Liability for data protection fines – who ends up with the bill?

Posted on

28 Jun

2021

Dittmar & Indrenius > Insight > Liability for data protection fines – who ends up with the bill?

As increasing number of GDPR fines are being handed out, they raise questions about which legal entity is ultimately bearing the liability. There is a significant risk that in addition to the infringer, statutory liability can extend to the infringer’s parental entities and entities that acquire the infringer’s assets in an M&A transaction.

No one could have missed when the EU’s General Data Protection Regulation (GDPR) entered into force in spring 2018. GDPR brought with it new responsibilities for everyone who processes and keeps records of personal data. But above all else, it was the sharply increased penalties that attracted attention, and for good reason. The new fines of potentially up to EUR 20 million or 4% of a company group’s global turnover – whichever higher – set a very new tone for the previously toothless enforcement system. These penalties are now being applied for the first time, and they have brought with them new questions concerning the attribution of liability; in other words, who ultimately pays the fine in cases where there are changes in data controllership or the entity in breach has become insolvent. What has typically not been on the radar is the surprising extent of data protection liability: there is a significant risk that in addition to the legal entity that infringes GDPR, liability can be extended to the infringer’s parental entities as well as to entities that acquire the infringer’s assets.

When GDPR entered into force, the question concerning the entity responsible for the fines went almost completely unnoticed. While the responsibilities under the GDPR are directed at processors and controllers of personal data, the fines under Article 83 GDPR mention “undertakings” as subjects of the fine. Recital 150 in GDPR further clarifies that these undertakings “should be understood to be an undertaking in accordance with Articles 101 and 102 TFEU”. This somewhat cryptic passage refers to the EU’s competition law articles. The EU’s competition rules are not directed at companies or legal entities but at “undertakings”. Over several decades, the Court of Justice of the European Union (CJEU) has provided extensive case law on how to interpret the concept of an undertaking, particularly regarding the attribution of liability for competition fines.

A highly simplified version of the CJEU’s case law on undertakings in competition law is that undertakings are ultimately not legal entities but economic entities. They are the combination of “personal, tangible and intangible” assets that are used to operate a particular business. As such, an undertaking can cover several legal entities. One well-established consequence of this concept is the so-called parental liability doctrine. It means that parental entities can quite easily be held jointly and severally liable with their infringing subsidiary, even if the parent did not participate in the infringement or was not even aware of it. Another consequence that has been created by the CJEU is the doctrine of economic continuity or economic succession, in which a company that acquires another company’s assets may under certain conditions become liable for the seller’s competition fines. As opposed to legal succession, where a company expressly takes over another company’s liabilities, economic succession may take place involuntarily. If the infringer no longer exists or is no longer able to pay the fine, but another company has acquired its assets and continues its business, then that acquiring company may become liable for the fines as the “economic successor” of the infringer. Again, this can happen even if the successor company took no part in the infringement and was not even aware of it.

Because the GDPR is a relatively new piece of legislation, the CJEU has not yet had an opportunity to rule on whether the attribution of liability is identical for competition fines and GDPR fines. Nonetheless, given the use of the term “undertaking” and the explicit reference to the EU’s competition rules, we consider there to be a high risk that the CJEU will interpret the attribution of liability similarly in both areas of law. Furthermore, the Finnish Office of the Data Protection Ombudsman has recently made public statements that seem consistent with this type of attribution of liability.

So, if the attribution of liability is similar for competition law and data protection law, what does that mean in practice? For the day-to-day operations of a processor or controller of personal data, not much. However, in situations where an infringement of GDPR has taken place, it would usually be difficult to limit the liability to the infringing company’s assets because its parent company can often also be held jointly and severally liable. For corporate acquisitions, it means that the liability for GDPR fines can follow the seller’s assets in an asset purchase, even if the parties have not agreed on it and even if they have expressly agreed against it. This increases the importance of a proper data protection due diligence as well as sufficient contractual safeguards between the buyer and the seller in the purchase agreement. Nevertheless, though the level of GDPR fines in Finland so far seems to be near the lower end of the scale, the risk of transferring data protection liabilities is an issue to be carefully examined in every transaction. As always, the first step is to be aware of the existence of the risk so that it can be identified and controlled to the extent possible under particular circumstances.

More by the same author

Quo vadis, GDPR enforcement? Tide is turning and it could affect your business

Just before the summer, around EU’s General Data Protection Regulation's (“GDPR”) birthday, it is usually a time to reflect at the past year and assess the functionality of the GDPR. Now that our beloved regulation has been applicable law for over 3 years, the discussion has shifted from the general interpretation and functionality of data… Read more

European Commission adopts new standard contractual clauses for data transfers

On Friday 4 June, the European Commission adopted new standard contractual clauses ("SCCs") to be used in cross-EU border processing of personal data. The new SCCs entail a general facelift and update as compared to the existing clauses and, in particular, the new clauses align with the requirements for data transfers following the Schrems II… Read more

Private equity investor fined for portfolio company’s competition infringement

The long-running competition law saga between the European Commission and The Goldman Sachs Group Inc. ("GS") recently concluded with a sharp reminder from the European Court of Justice ("ECJ") that in EU competition law, liability for infringements can readily be expanded to parent entities, including private equity investors. More unusually, the ECJ confirmed GS's joint… Read more

Latest insights

Lawyers and the Art of Negotiation

Article / 28 Jun 2021

Summer '21 marks the beginning of the end for single-use plastics in Europe

Article / 28 Jun 2021