The supervising authority’s competence in data processing matters sanctioned by criminal law

Administrative District Court by referring to the principle of ne bis in idem upheld the Data State Inspectorate’s position that it has no competence to investigate alleged unlawful data processing activities or relating wrongful acts thereto when the event in question is linked with criminal law. In the particular case, a person complained to the Data State Inspectorate (the Inspectorate) about a bank which, in the person’s view, committed a breach in processing his personal data, resulting in EUR 2200 stolen from the person’s bank account. Afterwards, according to the person’s complaint, the bank failed to ensure to the person the right of access and failed to notify the personal data breach to the Inspectorate. When the person addressed the bank with a request, the bank replied that there was no breach committed by the bank and the money was stolen due to the person himself being negligent with his own personal data. The Inspectorate upheld the bank’s position and found that the bank has appropriately replied to the person’s request. The Inspectorate did not find that the bank has committed any breach in respect to the person’s data, thus the bank did not need to notify the Inspectorate. 

The court dismissed the person’s application about the Inspectorate’s decision and upheld the Inspectorate’s position. According to the court’s reasoning, data obtainment that leads to illegal use of financial instruments or means of payment is a crime and the national law lays down the rules on criminal liability for such infringement. The Inspectorate is the competent authority for investigation of administrative offences and imposition of administrative penalties for these offences. However, the Inspectorate is not competent to investigate any activities with personal data that are sanctioned by criminal penalties. The illegal processing of personal data and theft of the person’s money shall be assessed by the police during criminal investigation and the police is the competent authority to investigate cybercrimes. The court also pointed out to the principle of ne bis in idem (the prohibition of double-punishment) and the Inspectorate’s competence as laid down by the law. It is not yet known whether the court’s judgment is going to be appealed by the person.

According to Recital 149 of the preamble of the GDPR, "Member States should be able to lay down the rules on criminal penalties for infringements of this Regulation, including for infringements of national rules adopted pursuant to and within the limits of this Regulation."  Recital 149 also states that, “However, the imposition of criminal penalties for infringements of such national rules and of administrative penalties should not lead to a breach of the principle of ne bis in idem, as interpreted by the Court of Justice.” In addition, Article 84 (1) of the GDPR stipulates that “Member States shall lay down the rules on other penalties applicable to infringements of this Regulation in particular for infringements which are not subject to administrative fines pursuant to Article 83, and shall take all measures necessary to ensure that they are implemented.”

In the Latvian Criminal Law, there are several provisions included which stipulate criminal liability for illegal data processing activities.  For instance, pursuant to Article 145 (1), “For illegal activities involving personal data of a natural person, if it has caused substantial harm, the applicable punishment is the deprivation of liberty for a period of up to two years or temporary deprivation of liberty, or community service, or a fine”. In the case examined above, the illegal activities were caught by Article 193.1 (1) which stipulates that “For a person who commits obtaining or distribution of such data which enables illegal use of financial instruments or means of payment, the applicable punishment is the deprivation of liberty for a period of up to three years or temporary deprivation of liberty, or community service, or a fine.” Both of these rules were introduced long before the GDPR had been adopted.

It remains to be seen whether the Inspectorate will decline any competence in respect to illegal data processing activities that fall within the scope of criminal laws. On a side note, infringements sanctioned by the Criminal Law is the category of most serious offences under the national law, however, the fine that can be imposed as a criminal penalty is lower than the maximum administrative fine under the GDPR.