Administrative authorities may impose millions in fines

Date: 30 January 2018

As is well known, the new Austrian data protection regime provides for exorbitantly high fines of up to EUR 20 million or 4% of worldwide group sales, to be imposed by the data protection authority itself from 25 May 2018. There were massive constitutional objections to this new penal competence because of the level of punishment. Now, however, the Constitutional Court (VfGH) has clarified in a parallel case that even administrative authorities may impose fines in the millions:

As the DORDA data protection team has already reported in the past (see e.g. here), the system for imposing fines in the new Austrian Data Protection Act 2018 (Sec 30 DPA 2018 in the version of the Data Protection Amendment Act 2018) is based on the almost identical regulation of Sec 99d Banking Act (BWG). Essentially, this means that the Financial Market Authority ("FMA") may impose fines of up to 10% of the Group's annual turnover in the event of infringements of the Banking Act, and thus in individual cases fines in the millions. Since the end of 2016, the VfGH had been reviewing the constitutionality of this regulation. In particular, the question was whether the imposition of such high penalties required the jurisdiction of the (criminal) courts (and not an administrative authority). In its earlier case law, the VfGH had stated that even significantly lower penalties, specifically the equivalent of around EUR 145,000 in 1995, could only be imposed in ordinary court proceedings (VfSlg 14,361/1995).

Now, shortly before the deadline for application of the GDPR, the VfGH has decided on the admissibility of Sec 99d BWG and, surprisingly, deviates completely from its previous case law: it allows administrative authorities to impose fines of up to several million euros (full text of the decision here). The High Court justifies this by the fact that the amount of the threatened sanction alone is not decisive. After all, the appeal against penal decisions of the first instance, which was introduced in 2014, provides sufficient legal protection: in the second instance, the administrative court now decides through independent judges who are not subject to instructions. This means that the penal system is also permissible under European law.

The VfGH has thus made it clear on the merits that administrative authorities can lawfully impose penalties in the millions. Due to the parallel situation under the new data protection regime and the explicit reference of the DPA 2018 to Sec 99d BWG, the decision also has a direct effect on the assessment of the penal competence of the data protection authority. It can therefore be assumed that the imposition of fines under the GDPR and the DPA 2018 is in principle permissible within the planned administrative structure (i.e. an administrative authority that is both prosecutor and judge) and at the prescribed level.

Nevertheless, the fundamental decision does not dispel all concerns about the penal provisions of the new data protection regime: in contrast to banking law, the future penal framework for data protection infringements is up to EUR 20 million, even for small companies (and even for individual entrepreneurs), irrespective of group sales. The imposition by the data protection authority of fines in the millions that are independent of turnover and threaten the very existence of the company could therefore, at least in individual cases, be inadmissible and thus unconstitutional as a whole.

The confirmation of the admissibility of the penal system makes the correct and timely implementation of the necessary measures under the GDPR even more pressing. It is therefore all the more important to use the remaining time efficiently and purposefully.