Paul Voigt, Axel von dem Bussche: The EU ePrivacy Regulation – Preliminary Guidance and Commentary

Article 24 ePrivacy Regulation – Penalties

1. Member States shall lay down the rules on other penalties applicable to infringements of this Regulation in particular for infringements which are not subject to administrative fines pursuant to Article 23, and shall take all measures necessary to ensure that they are implemented. Such penalties shall be effective, proportionate and dissuasive.

2. Each Member State shall notify to the Commission the provisions of its law which it adopts pursuant to paragraph 1, no later than 8 months after the date set forth under Article 29(2) and, without delay, any subsequent amendment affecting them.

Art. 24 ePrivacy Regulation

Art. 24 ePrivacy Regulation delegates the implementation of rules on penalties other than fines to the Member States. These rules complement the scope of corrective measures of supervisory authorities laid down under Art. 18 Sec. 1ab Alt. 2 ePrivacy Regulation. At the same time, the Union legislator meets the principle of subsidiarity between EU and Member State regulation pursuant to Art. 5 Sec. 1 S. 2 TEU.[1] Member States have sufficient leeway in determining the relevant conduct and sanction but are also obliged to implement the respective legislation.[2]

As Recital 149 GDPR (corresponding to the comparable stipulation of Art. 84 GDPR) states, penalties may be of a criminal or administrative nature. This opens up a “cascade of options”[3] which provides Member States and their supervisory authorities with a wide scope of action.[4] By the same token, this broad leeway for national legislators impedes a uniform sanctioning framework as well as an associated uniform enforcement practice.[5]

Systematically, penalties must be distinguished from other corrective measures pursuant to Art. 18 Sec. 1ab ePrivacy Regulation in conjunction with Art. 58 GDPR. Whereas Art. 18 Sec. 1ab ePrivacy Regulation is principally concerned with remedies aimed at changes for the future, i.e., eliminating current and preventing future infringements, penalties concern the past, reacting to a given infringement and compensating for the injustice done.[6]

[1] Frenzel, in: Paal/Pauly, DS-GVO BDSG (2021), Art. 84 Rec. 1.

[2] Boehm, in: Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht (2019), Art. 84 Rec. 5; Holländer, in: Wolff/Brink, BeckOK Datenschutzrecht (2021), Art. 84 Rec. 5.

[3] Holländer, in: Wolff/Brink, BeckOK Datenschutzrecht (2021), Art. 84 Rec. 2; Frenzel, in: Paal/Pauly, DS-GVO BDSG (2021), Art. 84 Rec. 1.

[4] Moos/Schefzig, in: Taeger/Gabel, DSGVO – BDSG – TTDSG (2022), Art. 84 Rec. 2; Nemitz, in: Ehmann/Selmayr, Datenschutz-Grundverordnung (2018), Art. 84 Rec. 1; Holländer, in: Wolff/Brink, BeckOK Datenschutzrecht (2021), Art. 84 Rec. 5.

[5] Cf. Recs. 9, 11, 13 and 150 S. 1 GDPR, Moos/Schefzig, in: Taeger/Gabel, DSGVO – BDSG – TTDSG (2022), Art. 84 Rec. 3.

[6] Holländer, in: Wolff/Brink, BeckOK Datenschutzrecht (2021), Art. 84 Rec. 3.

The opening clause of Art. 24 Sec. 1 ePrivacy Regulation allows Member States to implement their own privacy-related sanctions. In this regard, it does not stipulate limitations, but rather indicates only a minimum standard referring to infringements that are not subject to administrative fines pursuant to Art. 23 ePrivacy Regulation. These include infringements of Arts. 12 to 14 ePrivacy Regulation (i.e., less severe forms of unsolicited communications), which are explicitly excluded from fines by Art. 23 Sec. 4 ePrivacy Regulation. Other than that, sanctions can either fill gaps in sanctioning inadmissible conduct pursuant to the ePrivacy Regulation or complement existing sanctioning regimes. Member States can also stipulate sanctions for infringements of rules adopted pursuant to other delegations of the regulation and of specific national provisions.[7]

[7] Cf. Rec. 149 S. 1 GDPR; also Moos/Schefzig, in: Taeger/Gabel, DSGVO – BDSG – TTDSG (2022), Art. 84 Rec. 4, referencing CJEU, judgement of 21 September 1989, C-68/88.

Penalties under Member State laws must be effective, proportionate and dissuasive (cf. Art. 24 Sec. 1 S. 2 ePrivacy Regulation). As the CJEU clarified in its case law, however, this already results from obligations under primary law pursuant to Art. 4 Sec. 3 S. 2 et seq. TEU.[8] Measures must serve both to deter the public from infringing privacy stipulations (so-called general deterrence) and to deter the individual infringer from continuing their conduct (so-called specific deterrence).[9] Yet, these stipulations must not overshoot the target. In order to safeguard a proportionate implementation, the limiting requirements of Union law apply pursuant to Art. 51 Sec. 1 S. 1 CFR and must be complied with by the national legislator.[10] Inter alia, this concerns Art. 47 CFR, which requires access to an effective judicial remedy and a fair trial, as well as the principles of legality and proportionality pursuant to Art. 49 CFR. National legislation must also observe the principle of legal certainty: the specific scope of application of a penalty, its preconditions and its legal consequences must be stipulated clearly enough that each possible addressee can align their conduct and anticipate sanctions for a possible infringement.[11] This excludes mere references to regulations that are not sufficiently clear by themselves, since in that case only a prior judicial clarification can eliminate uncertainties.[12]

Recital 149 S. 3 GDPR explicitly clarifies that Member States must obey the prohibition of double jeopardy, i.e., the principle of ne bis in idem as interpreted by the CJEU. Consequently, the same conduct must not be subject to two separate punishments. Yet, a combination of one punishment under criminal law and one (or further) administrative sanctions under public law is admissible.[13] In that regard it needs to be assessed, however, whether the second sanction qualifies as “punishment”.[14] This must be determined with respect to the classification under national law, the nature of the offense and the degree of severity of the penalty.[15] Even where the second sanction is, accordingly, considered admissible, its concrete form must take into account the cumulative effect of multiple sanctions and the respective burden for the addressee – after all, the overall sanction for the same conduct must be appropriate and proportionate.[16]

[8] Moos/Schefzig, in: Taeger/Gabel, DSGVO – BDSG – TTDSG (2022), Art. 84 Rec. 5.

[9] Bergt, in: Kühling/Buchner, DS-GVO BDSG (2020), Art. 84 Rec. 14.

[10] Bergt, in: Kühling/Buchner, DS-GVO BDSG (2020), Art. 84 Rec. 5.

[11] Bergt, in: Kühling/Buchner, DS-GVO BDSG (2020), Art. 84 Rec. 5.

[12] Bergt, in: Kühling/Buchner, DS-GVO BDSG (2020), Art. 84 Rec. 5.

[13] CJEU, judgement of 26 February 2013, C-617/10 – Akerberg Fransson, Recs. 34 et seqq.; CJEU, judgement of 5 June 2012, C-489/10 – Bonda, Rec. 37.

[14] Nemitz, in: Ehmann/Selmayr, Datenschutz-Grundverordnung (2018), Art. 84 Rec. 4.

[15] CJEU, judgement of 5 June 2012, C-489/10 – Bonda, Rec. 37.

[16] Frenzel, in: Paal/Pauly, DS-GVO BDSG (2021), Art. 84 Rec. 6 with further reference; cf. also Rec. 149 S. 3 GDPR.

With regard to the specific form of punishment, Member States have comprehensive leeway.[17] In that regard, criminal punishments are the measure of choice when handling “serious infringements”. Pursuant to the guiding principle “tort does not pay”, this serves to strip away any enrichment brought about by the infringement (restitution effect) and to prevent an overall incentive for committing profit-oriented crime (deterring effect).[18] Other options, classically, include imprisonment or a monetary penalty.[19]

[17] Gola, in: Gola, Datenschutz-Grundverordnung (2018), Art. 84 Rec. 5.

[18] Boehm, in: Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht (2019), Art. 84 Rec. 5, referencing House of Lords, decision of 21 January 1964, [1964] AC 1129 – Rookes v. Barnard.

[19] Bergt, in: Kühling/Buchner, DS-GVO BDSG (2020), Art. 84 Rec. 10; cf. for a detailed account of sanctions as per a “European understanding” Holländer, in: Wolff/Brink, BeckOK Datenschutzrecht (2021), Art. 84 Rec. 3.

According to Rec. 152 S. 2 GDPR, penalties can also be administrative in nature. Since a comprehensive set of administrative measures is already regulated within Art. 18 Sec. 1ab Alt. 1 and 2 ePrivacy Regulation, and these also include penalizing measures (for instance, warnings or regular investigations pursuant to Art. 58 Secs. 1 lit. b, 2 lit. a GDPR), it is difficult to determine additional options.[20] Such options may, however, exist whenever the quality of enforcement reaches a particular level at which a measure serves not only to investigate or correct a certain conduct but also to compensate for the injustice done.[21]

[20] Cf. Rec. 152 S. 7 GDPR; Bergt, in: Kühling/Buchner, DS-GVO BDSG (2020), Art. 84 Rec. 8.

[21] Cf. above under No. I.

Pursuant to Art. 24 Sec. 2 ePrivacy Regulation, each Member State shall notify the Commission of the provisions implemented according to Sec. 1. For this, the provision stipulates a maximum time frame of eight months after the ePrivacy Regulation’s entry into force pursuant to Art. 29 Sec. 2 ePrivacy Regulation.
