“Poena Sine Culpa” in Data Protection Law? On The Validity and Scope of the Principle of Culpability in the Imposition

Thomas  Hoeren  Philip  Mayer  Gesa  Schenke

Journal №2 (2024)
“Poena Sine Culpa” in Data Protection Law? On The Validity and Scope of the Principle of Culpability in the Imposition
∘ Thomas Hoeren ∘ Philip Mayer ∘ Gesa Schenke ∘

Abstract

In the preliminary ruling proceedings in the Deutsche Wohnen case from 2023, the ECJ clarified that the supervisory authorities must be able to prove fault towards the controller when imposing fines in accordance with Art. 83 GDPR. Depending on how the decision is read, the Court thus rejected the calls for strict liability. Meanwhile, the Berlin Court of Appeal, which referred the case to the ECJ, took note of the decision and referred it back to the competent Berlin Regional Court by order of 22 January 2024, which must reassess the legality of the fine in light of the Court's requirements. The decision of the Court of Appeal gives cause to recapitulate the principles established by the ECJ and - as will be shown - to apply a different reasoning than that chosen by the Court of Justice. The ECJ derived the culpability requirement from a methodologically correct interpretation of Art. 83 GDPR and the general system and objective of the General Data Protection Regulation (GDPR) and thus from secondary law. The following article examines whether the culpability requirement does not already follow from primary law, which is superior in terms of normative hierarchy, insofar as fines under the GDPR are criminal sanctions within the meaning of primary law. In the course of this, the article will deal with the anchoring of the principle of fault in EU law and the case law of the ECtHR on the principle of nulla poena sine culpa.

See in detail: