No GDPR fines for public sector bodies at all? No discrimination, and no problem!
The GDPR has been able to claim the spotlight in Europe for many different reasons. One of these is undoubtely the magnitude of its fines in case of violations. Theoretically, the GDPR allows administrative fines for an amount up to 20 000 000 EUR, or up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher. In a policy domain – data protection – that notoriously lacked serious muscle prior to the GDPR, the introduction of these fines was a true gamechanger.
The playing field isn’t entirely level, though. The GDPR notes explicitly that “each Member State may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State” (article 83.7). In many respects, this makes sense. After all, fines are in principle paid to the state, and fining a public sectory body thus essentially amounts to moving tax payer money from one authority to another. That argument is of course not entirely persuasive, since a fine can also rob a public body of a part of its budget in the same way as a private entity, thus granting a fine a dissuasive power that other sanctions may lack. But then, if a fine under the GDPR lowers the budget of a public sector body, doesn’t that also impair its ability to serve the public interest by completing the task it has been set? It’s quite the conundrum for law makers.
In Belgium, a general exemption was introduced into national data protection law, protecting all public sector bodies from any administrative fines under the GDPR. This has understandably led to some controversy, since there are quite a few situations where publicly funded bodies compete directly with highly comparable private sector counterparts – consider e.g. the cases of publicly funded schools or hospitals, versus privately funded ones. With a blanket waiver of fines for the public sector, the exact same violation under the GDPR with the exact same impact on its victims would result in a fine for the private group, and no fine for the public one.
The Belgian Federation of Belgian Enterprises (Verbond van Belgische Ondernemingen – Fédération des Entreprises de Belgique) therefore introduced a procedure before the Belgian Constitutional Court, arguing that the general exemption of fines for public sector bodies constituted an unlawful and disproportionate discrimination, and therefore that this section of the law should be struck down. In a ruling on 14 January 2021, the Court rejected this position, noting that the discrimination was proportionate and justified due to the necessity of ensuring the continuity and quality of public service. In other words, the Court accepted that the GDPR’s provisions in relation to public sector fining could legitimately be interpreted as permitting a blanket exemption from all fines for public sector bodies. A request to submit a formal question on the matter to the European Court of Justice was denied, on the grounds that the Belgian interpretation could not possibly be considered a violation of European law.
The ruling was, for obvious reasons, very much welcomed by public authorities at all levels. It is of course possible that, at some point in the future, the aforementioned scenario occurs in real life, and that two identical incidents result in a substantial fine for a private body and a mere caution for a public sector body, in which case the private body may decide to take the matter directly to the Court of Justice. In the meantime however, the GDPR’s bite is significantly stronger for some parties than for others.
Article provided by: Hans Graux (Time.lex, Belgium)
Dr. Tobias Höllwarth (Managing Director INPLP)