During the coronavirus crisis, COVID-19 apps became popular. These apps allowed users to be notified when they had (potentially) been in contact with corona patients. Due to their nature, the COVID-19 apps encountered many (privacy) concerns. In Lithuania, the Ministry of Health had commissioned a party to develop a corona app after a public tender. Importantly, the Ministry decided not to buy the application in the end. Nevertheless, both the app builder and the Ministry were fined by the Lithuanian Data Protection Authority for violating several articles of the GDPR. The Ministry decided to challenge the fine, partly because it argued that it was not a data controller for the data processing operations in the application. The national court submitted a request for a preliminary ruling to the Court of Justice of the European Union. The national court inquired when a party qualifies as a data controller and whether a fine can be imposed for a GDPR violation without a deliberate act or omission by a party. This article discusses the Opinion of the Advocate General Emiliou in case C-683/21 Nacionalinis visuomenės sveikatos centras that was delivered in this case on 4 May 2023.
In March 2020, the Lithuanian Minister of Health decided to commission the National Public Health Centre of the Ministry of Health (hereinafter, ‘NVSC’) to develop the mobile COVID-19 application KARANTINAS. This was a so-called corona application, which informed individuals if they had been in contact with or in the vicinity of corona patients. After a public tender, the company IT sprendimai sėkmei UAB (hereinafter ITSS) was chosen to develop the application. KARANTINAS was made available in various app stores in early April. Due to lack of funding, the NVSC canceled the deal, but KARANTINAS remained available in the app stores.
NVSC asked ITSS not to include NVSC data and not to refer to NVSC in KARANTINAS. However, the publicly available version listed NVSC as a data controller together with the ITSS. In addition, an earlier concluded confidentiality agreement between the parties also identified both of them as controllers.
In April, the Lithuanian Data Protection Authority launched an investigation into ITSS and NVSC. In the meanwhile, KARANTINAS' operations have been suspended. Almost a year after the start of the investigation, the Lithuanian Data Protection Authority imposed an administrative fine on both ITSS and NVSC for multiple breaches of the GDPR. NVSC decided to appeal the administrative fine.
Questions of law
The case came before the Lithuanian court, which referred six preliminary questions to the Court of Justice of the European Union (hereinafter ‘CJEU’). In his opinion, the Advocate General (hereinafter ‘AG’) grouped the Lithuanian court questions into the following four categories:
- What is the scope of the term "controller"? In determining NVSC's role, is it relevant that the tender procedure was eventually aborted, KARANTINAS was never purchased, and NVSC never approved or authorized the operation of KARANTINAS? (Questions 1 to 3)
- When can two entities be regarded as joint controllers? (Question 5)
- Does the use of personal data during the test phase of a mobile application qualify as data processing (Question 4)?
- Can an administrative fine be imposed on the NVSC for the breach of the GDPR in the absence of any mens rea? (Question 6)
When does processing responsibility exist?
The first three questions of the referring court that have been tackled by the AG relate to the concept of controller under the GDPR. In that respect, the AG first noted that a factual analysis is required to determine who is a data controller. This is in line with the previous case law of the CJEU and the European Data Protection Board (hereinafter ‘EDPB’) Guidelines 07/2020 on the concepts of controller and processor in the GDPR (hereinafter ‘Guidelines’). Thus, to determine whether NVSC should be considered a data controller for KARANTINAS, the actual influence NVSC exercised over the data processing operations in KARANTINAS should be analyzed. In that respect, the analysis should distinguish between the application’s development phase and the use phase. It should also be examined whether NVSC actually established the purpose and means of the data processing operations by KARANTINAS. In this case, AG argued that the CJEU should consider whether the decision to make KARANTINAS available to the public was taken with NVSC's (explicit or tacit) consent. This is because making the application available to the public involves the processing of personal data. Thus, whether NVSC is a data controller for KARANITAS depends on whether it exercised actual influence over the data processing operations.
Notably, according to the AG, an entity, such as NVSC, which initiates the development of an application, can only be considered a data controller if there are sufficient factual elements proving that that entity has exercised influence both on "purposes and means" at the development stage, and on the actual processing of the personal data, i.e., on the making available to the public. It is, of course, up to the referring court to factually test this.
When is there joint processing responsibility?
In his Opinion, the AG examined the question of when joint data processing responsibility exists. He argued that the presence of such a responsibility is subject to two conditions. Firstly, joint controllers must separately qualify as controllers as per Article 4(7) GDPR. Secondly, the controllers' influence over the processing must be exercised jointly. This may, as per the EDPB Guidelines, occur in various forms. Nevertheless, in order for joint processing responsibility to exist, what is decisive is the processing would only be possible with the participation of both parties. The AG left the exact assessment of this issue to the referring court.
Do data processing operations in an application's test phase qualify as processing?
With regard to the fourth question, the AG noted that it makes no difference for the GDPR whether personal data are processed in the context of an application available to the public or for its development. When personal data is processed in a test phase, the GDPR applies to it. Notably, the use of (exclusively) pseudonymized data does not make any difference for the outcome this assessment.
Does the imposition of an administrative fine for the GDPR violation require a fault?
The answer to the last question is arguably the most interesting one. Accordingly, the AG analyzed whether an administrative fine can be imposed on a legal entity that has neither intentionally nor negligently breached the GDPR.
To begin with, the AG argued that the competent regulator must look into two assessments after establishing an GDPR violation. First, it must determine if a fine should be imposed in the first place. Second, the amount of the fine must be determined. Such a twofold assessment is to be conducted on the case-by-case basis, taking into account all the necessary relevant circumstances of the issue in question.
Furthermore, the AG considered that the presence of a fault is a necessary prerequisite for the imposition of a fine. He primarily justified this argument via grammatical interpretation of the GDPR. Accordingly, Article 83(2) GDPR states that the 'serious' omission is considered an aggravating circumstance that can lead to a higher fine. However, the supervisory authority must also always consider mitigating measures taken by an entity to prevent (the risks and consequences of) the breach while determining the fine. The AG also notes that the fine must be punitive in nature, present a high degree of severity, and has to be dissuasive and effective. The fine should, however, also comply with the principle of proportionality. Hence, for the fine to be proportionate, it can only be imposed if the infringement in question occurred intentionally or negligently.
Moreover, the AG stated that the condition of a fault does not jeopardize the effet utile of the GDPR and the protection it provides to data subjects. Indeed, he emphasized that in practice, the threshold for a negligent breach of the GDPR is so low that cases when it is impossible to impose a fine for the mere reason that negligence has not been established are hard to imagine. The objective of ensuring effective enforcement of the GDPR is thus not at risk. The AG also advised the CJEU to follow the example of fining in competition law. He argued that the requirements listed in Article 83(2) GDPR match those which are relevant for determining the amount of a fine in competition law infringement cases.
The AG also underlined that Member States cannot deviate from the aforementioned framework on fines for the GDPR violation. Indeed, to maintain the harmonized framework on protection of personal data and consistent application of the GDPR, Member States should not be given a margin of appreciation to determine whether fault is required for the imposition of an administrative fine. However, they are allowed to specify in their national law procedural conditions on the imposition of a fine.
Lastly, the AG addressed the question of whether a fine can be imposed on a controller in a context where the unlawful processing of personal data was not carried out by the controller itself but by a processor. The AG answered this question affirmatively. A processor processes personal data (exclusively) on the controller's behalf, which makes the controller liable for it. The exception to this rule brought forward by the AG is the when the processor acts outside of the scope of the mandate given to it by the controller. In that case, the processor is to be considered a new controller.
To conclude, it is a clear and straightforward Opinion where the AG has arrived to meaningful conclusions. The answers to the first questions are fully in line with previous CJEU jurisprudence and EDPB Guidelines. The points made by the AG regarding these questions do not bring forward to any new arguments or provides us with any new insights. They do, however, confirm the existing interpretation and application of the GDPR.
By contrast, things get more exciting when the AG addresses the question of liability and fines for the GDPR infringements as this topic has not yet been discussed so extensively in the case law of the CJEU. However, the arguments made by the AG in this respect are logical and consistent with the GDPR and its objectives. It is now up to the CJEU to make its decision on this matter and it remains to be seen whether it decides to follow the reasoning of the AG.
N.B. This article is also available in Dutch on Data & Privacy Web. You can access it via the following link.