No sanctions for breach of GDPR for ČEZ and non-profits?
A group of deputies headed by Marian Jurečka (KDU-ČSL) has submitted a draft amendment to the Personal Data Protection Act. The deputies have taken on the role of protectors of public institutions and non-profit organisations against the harsh sanctions introduced by the General Data Protection Regulation (GDPR): the proposed amendment aims to exempt these entities from the GDPR sanctions to be imposed by the Office for Personal Data Protection.
The authors of the draft intend to make use of an option provided by the GDPR allowing the member states to lay down the rules on imposing administrative fines on their public authorities and entities; the GDPR thus responded to the fact that some member states’ constitutional law explicitly forbids penalising public authorities. However, taking advantage of this option in a Czech legal context goes against the intentions of the EU legislators. Moreover, the proposed amendment extends the term ‘public entity’ to non-profits as well, thus embarking on a rather extensive interpretation of EU standards, while such a task ought to pertain solely to the Court of Justice of the EU, to ensure their uniform application across all member states.
The submitted draft amendment also adapts the GDPR in a rather unsystematic way, by simply exempting some institutions from sanctions. Moreover, comprehensive GDPR adaptation laws abolishing the Personal Data Protection Act altogether are already being debated in the Chamber of Deputies. The whole proposed amendment therefore seems rather redundant.
While the proposers emphasise that the exemption is meant to make life easier for small municipalities and non-profits, the wording is so wide that it would also apply to ministries and governmental institutions that process large quantities of personal data in their systems. According to the government’s statement, the public institutions that the proposed amendment exempts from the sanctions also include public transport companies or business entities such as ČEZ (a partly state-owned Czech energy company). Such a wide exemption is obviously contrary to the principle of equality before the law and puts some entities in an unreasonably advantageous position. While the proposers obviously intended to provide relief for some entities such as non-profit organisations for whom the sanctions would be unnecessarily harsh, the manner of implementing the exemption is far from ideal, considering the above.
Moreover, non-profits or other entities do not need to worry about unreasonably high sanctions, even without the amendment: in accordance with the principles of imposing administrative sanctions, a penalty must not be destructive for the entity affected and must always reflect the gravity of the breach of the duties stipulated by the GDPR.
The proposed amendment is unsystematic and most likely also in breach of the constitutional principle of equality before the law. Moreover, it uses undefined and misleading legal terms. The government in resignation is of a similar opinion and has already expressed its disagreement with the draft. We therefore recommend focusing primarily on the development of the laws adapting the GDPR as proposed by the government, which are to be discussed in the committees of the Chamber of Deputies in May and then put on the chamber’s agenda. If these laws are passed, the mentioned amendment will be pointless, as the entire Personal Data Protection Act will thereby be abolished.