The issue of whether a fine for an infringement of the EU General Data Protection Regulation (“EU GDPR”) committed by a subsidiary should be based on the turnover (sales) of the subsidiary’s parent company is currently before the European Court of Justice (“the European Court”). If the European Court gives an affirmative answer to this question then a subsidiary would face a significantly higher fine than if the fine were based on the turnover of the subsidiary. The issues at stake relate to EU competition/anti-trust law – we have previously written about the interplay between Competition/Anti-Trust Law and Data Protection/Privacy Law here: https://www.corderycompliance.com/atl-dpl-0823-04/. This article briefly highlights the key points in the case.
What’s the factual background to the case?
The Danish company ILVA A/S (“ILVA”) is a subsidiary of the Lars Larsen Group. The group’s total turnover in the 2016/2017 financial year was 6.57 billion in Danish Krone, of which the turnover of ILVA was just under 1.8 billion in Danish Krone.
In February 2021, for infringing EU GDPR, in particular for failure “to fulfil its obligations as controller in relation to the retention of personal data concerning no fewer than 350 000 former customers”, a local Danish court fined ILVA 100,000 in Danish Krone (USD $14,585 / €13,416 / UK £11,500, at today’s rate). The court calculated the fine on the basis of ILVA’s turnover, i.e. not on the basis of the Lars Larsen Group turnover.
The public prosecutor in the case appealed the ruling to a higher Danish court. Acting on a recommendation of the Danish data protection regulator, before the local Danish court the public prosecutor had sought a fine of 1.5 million in Danish Krone, which had been estimated not only on the turnover of ILVA but on the total turnover of the entire Lars Larsen Group – the prosecutor sought the same fine amount before the higher Danish court.
What are the legal issues in the case?
EU GDPR sets out threshold levels for fines for infringements of EU GDPR, including levels based on turnover, which apply to individuals and so-called “undertakings”. An “undertaking” is not defined in EU GDPR. However, EU GDPR (at Recital 150) states that, in the context of EU GDPR fines, the meaning of “undertaking” should be understood in accordance with EU (treaty) competition law rules. Although those EU (treaty) competition rules refer to “undertakings”, they don’t themselves actually define the meaning of “undertaking”. Broadly speaking, however, EU secondary competition law and regulatory practice, along with the case-law of the European Court, consider that an “undertaking” includes “undertakings” in the same group, and that when a fine is imposed (for infringing EU competition rules) the total (worldwide annual) turnover of the group can be considered (as opposed to the turnover of just an “offending” subsidiary).
It seems that none of the Danish, French, German or English language versions of EU GDPR helps clarify whether, when setting a fine for an infringement of EU GDPR by an “undertaking”, regard should be had to the turnover of the overall group of which a company is a part. In order to reach a decision in the appeal, the higher Danish court has therefore stayed the case and is using the so-called “preliminary reference procedure” to ask the European Court for an interpretation of EU law as regards whether:
- Under EU GDPR “the term ‘undertaking’ covers any entity engaged in an economic activity, regardless of that entity’s legal status and the way in which it is financed?”; and,
- If the answer to the question above is “yes”, must EU GDPR “be interpreted as meaning that, when imposing a fine on an undertaking, regard must be had to the total worldwide annual turnover of the economic entity of which the undertaking forms part, or only the total worldwide annual turnover of the undertaking itself?”.
It is also worth noting that the European Data Protection Board states in its “Guidelines 04/2022 on the calculation of administrative fines under the GDPR, Version 2.1, Adopted on 24 May 2023” that “in cases where the [data] controller or [data] processor is (part of) an undertaking in the sense of [the EU treaty competition law rules], the combined turnover of such undertaking as a whole can be used to determine the dynamic upper limit of the fine […]”.
What are the next steps?
It may take anywhere between 18 months and 2 years from this summer 2023 for the judgment in this matter to be issued, prior to which there will first be an Advocate-General’s Opinion and a hearing.
What are the takeaways?
This is a case that has been waiting to happen and the outcome will be very important as regards the basis on which subsidiaries can be fined for data protection infringements, notably because of the possibility of higher fines on subsidiaries.
It will also be interesting to see how deeply the European Court goes into the two questions it is being asked, notably as to whether it will follow its thinking in competition/anti-trust law where, broadly-speaking, the court has ruled that when a parent company exercises “decisive influence” over the conduct of its subsidiary, the two entities in effect constitute a single “undertaking” and can therefore in effect be held jointly liable for a competition/antitrust infringement and fine – can the same be said for an EU GDPR infringement?
Businesses should therefore keenly follow how the case pans out – watch this space.
We report about data protection issues here: https://www.corderycompliance.com/category/data-protection-privacy/.
The official summary of the case before the European Court can be found here: https://curia.europa.eu/juris/fiche.jsf?id=C%3B383%3B23%3BRP%3B1%3BP%3B1%3BC2023%2F0383%2FP&nat=or&mat=or&pcs=Oor&jur=C%2CT%2CF&for=&jge=&dates=&language=en&pro=&cit=none%252CC%252CCJ%252CR%252C2008E%252C%252C%252C%252C%252C%252C%252C%252C%252C%252Ctrue%252Cfalse%252Cfalse&oqp=&td=%3BALL&avg=&lgrec=en&parties=Ilva&lg=&cid=2394099.
The European Data Protection Board “Guidelines 04/2022 on the calculation of administrative fines under the GDPR, Version 2.1, Adopted on 24 May 2023” can be found here: https://edpb.europa.eu/our-work-tools/documents/public-consultations/2022/guidelines-042022-calculation-administrative_en.
For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1784
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 347 2365