CJEU redefines GDPR fines and tightens data protection standards

The CJEU has clarified when national supervisory authorities may impose fines for GDPR infringements, setting a common standard across the EU. Two landmark rulings confirm that fines are reserved for violations committed intentionally or negligently, and that the fine ceiling is measured against the turnover of the whole corporate group. Companies inside and outside the EU that process the data of EU residents face increased scrutiny.


The Court of Justice of the European Union (CJEU) has issued a significant ruling that clarifies the conditions under which administrative fines may be imposed for infringements of the General Data Protection Regulation (GDPR). The decision answers questions referred by national courts in two cases, one originating in Lithuania and one in Germany, which asked when a controller can be held liable for a fine.

The judgment establishes two points. First, a national supervisory authority may impose an administrative fine only where the infringement was committed wrongfully, that is, intentionally or negligently; an infringement alone, without culpability, is not enough. Second, where the fined entity belongs to a group of companies, the fine must be calculated by reference to the turnover of the group as a whole, not merely that of the individual subsidiary. The maximum fine therefore reflects the economic scale of the entire group, which matters whenever subsidiaries or related companies are implicated in a GDPR infringement.

Why does it matter?

The CJEU's clarification of GDPR fines marks a pivotal shift in data protection enforcement. It gives supervisory authorities a uniform basis for holding entities accountable for infringements, with the focus on negligence or intent rather than on the mere occurrence of a violation. The GDPR reaches beyond the EU: organisations in the UK, the US and elsewhere are subject to it when they offer goods or services to people in the EU or monitor their behaviour, so the ruling affects global businesses as well as EU ones. Because negligence is sufficient for a fine, the practical response is to issue clear, documented data protection directives, train staff on them and monitor compliance closely, since an organisation that cannot show it took reasonable care will struggle to argue that an infringement was not negligent. The ruling signals a higher level of responsibility, and larger potential financial repercussions, for mishandling personal data, and it raises the stakes for compliance programmes and data security practices worldwide.