Aon | Professional Services Practice
Release Date: July 2021
Is the privacy pendulum swinging? European courts overturn some GDPR fines
Three years after its enactment, enforcement of the European Union General Data Protection Regulation (GDPR) has been successfully challenged in some cases, with regulators also reducing a number of significant fines that they originally imposed.
In 2020 alone, European data protection authorities levied some 340 fines amounting to over €170 million, approximately 130% more than the total fines (€73 million) issued during the 20-month period following the GDPR’s enactment in May 2018.
However, companies have also succeeded in challenging, and in some cases overturning, significant fines. These successful legal challenges are influencing how the GDPR is enforced.
Below is a brief overview of some high-profile GDPR fines that were overturned or considerably reduced:
- In February 2021, the Regional Court (Landgericht) of Berlin overturned a €14.5 million GDPR fine against real estate firm Deutsche Wohnen SE, ruling that the penalty notice had not been sufficiently substantiated because the regulator had failed to name an individual employee responsible for the violation. The Berlin Commissioner for Data Protection and Freedom of Information has asked the public prosecutor to appeal the decision.
- In December 2020, the Federal Administrative Court of Austria (Bundesverwaltungsgericht) annulled an €18 million GDPR fine against the Austrian Post (Österreichische Post AG). Staff at the Austrian Data Protection Authority (Datenschutzbehörde) had reportedly been unaware of a new legal requirement that violations be attributed to specific individuals.
- In November 2020, the Regional Court (Landgericht) of Bonn reduced a €9.55 million GDPR fine against German telecom company 1&1 by over 90% to €900,000. The court ruled that the penalty was excessive and questioned the turnover model used by the authorities in calculating the fine.
- As we noted in “Why should business leaders be concerned about GDPR fines?”, the UK’s Information Commissioner’s Office (ICO) significantly reduced two high-profile fines against British Airways (BA) and Marriott International Inc. in October 2020. The Marriott fine was reduced by 81% to £18.4 million (from £99 million), and the BA fine was reduced by 89% to £20 million (from £183 million). The ICO reportedly took the economic impact of the COVID-19 lockdown into account in making these decisions.
[Figure: Timeline of Notable GDPR Fines, May 25, 2018 to June 2021]
Overview and discussion
The potential for large fines under the GDPR regime is a concern for business leaders, and companies have overhauled their privacy programs to protect themselves against potential enforcement actions.
The precedents from Austria and Germany demonstrate that legal challenges may be a viable option for companies faced with GDPR fines. Courts have also overturned GDPR fines in other European jurisdictions, such as Belgium and Poland.
The court rulings in these jurisdictions may also restrain data protection authorities in their enforcement. Requirements to name individual people, or to associate violations with specific employees, may complicate matters for regulators, given the complex corporate structures of some companies.
Errors by regulators, for example in applying the calculation model for fines (as in the 1&1 matter), may also result in significant reductions. Some privacy regulators are reportedly investing considerable effort and time to limit such mistakes.
Other regulators, such as the Irish Data Protection Commission, have been criticized for conducting many lengthy high-profile investigations (for example, into Facebook) that have not led to enforcement actions.
Aon’s Professional Services Practice will continue to monitor major developments relating to the enforcement of the GDPR and its overall impact on the data privacy landscape.