The CJEU’s final ruling could subject companies to direct GDPR enforcement by DPAs notwithstanding national procedural rules, but may rule against strict liability under the GDPR.

By Tim Wybitul, Myria Saarinen, Isabelle Brams, Irina Vasile, and Amy Smyth

On 27 April 2023 Advocate General of the Court of Justice of the European Union (CJEU) Campos Sánchez-Bordona delivered an opinion in which he approved direct enforcement of the General Data Protection Regulation (GDPR) against companies but rejected a broader concept of “strict liability” for alleged GDPR violations.

The opinion was issued in relation to a new landmark case (C-807/21) in which the CJEU will determine whether organisations face strict liability for violating the GDPR, or whether data protection authorities (DPAs) must prove relevant misconduct of an individual within the organisation before imposing fines. The Advocate General’s opinion, though not binding on the CJEU, carries considerable weight because courts often follow such opinions.

This Client Alert reviews the opinion and examines the potential implications for companies.