Liability for data protection fines – who ends up with the bill?

As an increasing number of GDPR fines are handed out, they raise questions about which legal entity ultimately bears the liability. There is a significant risk that, in addition to the infringer, statutory liability can extend to the infringer's parent entities and to entities that acquire the infringer's assets in an M&A transaction.

No one could have missed the EU's General Data Protection Regulation (GDPR) entering into force in spring 2018. GDPR brought with it new responsibilities for everyone who processes and keeps records of personal data. But above all else, it was the sharply increased penalties that attracted attention, and for good reason. The new fines of potentially up to EUR 20 million or 4% of a company group's global turnover, whichever is higher, set a very new tone for the previously toothless enforcement system. These penalties are now being applied for the first time, and they have brought with them new questions concerning the attribution of liability; in other words, who ultimately pays the fine in cases where there are changes in data controllership or the entity in breach has become insolvent. What has typically not been on the radar is the surprising extent of data protection liability: there is a significant risk that, in addition to the legal entity that infringes GDPR, liability can be extended to the infringer's parent entities as well as to entities that acquire the infringer's assets.

When GDPR entered into force, the question concerning the entity responsible for the fines went almost completely unnoticed. While the responsibilities under the GDPR are directed at processors and controllers of personal data, the fines under Article 83 GDPR mention “undertakings” as subjects of the fine. Recital 150 in GDPR further clarifies that these undertakings “should be understood to be an undertaking in accordance with Articles 101 and 102 TFEU”. This somewhat cryptic passage refers to the EU’s competition law articles. The EU’s competition rules are not directed at companies or legal entities but at “undertakings”. Over several decades, the Court of Justice of the European Union (CJEU) has provided extensive case law on how to interpret the concept of an undertaking, particularly regarding the attribution of liability for competition fines.

A highly simplified version of the CJEU’s case law on undertakings in competition law is that undertakings are ultimately not legal entities but economic entities. They are the combination of “personal, tangible and intangible” assets that are used to operate a particular business. As such, an undertaking can cover several legal entities. One well-established consequence of this concept is the so-called parental liability doctrine. It means that parental entities can quite easily be held jointly and severally liable with their infringing subsidiary, even if the parent did not participate in the infringement or was not even aware of it. Another consequence that has been created by the CJEU is the doctrine of economic continuity or economic succession, in which a company that acquires another company’s assets may under certain conditions become liable for the seller’s competition fines. As opposed to legal succession, where a company expressly takes over another company’s liabilities, economic succession may take place involuntarily. If the infringer no longer exists or is no longer able to pay the fine, but another company has acquired its assets and continues its business, then that acquiring company may become liable for the fines as the “economic successor” of the infringer. Again, this can happen even if the successor company took no part in the infringement and was not even aware of it.

Because the GDPR is a relatively new piece of legislation, the CJEU has not yet had an opportunity to rule on whether the attribution of liability is identical for competition fines and GDPR fines. Nonetheless, given the use of the term “undertaking” and the explicit reference to the EU’s competition rules, we consider there to be a high risk that the CJEU will interpret the attribution of liability similarly in both areas of law. Furthermore, the Finnish Office of the Data Protection Ombudsman has recently made public statements that seem consistent with this type of attribution of liability.

So, if the attribution of liability is similar for competition law and data protection law, what does that mean in practice? For the day-to-day operations of a processor or controller of personal data, not much. However, in situations where an infringement of GDPR has taken place, it would usually be difficult to limit the liability to the infringing company's assets, because its parent company can often also be held jointly and severally liable. For corporate acquisitions, it means that the liability for GDPR fines can follow the seller's assets in an asset purchase, even if the parties have not agreed on it and even if they have expressly agreed against it. This increases the importance of proper data protection due diligence as well as sufficient contractual safeguards between the buyer and the seller in the purchase agreement. Although the level of GDPR fines in Finland so far seems to be near the lower end of the scale, the risk of transferring data protection liabilities is an issue to be carefully examined in every transaction. As always, the first step is to be aware that the risk exists, so that it can be identified and controlled to the extent possible under the particular circumstances.
