The reasoning given with the draft laws, that the laws do not include those provisions of EU regulations that can be applied only by member states of the European Union, or that prescribe obligations only for member states, is questionable.
There are solutions in European legislation that the countries of the Western Balkans could adopt regardless of the fact that they are not members of the EU. This is supported by the fact that the governments of these countries often emphasize that their strategic commitment is to gain full membership in the EU. Governments would have to ensure that the core European values are respected to accomplish this intent. Respecting core European values is achieved, inter alia, by establishing an effective and dissuasive system of sanctions for violations of the laws proclaiming these values. This article explains the system of administrative fines in the EU and the possibilities for its establishment in the countries of the Western Balkans, as well as what kind of message the authorities of these countries are sending to citizens and industries by not showing their willingness to adopt European values.
- Legal solutions and EU practice
EU legislation prescribes a system of imposing effective, proportionate, and dissuasive administrative fines for violations of laws by companies. The general rule is that the authority to impose administrative fines is assigned to independent regulatory bodies of member states or the European Commission. Regulatory national bodies impose fines in administrative proceedings; national laws may regulate the procedure for imposing penalties by national regulatory bodies, whereby member states must meet the requirements regarding the effectiveness, proportionality, and dissuasive effect of the penalties.
Administrative fines are imposed on legal entities (companies), whereby determining the degree of guilt of responsible persons in companies is not a prerequisite for their imposition. What must be determined is whether the legal entity itself, through its employees, committed a violation of the law intentionally or negligently. This practice was first established by the European Court of Justice and the European Commission, primarily in cases of competition law violations. Case C-807/21 of 05 December 2023 (Deutsche Wohnen v State Prosecutor's Office in Berlin) confirmed that this practice also applies in the area of personal data protection.
First, the European Council adopted Council Regulation (EC) No 1/2003 on 16 December 2002. This regulation authorizes the European Commission, in cases of abuse of a dominant position on the market or the conclusion of restrictive agreements, to impose an administrative fine on market participants and a group of market participants (undertaking) in the amount of up to 10% of the annual income generated in the previous business year by the participant or participants in the violation of the law. The Regulation expressly stipulates that the procedure for imposing administrative fines is neither a misdemeanour nor a criminal procedure.
According to the practice of the European Court of Justice, the term "undertaking" covers any form of organization (entity) that is involved in economic activity, regardless of the legal form of such organization and the method of financing. Several entities that belong to the same group can form an economic unit, i.e. an "undertaking". The term "undertaking" in Articles 101 and 102 of the Treaty on the Functioning of the EU means a single economic unit composed of several natural and legal entities. This further means that an "undertaking" is any entity that is part of an economic entity; for example, a company within a concern, the parent company that manages the concern, or the concern itself as an economic entity. The criteria that determine whether an entity makes decisions independently or whether the parent company has a decisive influence on other entities are based on the economic, legal, and organizational ties between the parent company and its subsidiaries, such as the size of the stake, personnel or organizational ties, instructions, and the existence of company contracts.
According to the so-called functional concept of an undertaking, European competition law establishes the concept of direct liability of legal entities, according to which all actions or omissions of persons acting in the name and on behalf of a legal entity are attributed to that legal entity, that is, they are considered to have been committed by the legal entity itself. According to the position of the European Court of Justice, the fact that the employees of a certain company did not act in accordance with the internal rules of that company does not exclude the responsibility of the company within the undertaking. Awareness of the management, (wrong) instructions, or the absence of due supervision are not necessary for the responsibility of an undertaking to exist. The essence of the concept of a single economic unit, according to the functional principle, is that the undertaking is responsible as a functional unit for the non-implementation of the law. If the undertaking comprises several legal entities, the penalty may be imposed on all of them. Those legal entities are relevant only as formal addressees of the decision on sanctions: proceedings are conducted against them and they are the addressees of enforcement. Legal entities are jointly responsible for paying the administrative fine.
Regulation (EU) 2016/679 of the European Parliament and the Council of April 27, 2016, on the protection of natural persons in relation to the processing of personal data and on the free movement of such data and on the repeal of Directive 95/46/EC (General Data Protection Regulation or GDPR) prescribes a system of administrative fines for violation of the GDPR. GDPR prescribes upper limits of monetary fines (fixed amount) and percentage amounts from the realized income, as well as criteria for imposing administrative fines.
In the event that the violation of the GDPR was committed by a legal entity that operates within a group of companies or manages a group of companies (undertaking), an administrative fine is imposed in the percentage amount of the annual income of the undertaking. This approach is justified by the requirement for the imposing of administrative fines to be effective, proportionate, and dissuasive.
In the aforementioned judgment of the European Court of Justice in case C-807/21, the court concludes that the GDPR defines the term "controller" as a natural or legal person, authority, agency, or other body that alone or together with others determines the purposes and means of personal data processing. The GDPR stipulates that the obligations and responsibilities of controllers shall be established for any processing of personal data carried out by the controller itself or on its behalf. In particular, the controller is obliged to implement adequate and effective measures and to be able to demonstrate the compliance of its processing activities with this regulation, including the effectiveness of the measures. These measures must take into account the nature, scope, context, and purposes of the processing and the risk to the rights and freedoms of natural persons. Article 83 (1) of the Regulation prescribes that each supervisory authority ensures that the imposition of administrative fines in each individual case is effective, proportionate, and dissuasive.
The controller is directly responsible for the implementation of the GDPR, i.e. for the actions of its managing bodies, and for this reason administrative fines are imposed directly on controllers, whereby the competent authorities do not determine the degree of guilt of the responsible persons within the controller. This concept aims to achieve the goals proclaimed by the GDPR: i) in order to ensure a consistent and high level of protection of natural persons and to remove obstacles to the flow of personal data within the EU, the level of protection of the rights and freedoms of natural persons in relation to the processing of such data must be the same in all member states; ii) the effective protection of personal data throughout the EU requires the strengthening and setting out in detail of the rights of data subjects and the obligations of those who process and determine the processing of personal data, as well as equivalent powers for monitoring and ensuring compliance with the rules for the protection of personal data and equivalent sanctions for violations in the member states.
Determining the degree of guilt of responsible persons in legal entities would hamper the conduct of proceedings, and in the case of corporations, this activity is of limited scope due to administration and complex organization.
On the other hand, the existence of a system of penalties making it possible to impose, where justified by the specific circumstances of each individual case, an administrative fine pursuant to Article 83 of the GDPR creates an incentive for controllers and processors to comply with that regulation. Through their deterrent effect, administrative fines contribute to strengthening the protection of natural persons with regard to the processing of personal data and therefore constitute a key element in ensuring respect for the rights of those persons, in accordance with the purpose of that regulation of ensuring a high level of protection of such persons with regard to the processing of personal data.
The European Court of Justice further affirms that the condition for the imposing of administrative fines is that the controllers or processors violated the GDPR intentionally or negligently; the concept of the so-called objective responsibility for the violation of the GDPR is not accepted. In the specific case, it will be sufficient for the imposing of administrative fines for the supervisory authorities to determine that the violation of the GDPR occurred as a result of the actions or omissions of management or employees, without the obligation to determine which members of management or employees are involved. For example, the refusal of the management to act on the order of the supervisory body or the management's action contrary to the advice of the data protection officer would be an intentional violation, while failure to act according to internal documents would be negligent action. The existence of a violation does not require management's knowledge or lack of awareness that a violation is being committed or that the conduct is contrary to the GDPR.
- The situation in the countries of the Western Balkans
Personal data protection legislation in the countries of the Western Balkans is largely inconsistent with the GDPR requirement for the imposing of sanctions for non-implementation of the law to be effective, proportionate, and dissuasive. According to the report of the European Commission from 2023 for Montenegro, Bosnia and Herzegovina, and Albania, these countries, despite the fact that the GDPR has been applied in Europe for more than 5 years, have not yet adopted a general regulation on the protection of personal data. In Serbia, a general regulation was adopted in 2018, but the system of sanctions for its non-implementation is not aligned with the GDPR. In North Macedonia, a general regulation was adopted in 2020, and the system of fines is harmonized with the GDPR to a certain extent, in terms of their amount. The sectoral laws in Serbia and North Macedonia are not harmonized with the general regulation on the protection of personal data.
In all countries of the Western Balkans, misdemeanour courts are responsible for imposing misdemeanour fines, and the amounts of fines are minor compared to the ones prescribed by the GDPR (except in North Macedonia). The reasoning in the Serbian general regulation on the protection of personal data that the system of imposing fines cannot be harmonized with Article 83 of the GDPR is unacceptable. The Serbian legislator should have applied the solutions from the Draft Law on Protection of Competition from 2009 - to give the Commissioner the authority to impose administrative fines and to prescribe the relevant procedure in a general regulation. Instead of acting in the described manner when the general regulation was adopted, it took five years for the Strategy of the Law on Personal Data Protection to be adopted and for that strategy to mention the possibility of introducing administrative fines. On the other hand, the National Plan for Chapter 23 states "that the Personal Data Protection Strategy for the period from 2023 to 2030 was adopted on August 25, 2023. In accordance with the aforementioned strategy, forming a Working Group that will work on amendments to the Law on Personal Data Protection is one of the priorities, with the aim of further improving the normative framework in this area. The same Working Group will prepare the accompanying Action Plan for the period 2023-2025."
In North Macedonia, the general law on the protection of personal data should be amended in such a way that misdemeanour fines are replaced by administrative fines and that they are imposed only on controllers and processors, and not on responsible persons in legal entities (in accordance with the latest practice of the European Court of Justice).
Prescribing administrative fines that would be imposed in a special administrative procedure would improve the legal certainty and predictability of the application of the law in the practice of competent authorities, that is, prevent the possibility of different and uneven practices of different authorities. In addition, harmonizing the amounts of administrative fines with the amounts from the GDPR would certainly increase the degree of efficiency and effectiveness of sanctions for non-implementation of the law. It is a generally known fact that misdemeanour proceedings last a long time, and statutes of limitation often occur, while a separate issue is to what extent judges in misdemeanour courts are familiar with regulations on the protection of personal data (for example: how the data protection impact assessment shall be carried out).
According to research by the European Centre for Digital Rights (a survey of 2,173 "insiders": data protection officers and other personal data protection experts in companies in European countries), the most influential factor for a company to improve compliance with the GDPR is the real possibility that the company will be fined, while in second place is the imposition of high fines on other companies.
Our conclusion is that the system of effective and deterrent sanctions for infringement of the law is an elementary prerequisite for respecting citizens' rights and that the countries of the Western Balkans will not be able to join the EU unless they harmonize their legislation with the EU's sanctions policy.
By Ivan Milosevic, Partner, and Andrea Cvetanovic, Senior Associate, JPM & Partners