The European ePrivacy Regulation (Council Proposal 10.02.2021)



ePrivacy Regulation, Article 23, General conditions for imposing administrative fines.


1. Article 83 of Regulation (EU) 2016/679 shall apply mutatis mutandis to infringements of this Regulation.


2. Infringements of the following provisions of this Regulation shall, in accordance with paragraph 1, be subject to administrative fines up to EUR 10000000, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:


(a) the obligations of any legal or natural person who process electronic communications data pursuant to Article 8;


(b) deleted.


(c) the obligations of the providers of publicly available directories pursuant to Article 15;


(d) the obligations of any legal or natural person who uses electronic communications services pursuant to Article 16.


(e) the obligation to designate a representative pursuant to Article 3 number 2.


3. Infringements of the principle of confidentiality of communications, permitted processing of electronic communications data, time limits for erasure pursuant to Articles 5, 6, and 7 shall, in accordance with paragraph 1 of this Article, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.


4. Member States shall lay down the rules on penalties for infringements of Articles 12, 13 and 14.


5. Non-compliance with an order by a supervisory authority as referred to in Article 18, shall be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.


6. Without prejudice to the corrective powers of supervisory authorities pursuant to Article 18, each Member State may lay down rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State.


7. The exercise by the supervisory authority of its powers under this Article shall be subject to appropriate procedural safeguards in accordance with Union and Member State law, including effective judicial remedy and due process.


8. Where the legal system of the Member State does not provide for administrative fines, this Article may be applied in such a manner that the fine is initiated by the competent supervisory authority and imposed by competent national courts, while ensuring that those legal remedies are effective and have an equivalent effect to the administrative fines imposed by supervisory authorities. In any event, the fines imposed shall be effective, proportionate and dissuasive. Those Member States shall notify to the Commission the provisions of their laws which they adopt pursuant to this paragraph by [xxx] and, without delay, any subsequent amendment law or amendment affecting them.


Note: This is not the final text of the ePrivacy Regulation. This is the text of the ePrivacy Regulation Proposal of the Council of the European Union from 10.2.2021.