Whose fault is it anyway?

The Advocate General of the European Court of Justice (CJEU) has issued an opinion that he rejects the concept of “strict liability” for alleged EU GDPR violations, which could mean that data protection authorities (DPAs) will have to prove that an individual within an organisation was responsible for an EU GDPR violation before they can impose a fine.

The Advocate General’s opinion is based on the text of the EU GDPR, which states that fines can only be imposed if there is “fault” on the part of the organisation. The Advocate General argues that this fault must be personal to an individual within the organisation and cannot simply be a failure of the organisation as a whole.

The Advocate General’s opinion is significant because it could impact how DPAs enforce the EU GDPR. If the CJEU agrees with the Advocate General, it will mean that DPAs will have to be more careful about the evidence they gather before imposing fines, potentially making it more difficult for DPAs to obtain significant fines. Still, it could also help to ensure that fines are only imposed on organisations that are truly responsible for EU GDPR violations.

The CJEU is expected to issue its final ruling on this case in the coming months.