In an Order of 25 May 2021 (Case No. 4 MB 14/21) (only in German), the Higher Administrative Court of Schleswig-Holstein (only in German) ruled on the right of companies to refuse to answer questions from the data protection authorities in connection with data protection audits (Article 58(1)(b) of the GDPR). What follows is our summary and analysis of this brand-new decision, which is highly relevant for companies, e.g. in light of the recent questionnaire on “Schrems II” and third-country transfers.
Facts of the case
The Order involved a dispute between an online mail order company (the petitioner) and the competent data protection authority (the respondent) concerning a request for information about the processing of personal data. In response to several complaints alleging that the company was engaging in personalized marketing to data subjects, the authority ordered the company to answer five questions and threatened to fine the company for each question it failed to answer. It also made reference to a possible right to refuse to provide information in accordance with § 40(4) Sentence 2 of the Federal Data Protection Act. The petitioner refused to answer and filed an action before the Administrative Court to set aside the fine, as well as a motion for suspensive effect, which the Administrative Court dismissed.
Content of the decision
The Higher Administrative Court found that the complaint was partially well-founded and engaged in an extensive examination of the question as to whether the company had a right to refuse to provide information. The Higher Administrative Court took the view that § 40(4) Sentence 2 of the Federal Data Protection Act only entitles companies to refuse to answer questions in cases where answering would create the risk of criminal prosecution or the risk of proceedings in accordance with the Act on Administrative Offenses, which would require a specific threat.
The request for information in the present case was made in connection with a data protection audit (Article 58(1)(b) of the GDPR), and the court stated that a distinction should be made between the individual questions and the risk associated with each question.
Roughly speaking, the individual questions can be summarized as follows:
- Which controllers and processors collect personal data and process it for marketing purposes?
- Which personal data is collected?
- Were the requirements in Article 24 and Article 32 of the GDPR adhered to?
- How many data subjects are there?
- Were the notification requirements in Article 14(1) and (2) of the GDPR adhered to?
The Higher Administrative Court concluded, based on its assessment, that providing answers to Questions 1, 2 and 4 cannot support the conclusion of unlawful processing in the absence of additional circumstances, such as the failure to obtain consent. Accordingly, a threat does not exist in this case and the company does not have the right to refuse to answer. Questions 3 and 5, on the other hand, are directed towards proceedings in accordance with the Act on Administrative Offenses, since violations of the specified requirements could result in fines in accordance with Article 83 of the GDPR, and the petitioner therefore has a right to refuse to provide this information.
The Higher Administrative Court also ruled that rights to refuse to provide information in administrative law can be asserted in opposition to requests for information themselves, and not only against the enforcement of such requests. Inherent to this right is the principle of freedom from self-incrimination; since this principle is derived from the general right to privacy and is therefore intended for natural persons, it appears questionable whether legal persons can invoke the right to refuse to provide information. But in light of the fact that this principle is also derived from the principle of rule of law (Article 20(3) of the Basic Law, Article 6(1) of the ECHR) this possibility is not entirely out of the question, in the view of the Higher Administrative Court.
The court also found as follows: “A violation of the freedom from self-incrimination may be established by calling upon a person to provide self-incriminating information by means of a legally binding administrative act, as well as by the enforcement of such a request under threat of administrative penalties. […] In light of the unresolved constitutional questions mentioned above, some of which are of a fundamental character, this court cannot find with the necessary degree of certainty that assessment of the fines was lawful, as the Administrative Court found, based solely on the consideration that the right to refuse information in accordance with § 40(4) Sentence 2 of the Federal Data Protection Act cannot be asserted in enforcement proceedings as a means of appealing the underlying administrative act (cf. § 248(2) of the General Administrative Act of the State of Schleswig-Holstein).”
Classification of the decision
The relevance of this Order in practice is particularly great in light of the coördinated investigations which have been launched by the supervisory authorities, by means of questionnaires, based on the “Schrems II” decision by the European Court of Justice (ECJ). As stated in this Order, companies may assert rights to refuse to provide information to the data protection authorities if they would otherwise expose themselves to the risk of further proceedings. But it should be kept in mind that this ruling by the Higher Administrative Court of Schleswig-Holstein was issued in summary proceedings by way of a temporary injunction, and that the Higher Administrative Court ultimately had to weigh the interests of both parties.
Based on our experience dealing with investigations by the authorities, we generally advise affected companies as follows:
- If the letter from the authorities does not contain instructions as to legal remedies, it is merely a request for information. In this case, it is not an administrative act and recipients cannot be required to respond under threat of penalties.
- Requests for information should be handled with care at all times in light of the possible measures which could follow such a request.
- Get help from an attorney if you feel unsure about how to deal with the authorities and particularly if you plan to assert rights to refuse to provide information, as the recent Order demonstrates. We have extensive experience dealing with German and European supervisory authorities and are eager to provide any assistance you may need.
- Even companies which have not yet been contacted by the supervisory authorities would be well-advised to immediately examine their existing third-country transfers given the high level of risk at the moment.
If you receive a request for information from the authorities or if you need legal assistance in connection with the evaluation of third-country transfers, please contact the Co-Head of our Digital Business Unit, Mr. Stefan Hessel.