27 Nov GDPR enforcement: How the GDPR facilitates access to Justice, fights against discrimination, and promotes equality through effective, proportionate, and dissuasive fines

Authors: Kate Francis, Eleonora Margherita Auletta, Andrea Strippoli

Background: A highly contested enforcement scenario

Enforcement of the General Data Protection Regulation (hereinafter GDPR or Regulation)[1] has been highly contested in recent years. Multiple stakeholders have claimed that the GDPR has failed to adequately protect the rights and freedoms of individuals as it nobly aims to do.[2] Such criticisms are well-founded to a certain extent. For example, on 3 October 2023, the Data Protection Authority of Luxembourg – the country which acts as the Lead Supervisory Authority for some of the world’s biggest companies – published its annual report detailing key actions carried out in 2022. Quite shockingly, the report states that the Authority issued fines totaling a mere EUR 48,375.[3]

In an action which may be interpreted as acknowledging enforcement shortcomings, in July 2023, the European Commission proposed a new regulation aimed at streamlining cooperation between European Data Protection Authorities (DPAs) in the context of cross-border cases.[4] The proposed regulation will establish clear procedural rules that the DPAs will follow when applying the GDPR and is intended to both ‘reduce disagreements and facilitate consensus among authorities since the initial stages of the [enforcement] process’.[5]

Despite widespread criticism and the aforementioned examples of potential shortcomings in enforcement, statistically, GDPR enforcement has consistently increased since May 2018 when the Regulation started to apply. To date, over 2,120 enforcement actions have been documented by the ICTLC Research Team. Many of the fines contained in our Case Law Database provide clear examples of how the GDPR has facilitated access to justice and contributed to protecting fundamental rights beyond the rights to privacy and data protection, promoting equality and protecting against discrimination.

Facilitating access to justice in multiple ways

The GDPR facilitates access to justice in multiple ways, three of which are discussed here. Firstly, the GDPR provides for specific protections by allowing ‘risky’ data to be processed only in exceptional cases. Specifically, special category data,[6] including information on religion, sexual orientation, ethnicity, and health may only be processed in a number of exceptional cases. In this sense, the GDPR protects against discrimination and misuse which could impede on equality because if such data cannot be collected, it cannot be used to discriminate against an individual.[7]

Secondly, the GDPR has led to the rise of significant activism in the data protection space. Data protection activists by the likes of Max Schrems and his organization noyb effectively fight for better GDPR enforcement. Their actions have led to both enforcement actions by DPAs and court cases.  Effectively, organizations such as noyb enact what was promised in Article 80[8] and Recital 142[9] GDPR with such organizations ‘de facto and actively… patrolling the internet to find potentially unlawful data processing practices and reporting them to the authorities’.[10]

Thirdly, numerous sanctions have been issued by European which have led to the facilitation of justice.

Enforcement actions: Facilitating access to justice and combatting discrimination

A prime example of the GDPR’s potential to combat discrimination is found in the Bremen DPA’s 2022 fine to a Bremen-based housing company, Brebau GmbH, for EUR 1.9 million.[11] In this case, the housing company was found to have processed the personal data of over 9,500 potential tenants in lieu of a valid legal basis. More specifically, the company processed data which included information on personal appearance such as hairstyle and skin color, as well as information concerning health, ethnic origin, religion, and sexual orientation. The company also failed to answer requests from data subjects. Despite the grave violations of data protection law, the company was fined a lower amount than what it could have been fined for thanks to its high level of cooperation with the DPA and the concrete actions it put in place to mitigate the damages caused by its unlawful and discriminatory processing activities.

Other highly relevant examples come from the Netherlands and the Dutch Data Protection Authority which fined the Tax Administration on multiple occasions for having unlawfully processed the personal data of individuals. In 2021, the Dutch DPA fined the Tax Administration EUR 2.75 million in light of the so-called child benefits scandal which ruined many lives and led to countless individuals wrongfully being required to pay back child welfare benefits, putting their lives in absolute disarray.[12] The Tax Administration used dual nationality for the purpose of combatting organized fraud and used the nationality of applications (Dutch/not Dutch) ‘as an indicator in a system that automatically designated certain applications as risky’ despite such data not being necessary for either purpose.[13] The DPA found that unlawful processing of information on dual nationality of childcare benefit applicants in this case ‘not only infringed the GDPR but also infringed the fundamental right to not be discriminated against. In other words, the unlawful processing (via an algorithm) of one’s nationality has violated the right to equality and non-discrimination’.[14]

In April 2022, the same DPA imposed a EUR 3.7 million fine on the Tax Administration for having illegally processed the personal data of 270,000 individuals for six years in its ‘Fraud Identification Facility’ blacklist.[15] More specifically, in this case, fraud risk analysis was in part based on factors such as nationality, physical appearance, donations made to mosques and high medical costs, without any statutory basis for such processing.

The three examples highlighted here clearly demonstrate that the GDPR can and has been used to combat discrimination and even institutional racism embedded into organizational activities.

Conclusion

The GDPR has a significant potential to protect fundamental rights and freedoms, provide access to justice, fight discrimination, and promote equality. As exemplified in the three cases above, GDPR enforcement and the issuance of effective, proportionate, and dissuasive fines have positively contributed to combatting discrimination as a result of unlawful data processing activities. As enforcement of the Regulation accelerates and awareness on the part of the public about the risks of data processing becomes more widespread, it is reasonable to maintain that the number of sanctions issued in relation to data processing activities that lead to discriminatory outcomes will increase. At the same time, privacy activists have positively contributed to GDPR enforcement and will likely continue to play an important role in upholding the rights and freedoms individuals and encouraging enforcement actions by DPA. Organizations should not only carefully evaluate their data processing activities to ensure lawfulness of processing and compliance with the GDPR to avoid the imposition of economic sanctions in relation to discriminatory processing, but also adopt an ethical approach to data processing that goes beyond pure legal compliance, such as that which is promoted by the Maastricht University Data Protection as a Corporate Social Responsibility Framework[16] (UM-DPCSR Framework). In this way, organizations can positively contribute to a better data-driven world.

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

[2] See, e.g., Irish Council for Civil Liberties, ‘5 years: GDPR’s crisis point’, May 2023, https://www.iccl.ie/wp-content/uploads/2023/05/5-years-GDPR-crisis.pdf  and noyb, ‘5 Years of the GDPR: National Authorities let down European Legislator. 85% of noyb cases not decided’, 23 May 2023, https://noyb.eu/en/5-years-gdpr-national-authorities-let-down-european-legislator

[3] National Commission for Data Protection of the Grand-Duchy of Luxembourg, ‘The CNPD paves the way for GDPR certification, engages in European cooperation and prepares for the Digital Package’, 3 October 2023, https://cnpd.public.lu/en/actualites/national/2023/10/rapport-annuel-2022.html. It must be noted, however, that these fines were national cases mostly related to transparency, geolocation, and video surveillance-related violations of the Regulation. Because Luxembourg has very stringent confidentiality rules, the DPA is not endowed with the power to publicize the names of the companies which it fines until following the appeals process.

[4] Proposal for a Regulation of the European Parliament and of the Council laying down additional procedural rules relating to the enforcement of Regulation (EU) 2016/679 (COM/2023/348 final)

[5] European Commission, ‘Data protection: Commission adopts new rules to ensure stronger enforcement of the GDPR in cross-border cases’, 4 July 2023, Press Release, https://ec.europa.eu/commission/presscorner/detail/en/ip_23_3609

[6] Article 9(1) GDPR prohibits the ‘[p]rocessing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation’  unless an exception applies.

[7] This is also confirmed by the Bremen Data Protection Commissioner who stated that, ‘…the GDPR ensures that, in the vast majority of cases, this particularly protected data may not be collected and stored in the first place. Data that has not been collected cannot be misused. In this sense, the GDPR also protects against discrimination.’ See Die Landesbeauftragte für Datenschutz und Informationsfreiheit, Freie Hansestadt Bremen, ‘LfDI verhängt gegen die BREBAU GmbH Geldbuße nach DSGVO’, 3 March 2022, https://www.datenschutz.bremen.de/sixcms/media.php/13/Pressemitteilung%20LfDI%20Bremen.pdf

[8] Article 80 GDPR concerns the ‘Representation of data subjects’ and provides data subjects with ‘the right to mandate a not-for-profit body, organisation or association which has been properly constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest, and is active in the field of the protection of data subjects’ rights and freedoms with regard to the protection of their personal data to lodge the complaint on his or her behalf, to exercise the rights referred to in Articles 77, 78 and 79 on his or her behalf, and to exercise the right to receive compensation referred to in Article 82 on his or her behalf where provided for by Member State law.’

[9] Recital 142 GDPR reads, ‘Where a data subject considers that his or her rights under this Regulation are infringed, he or she should have the right to mandate a not-for-profit body, organisation or association which is constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest and is active in the field of the protection of personal data to lodge a complaint on his or her behalf with a supervisory authority, exercise the right to a judicial remedy on behalf of data subjects or, if provided for in Member State law, exercise the right to receive compensation on behalf of data subjects. A Member State may provide for such a body, organisation or association to have the right to lodge a complaint in that Member State, independently of a data subject’s mandate, and the right to an effective judicial remedy where it has reasons to consider that the rights of a data subject have been infringed as a result of the processing of personal data which infringes this Regulation. That body, organisation or association may not be allowed to claim compensation on a data subject’s behalf independently of the data subject’s mandate.’

[10] Paolo Balboni, ‘Two-sided control’, 11 August 2021 [Paolo Balboni Personal Blog]

[11] Die Landesbeauftragte für Datenschutz und Informationsfreiheit, Freie Hansestadt Bremen, ‘LfDI verhängt gegen die BREBAU GmbH Geldbuße nach DSGVO’, 3 March 2022, https://www.datenschutz.bremen.de/sixcms/media.php/13/Pressemitteilung%20LfDI%20Bremen.pdf

[12] Dutch Data Protection Authority, Tax Administration fined for discriminatory and unlawful data processing, 7 December 2021, https://autoriteitpersoonsgegevens.nl/en/current/tax-administration-fined-for-discriminatory-and-unlawful-data-processing

[13] Ibid.

[14] Ibid.

[15] Dutch Data Protection Authority, Tax Administration fined for fraud blacklist, 12 April 2022, https://autoriteitpersoonsgegevens.nl/en/current/tax-administration-fined-for-fraud-blacklist

[16] Paolo Balboni and Kate Francis, ‘Data Protection as a Corporate Social Responsibility’, 16 March 2022, https://www.maastrichtuniversity.nl/file/20220316um-dpcsrframeworkv33balbonifrancis0pdf