On December 5, 2023, the European Court of Justice (ECJ) issued two decisions that lower the overall threshold for liability imposed upon controllers under the EU's General Data Protection Regulation (GDPR) and provide useful clarification on which entities may be liable for GDPR violations.
One of the main issues addressed by the ECJ is the definition of "controller" under the GDPR. The ECJ adopted a broad and functional approach to this concept and clarified that an entity can be a controller even if it did not perform the data processing itself provided that it exerted influence over the processing for its own purposes. This means that public and private entities alike could be controllers of personal data collected and processed by, for example, a mobile app, even though it did not develop or own the app.
Further, the ECJ clarified the concept of “joint controllers” (when two or more entities jointly determine the purposes and means of personal data processing), explaining that a formal arrangement between the entities is not necessary to establish joint controller status, provided there is evidence of participation in the decision-making process. This implies that entities collaborating or cooperating in data processing activities could be held jointly liable for GDPR violations.
The ECJ also affirmed that “processing” under the GDPR has a broad scope, and that it includes the use of personal data for testing purposes unless the personal data is anonymous or fictitious. This could have significant implications for software development (potentially even in the artificial intelligence space), as even use of personal data for non-released or non-commercial software could implicate GDPR requirements.
With regard to potential fines under the GDPR (which can be up to 20 million euros or 4% of a company's global annual turnover, whichever is higher), the ECJ found that fines should only be imposed where it can be shown that a controller or processor acted “intentionally or negligently.” This standard is assessed objectively - asking whether the controller or processor should have been aware of their violation of the GDPR, regardless of their actual subjective knowledge of the infringement. Further, management of a “legal person” (i.e., a company) does not necessarily need to be aware of the wrongful conduct for the company to be held liable. Under the GDPR, a legal person is responsible for acts committed by “any other person acting in the course of business of that legal person and on its behalf.”
The two decisions will have a significant impact on the GDPR enforcement within the EU as they expand the scope of who can be considered a controller or a joint controller, clarify the liability assessment between controllers and processors, limit the ability to impose fines without showing fault, and make clear that non-material harm is compensable for GDPR violations. They also promote greater consistency and coherence in the interpretation and application of the GDPR across the EU and enhance the protection of the rights and interests of data subjects.
/Passle/655dcaac6d480d2e47438266/SearchServiceImages/2024-04-17-21-26-58-068-66203ea2326ad244c0dbf36a.jpg)
/Passle/655dcaac6d480d2e47438266/SearchServiceImages/2024-02-22-06-07-13-414-65d6e491f044e8ffe34bb259.jpg)
/Passle/655dcaac6d480d2e47438266/SearchServiceImages/2024-02-22-01-01-42-943-65d69cf6e32bf99d3fbd327b.jpg)
/Passle/655dcaac6d480d2e47438266/SearchServiceImages/2024-02-13-16-38-00-734-65cb9ae8a663ca0e2ecf87be.jpg)