Articles

Part three - GDPR and public law: To retroact or not?

Part three - GDPR and public law: To retroact or not?

Part three - GDPR and public law: To retroact or not?

07.06.2019 BE law

Since the General Data Protection Regulation (“GDPR”) became applicable almost one year ago, multiple questions have arisen about its interaction with other fields of law. In this three-part blog series of “GDPR and public law”, we discuss three capita selecta of the interaction of GDPR with public law and government. In this blog we discuss the retroactive application of GDPR.

With the GDPR becoming applicable on 25 May 2018 and the new Belgian Data Protection Act of 30 July 2018 entering into force on 5 September 2019, more severe administrative fines and criminal sanctions were introduced in conjunction with several data protection obligations. According to European and national law, there can be no retroactive application of more severe penalties.[1] The European Court of Human Rights has developed some criteria in its jurisprudence to assess whether this principle of non-retroactivity also applies to administrative fines, being (i) the legal qualification of the infringement in national law, (ii) the nature of the infringement and (iii) the severity of the penalty. Following this test, it appears that the administrative fines under the GDPR fall within the scope of this principle of non-retroactivity.

What does this mean in practice?

For infringements that existed only before 25 May 2018, the new sanctions may not be imposed. For infringements that existed only after 25 May 2018, the new sanctions may be imposed. The difficulty lies with infringements that existed both before and after 25 May 2018.

For infringements that existed before and after 25 May 2018, a distinction must be made between criminal sanctions and administrative fines. For criminal sanctions, the infringement will most likely be considered as a whole by using typical mechanisms of criminal law such as “eenheid van opzet / unité d'intention” and “voortdurend misdrijf / infraction continue”. In this respect Article 65 of the Belgian Criminal Code states that: “where one and the same act gives rise to several offences or where several offences which are the successive and continuous execution of the same criminal intention are simultaneously submitted to the same criminal court, only the most serious penalty shall be imposed”. Consequently, the new sanctions will probably be applied to the whole of the infringement.

For administrative fines, the situation is more unclear. The Belgian Constitutional Court has previously ruled that it is not discriminatory that these mechanisms of criminal law do not apply to administrative fines. Article 82, §3 GDPR states that: “if a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement”. Other than the Article 65 of the Belgian Criminal Code as referred to above, this article is limited to infringements of the GPDR itself and does not explicitly refer to any succession or continuity over time. However, Data Protection Authorities have a lot of leeway and can apply various criteria to ensure reasonableness when imposing administrative fines, amongst which the duration of the infringement, so that de facto they could probably apply the same mechanisms.

 

[1] See Article 7 of the European Convention on Human Rights and Article 2 of the Belgian Criminal Code.

Team

Related news

08.11.2019 EU law
Erik Valgaeren is session chair during IBA's 6th Biennial Technology Law Conference in Berlin

Speaking slot - Stibbe's TMT partner, Erik Valgaeren, chairs a session discussing the new legal challenges, created by the most recent technological developments in the field of software, data, online services and telecom, including 5G, pricing algorithms, platforms and data monetization. This session will take place on the 8th of November 2019 in Berlin.

Read more

21.10.2019 EU law
Elektronische identificatie en ondertekening conform eIDAS

Articles - De eIDAS-verordening heeft een juridisch kader geïntroduceerd dat de betrouwbaarheid en acceptatie van elektronische transacties binnen de EU moet vergroten. Hiervoor wordt een gelijk speelveld beoogd waarin burgers en bedrijven binnen de EU met hun eigen nationale elektronische ID zich ook digitaal kunnen identificeren bij openbare instanties uit andere lidstaten. Daartoe worden uniforme eisen gesteld aan de betrouwbaarheidsniveaus van deze elektronische ID’s.

Read more

07.11.2019 NL law
Symposium 'From Stint to Fipronil: a compensation fund for victims of energetic government intervention in crisis situations

Seminar - Stibbe is organising a symposium in Amsterdam on Thursday 7 November entitled 'From Stint to Fipronil: a compensation fund for victims of energetic government intervention in crisis situations'. During this symposium, Stibbe lawyer Tijn Kortmann and Prof. Pieter van Vollenhoven, alongside other experts,  will speak about the compensation fund which, according to van Vollenhoven, injured parties should be able to call upon if a decision by the government turns out to be too drastic.

Read more

21.10.2019 NL law
Omgevingsvergunning – beslistermijn, inwerkingtreding en onherroepelijkheid (FAQ)

Short Reads - Voor veel activiteiten die van invloed zijn op de fysieke leefomgeving is een omgevingsvergunning nodig op grond van de Wet algemene bepalingen omgevingsrecht (hierna: Wabo). Bedrijven die dergelijke activiteiten willen ondernemen moeten dus een vergunning aanvragen. Het is niet altijd duidelijk welke procedure moet worden gevolgd, hoelang de procedure zal gaan duren en wanneer de vergunning gebruikt kan worden of onherroepelijk is.

Read more

23.10.2019 BE law
Wetsvoorstel beoogt bevoegdheid ondernemingsrechtbanken over nietigheidsvorderingen tegen besluiten administratieve overheden uit te sluiten

Articles - Bij de Kamer van Volksvertegenwoordigers werd op 4 oktober 2019 een wetsvoorstel ingediend dat de artikelen 2:44 en 2:46 WVV wijzigt. Op die manier wordt uitdrukkelijk aangegeven dat de bevoegdheid van de ondernemingsrechtbank om kennis te nemen van de nietigheidsvordering ten aanzien van de besluiten van organen van rechtspersonen niet geldt voor de handelingen die uitgaan van administratieve overheden.

Read more

Our website uses functional cookies for the functioning of the website and analytic cookies that enable us to generate aggregated visitor data. We also use other cookies, such as third party tracking cookies - please indicate whether you agree to the use of these other cookies:

Privacy – en cookieverklaring