The European Court of Justice has today fined Spain €15 million for failing to implement the Law Enforcement Directive, which it should have done by 6 May 2018 (shortly before the GDPR took effect). Notably, it’s the first time that the ECJ has issued a lump sum fine and a daily penalty for a member state’s failure to implement an EU directive.
Since the introduction of the GDPR, the enforcement of Europe’s data protection rules has largely focused on private organisations. Today’s judgment shows that national governments are not immune from censure – particularly where they fail to implement the very rules with which organisations are expected to comply.
Spain had claimed that its delay in transposing the LED was the result of exceptional political circumstances. However, in finding that Spain had persistently breached its obligations under the Lisbon Treaty by failing to bring the LED onto its statute book, the ECJ imposed a concurrent lump sum penalty and daily penalty payments for a member state’s failure to implement an EU directive.
It’s difficult to argue with the court’s conclusion, given that a key aim of the LED is to ensure a consistent level of protection for personal data throughout Europe. Indeed, it’s also likely that the Spanish data protection authority itself would give short thrift to an organisation which argued that its longstanding non-compliance with the GDPR could be overlooked on the basis that it has an unusual corporate governance structure.
In the light of the seriousness and duration of the infringement, the Court orders Spain to pay the Commission a lump sum in the amount of € 15 000 000 and, should the infringement established have persisted up to the date of delivery of its judgment, as from that date and until the infringement established has been brought to an end, a daily penalty payment of € 89 000.
https://curia.europa.eu/jcms/upload/docs/application/pdf/2021-02/cp210022en.pdf
unknownx500
