Nearly three years after a sweeping privacy law took effect in Europe, regulators are seeing more sanction decisions challenged and overturned as companies file appeals.
European courts struck down or reduced several multimillion-dollar fines in recent months, raising questions about whether judges and privacy regulators disagree about how to enforce the 2018 General Data Protection Regulation. Companies taking note are more willing to challenge authorities’ rulings, according to privacy lawyers and regulators.
Many regulators received small or no budget increases when the GDPR took effect and struggle to deal with new investigations. Appeals are an added challenge.
“Many organizations no longer hesitate to challenge the decision of data protection authorities. That’s a big change,” said Ahmed Baladi, a partner in the Paris office of law firm Gibson, Dunn & Crutcher LLP.
It can make sense for companies to challenge a fine if they think a regulator made a mistake in following legal procedures, or if they think the fine is unreasonably large, he said.
A Belgian court overturned several decisions from Belgium’s data protection authority because the regulator didn’t follow legal procedures and made mistakes, said Hielke Hijmans, president of the authority’s office that handles fines and other sanctions.
The number of appeals picked up over the past six months, he said. Companies have filed 15 appeals of the authority’s GDPR decisions and a court has overturned or partially struck down most, he said. An additional six cases are pending the court’s decision.
Such appeals haven’t stopped the regulator from fining companies, but they have forced regulatory employees to spend more time on each case, making sure they follow procedures and precisely define the remit of their investigation, Mr. Hijmans said. The office is short-staffed and pays an external law firm to represent it in each court appeal, adding concerns about budget, he said.
“I don’t want it to have a chilling effect but I can’t ignore the fact that our lives are becoming more difficult at the moment,” he said.
A Berlin court last month overturned the city’s privacy regulator’s €14.5 million ($17.3 million) fine against German property company Deutsche Wohnen SE because the regulator didn’t identify an individual employee who was responsible for the violation in its decision. After the court ruled, the Berlin prosecutor’s office filed a complaint in the case, which is continuing.
Deutsche Wohnen declined to comment.
If the court’s decision stands, the ruling would “considerably restrict our enforcement power,” Maja Smoltczyk, Berlin’s privacy regulator, said in an email.
Requiring regulators to name an individual responsible for allowing or committing violations would make it more difficult for regulators to investigate large companies with complex corporate structures, and make it easier for them to identify employees handling data processes at smaller companies, she said.
Many companies changed privacy policies to comply with the GDPR when it took effect in 2018 and sought to avoid fines that can reach up to 4% of their global revenue, or €20 million. Firms hired privacy lawyers and set up processes to handle data securely and delete it when no longer needed.
In Austria, a new law requiring investigators to attribute violations to a specific person—and prove he or she knew or did nothing to stop them—tripped up the country’s privacy authority in a recent case. In December, an Austrian court overturned an €18 million fine against postal service provider Österreichische Post AG . Employees at the Austrian privacy authority weren’t aware of the new law, Matthias Schmidl, deputy head of the office, said in an email.
The new requirement will substantially change how the authority investigates violations, he said.
Österreichische Post declined to comment.
Austrian regulators, and potentially German authorities if the Berlin court requires privacy rulings to identify individual employees, will need to assess companies’ GDPR training and the role of their data protection officer before naming an individual in a decision, said Stefan Hessel, an associate in German law firm Reusch Rechtsanwaltsgesellschaft mbH.
“The key question is when is the company responsible,” Mr. Hessel said.
In cases where the alleged violation could damage a company’s reputation, however, appealing a GDPR decision can bring more negative attention to a company, said Mr. Baladi of Gibson, Dunn & Crutcher. That is especially so if a judge upholds the fine, he said.
Write to Catherine Stupp at Catherine.Stupp@wsj.com
Copyright ©2020 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8