No individual enforcement of sanctions against data protection supervisory authorities – Background to a current CJEU judgment
In its decision of 14 March 2024 (Case C-768/21), the Court of Justice of the European Union (CJEU) clarified that data subjects do not have a legally enforceable right against a data protection supervisory authority to demand the imposition of a fine or other remedial measures against those responsible for a data protection breach. This decision clarifies the role and scope of action of supervisory authorities and has far-reaching consequences for the legal protection of data subjects.
Legal framework and the mandate of supervisory authorities
The structure of the General Data Protection Regulation
The General Data Protection Regulation (GDPR), as the core regulatory framework of European data protection law, provides for a graduated system of sanctions and remedial measures in the event of violations of data protection obligations. The primary responsibility for their enforcement lies with the national data protection supervisory authorities. Pursuant to Art. 57 et seq. GDPR, the authorities are obliged to investigate complaints, clarify the facts, and take appropriate measures at their own discretion when violations are identified.
Duties as the ‘guardian’ of data protection law
The role of supervisory authorities is not limited to merely enforcing the law in individual cases. Rather, they act as an independent instance mediating between data subjects and those responsible, ensuring compliance with data protection law. Their activities are characterized by procedural discretion, allowing them to respond appropriately to various violations.
Subject: No individual right to sanctions or remedial measures
Background and CJEU Decision
The judgment was based on a case in which a data subject demanded the imposition of a fine against a controller. The supervisory authority did initiate investigations but did not impose any sanctions. According to the CJEU, the authority is not bound by individual demands in its selection and assessment of measures.
The core of the decision is that while data subjects have a right to effective handling of complaints and information about the outcome of their complaint, they cannot assert a specific claim to a particular measure — such as a fine. The selection and severity of any sanctions rest within the authority’s discretion.
Reasoning of the Court
The judges emphasized that the sanction provisions of the GDPR primarily protect public interests and do not primarily regulate individual compensation or satisfaction claims. If a data protection violation is established, the authority is instead obliged to take appropriate measures within its discretion. The decision on the nature and amount of a sanction is made independently of the wishes of the data subject.
Implications for the legal protection of data subjects
Rights of the data subject
Data subjects can still lodge complaints and request thorough investigations. In the event of a complaint, the competent supervisory authority is obliged to review the facts objectively and communicate the outcome. However, there is no enforceable right to the imposition of a specific sanction. If the data subject wishes to take further action against controllers, the path remains open through a civil law claim for damages, which must be asserted separately.
Significance for practice
For companies, public bodies, and other data processors, the decision provides greater legal certainty in dealing with requests and complaints from data subjects. In the area of internal corporate compliance and supervisory proceedings, the discretion of the authorities must be taken into account. Data subjects, on the other hand, must expect that they cannot force the sanctioning of a controller, but are dependent on the authority’s own discretion.
Outlook and ongoing developments
The judgment highlights the limits of individual legal protection in European data protection law. This strengthens the role of supervisory authorities, whereas the enforcement of individual claims for compensation or the ordering of fines remains subject to special legal provisions and separate court proceedings. It remains to be seen how national courts and authorities will implement the decision in practice and to what extent any need for adjustment in the area of complaint procedures will be identified.
If you have further questions regarding data protection issues, regulatory procedures, or sanction practices, the Rechtsanwalt at MTR Legal will be pleased to provide you with sound legal advice and many years of experience in data protection law.
Source:
EuGH, Urteil vom 14.03.2024, C-768/21, https://curia.europa.eu/juris/document/document.jsf?docid=284844
