Covid-19 as "force majeure" in data protection law? Companies are not liable

Curfews have already been imposed in several European countries due to the spread of the coronavirus. In Bavaria, a state of disaster has been declared (German). Citizens are also required to work from their home offices. For many companies, this means that internal (administrative) processes are no longer functioning without restrictions or, if the company is closed down, not at all.

The consequence in data protection law is that requests from data subjects under the GDPR, for example for access in accordance with Art. 15 GDPR, can either be dealt with only after great delay or not adequately at all in the near future. For example, it may be that, due to employees working at home, not all internal documents can be checked for personal data. It is also possible that companies may not (or no longer) be able to fully comply with their obligations under the GDPR due to the current circumstances.

From a practical point of view, the question arises for controllers as to how they can deal with this situation. Does the GDPR permit, for example, that prescribed periods under Art. 12 para. 3 GDPR (max. 3 months for answering data subjects' requests) are extended even further or not observed? In the event of a violation of the GDPR based on the current exceptional situation, can a company somehow relieve itself of the burden or is there a risk that administrative proceedings or fines will be imposed by the authorities (Art. 83 GDPR) or that claims for damages will be initiated by data subjects (Art. 82 GDPR)?

Current views of data protection authorities

The English authority, ICO, has indicated that it will take account of current circumstances in the event of delays in the fulfilment of data protection obligations (ICO, Data protection and coronavirus: what you need to know). In this respect, the authority assumes that the legal deadlines cannot be extended, but that delays in processing the rights of the persons concerned due to the coronavirus would not be punished.

The EDPB does not comment on the (non-)validity of the deadlines. However, the EDPS is of the opinion that the special circumstances would not change the existing obligations of the controllers (EDPB, Statement of the EDPB Chair on the processing of personal data in the context of the COVID-19 outbreak).

In the view of the Irish data protection authority DPC, it is not possible to waive the regulations of the GDPR. However, the DPC makes some practical recommendations (DPC, Data Protection and COVID-19). The DPC points out that the time limit for processing the data subject's request will be extended by up to two months, with an explanation of the reasons for this. In addition, a staged procedure is also conceivable for responding to data subjects' requests.

Exceptions under the “Time Limits Regulation”?

The Regulation determining the rules applicable to periods, dates and time limits (Regulation (EEC, Euratom) No. 1182/71), which is directly applicable to the calculation of time limits prescribed by European law (i.e. also those under Art. 12 para. 3 GDPR or Art. 33 para. 1 GDPR), does not provide for any exception to existing time limits in exceptional cases.

Exceptions in the GDPR?

Art. 12 GDPR does not provide for any exceptions to the time limits regulated therein. Regarding the general obligations under the GDPR, individual articles contain some exceptions. One example is Art. 14 para. 5 lit. b GDPR, which applies where the provision of this information proves impossible or would require a disproportionate effort. However, this exception only applies to the provisions of Art. 14 GDPR.

Force majeure: no liability of the companies

In the current situation, I believe that a general exception or privilege should be considered, one that is not explicitly mentioned in the GDPR but is intended to apply generally: the existence of "force majeure".

It is important here to refer to the provisions of European law regarding this exception, since the GDPR, as European law, is to be applied autonomously under European law.

It follows from settled case-law of the ECJ that the concept of force majeure must be understood, in general, in the sense of abnormal and unforeseeable circumstances, outside the control of the party relying thereupon, the consequences of which, in spite of the exercise of all due care, could not have been avoided (ECJ, 18.3.2010, C-218/09).

It is also settled case-law that, since that concept does not have the same scope in the various spheres of application of European Union law, its meaning must be determined by reference to the legal context in which it is to operate (ECJ, 18.3.2010, C-218/09; ECJ, 25.1.2017, C-640/15). In this respect, the purpose of the respective regulation is decisive for its application. The special nature of the respective field of law influences above all the interpretation of the term in the individual case (cf. ECJ, 22.1.1986, C-266/84).

It should therefore be examined whether the GDPR also provides for such an exception, which controllers may be able to invoke in the current times. With regard to the GDPR, it is firstly noticeable that it does not recognise the term "force majeure", at least not in the final version. If one looks at the first draft of the EU Commission and also at the proposals of the EU Parliament in the legislative procedure, it becomes clear that the circumstance of force majeure did play a role: specifically in the context of the liability of companies for damages to data subjects.

Recital 146 GDPR reads: “The controller or processor should compensate any damage which a person may suffer as a result of processing that infringes this Regulation. The controller or processor should be exempt from liability if it proves that it is not in any way responsible for the damage”. (emphasis by me)

In the earlier versions of the GDPR, however, this recital was still formulated with a specific reference to "force majeure". Recital 118 (Council document 9398/15, 1.6.2015, https://data.consilium.europa.eu/doc/document/ST-9398-2015-INIT/en/pdf): “Any damage which a person may suffer as a result of unlawful processing should be compensated by the controller or processor, who should be exempted from liability if they prove that they are not responsible for the damage, in particular where he establishes fault on the part of the data subject or in case of force majeure.” (emphasis by me)

The exemplary list of circumstances ("in particular") when no liability should exist has been deleted on the basis of a proposal by the Council and replaced by a general and comprehensive wording ("in any way responsible").

The specific term "force majeure" is indeed missing. However, in my opinion, not because it should no longer be possible to invoke it, but rather because the legislator wanted to define the possibility of non-existent liability in a more general way, without giving specific examples.

Therefore, I consider it in any case justifiable that companies can invoke the circumstance of "force majeure" in the context of infringements of the GDPR which have their demonstrable cause in the current circumstances of the coronavirus or related government measures. In this case, companies are not liable for damages of data subjects.

I would also argue that this idea of exemption from liability in exceptional situations, which is clearly laid down in the GDPR, applies not only to claims for damages under Art. 82 GDPR, but also to compliance with time limits (e.g. Art. 12 para. 3 GDPR or Art. 33 para. 1 GDPR) or even other obligations where applicable. If no liability is assumed where damage has occurred, then it must be even more possible to justify an extension of statutory time limits with this exception. After all, I suppose that companies currently, in general, want to fulfil their obligations. It is just that they cannot at present do so within the parameters laid down by the regulations. This is my opinion (developed in a somewhat longer follow-up session) on the interpretation and application of the GDPR in current times. However, as already mentioned above, this also means that other legal opinions (especially those of supervisory authorities) are possible.

Finally, regarding possible fines for violations of the GDPR, it should be noted that Art. 82 para. 2 lit. k GDPR requires that the supervisory authorities consider "any other aggravating or mitigating factor applicable to the circumstances of the case". In my opinion, this also includes a case of "force majeure".

Laszlo S.

Internal control, Data protection, projects and processes, risk management and finance

4 years ago

Thank you, this is a great help - although I hope we will not need it.
