privacy, such as the family environment) (lit. g);
  • Compliance with possible earlier measures taken with regard to the same infringement, such as prior warnings or orders pursuant to Art. 18 Sec. 1ab Alt. 2 ePrivacy Regulation in conjunction with Art. 58 Sec. 2 GDPR (lit. i);
  • Gained financial benefits (lit. k).

Finally, it is worth noting that the criteria listed above not only constitute relevant parameters for supervisory authorities but also represent an important guideline for addressees of the ePrivacy Regulation. Since experience shows that some factors are considered more relevant than others, service providers, marketers and other addressees should identify the emphases applied by their own competent authority and align their operations accordingly. Generally speaking, early cooperation with the authorities and a demonstrated willingness to contain potential damage has proven sensible and is an advisable approach in all conceivable cases.

[31] Cf. Art. 18 No. III.

[32] See above under No. II.1.c).

[33] See above under No. II.1.a); Art.-29-WP, Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679, WP 253, p. 9; Holländer, in: Wolff/Brink, BeckOK Datenschutzrecht (2021), Art. 83 Rec. 26; Nemitz, in: Ehmann/Selmayr, Datenschutz-Grundverordnung (2018), Art. 83 Rec. 9; Moos/Schefzig, in: Taeger/Gabel, DSGVO – BDSG – TTDSG (2022), Art. 83 Rec. 36.

[34] Moos/Schefzig, in: Taeger/Gabel, DSGVO – BDSG – TTDSG (2022), Art. 83 Rec. 36; different opinion held by Boehm, in: Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht (2019), Art. 83 Rec. 22 and 15.

[35] Boehm, in: Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht (2019), Art. 83 Rec. 23.

[36] Cf. Frenzel, in: Paal/Pauly, DS-GVO BDSG (2021), Art. 83 Rec. 13.

Art. 83 Sec. 3 GDPR states that the infringement of several provisions must not lead to fines exceeding the amount specified for the gravest infringement. Parties accused of a series of infringements are, thus, privileged. This approach resembles the so-called principle of absorption, which is found in many legal systems and derives from the fundamental principle of ne bis in idem.[37] However, fines are not absorbed to the extent that only the amount for the most serious infringement remains in the equation. Rather, all imposable fines are initially added up and then “capped” at the highest possible fine for the single gravest infringement (cf. Art. 83 Secs. 4 to 6 GDPR in conjunction with Art. 23 Secs. 2 to 5 ePrivacy Regulation).[38]

One and the same operation can already infringe several provisions, for example unsolicited marketing combined with a recording of the conversation or with processing of the related communications data (cf. Arts. 5, 16 Sec. 1 ePrivacy Regulation). It is also conceivable that the same interference with the confidentiality of communications pursuant to Art. 5 ePrivacy Regulation concerns both the content of the communication and its related metadata.

Art. 83 Sec. 3 GDPR, however, also covers cases in which different operations that are linked to each other infringe provisions of the GDPR (and, accordingly, the ePrivacy Regulation). How close this link has to be and, consequently, which separate conducts remain in the equation, is not specified by the provision. The EDPB provides an answer by assuming a sufficient link where one unitary conduct consists of several parts that are carried out by a unitary will.[39] Additional criteria include the contextual proximity with respect to the persons concerned, the purpose and nature of the conduct, as well as a possible spatial and temporal relation between the operations.[40] It is decisive whether all parts are related closely enough for an outside observer to regard them as one coherent conduct.[41]

In order not to undermine the principles of Art. 83 Sec. 1 GDPR (i.e., deterrence and effectiveness), the EDPB proposes to apply the above-mentioned criteria restrictively.[42] As to which individual parts enter the addition, the EDPB (evaluating the Member States’ traditions on the rules of concurrence) applies a tripartite concept. This distinguishes between (i) concurrence and (ii) unity of actions as part of one sanctionable conduct and (iii) plurality of actions as the expression of eligibility for multiple sanctions.[43] Accordingly, the authority first needs to assess which parts of the conduct are governed by provisions that are leges speciales vis-à-vis others.[44] This might, for instance, be the case for cookies under Art. 8 ePrivacy Regulation in relation to the stipulations of Arts. 5 to 7 ePrivacy Regulation. The remaining provisions might then be subsidiary or consumed in the sense that one infringement regularly occurs in combination with another.[45] Consequently, where all parts of the conduct are absorbed, they are treated as one infringement and the fine is calculated solely on the basis of that infringement and its legal maximum. Where this is not the case, all parts are treated as a unity of actions (also referred to as “ideal concurrence”) and, accordingly, added up pursuant to Art. 83 Sec. 3 GDPR. The fine must then, however, not exceed the maximum fine for the respective gravest conduct. With respect to the ePrivacy Regulation, this may be Art. 23 Sec. 3 with a maximum of 20 million Euros or 4 % of the undertaking’s total worldwide annual turnover.

Furthermore, it can be assumed that this assessment applies not only to cases covered by a single Regulation, i.e., the ePrivacy Regulation or the GDPR, but also to cases covered by both Regulations. As Art. 1 Sec. 3 ePrivacy Regulation clarifies, the ePrivacy Regulation complements and specifies the GDPR. To the extent that the ePrivacy Regulation sets out leges speciales, these consequently “absorb” the operations relevant under the GDPR. Conversely, complementary rules covering cases that usually appear in combination with a corresponding GDPR stipulation will “be absorbed”. Where, as a result, both ePrivacy and GDPR rules remain in the equation, the addition principle allows fines under both regulations to be combined. The fine must therefore add up all individual infringements and respect the maximum amount pursuant to Art. 23 Sec. 1 ePrivacy Regulation in conjunction with Art. 83 Sec. 3 GDPR. This approach is admissible, given that the relation between the two regulations is complementary and specific, as opposed to mutually exclusive. It is also mandatory with respect to the principles of proportionality and ne bis in idem.

Unlike the imposition of a fine as such, absorption under Art. 83 Sec. 3 GDPR requires responsibility for the sanctioned processing, i.e., intent or negligence. This is surprising, given the principle of faultless liability in Art. 83 Secs. 1, 2 GDPR and Art. 23 ePrivacy Regulation.[46] The provision must therefore be read to mean that the privilege extends to any kind of infringement, including faultless ones.

[37] See, e.g., § 52 Sec. 2 German Criminal Code (StGB); in this regard, cf. Rönnau/Wegner, JuS 2021, 17 (18).

[38] Boehm, in: Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht (2019), Art. 83 Rec. 36; Bergt, in: Kühling/Buchner, DS-GVO BDSG (2020), Art. 83 Rec. 62; EDPB, Guidelines 04/2022 on the calculation of administrative fines under the GDPR of 12 May 2022, pp. 2, 14 Recs. 43 et seq.

[39] EDPB, Guidelines 04/2022, p. 11 Rec. 28.

[40] EDPB, Guidelines 04/2022, p. 11 Rec. 28.

[41] EDPB, Guidelines 04/2022, p. 11 Rec. 28.

[42] EDPB, Guidelines 04/2022, p. 11 Rec. 28.

[43] EDPB, Guidelines 04/2022, p. 9, referencing CJEU, judgement of 26 October 2017, T-704/14 – Marine Harvest.

[44] EDPB, Guidelines 04/2022, p. 13 Rec. 32.

[45] EDPB, Guidelines 04/2022, p. 11 Recs. 36 et seq.

[46] Boehm, in: Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht (2019), Art. 83 Rec. 26; Nemitz, in: Ehmann/Selmayr, Datenschutz-Grundverordnung (2018), Art. 83 Rec. 17; Bergt, in: Kühling/Buchner, DS-GVO BDSG (2020), Art. 83 Rec. 10.

Art. 23 Secs. 2 to 5 ePrivacy Regulation implement a comprehensive catalogue of different infringements and their respective maximum fines. These are graded in ascending order, allowing either for an administrative fine of up to 10 million Euro or 2 % of an undertaking’s total worldwide annual turnover (Sec. 2), or of up to 20 million Euro or 4 % of the turnover (Secs. 3 and 5), whichever is higher.[47] In order to account for the peculiarities of each individual case, authorities can resort to the standards referenced in Art. 23 Sec. 1 ePrivacy Regulation in conjunction with Art. 83 Secs. 1, 2 GDPR.

This approach serves to categorize and, thus, rationalize the assignment of fines. It is necessary in view of the sanctioning nature of the fines: while these cannot be qualified as punishment in terms of criminal law, they nonetheless have a punitive character. Consequently, fines need to meet the requirement of predictability pursuant to Art. 49 CFR.[48] By the same token, it is worth noting that the fine an authority will ultimately impose is still not adequately predictable. The rather vague reference to the criteria pursuant to Art. 23 Sec. 1 ePrivacy Regulation in conjunction with Art. 83 Secs. 1, 2 GDPR and the stipulation of a maximum amount cannot by themselves identify the specific fine which the addressee must expect.[49] The need for predictability, however, must be regarded as particularly high, given the drastic maximum fines, which were inspired by antitrust law and may lead to a correspondingly excessive enforcement practice by authorities.[50]

To close this significant gap in specification, national supervisory authorities[51] and, more recently, the EDPB have issued guidelines on the calculation of administrative fines under the GDPR. These will apply to the ePrivacy Regulation mutatis mutandis. Accordingly, the EDPB proposed a five-step scheme for assessing fines in each individual case.[52] In a first step, the processing operations must be identified, as well as any linking between them.[53] With regard to the ePrivacy Regulation, this pertains to all actions interfering with the stipulations under Chapters II and III ePrivacy Regulation. In a second step, the “seriousness” of the infringement needs to be assessed (“starting point”) and put into the context of the undertaking’s annual turnover. Thirdly, all aggravating and mitigating circumstances pursuant to Art. 83 Sec. 2 GDPR must be determined. Fourthly, the applicable legal maximum fines need to be identified, in order not to exceed them pursuant to Art. 83 Sec. 3 GDPR. Lastly, the calculated fine needs to be reviewed against the requirements of effectiveness, dissuasiveness and proportionality and may be adjusted accordingly.

To the extent this guidance repeats the standards provided under Art. 83 GDPR, it provides only limited insight in supervisory authorities’ future calculation procedure. The EDPB states itself that “throughout all abovementioned steps, it must be borne in mind that the calculation of a fine is no mere mathematical exercise. Rather, the circumstances of the specific case are the determining factors leading to the final amount, which can – in all cases – vary between any minimum amount and the legal maximum.”[54]

[47] For details on the calculation and the term of undertakings, see No. IV.1.

[48] For details see Boehm, in: Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht (2019), Art. 83 Recs. 52 et seqq.; Frenzel, in: Paal/Pauly, DS-GVO BDSG (2021), Art. 83 Rec. 19, referencing CJEU, judgement of 26 February 2013, C-617/10 Recs. 34 et seqq.

[49] Holländer, in: Wolff/Brink, BeckOK Datenschutzrecht (2021), Art. 83 Rec. 48.

[50] Cf. Art. 23 Regulation (EC) No 1/2003 of 16 December 2002 on the implementation of the rules on competition laid down in Articles 81 and 82 of the Treaty; Bergt, in: Kühling/Buchner, DS-GVO BDSG (2020), Art. 83 Rec. 2; cf. also Nemitz, in: Ehmann/Selmayr, Datenschutz-Grundverordnung (2018), Art. 83 Rec. 35, referencing CJEU, judgement of 12 June 2014 – T-286/09 – Intel/Commission, concerning a fine exceeding one billion Euros.

[51] See, for example, German conference of independent federal and state data protection authorities, Datenschutzkonferenz (DSK), Konzept der unabhängigen Datenschutzaufsichtsbehörden des Bundes und der Länder zur Bußgeldzumessung in Verfahren gegen Unternehmen of 14 October 2019; EDPB, Guidelines 04/2022 on the calculation of administrative fines under the GDPR of 12 May 2022.

[52] Cf. EDPB, Guidelines 04/2022, pp. 2, 8.

[53] See No. II.3. for details.

[54] EDPB, Guidelines 04/2022, p. 2.

Art. 23 Sec. 2 ePrivacy Regulation concerns infringements of stipulations protecting end-users’ terminal equipment information pursuant to Art. 8 ePrivacy Regulation (lit. a), the inclusion of personal information into publicly available directories under Art. 15 ePrivacy Regulation (lit. c), the prohibition of unsolicited marketing communications pursuant to Art. 16 ePrivacy Regulation (lit. d) and the obligation to designate a representative pursuant to Art. 3 Sec. 2 (lit. e) ePrivacy Regulation.

The legislator considers these infringements to be less severe than those mentioned in Art. 23 Secs. 3 and 5 ePrivacy Regulation. At a maximum amount of 10 Million Euro or 2 % of an undertaking’s total worldwide annual turnover of the preceding financial year (whichever is higher),[55] fines are, consequently, set lower than under Art. 23 Secs. 3 and 5 ePrivacy Regulation. With regard to Art. 8 ePrivacy Regulation, this might indeed be surprising, since the protection of end-users’ terminal equipment information constitutes an essential part of the principle of confidentiality of communications under Chapter II. The relatively higher classification of Arts. 5 to 7 ePrivacy Regulation could, hence, prima facie be regarded as contradictory. Yet, the decisive factor is that in the most important application case, cookies are used for marketing purposes only, and not to exploit end-users’ most intimate information.[56] This is different in the use-case of Art. 5 ePrivacy Regulation, which explicitly concerns the “listening, tapping, storing, monitoring, scanning” or other conceivable kinds of interception and surveillance.[57] Interferences of the latter kind must consequently be regarded as more severe.

The same assessment applies with regard to infringements of Arts. 15 and 16 ePrivacy Regulation. The inclusion of personal data into a publicly available directory is likewise a socially known (while not necessarily accepted) practice. As a rule, the intensity of the interference with an end-user’s privacy is rather low, and only additional, exceptional factors lead to more intrusive constellations (e.g., a continuous and high-frequency marketing approach).

[55] For details on the calculation and the term of undertakings, see No. IV.1.

[56] For details, see Art. 8 No. I.2.a)bb).

[57] Also see Rec. 15 ePrivacy Regulation; for more details, cf. the comments on Art. 5 ePrivacy Regulation.

a) Infringements of Arts. 5 – 7 ePrivacy Regulation (Sec. 3)

Pursuant to the assessment indicated above,[58] interferences with the general principle of confidentiality of communications, permitted processing of electronic communications data and time limits for erasure pursuant to Arts. 5 to 7 ePrivacy Regulation are considered particularly severe and threatened with a correspondingly high fine. This can be up to a maximum of 20 Million Euros or 4 % of an undertaking’s total worldwide annual turnover of the preceding financial year, whichever is higher.[59]

b) Non-compliance with an order pursuant to Art. 18 Sec. 1ab ePrivacy Regulation in conjunction with Art. 58 Sec. 2 lit. c – e GDPR (Sec. 5)

Art. 23 Sec. 5 ePrivacy Regulation subjects non-compliance with an order by a supervisory authority pursuant to Art. 18 Sec. 1ab Alt. 2 ePrivacy Regulation in conjunction with Art. 58 Sec. 2 lit. c to lit. e, lit. g and lit. j GDPR to fines which may amount up to 20 Million Euros or 4 % of an undertaking’s total worldwide annual turnover of the preceding financial year, whichever is higher.[60] The difference compared to fines under Art. 23 Secs. 2 and 3 ePrivacy Regulation is that the legislator, here, expressly takes account of non-compliance with a corrective measure. Thus, it determines in a binding manner the “higher grade of injustice” of not complying with orders by a supervisory authority.

By the same token, the legislator “extracts” cases of non-compliance with orders from the set of criteria under Art. 83 Sec. 2 GDPR, namely its lit. i. The latter lists compliance and non-compliance with a measure under Art. 58 Sec. 2 GDPR (in conjunction with Art. 18 Sec. 1ab ePrivacy Regulation) as a factor in determining the imposition and amount of fines. As a consequence of this extraction, within the context of Art. 23 Sec. 5 ePrivacy Regulation, Art. 83 Sec. 2 lit. i GDPR only encompasses compliance and non-compliance with warnings (Art. 58 Sec. 2 lit. a GDPR) and reprimands (Art. 58 Sec. 2 lit. b GDPR), as well as compliance with orders (Art. 58 Sec. 2 lit. c to lit. e, lit. g and lit. j GDPR).

It is questionable in this regard whether Art. 23 Sec. 5 ePrivacy Regulation also encompasses non-compliance with a temporary or definitive limitation including a ban on processing (Art. 58 Sec. 2 lit. f GDPR). A comparison with Art. 83 Sec. 5 lit. e GDPR shows that this has not been included in the provision. With respect to the principle of legal clarity and predictability of sanctioning rules, the lack of such an inclusion cannot, however, be corrected teleologically. A limitation of processing pursuant to Art. 58 Sec. 2 lit. f GDPR thus likewise merely remains part of the criteria under Art. 83 Sec. 2 lit. i GDPR.

[58] See No. III.1.

[59] For details on the calculation and the term of undertakings, see No. IV.1.

[60] For details on the calculation and the term of undertakings, see No. IV.1.

Requirements stipulated under Arts. 12 to 14 ePrivacy Regulation concern providers of number-based interpersonal communications services, i.e. telephone companies. These are required to facilitate the presentation and restriction of calling and connected line identification (Art. 12 ePrivacy Regulation), which are subject to exceptions under Art. 13 ePrivacy Regulation for emergency services. Also, providers need to allow for the blocking of unwanted, malicious or nuisance calls (Art. 14 ePrivacy Regulation). These stipulations are not subject to fines under Art. 23 ePrivacy Regulation, since telephone companies themselves do not infringe the privacy of end-users in this case. Rather, they merely facilitate infringements when not implementing adequate safeguards as required under Arts. 12 to 14 ePrivacy Regulation. Given this subordinate role within the communication process, it would not be appropriate to issue fines. Yet, Member States shall lay down rules on penalties for non-compliance with these stipulations in accordance with Art. 24 ePrivacy Regulation.[61]

[61] See Art. 24 No. I. et seq.

On the one hand, fines can be imposed on both natural and legal persons, regardless of their legal form.[62] A difference only exists with respect to the amount of fines, since natural persons and persons other than undertakings can only be subject to an absolute fine, not a relative fine (which is determined with reference to the total worldwide annual turnover of the preceding financial year). On the other hand, Art. 23 Sec. 6 ePrivacy Regulation stipulates that Member States may lay down rules on whether administrative fines may also be imposed on public authorities and bodies and to what extent. This corresponds to Art. 83 Sec. 7 GDPR, which implements the same delegation.

[62] Moos/Schefzig, in: Taeger/Gabel (2022), Art. 83 Rec. 118; Gola, in: Gola, Datenschutz-Grundverordnung (2018) Art. 83 Rec. 16.

Art. 23 ePrivacy Regulation specifically refers to undertakings as addressees of fines. The scope of the term is unclear, as is already the case within the context of Art. 83 GDPR,[63] given the unclear reference in Rec. 40 S. 3 ePrivacy Regulation to the term of undertakings pursuant to Arts. 101 and 102 TFEU and the inconsistent use of the term throughout the GDPR. In essence, the two possible interpretations of the term take effect with respect to the calculation of a fine, i.e., the question which specific unit of an undertaking constitutes the reference point for determining its total annual turnover.

One school of thought argues that the reference under Rec. 40 S. 3 ePrivacy Regulation includes not only a specific legal person itself, but also the entire group, based on the doctrine of antitrust law.[64] Accordingly, undertakings, pursuant to the case law of the CJEU, are defined as every entity “engaged in an economic activity, regardless of its legal status and the way in which it is financed”.[65] When calculating the fine, this term is understood in a broad sense, pursuant to which not only the legal person as such is the subject of the calculation, but the functional economic entity in its entirety, i.e. all associated branches and units, regardless of their involvement in the infringing action (i.e., the group of undertakings).[66] This again significantly increases the maximum amount of possible fines.[67] A corresponding interpretation can also lead to parent companies being held liable for infringements committed by their subsidiaries.[68] In line with an extensive approach to data protection enforcement, this interpretation is applied by supervisory authorities.[69]

A broad interpretation, however, disregards the clear legislative intent, pursuant to which the term “undertaking” does, in fact, not automatically encompass an associated group, but rather has to be distinguished from it (cf., e.g., the distinctions made within Recs. 36, 37, 48, 110 and Art. 88 Sec. 2 GDPR).[70] Consequently, the term “undertaking” defines only the specific unit which (in the context of the ePrivacy Regulation and GDPR) carries out the infringing action.

This finding is confirmed by the fact that a comprehensive referral to the doctrine of antitrust law would have required an explicit clarification within the very text of the provision itself and not a mere parenthetical note within the Recitals. The requirements of legal clarity and predictability alone contradict a broad interpretation of the term. What is more, despite this question having been controversial under the GDPR for years, the ePrivacy Regulation did not take the chance of clarifying whether the doctrine of antitrust law should apply, but rather likewise maintained a mere reference to its terminology in Rec. 40 S. 3 ePrivacy Regulation.[71] Consequently, “undertakings” within the meaning of the ePrivacy Regulation (and GDPR) must be considered to be only the specific unit within a group, i.e. the one which is involved in a particular infringement. This unit, eventually, signifies the point of reference for the calculation, not, however, the economic entity (i.e. the group).[72]

Fines are calculated either with regard to the undertaking’s total worldwide annual turnover of the preceding financial year or by determining an absolute figure, whichever is higher. In consequence, any sanctioning procedure aimed at imposing a fine must always determine both the respective turnover and a provisional fine, regardless of which of the two will ultimately be imposed.[73] Since the specific procedure, the standards and the weighing of arguments within the assessment under Art. 23 Sec. 1 ePrivacy Regulation in conjunction with Art. 83 Secs. 1, 2 GDPR are subject to comprehensive discretion, the final determination must be regarded as a decision on the individual case rather than a purely schematic one.[74] That is true in particular since neither factor (absolute figure or relative turnover) is specified and, therefore, generally cannot serve as a reference point for the respective other one. An exception exists only where the authority intends to exhaust the full amount of the relative fine: whenever the annual turnover exceeds 500 Million Euros, a relative calculation based on 2 % or 4 % exceeds the absolute amount of 10 Million Euros or 20 Million Euros, respectively.[75] From this it is apparent that a relative calculation may lead to significantly higher fines than an absolute one. This represents a privilege of natural and legal persons other than undertakings.

[63] Cf. Moos/Schefzig, in: Taeger/Gabel, DSGVO – BDSG – TTDSG (2022), Art. 83 Rec. 41.

[64] Cf. only Holländer, in: Wolff/Brink, BeckOK Datenschutzrecht (2021), Art. 83 Rec. 14.1; Boehm, in: Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht (2019), Art. 83 Rec. 40.

[65] CJEU, judgement of 23 April 1991, C-41/90 – Höfner and Elser, Rec. 21; CJEU, judgement of 17 February 1993, C-159/91 and C-160/91 – Poucet and Pistre, Rec. 17; CJEU, judgement of 19 January 1994, C-364/92 – SAT/Eurocontrol, Rec. 18.

[66] Boehm, in: Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht, 2019, Art. 83 Rec. 43; Hohmann, in: Roßnagel, DSGVO (2017) p. 199 (200); Nemitz, in: Ehmann/Selmayr, DSGVO, 2018, Art. 83 Rec. 40 ff.; Rubin, r+s 2018, p. 337 (342); Uebele, EuZW 2018, p. 440 (445 et seq.).

[67] Voigt, IT-Sicherheitsrecht: Pflichten und Haftung im Unternehmen (2018), p. 101.

[68] Bergt, DuD 2017, p. 555 (556); Hohmann, in: Roßnagel, DSGVO (2017), p. 199 (200).

[69] Cf. Art. 29 WP, Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679 of 3 October 2017, WP 253, p. 6; Datenschutzkonferenz, Kurzpapier No. 2 – Aufsichtsbefugnisse/Sanktionen, p. 2.

[70] For instance, the corresponding Recital 37 S. 2 GDPR clarifies that “an undertaking which controls the processing of personal data in undertakings affiliated to it should be regarded, together with those undertakings, as a group of undertakings”.

[71] As is already the case in Rec. 150 S. 3 GDPR.

[72] Cf. also Moos/Schefzig, in: Taeger/Gabel, DSGVO – BDSG – TTDSG (2022), Art. 83 Rec. 46.

[73] Nemitz, in: Ehmann/Selmayr, Datenschutz-Grundverordnung (2018), Art. 83 Rec. 38.

[74] Nemitz, in: Ehmann/Selmayr, Datenschutz-Grundverordnung (2018), Art. 83 Rec. 39.

[75] Nemitz, in: Ehmann/Selmayr, Datenschutz-Grundverordnung (2018), Art. 83 Rec. 39.

Art. 23 Sec. 6 ePrivacy Regulation allows Member States to lay down rules on whether and to what extent administrative fines may be imposed on public authorities. This applies without prejudice to other corrective powers of supervisory authorities pursuant to Art. 18 Sec. 1ab Alt. 2 ePrivacy Regulation. This approach indeed represents a privilege of public bodies compared to the comprehensive subjection of other addressees to the sanctioning system of the ePrivacy Regulation. After all, infringements of privacy rights can occur not only in the private sector, but also in the public sphere. The sanctioning of public bodies therefore appears essential to enforcing compliance with the ePrivacy Regulation. Member States should accordingly provide for a corresponding sanctioning stipulation, in order to ensure a consistent approach to privacy enforcement.

Rules concerning the imposition of fines on public bodies should encompass provisions regarding the calculation of fines, since public bodies often have no annual turnover to refer to. Rather, such rules should take into account the budget provided by the state. Correspondingly, the enforcement of the fine should take the form of a budgetary cut in the subsequent financial period rather than an actual collection, in order to avoid a mere shifting of financial resources within the same public budgets.[76]

[76] Cf. Boehm, in: Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht (2019), Art. 83 Rec. 55; also cf. Holländer, in: Wolff/Brink, BeckOK Datenschutzrecht (2021), Art. 83 Rec. 79.1.

Pursuant to Art. 23 Sec. 7 ePrivacy Regulation, the exercise of corrective powers by the supervisory authority needs to be subject to appropriate procedural safeguards. This includes in particular the existence of an effective judicial remedy and due process. The respective standards are specified by both the law of the Union and each individual Member State.

With respect to the law of the Union, enforcement of data and privacy protection must respect the procedural provisions under Arts. 47 et seqq. CFR, as well as the provisions under Arts. 6, 13 ECHR.[77] Accordingly, every addressee of fines must have access to an effective remedy before an independent court of the Member States and to a fair and public hearing, including access to legal aid and representation. To the extent that the latter is already guaranteed pursuant to Art. 21 Sec. 1 Var. 3 ePrivacy Regulation, Art. 23 Sec. 7 HS. 2 Alt. 1 ePrivacy Regulation (“effective judicial remedy”) must be considered declaratory in nature. “Due process”, by contrast, refers to the requirement of an adequate reasoning of the decision, as set forth by the case law of the Court of Justice.[78] Accordingly, the authority needs to indicate the factors which enabled it to determine the gravity and duration of an infringement, i.e., the basic method of calculation determining the ultimate amount of the fine. If those factors are not clarified by the authority, “the decision is vitiated by failure to state adequate reasons”.[79]

[77] Moos/Schefzig, in: Taeger/Gabel (2022), Art. 83 Rec. 159.

[78] CJEU, judgement of 30 September 2003, T-191/98, T-212/98 to T-214/98 – Atlantic Container Line et al., Rec. 1521, referencing CJEU, judgement of 16 November 2000, C-291/98 P – Sarrió/Commission, Rec. 73.

[79] CJEU, judgement of 16 November 2000, C-291/98 P – Sarrió/Commission, Rec. 73.

Art. 23 Sec. 8 ePrivacy Regulation is a specific provision concerning Member States whose legal systems do not provide for administrative fines. In these cases, fines may only be “initiated” by the competent supervisory authority (whose existence is mandatory pursuant to Art. 18 Sec. 0 ePrivacy Regulation) and “imposed” by the competent national courts. In any case, fines must respect the basic principles indicated under Art. 23 Sec. 1 ePrivacy Regulation in conjunction with Art. 83 Sec. 1 GDPR, i.e., they must be “effective, proportionate and dissuasive”.[80] Correspondingly, all legal remedies against such a decision must be equally effective.

[80] Cf. No. II.1.

Comment