Case note: The duty to handle complaints, but how?, by Lisette Mustert

Introduction

In the first years after the entry into force of the General Data Protection Regulation (GDPR) it has become apparent that large differences in GDPR enforcement exist among the Member States (Mustert 2023). Reasons for these differences and the subsequent risks of under-enforcement are often found in the complexity of the enforcement mechanism and the interaction between EU and national procedural law (see e.g. the EDPB’s letter to the Commission of 2022). However, the role of the EU legislature, which drew up the GDPR in a manner leaving a lot of discretion to data protection authorities (DPAs) in determining how to enforce the GDPR, should not be underestimated. While the Court of Justice of the EU (CJEU) has now clarified in the SCHUFA Holding case that the GDPR requires DPAs to deal with complaints regarding personal data breaches (see joined Cases C-26/22 and 64/22), the CJEU leaves open how DPAs shall do this. In the more recent TR v Land Hessen case, Advocate General Pikamäe identifies a subsequent obligation for DPAs to act where a complaint-based investigation proves a violation of the GDPR (see the opinion of A-G Pikamäe in Case C-768/21). Again, however, how this action shall take shape is up to the DPAs to decide, within the limits of EU law.

The question as to whether and how a data protection authority shall act

Data subjects have the right to lodge a complaint with a national DPA, which shall be handled by this DPA and investigated to the extent appropriate (Article 57(1)(f) GDPR). In the SCHUFA Holding case, the CJEU interpreted this provision as an obligation for DPAs to deal with complaints, which cannot be ignored (Joined Cases C-26/22 and 64/22, para. 56). This conclusion solves a perennial issue in the area of personal data protection, where complaints are often handled only when a complaint points at a serious or systemic data protection violation (Mustert 2023). Such prioritization policies are detrimental to a consistently high level of personal data protection throughout the EU. In line with this judgment, Advocate General Pikamäe concludes in his opinion in the case TR v Land Hessen that a DPA has an obligation to act when it finds a personal data breach in the course of investigating the complaint. In the words of the Advocate General, “the complaints procedure would serve no purpose if the supervisory authority could remain passive in the face of a legal situation contrary to EU law” (A-G Opinion in Case C-768/21, para. 42).

Beyond confirming the duty to deal with complaints, the CJEU did not waste many words in the SCHUFA Holding case on how a DPA should deal with a complaint. Instead, the CJEU concluded that DPAs enjoy a margin of discretion with regard to the handling of complaints, as long as they “react appropriately in order to remedy the shortcomings found” (Joined Cases C-26/22 and 64/22, para. 57, emphasis added). This requires, inter alia, that DPAs act with all due diligence. The Advocate General continues from there in his opinion in the case TR v Land Hessen, by highlighting that DPAs have latitude to choose the measure “capable of bringing the situation back into compliance with EU law” (A-G Opinion in Case C-768/21, para. 45). Three matters require further attention here.

Remedying or sanctioning the ‘shortcomings’ or ‘inadequacies’

First, both the CJEU and the Advocate General place a lot of emphasis on ‘restoring the situation’, or ‘remedying shortcomings’ or ‘inadequacies’. The Advocate General, for example, argues that a DPA can decide not to take action, e.g., where this is not ‘necessary’ because the problem has been resolved in the meantime or has ceased to exist. On the one hand, this seems in line with the GDPR – see e.g. all references that the CJEU and Advocate General make to recitals and provisions within the GDPR that leave discretion to the DPAs to adopt corrective measures (such as Recital 129 and Article 58(2) of the GDPR). However, the GDPR is ambiguous in this respect, as it also requires ‘strong enforcement’ and provides for the imposition of punitive measures (see Recital 7 and Article 83 of the GDPR). An administrative fine could be considered, for example, on the basis of the intentional or negligent character of the infringement, or the nature, gravity and duration of the infringement. Such administrative fines are likely to have a punitive character and need to be dissuasive (see Article 83(1) of the GDPR). Hence, even where an infringement has been brought to an end, an administrative fine can nevertheless be considered in order to establish both a general and a specific deterrent effect (see Case C-544/11 P, para. 94). While the Advocate General acknowledges the latter and refers to the different factors that a DPA shall take into account to determine whether an administrative fine is necessary, he nevertheless concludes that the system of sanctions which the legislature provided for is flexible and differentiated (A-G Opinion in Case C-768/21, para. 70). This conclusion points at a pertinent issue regarding GDPR enforcement: the discretion that the Regulation leaves to DPAs when choosing a particular corrective measure.
One can raise serious doubts about this flexibility in a Regulation that aims to protect a fundamental right (see Princen and Luchtman 2023) – especially in light of the constitutional obligation for DPAs to ensure compliance with this fundamental right (Brito Bastos and Pałka 2023). The scale of this concern seems, however, not to be recognized by the CJEU and the Advocate General, especially when they refer to violations of the fundamental right of the protection of personal data merely as ‘shortcomings’ or ‘inadequacies’.

Limits to the DPAs’ discretion

Secondly, the CJEU places a lot of weight on the duty for DPAs to act with all due diligence when determining how to handle a complaint (Joined Cases C-26/22 and 64/22, para. 57). While the discretion discussed above is indeed limited, inter alia, by general principles of EU law such as the duty of care, due diligence, or sincere cooperation, these boundaries may have limited impact where DPAs act first and foremost in accordance with their own national procedural laws and safeguards (Mustert 2023). While cooperation between DPAs in cross-border cases may, nevertheless, be of help in reaching a more consistent level of GDPR enforcement, experiences with this cooperation mechanism have shown many deficiencies too (Gentile and Lynskey 2022). While differences in national procedural laws make it difficult – or even impossible – for DPAs to cooperate with authorities in other Member States, the outsized role that the GDPR grants to the lead DPA forms another pressing problem. The latter concern stems from the fact that the GDPR’s cooperation procedure is the least proceduralized process under the GDPR, allowing DPAs to interpret their cooperative duties as fits their national laws, strategies and interests. Therefore, the lead DPA can, for example, bar other concerned DPAs from meaningfully participating in and pushing for advancement of the enforcement procedure, for instance by failing to provide relevant information to the other DPAs (Mustert 2023).

A new route to GDPR compliance: ‘autonomous’ measures

Lastly, A-G Pikamäe emphasizes that DPAs may choose to focus on serious cases that deserve priority where minor breaches are, for example, remedied by measures taken by the controller itself – e.g., disciplinary measures against the employee who has committed the infringement, as in the case TR v Land Hessen (A-G Opinion in Case C-768/21, para. 14). In this regard, the Advocate General seems to create an entirely new route to ensure GDPR compliance, for which he even sets out specific requirements. Hence, in the words of the Advocate General, a partial ‘delegation’ of the DPA’s tasks is possible in case of (i) express consent from the DPA, (ii) a rigorous examination by the DPA of the situation in light of the safeguards laid down in Recital 129 of the GDPR; and (iii) an agreement with the entity that is to carry out the autonomous measure, which provides for the DPA’s right to intervene if its instructions are not complied with (A-G Opinion in Case C-768/21, paras. 51-53). This last point seems unnecessary, as Article 31 of the GDPR already requires the controller and/or processor to cooperate with the DPA in the performance of its tasks, and a failure to do so can be subject to a high administrative fine (see Article 83(4) GDPR).

Such a route to compliance seems to point at the Advocate General’s preference for remedying rather than sanctioning GDPR violations. While this may be in line with the GDPR’s requirement to adopt only measures which are necessary, this route risks becoming a new avenue for DPAs to circumvent their responsibilities – especially where no consensus exists on which cases are minor and which are not. Furthermore, clarification would be needed on how such measures are to be applied in a cross-border context, in order to prevent these cases from short-circuiting the one-stop-shop and cooperation mechanism. While the Advocate General clarifies that DPAs shall not circumvent the supervisory system put in place by the GDPR (A-G Opinion in Case C-768/21, para. 53), it is doubtful whether this phrase alone is enough to ensure that.

Data subjects do not have a right to request a particular corrective measure

In the TR v Land Hessen case, the question has also been raised whether a complainant can require the DPA to adopt a specific measure. This possibility is generally ruled out by the Advocate General, and especially in the context of measures that aim to punish conduct considered contrary to EU law, a right that belongs exclusively to the State and its organs (A-G Opinion in Case C-768/21, para. 77). The Advocate General acknowledges, however, that certain criteria listed in Article 83 of the GDPR suggest that the position of the data subject should be taken into account as well – such as the damage suffered. Hence, while the Advocate General recognizes no right in the GDPR for a data subject to request the adoption of a particular measure, he does recognize the possibility for a data controller or processor to take matters into its own hands by means of autonomous measures, as discussed above. The Advocate General’s conclusion seems in line with the position of the Commission in its proposal for a Regulation laying down additional procedural rules relating to the enforcement of the GDPR – see especially recital 25, in which the Commission clarifies that the investigation into an alleged violation does not constitute an adversarial procedure between the complainant and the parties under investigation.

Outlook

Both the Advocate General and the CJEU have by now confirmed the duty of DPAs to deal with complaints, and to act upon proven violations of the right to the protection of personal data. This obligation follows from various interpretations of the GDPR – the CJEU engaged in a literal, contextual and teleological interpretation in SCHUFA Holding. However, the GDPR is not clear on how DPAs shall handle such complaints. While boundaries can be found in general principles of EU law or in the duty for DPAs to cooperate with counterparts in other Member States, discretion remains for DPAs in deciding how to take action. While the EU Commission recognized these concerns, its proposal seems to fall short on posing stricter limits to the DPAs’ discretion (Mustert 2023a). One can now only hope either that this proposal will undergo substantial changes in the versions of the Parliament and the Council, or that the CJEU takes a stronger stance regarding the substance of complaint handling in its judgment in the TR v Land Hessen case.

Posted by Lisette Mustert (Assistant Professor of Administrative Law, Utrecht University).