The role of criminal law in EU data protection law (reflection 3)

Let us return to criminal law and the short provision on data protection crimes. Is Article 84 GDPR and its compactness the result of negligence? In the past we emphasized that the objective of the Regulation (to take away differences between Member States) is not served by the open nature of the said provision.[1] A more complete implementation survey is needed to take stock of possible divergences in this regard. Why has the GDPR accepted a double regime, one harmonized (Article 83 GDPR), and another open (Article 84 GDPR)? One reason is the organization of EU criminal law. A regulation can require Member States to introduce criminal sanctions in generic terms, but the details have to be spelled out in a directive.

Yet this does not explain the sloppy legal basis for the use of criminal law in the GDPR. What does Article 84 mean when it states that “Member States shall lay down the rules on other penalties applicable to infringements of this Regulation in particular for infringements which are not subject to administrative fines pursuant to Article 83”? Considering the long list of administrative infringements targeted in Article 83 GDPR, what is left over for criminalization? Recital 149 GDPR hardly adds more clarification, but comes up with pragmatic arguments to use criminal law (now and then): if criminal law is applied, an extra law enforcement toolbox is opened with far-reaching enforcement powers in the area of money laundering and asset confiscation and of course the possibility of full reliance on the police apparatus.

These pragmatic reasons to rely on criminal law are well-known but have caused many conflicts of principle for the criminal law system, which encompasses the most severe instrument at a state’s disposal in times of peace and is therefore designed to be a last resort enforcement system. Encouraging use of criminal law for pragmatic reasons (“you can have the police for free”) is in part neglecting these foundations for opportunistic motives, a development that has led worldwide to overuse of criminal law systems in Western states that are supposed to prioritise liberty by avoiding too much criminal law.[2] The EU contributes to overuse by poorly guiding Member States in their use of criminal sanctions, combined or not with administrative sanctions.

Mitsilegas and Vavoula question the effectiveness of current EU sanctioning practices by pointing at EU anti-money laundering law, which is also poor in its guidance about the use of criminal law. It is questionable, both authors observe, whether this lack of harmonization contributes towards the effectiveness of EU law in the field. If the EU legislator has chosen to sanction an infringement administratively, then the choices of Member States to “goldplate” implementation by imposing criminal sanctions should be limited by the requirement to ensure the effectiveness of EU law. In the name of effectiveness, de-criminalization, rather than over-criminalization, could be the outcome!

The Belgian Data Protection Authority was already referred to several times in this contribution for its stubborn resistance against the administrative sanctioning logic in the GDPR (supra). Its opinion from 2012 also contains two interesting arguments in favour of not using administrative law but relying on criminal law. Firstly, there is a more principled or substantive argument: in particular the serious administrative infringements in Article 83(5) GDPR (fines up to 20 million or 4% of the turnover) are too serious to be labelled administrative wrongs and should be regarded as criminal law offences. Secondly, the authority points at technical problems with administrative enforcement of data protection wrongs: criminal offences mostly consist of several infringements and contrary to normal courts, DPAs cannot deal with the facts in a global manner.[3]

The first substantive argument of the Belgian authority - serious wrongs should be dealt with by criminal law, not administrative law - is underdeveloped in our opinion. In 2016 we looked at current sanctioning systems, at the reasons to rely on administrative sanctions as opposed to criminal sanctions, at why states often prefer to develop both sanctioning systems in parallel, at the need to keep both sanctioning systems separate and to identify a proper role for them, amongst others based on a last-resort role of criminal penalties. What the Belgian authority is doing (proposing to transform half of the list of administrative data protection wrongs into crimes) is not the outcome of our exercise done in 2016. We reached a different result, more in favour of the use of administrative sanctions, but without closing the door for a possible use of criminal law, although this should preferably be dealt with in a new directive complementing the GDPR.

The second, more technical, argument of the Belgian authority is particularly strong. A global approach to wrongs is in some cases best not left to a specialized administrative authority. If in data protection enforcement there are “areas of significant public concern” (term coined by the ICO in the 2019 Vote Leave case above), society as a whole should be alerted and reflect on its responses. In particular, fraud with a huge impact on political institutions (like the fraud reported in the Vote Leave and Cambridge Analytica cases) merits a more global response and scrutiny by the criminal law system. If criminal law should serve for something, should it not be this?

  • [1] De Hert, supra note 57, 262-268 2 Article 83(2) TFEU requires that minimum standards related to criminal penalties have to be adopted by using a directive (and not a regulation). See R. Sicurella, ‘EU Competence in Criminal Matters’, in Mitsilegas, Bergstrom, Konstadinides (eds), supra note 98, 49-77. Comp. Belgian DPA, Opinion no. 35/2012 of 21 November 2012 on the draft regulation, para. 158. 5 Recital 149 GDPR: “Member States should be able to lay down the rules on criminal penalties for infringements of this Regulation, including for infringements of national rules adopted pursuant to and within the limits of this Regulation. Those criminal penalties may also allow for the deprivation of the profits obtained through infringements of this Regulation. However, the imposition of criminal penalties for infringements of such national rules and of administrative penalties should not lead to a breach of the principle of ne bis in idem, as interpreted by the Court of Justice”. Article 84 does not seem to prohibit criminalisation of acts that are mentioned in Article 83, but encourages states that want to use criminal law ‘in particular’ for other kinds of acts. For example, the Portuguese law that implements the GDPR - Law 59/2019 - specifies certain conducts related to undue access to data which result in a criminal sanction up to one or two years of prison, or a criminal fine/pecuniary penalty. See Section III of the Law, Articles 46-52, https://dre.pt/web/guest/pesquisa/7search/123815982/ details/maximized.
  • [2] 2 They link their critical observation to the phenomenon of ‘goldplating’ in EU implementation laws (the practice of national legislators exceeding the terms of EU-directives when implementing them into national law). 3 V. Mitsilegas, N. Vavoula, ‘The Evolving EU Anti-Money Laundering Regime. Challenges for Fundamental Rights and the Rule of Law’ (2016) 23 Maastricht Journal of European and Comparative Law 261,272. 4 Ibidem. 5 Belgian DPA, Opinion no. 35/2012 of 21 November 2012 on the draft regulation, para. 159: “The CPP also has serious doubts about the qualification of the sanctions established by article 79. Although these sanctions are explicitly described as “administrative sanctions”, the CPP is of the opinion that they are criminal sanctions and having regard to the case law of the European Court of Human Rights and the EU policy. The importance of determining whether criminal sanctions are concerned, essentially relates to the fact that article 6 of the European Convention
  • [3] on Human Rights and article 6 of the Treaty on the European Union stipulate that in such a context sufficient legal safeguards must be provided (for example the possibility to appeal to an independent judge). The text of the draft regulation does not mention this at all”. 2 Ibidem, para. 156: “[It] is rather rare that the facts of constituting a violation of the regulation are solely related to data protection: criminal offences mostly consist of several infringements of which one aspect is related to “data protection”. In those cases, the scope of the Data Protection Authority will prevent the latter from dealing with the facts in a global manner. They will be limited to the aspect “data protection”, because the (authority) at its level cannot appeal to the concurrence of offences technique, according to which the maximum penalty is applied to facts under dispute. Only courts and tribunals may rely on this technique and handle criminal offences as a whole”. 3 Herlin-Karnell, supra note 98. Ost and Van De Kerchove speak about networks of sanctions (réseaux de sanctions) that exist next to each other, each having fuzzy limits and all having uncertain articulations from one to each other (F. Ost, M. van de Kerchove, De la pyramide au réseau? Pour une théorie dialectique du droit (Publications des Facultés universitaires Saint-Louis, 2002), 243). 4 De Hert, Boulet, supra note 57. 5 See more in detail, ibidem.
 