Does anyone remember 12 September 2019? The GDPR was still new, but the initial excitement had died down and the first practical experiences with the new law had crystallised. Much was unclear, but some things were slowly becoming clearer.

On 12 September, around 200 data protection lawyers met in Bremen, Germany for the 20th Autumn Conference of the German Foundation for Law and Informatics (DSRI) in the magnificent setting of the Junkers W33 BREMEN, the first aircraft that completed a successful transatlantic flight from Continental Europe to the US in 1928 (yes, Charles Lindbergh made it from west to east a year earlier).

The Bremen State Commissioner for Data Protection and Freedom of Information (LfDI), Dr Sommer, was also invited to take stock of the first 15 months of the GDPR.

One of the LfDI’s comments stuck in my mind. Dr Sommer made a bold statement that had the entire Bremen Hall murmuring: DPAs are obliged to impose fines for every data breach that results in a supervisory measure.

Really? Do DPAs have to impose fines?

Without going into detail, Dr Sommer derived her thesis from the wording of Art. 83 (2) sentence 1 GDPR. It states that „fines shall be imposed in addition to or instead of the measures referred to in Article 58(2)(a) to (h) and (j), depending on the circumstances of the individual case“ (bold by author). The wording of Art. 58(2)(i) GDPR is also identical. It allows the authority to impose a fine ‚in addition to or instead of the measures referred to in this paragraph, depending on the circumstances of the individual case‘ (bold by author).

From the two options ‚in addition to‘ or ‚instead of‘ measures, it was concluded that a fine must always be imposed, regardless of the seriousness of the offence or the measure chosen. The authority – according to themselves – simply had no discretion.

Apart from ignoring the part of the sentence ‚depending on the circumstances of the individual case‘, the LfDI’s interpretation deprived us lawyers of three valuable interpretative tools provided by legal methodology: systematic interpretation, historical interpretation and teleological interpretation.

No, they didn’t have to.

The ECJ has now corrected this self-limitation in its judgment of 26 September 2024 (C -768/21).

The case concerned a data breach at a bank: an employee had accessed customer data without authorisation. The bank itself reported the incident and took remedial action. The Hessian Commissioner for Data Protection and Freedom of Information did not consider a sanction/fine necessary in this case. The plaintiff demanded the imposition of sanctions by the authority.

In its decision, the ECJ clarifies that supervisory authorities can (and must) exercise discretion in order to ensure an adequate level of protection of personal data. Whether the discretion has been exercised correctly can be reviewed in court. However, it is inadmissible not to exercise any discretion at all.

As surprising and wrong as the authorities‘ view was in 2019, the ECJ’s decision is reassuring for the protection of individual fairness and the exercise of discretion by authorities today.