Spotlight: Data protection

Data protection: companies need to overcome new challenges

Philipp Rosenauer
Partner, Head Legal Function & Legal Strategy Advisory, PwC Switzerland 

In the European Union, the General Data Protection Regulation (EU GDPR) will soon be joined by a number of new regulations that will also affect Swiss organisations. These regulations don’t exclude personal data from their scope, but primarily focus on how companies handle and use data. There are still some ambiguities in how the various regulations will be implemented, for example regarding the enforcement authorities or the principle of double jeopardy – as a breach of one of the new provisions could also constitute a breach of the GDPR. Companies should address these regulations early on and evaluate their exposure so that they can identify and manage their legal risks. It’s important not to look at the new regulations in isolation but to develop a holistic understanding of them.

The European Union is about to adopt a set of regulations that will impact the way data is collected and shared in the EU. These include the Data Governance Act, the Data Act, the Digital Services Act, the Digital Markets Act and the Artificial Intelligence Act. These regulations don’t exclude personal data from their scope, but focus on how companies handle and use data.

To minimise their legal risks, companies should address the various regulations early on and evaluate their exposure. It’s important not to look at the new regulations in isolation but to develop a holistic understanding of them.

The data protection regulations at a glance

This article examines the relationship of these new regulations to the General Data Protection Regulation, with a focus on the various sanctions and violations. First, a look at the various regulations:

The European Union General Data Protection Regulation (EU GDPR) has been in force since 25 May 2018. It affects all those operating in the EU and gives data subjects more control and rights over their personal data. The GDPR also puts more responsibility on companies while at the same time reducing their reporting obligations. The role of data protection authorities is strengthened. Many Swiss companies are directly affected by the General Data Protection Regulation, for example financial institutions that also sell their products in the EU.

The Data Governance Act, published as part of the European Data Strategy at the end of May 2022, will come into force in September 2023. The regulation forms the basis for a data exchange model that is intended to facilitate the sharing of data across different industries and countries – also against the background of enabling better development of artificial intelligence (AI).

The Data Act is intended to be the second pillar of the new European data strategy alongside the Data Governance Act. The aim is to use new regulations to better exploit the economic potential of the ever-increasing volume of data. The Data Act, proposed by the European Commission on 23 February 2022, is currently in the consultation process. It should be emphasised that the draft provides for an implementation period of only 12 months after entry into force.

Complementing this, the Von der Leyen Commission has proposed the Digital Services Act and the Digital Markets Act – both of which were passed by the EU Parliament in July 2022 and should come into force before the end of 2022. The Digital Services Act aims to make powerful digital platforms (gatekeeper platforms) such as YouTube, TikTok, Facebook and Instagram more transparent and hold them accountable for the risks they pose to society. These include, for example, clear rules and mandatory measures for dealing with illegal content or more transparency in online advertising. The Digital Markets Act, also an EU-wide code of conduct for large digital companies, is intended to ensure fairness and a level playing field for players in the digital markets in the EU.

The Artificial Intelligence Act, a risk-based approach to regulating artificial intelligence, has the potential to drive debate around the world on how to manage artificial intelligence. The Artificial Intelligence Act would be the world’s first legally binding horizontal regulation of AI systems. The draft is currently being discussed in the EU Parliament – with involvement from the worlds of society, politics and science – and the EU Council aims to reach an agreement in December 2022.

Various enforcement authorities

This creates a challenging situation. Each of these acts has its own rules and competent enforcement authorities, which don’t necessarily overlap with one another. With the exception of the Digital Markets Act, which the European Commission is responsible for enforcing, it’s envisaged that member states will designate competent authorities at national level to be responsible for monitoring and enforcing the regulations.

Despite appeals from the European Data Protection Board and the European Data Protection Supervisor, it’s uncertain whether member states will designate the current data protection authorities as the competent enforcement authorities. As a result, it’s possible for companies to face two separate investigations for the same violation.

Dual proceedings per se aren’t a new phenomenon. In the past, there have been numerous cases in which companies have been penalised twice for the same issue. In many of these cases, the companies invoked the principle of double jeopardy in their defence. This principle originates in common law jurisdictions, whose legal system is based on precedent.[1] It prohibits a defendant from being convicted twice for the same crime. However, the principle is limited to criminal sanctions, and most violations of the GDPR aren’t likely to be subject to criminal sanctions.

Single or double sanctions?

The question therefore arises as to whether the principle of double jeopardy can be invoked in cases of dual proceedings under the GDPR and one of the acts. It’s expected that this will be the case. In current legal practice, the principle – regardless of its wording – is also invoked in cases that don’t involve criminal law in the strict sense of the term, but serious sanctions of a punitive nature. These aim not only to compensate for any damage caused, but also to have a deterrent effect. In this context, deterrence is to be understood in terms of negative general prevention. In other words, sanctions should help ensure regulatory compliance.

The sanctions under the GDPR and the sanctions imposed by the member states under the new legislation are likely to pass this test, i.e. they are punitive in nature, so that the principle should protect companies from being sanctioned twice. However, it’s still uncertain whether this will be the case and in which constellations.


[1] Common law refers to the legal system that prevails in most English-speaking countries such as the United Kingdom and the United States. Although common law is based on statutes, the judicial decisions (so-called precedents) play a more important role. Accordingly, legal findings are based on analogies between individual cases that have already been decided upon.

Using people to combat risks

Machines are praised for not making mistakes. Humans, by contrast, do make them. Cybercriminals combine these errors with the vulnerabilities of IT systems in order to compromise them. Cyber-resilience is strengthened by involving employees and purposefully managing human behaviour. Here are five simple and practical tips on how to address human vulnerabilities in your organisation.

  1. Rethink what information your company and key positions reveal on social media.
  2. Regularly make your employees aware of phishing and install a corresponding test add-in in your email application.
  3. Inform your employees about the importance of professional management and assignment of passwords and offer support (e.g. password manager).
  4. Get a clear picture of your shadow IT, and determine who can use which private devices and install applications and data on them.
  5. Reward the internal reporting of an incorrect response, and regularly practice implementing your emergency plan.
