Advisor to the CJEU Confirms GDPR Fines For Subsidiary Infringements Should Reflect Group Turnover

On 12 September 2024, Advocate General Medina issued their Opinion in Case C-383/23 (Opinion) in which they confirmed that supervisory data protection authorities (SAs) must, when calculating the fine for a GDPR infringement committed by a subsidiary, take into account the total annual turnover of the entire group—a concept known as parental liability.

Determining the Fine

The Opinion provides that where an infringing controller or processor forms part of a group of companies which satisfies the concept of an “undertaking” within Articles 101 and 102 TFEU, SAs should take into account the total annual worldwide turnover of the undertaking as a whole, when determining the maximum fine as well as the actual fine to be imposed.

The Opinion outlines a two-stage process that SAs should follow to calculate the appropriate level of fine.

Step 1: Determine the maximum fine – does the controller or processor form part of an “undertaking”?

To determine if a group of companies forms an “undertaking” for the purposes of Articles 83(4) and (5) EU GDPR, the Opinion explains that SAs should consider whether the parent company exercises decisive control over its subsidiaries. Relevant information could include operational links between the entities, powers of the parent company to influence governance including board appointments and calling meetings, and legal, contractual and financial arrangements.

Step 2: Determine the actual fine – consider the specific circumstances of the individual case

Article 83(2) EU GDPR requires SAs to have “due regard” to the specific circumstances of the case by considering the elements listed therein to ensure the fine imposed is sufficiently “effective, proportionate and dissuasive” (Article 83(1) EU GDPR). At this stage, the concept of an “undertaking” could be used as one of the relevant factors for setting the level of fine. For example, if the SAs determine that the parent company played a role in the violation committed by the subsidiary, this may increase the actual fine set by the SA.

In Practice

Whilst this Opinion does not represent a change in position by the Court of Justice of the European Union (CJEU), it adds to a growing body of case law regarding the doctrine of parental liability. The European Data Protection Board (EDPB) has previously taken a firm view on parental liability under the EU GDPR, overseeing significant fines of EUR 225 million and EUR 345 million in recent years for infringements by subsidiaries, despite continued legal challenges from global companies regarding the application of fining principles by SAs.

Next Steps

The CJEU will now consider the Opinion and provide its ruling in Case C-383/23, a process which can take a number of months. Although the Opinion is not binding on the Court, the Court typically follows the conclusions of the Advocate General and uses them as the basis of its final judgment.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.