CURRENT MONTH (December 2023)
Court of Justice of the European Union Clarifies Imposition and Calculation of Administrative Fines for Companies Established in the EU or Processing EU Data
By Jessica Varda, J.D. Candidate, Class of 2026, Louis D. Brandeis School of Law at the University of Louisville
The Court of Justice of the European Union (CJEU) issued judgments on December 5, 2023, clarifying that national supervisory authorities may impose an administrative fine on a data controller for an infringement of the General Data Protection Regulation (GDPR) when the infringement was committed wrongfully, meaning intentionally or negligently. The objective fact that a breach occurred (“strict liability”) is not sufficient for the imposition of an administrative fine.
The GDPR applies to:
- a company or entity which processes personal data as part of the activities of one of its branches established in the [European Union (EU)], regardless of where the data is processed; or
- a company established outside the EU and is offering goods/services (paid or for free) or is monitoring the behaviour of individuals in the EU.
The GDPR defines “personal data” as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
The CJEU issued the judgments in response to two cases. In C-683/21, a Lithuanian court requested an interpretation of the GDPR in relation to a decision by which the State Data Protection Inspectorate, Lithuania imposed an administrative fine on the National Public Health Centre under the Ministry of Health, Lithuania pursuant to Article 83 of the GDPR for the creation, with assistance of a private undertaking, of a mobile application for registering and monitoring personal data related to COVID-19 exposures. In C-807/21, a German court requested an interpretation of the GDPR in relation to an administrative fine imposed by the Berlin Public Prosecutor’s Office on Deutsche Wohnen SE, a real estate company, for storing the personal data of tenants for longer than necessary.
Per the GDPR, “‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.” The opinion in C-683/21 clarifies that what is a controller can be inferred from the factual circumstances: “An entity which is in fact in a position to determine the purposes and means of the processing will thus be regarded as a ‘controller’, irrespective of whether it was formally appointed as such (by law or in a contract or otherwise).” Where the controller is a legal person, they are liable also for any infringements committed on their behalf, regardless of whether the processing is carried out in accordance with written guidelines or instructions from the controller. A controller may be fined for operations performed by a processor to the extent that the controller may be held responsible for such operations. Per the GDPR, “‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”
In the case that there are two or more entities participating in the determination of the purposes and means of processing, the CJEU will classify them as joint controllers regardless of any formal arrangement. If an offending company or entity is part of an undertaking, fines must be calculated based on the annual turnover of the undertaking as a whole for the preceding business year. Previous case law indicates “the concept of an undertaking encompasses every entity engaged in an economic activity, regardless of the legal status of the entity or the way in which it is financed.” An undertaking may consist one or several individual companies, natural persons, or corporate entities.
Robocallers Beware! FCC Issuing Enforcement Actions
By Alan S. Wernick, Esq., Aronberg Goldgehn
A robocall is any call made using an automatic telephone dialing system or an artificial or prerecorded voice. 47 U.S.C. § 227. Robocalling technologies do have many legitimate purposes to do good—for example, to notify residents in a community of an emergency such as threatening weather or a missing child. Robocalling technologies have also been used for bad and/or illegal purposes—for example, to spoof the phone number and/or caller ID of a legitimate business to try to trick the recipient of the robocall.
On December 20, 2023, the Federal Communication Commission (“FCC”) issued letters to two businesses, CallWin and Solid Double, “to cease and desist their transmission of apparently illegal robocalls that have targeted American consumers.” According to an FCC December 20, 2023, press release, the letter issued to Solid Double was the first enforcement action taken by the FCC in response to a complaint received through the Private Entity Robocall and Spoofing Portal (the “Portal” is available here).
The purpose of the Portal is for private entities to submit information about suspected robocall (47 U.S.C. §227(b)) and spoofing violations (47 U.S.C. §227(e)) to the FCC Enforcement Bureau. According to §227(b) of the Communications Act and §64.1200(a) of the FCC’s rules, absent valid consent or an emergency purpose, making autodialed or prerecorded voice message calls to phone numbers is prohibited. Furthermore, §227(e) of the Communications Act and §64.1604 of the FCC’s rules prohibit transmitting inaccurate or misleading caller ID information with the intent to defraud, cause harm, or wrongfully obtain anything of value.
A private entity is any entity other than (1) an individual natural person or (2) a public entity. Users of the Portal’s submission form might include (i) a for-profit or a nonprofit corporation, association, or organization experiencing a deluge of robocalls overwhelming its internal phone network, (ii) voice service providers that found evidence of illegal robocalls traversing their networks, or (iii) private entities that have had their phone number(s) spoofed.
The December 20, 2023, letter to Solid Double resulted from a complaint the FCC Enforcement Bureau received from a private entity via the Portal. Details of the complaint are in the letter. In this instance the private entity’s complaint stated, among other things, that one of its business phone numbers was being used in a spoofing campaign by a malicious party. The FCC Enforcement Bureau issued a subpoena to the Industry Traceback Group (“ITG”) who then provided traceback evidence of the spoofed calls’ origination. ITG notified Solid Double of the spoofed calls, but it continued to originate illegal traffic from its clients. The December 20, 2023, FCC letter to Solid Double informed it of consequences if it fails to prevent new and renewing customers from using its network as a platform to originate illegal calls, including:
- Downstream U.S.-based voice service providers may begin blocking all call traffic from Solid Double’s network.
- Removal of its certification from the Robocall Mitigation Database.
- Monetary, and other, enforcement penalties for failing to take steps to address illegal robocall traffic on Solid Double’s network.
If you represent a business providing phone call services, or a business that has received numerous robocalls or had any of its phone numbers spoofed and used as part of another’s robocalling activities, then a remedy may be available through the FCC’s Enforcement Bureau or the FCC’s Robocall Response Team. Individual consumers may find some assistance at the FCC’s Consumer Inquiries and Complaint Center.
© 2023 Alan S. Wernick and Aronberg Goldgehn.
See Implementing Section 10(a) of the Pallone-Thune Telephone Robocall Abuse Criminal Enforcement and Deterrence Act (TRACED Act), FCC Notice of Proposed Rulemaking (FCC 20-174) (released December 8, 2020). ↑