33/2024
Issue
The Effect of European Union Law on the Criminal and Quasi-Criminal Liability of Legal Persons in Estonia
The punitive competence of the European Union encompasses both criminal law and, in the form of administrative sanctions, quasi-criminal law. Now undergoing vast changes amid rapid development, the latter field of Union legislation is anything but systematic. The sporadic evolution of EU punitive law recently led to the European Court of Justice judgement in the case Deutsche Wohnen, wherein the substantive provisions for liability of legal persons in Germany were found to be in contradiction with European Union law. The article gives an overview of the European Union’s legislation on criminal and quasi-criminal liability of legal persons, presents reflections on the Estonian experience, and articulates conclusions from the Deutsche Wohnen case.
Keywords:
European Union criminal law; administrative sanctions; quasi-criminal law; liability of legal persons; GDPR; Deutsche Wohnen
1. Introduction
This article presents an effort to analyse the effects of European Union law on national legislation pertaining to the liability of legal persons. The scope of EU criminal law connected with legal persons is rather constrained, with the Member States’ cautious and conservative approach having brought certain safeguards into play. The same cannot be said for the Union’s legislation on administrative sanctions or the so-called quasi-criminal law. Member States are bound by a plethora of directives and regulations, in various domains of Union law, whereby they are obliged to lay down rules on administrative liability for legal persons. That legislation lacks a common general component so may differ in many respects, whether in nuances or more fundamentally. Because transposing this body of legislation into national law has clear effects on the states’ criminal and quasi-criminal-justice systems, the non-systematic nature of Union legislation creates an argument against codification of the modes of liability for legal persons in national legislation: each piece of legislation might well require a tailor-made solution. This problem was highlighted by the recent judgement of the European Court of Justice in the Deutsche Wohnen case *1, wherein how the general part of German law addresses legal persons’ liability was found to be incompatible with the requirements of an especially prominent instrument of regulation, the GDPR *2.
The article gives an overview of the demarcation between European Union criminal and quasi-criminal law, followed by deeper analysis of the EU-level legislation related to the criminal and quasi-criminal liability models connected with legal persons. Then, for concrete illustration, the discussion turns to the Estonian legal system, introducing its peculiarities – namely, the concept of misdemeanours (governed by the general part of the Penal Code), which functions in transposition of the Union’s legislation on administrative sanctions. Before presenting general conclusions, the paper examines the effects of the judgement in Deutsche Wohnen on the choice of liability model oriented toward legal persons.
2. The divide between European Union criminal and quasi-criminal law
At first glance, the principles of national penal law appear to be guarded relatively well against disturbance wrought via European Union legislation. After a lengthy competence struggle that resulted in the landmark decisions in Environmental Crime *3 and in the Ship-Source Pollution case *4, the Member States agreed to very careful and limited delegation of criminal-law competence with the adoption of the Treaty of Lisbon. According to Article 83 (1) of the Treaty on the Functioning of the European Union (TFEU), the co-legislators are permitted to establish minimum rules pertaining to the definition of criminal offences and sanctions in only areas of particularly serious crime with a cross-border dimension resulting from the nature or impact of said offences or from a special need to combat them on a common basis. The relevant spheres of crime are exhaustively listed *5 in Article 83 of the TFEU, with the so-called annex competence expanding this competence to an area that has been subject to harmonisation measures only in conditions wherein alignment among the Member States in the domain of criminal law and regulations (i.e., approximation of law in that domain) proves essential for ensuring the effective implementation of a Union policy. As a means of last resort, a Member State may fall back on the ‘emergency brake’ procedure provided for in Article 83 (3) of the TFEU when finding that a draft Directive instrument is bound to affect fundamental aspects of its criminal-justice system. *6
Article 83, however, pertains to criminal law only in the strictest sense, and it forms merely one small part of the punitive-law competence of the Union. The latter competence of the EU has its roots in Member States’ obligations to lay down rules on sanctions, which need not be criminal-law-oriented. That said, administrative-offence law (or quasi-criminal law) became a distinct field of approximation in the years following the compromise on the criminal-law competence of the Union under the Treaty of Lisbon. *7 Numerous directives and regulations require Member States to lay down rules on punitive sanctions that, while not formally classified as of a criminal-law nature, would by dint of their punitive aim fall under the autonomous concept ‘criminal’ per the Engel and Bonda criteria (that is, qualify as quasi-criminal sanctions). *8 The associated legislation is adopted on various legal bases (such as Art. 16 or 114 of the TFEU) and, accordingly, circumvents the safeguards afforded to the Member States’ national criminal-justice systems by the Article 83 of the TFEU. The most prominent body of legislature for which Member States must set forth rules on levying quasi-criminal fines against legal persons concerns the financial-services sector. The proliferation of such legislation can be attributed to the 2010 European Commission communication on reinforcing the sanctioning regimes affecting that sector. *9 However, prescriptions for sizeable fines for breaches of Union law are by no means limited to one sector. High fines have become part and parcel of enforcing Union law in nearly every field. Among the most prominent examples are the fines set forth in the GDPR and in the directive on empowering competition authorities (the ECN+ Directive) *10.
This legislation has blurred the lines between criminal and administrative law. Furthermore, Article 83 of the TFEU restricts the harmonisation of criminal law to the mechanism of directives. Quasi-criminal law, in contrast, is harmonised on legal bases that leave room for the adoption of regulations. This opens room also for debate on the possibility of directly applicable Union-level quasi-criminal law.
3. Liability of legal persons under EU criminal and quasi-criminal law
3.1. The context in general
Natural persons have been subject to judgements of guilt and punishment throughout most of the history of criminal law. Notions such as intent, guilt, and blame are intrinsically linked to individual humans. With the growth of the modern economy, risks in spheres such as the environment, finance, and public health ballooned correspondingly. It became evident that legal persons, while not capable of acting without humans, are the catalyst of many offences and should, as such, be liable for these alongside the natural persons who commit the offences. *11
There are several differences in jurisdiction-specific ways of tackling the liability of legal persons. Firstly, legal persons are not made subject to criminal sanctions in all jurisdictions. Sanctions against legal persons are often imposed outside formal criminal law, in administrative proceedings. For example, German authors are of the view that the criminal-law concept of guilt requires a socio-ethical awareness that legal persons do not possess. Therefore, those scholars maintain that legal persons cannot be subject to criminal law and can only be held liable for administrative offences. *12 As a consequence of imposing sanctions beyond the lines of criminal law, the procedural guarantees afforded to legal persons may vary from one jurisdiction to another. Even though legal persons should benefit from procedural guarantees similar to those extended to natural persons, the threshold for minimum guarantees required by both the European Court of Human Rights and the European Court of Justice might be lower than that applied to natural persons. *13
Secondly, the sanctions applicable may vary, although a fine – whether underpinned by criminal or non-criminal law – constitutes the predominant form of negative sanctions for legal persons in any case.
Finally and most importantly, the models of liability applied to legal persons can dramatically differ. Punitive liability follows from breach of a legal norm. The key question is which breaches may be attributable to a legal person and under what circumstances. The divergence in models reflects differences in understandings of the nullum crimen nulla poena sine culpa principle. It is evident that some imputation model is necessary: otherwise, it would be impossible to discern whether a legal person is liable for a given breach. Even if views on whether legal persons are capable of guilt differ starkly, any punishment must be proportional to the aim. The twin aims of (criminal- or administrative-law) sanctions – namely, punishment and deterrence *14 – are achievable only if the wrongdoer was at fault (i.e., could have prevented the breach). *15
The models of liability of legal persons applied in general, across jurisdictions, can be summarised in terms of alignment with three main principles:
1) the identification model (also called the alter-ego, directing mind and will, or direct-liability model);
2) the respondeat superior model (known also as the agency, vicarious, or strict-liability model);
3) the organisational model (referred to also in connection with corporate culture).
The identification model is the narrowest. Only the actions of persons sufficiently high in the hierarchy of a legal entity are deemed connected to that legal person for liability purposes, in that the mind and will of only these persons can be equated to the mind and will of the legal person. The respondeat superior model, in contrast, is the broadest: a legal person is liable for any offences committed by persons under its authority, such as employees or contractors on assignment. Finally, the organisational model concentrates on the corporate culture and does not require ascertaining the guilt of any individual person. *16 It appears that, being extremely narrow renders the identification model insufficient for tackling sector-specific offences in conditions wherein the breach cannot be directly attributed to a person with a controlling mind. The respondeat superior approach, on the other hand, subjects the legal person to nearly blanket-level liability for the actions of everyone under its control. With that in mind, many jurisdictions employ a combination of models. For example, they might attribute the actions of any agent under the authority of a legal person to that legal person only in cases of failure of supervision or control.
3.2. European Union criminal law
Directives adopted on the basis of Article 83 of the TFEU that establish minimum rules related to defining criminal offences and sanctions require the Member States to guarantee that legal persons in addition to natural ones can be held liable for the criminal offences specified in the directive. *17 The grounds for liability of legal persons are uniform across all domains. Occasional negligible differences in wording notwithstanding, a template similar to the following in its language gets employed:
Article [number]
Liability of legal persons
1. Member States shall ensure that legal persons can be held liable for criminal offences referred to in [the Directive] where such offences have been committed for the benefit of those legal persons by any person who has a leading position within the legal person concerned, acting either individually or as part of an organ of that legal person, based on:
(a) a power of representation of the legal person;
(b) an authority to take decisions on behalf of the legal person; or
(c) an authority to exercise control within the legal person.
2. Member States shall ensure that legal persons can be held liable where the lack of supervision or control by a person referred to in paragraph 1 of this Article has made possible the commission by a person under its authority of a criminal offence referred to in [the Directive] for the benefit of that legal person.
3. Liability of legal persons under paragraphs 1 and 2 of this Article shall not preclude criminal proceedings against natural persons who commit, incite or are accessories in to the criminal offences referred to in [the directive].
Some, though not all, directives adopted on the basis of the Article 83 of the TFEU define a legal person as ‘an entity having legal personality under the applicable law, except for States or public bodies in the exercise of State authority and for public international organisations’. *18 The non-inclusion of public bodies in the concept’s definition is justified by the fact that the contrary would ultimately entail the state punishing itself. Moreover, public bodies have public functions, which should not be placed in jeopardy by sanctions. Nevertheless, Recital 12 of the recent directive on the protection of the environment through criminal law *19 reminds Member States that, since said directive establishes minimum rules, the states are free to adopt stricter rules, inclusive of rules on criminal liability for public bodies.
The imputation of liability is based on a modification to the identification model. Generally, only the actions of a person with sufficient authority may be attributed to the legal person. In an extension to this principle, however, actions of anyone subject to the legal person’s authority may be ascribed to that legal person in cases of a lack of supervision or control by persons with sufficient authority, The subsidiary nature of this extension of the identification principle is spotlighted by an odd distinction articulated in one of the criminal-law directives. Article 10 (2) of the directive on attacks against information systems *20 gives Member States more flexibility in the choice of sanctions to be applied where a legal person is held responsible for reason of lack of supervision or control. For the latter case, the Member State is not obliged to lay down rules on (criminal or non-criminal) fines; merely codifying effective, proportionate, and dissuasive measures is deemed sufficient.
The directives require Member States to ensure that a legal person held liable is subject to effective, proportionate, and dissuasive sanctions, which shall include criminal or non-criminal-system fines and may include other sanctions.
In consequence, the criminal-law directives do not require the Member States to set up a system of criminal penalties for legal persons. *21 Non-criminal penalties suffice. This has to do with the fact that some Member States deem only natural persons to be subject to criminal law whereas any negative sanctions on legal persons are imposed as a form of response to civil or administrative liability. *22 This distinction was called into question with the simultaneous adoption of the Market Abuse Regulation (MAR) *23 and the Directive on Criminal Sanctions for Market Abuse (CSMAD) *24. Both instruments require Member States to lay down rules on fines for legal persons that have engaged in market abuse, where the MAR stipulates administrative fines and the CSMAD criminal sanctions. However, in line with other criminal-law directives, the CSMAD allows for fines for legal persons under both criminal and non-criminal law. This fact led the Legal Service of the Council of the European Union to conclude that the EU’s member states are obliged to transpose the CSMAD’s requirements by stipulating criminal-law sanctions for legal persons, because a reference to non-criminal liability in the CSMAD would not add any further value to the MAR’s terms. *25 However, the legal service’s interpretation cannot be accepted, as it is contra legem. *26
Until very recently, the criminal-law directives were quite modest in their attention to harmonising sanctions against legal persons. The only mandatory prescription was a fine (under criminal or non-criminal law). In addition, the directives provided an indicative list of optional other sanctions, which might encompass:
(a) exclusion from entitlement to public benefits or aid;
(b) temporary or permanent disqualification from practising commercial activities;
(c) placing under judicial supervision;
(d) judicial winding-up; and/or
(e) temporary or permanent closure of establishments that were used for committing the offence.
The directive on criminal-law mechanisms’ application for fighting fraud perpetrated against the Union’s financial interests *27 explicitly added optional sanctions of another sort to the list: temporary or permanent exclusion from public-tender procedures. The directive specific to combating money-laundering under criminal law *28 articulated another kind: exclusion from access to any public funding. This exclusion, which likewise may be either temporary or permanent, covers tender-related processes but also grants and concessions.
A significant leap forward in the realm of criminal sanctions for legal persons was made with the adoption of Directive 2024/1203, on protection of the environment through criminal law. Before its adoption, and in marked contrast against European Union legislation on quasi-criminal fines for legal persons, the criminal-law directives did not harmonise either minimum or maximum fines for legal persons. The environmental-crime directive introduced specific thresholds for fines, expressing these as minimum/maximum levels or, alternatively, as a percentage of the legal person’s annual turnover. In addition, it provided for optional sanctions such as obliging the legal person to restore the harmed environment to its prior state or pay compensation for the damage to the environment, requiring the legal person in breach to establish due-diligence schemes, and publishing the judicial decision related to the criminal offence committed. Quickly following suit, the directive on criminal sanctions for violating EU-level restrictions *29 set forth terms for sanctions similar to these precedent-setting ones.
As European Union criminal law is angled purely toward minimum harmonisation, many aspects of the liability of legal persons are left to the discretion of the Member States, or at least so it seems. On the other hand, not many matters of interpretation of European Union criminal law have been brought to the attention of the European Court of Justice (ECJ). For example, it would be difficult to predict how the ECJ might respond when asked about national rules’ conformity with the directives where identifying a legal person as liable in the event of lack of supervision or control hinges on demonstrating intent on the part of a person failing to fulfil his or her supervisory duties. *30 Situating the limits of Member States’ discretion is ultimately a balancing act between respect for national criminal-justice systems and the aims behind the Union’s strivings for establishment of effective, proportional, and dissuasive sanctions. The absence of referrals from national courts pertaining to matters of substantive criminal law might stem from a cautious approach and desires to protect the criminal-justice system in question: do not ask if you are unwilling to know the answer.
3.2. The European Union’s quasi-criminal law
Quasi-criminal law focuses considerably less on the individual. Therefore, imposing non-criminal sanctions on legal persons is considered less problematic. In fact, a legal person is quite commonly the primary addressee of sanctions for breaches of norms established beyond the core of criminal law – in such domains as financial markets and data protection. Here, sanctions imposed on individuals are of a somewhat secondary nature.
Most of the Union’s legislation on quasi-criminal fines requires each Member State to lay down rules providing for the possibility of levying fines against legal persons. When we take the criminal-law directives as a backdrop, we find that legislation on quasi-criminal law does not provide for a definition of a legal person. Moreover, not only legal persons but also undertakings (expressing a broader notion) or associations of undertakings may be subject to fines, though this depends on the directive or regulation. In another general pattern, whether or not public bodies should be subjectable to fines seldom gets regulated at EU level. For example, Article 83 (7) of the GDPR explicitly leaves that issue to the discretion of the Member States.
The array of sanctions here shows greater variety than that visible in the criminal-law directives. Though the sanctions most often consist of fines, several alternatives exist: the minimal upper limit may 1) be of a fixed value, 2) depend on the profits gained or losses avoided on account of the infringements, or 3) be dictated by the turnover of the legal person. Furthermore, the quasi-criminal legislation requires Member States to lay down rules on further sanction-based and other measures, often rather specific. *31 While the body of legislation on Union criminal law is relatively coherent, legislation in the domain of quasi-criminal law exhibits vast differences from one legal act to the next. These go far beyond variations in the terminology employed. The treatment is anything but systematic.
Overall, the quasi-criminal-domain legislation does not specify the model to be applied for liability of a legal person. Furthermore, and in a sharp contrast against what the criminal-law directives address, legislation in the quasi-criminal realm does not, as a rule, render the sanctions contingent on any expressions/indications of intention (or negligence). Instead, such legislation commonly refers to ‘the degree of responsibility’ as an element for one to consider when imposing fines. In light of the fragmented nature of the Union’s quasi-criminal law, ascertaining specific facets to liability of legal persons when transposing such legislation into national law is challenging.
The fact that a directive or regulation does not specify the liability model applicable to a legal person does not mean that the choice is left entirely to the discretion of Member States. While this is especially evident from the Deutsche Wohnen judgement, discussed later in this article, some inspiration could have been drawn from the jurisprudence of the Court prior to the judgement in Deutsche Wohnen too.
The ECJ explained in judgements from 1990 and 1991, in Vandevenne and Hansen, that the Community legislation on road-transport rules did not require legal persons to face strict liability for the actions of their employees. However, neither did Community legislation preclude such strict liability, so long as the penalties furnished are similar to those imposed in the event of infringements of national law of a similar nature and importance and are proportionate to the seriousness of the infringement. *32
In this arena, the ECJ has dealt predominantly with administrative fines for competition-related infringements. For example, the Court has explained rationale for when an undertaking may be held liable for the acts of an independent service provider supplying it with services. *33 Also, the Court has found that applicability of Article 101 TFEU does not necessitate there having been action by, or even knowledge on the part of, the partners or principal managers of the undertaking concerned; action by a person who is authorised to act on behalf of the undertaking suffices. *34 This does not necessarily imply that the ECJ has adopted the respondeat superior model of liability. The concept of a person being authorised to act on behalf of an undertaking is similar to that of a person having a leading role in a legal entity on the basis of a power of representing that legal person from the perspective of the criminal-law directives. The latter directives thus consider the power of representation sufficient in equating the mind and will of the natural person to that of the legal person as an expression of the identification model.
As for interpreting what constitutes an intentional or a negligent infringement, the Court has found that the conditions for showing intent or negligence are satisfied where the undertaking concerned cannot have been unaware of the anti-competitive nature of its conduct, whether or not it was aware that it was contravening the competition rules of the establishing treaty. *35 This conclusion led to surprising wording for Recital 42 to the ECN+ Directive, which states that these two notions ‘should be interpreted in line with the case law of the Court of Justice of the European Union on the application of Articles 101 and 102 TFEU and not in line with the notions of intent and negligence in proceedings conducted by criminal authorities relating to criminal matters’. This formulation for the recital is erroneous, for it presupposes that the interpretation of the ECJ is always going to differ from that by national courts in handling of criminal matters. The interpretation issued by the ECJ dealt primarily with the question of error of law, which, at least in some Member States, does not bring in the intent of the offender. *36
From these examples it is not possible to ascertain which model of liability should be employed in applying quasi-criminal sanctions to legal persons. It could be argued that, for meeting the requirement of effectiveness of quasi-criminal sanctions, the imputation standard should be lower than that associated with the criminal-law directives. Indeed, the ECJ held in Spector Photo Group that administrative sanctions were chosen deliberately as a more effective tool for enforcement of Community law and stated that the effectiveness of such sanctions would be weakened were the imposition of sanctions to be contingent on systematic analysis of the existence of a mental element in a similar vein to that for criminal sanctions. *37 There are, however, a few circumstances wherein directives or regulations encompassing quasi-criminal sanctions have pointed to the same model of liability as the criminal-law directives. Some examples are:
– Article 53 (7)–(8) of the directive on preventing the financial system’s use for purposes of money-laundering or of terrorist financing (the AMLD) *38;
– Article 28 (5)–(6) of the regulation on information accompanying transfers of funds and certain crypto-currency assets *39;
– Article 92a of the regulation instrument pertaining to fisheries control *40; and
– Article 47 of the regulation on establishing a Community system to prevent, deter, and eliminate illegal, unreported, and unregulated fishing. *41
In conclusion, there is a lack of uniformity in the Union’s punitive legislation on non-criminal fines for legal persons. Still, this does not necessarily mean that Member States are free to choose whichever liability models suit their national systems. The ECJ has the final say here – it is the Court’s prerogative to draw the lines elucidating where the discretion of Member States ends and thereby delimit an effective, proportional, and dissuasive penalty system.
4. The Estonian approach
4.1. The current landscape in Estonia – a single penal code with elements of administrative law
Since the 2002 reform of its penal law, Estonia has had a single penal code in place (its KarS). That reform eliminated the distinction created by a parallel Criminal Code and Code of Administrative Offences, which had been in force since 1986 and been incorporated into the legal order of the newly independent Estonia. The legal-policy decision behind the reform arose primarily from the fact that the two codes provided for the same prerequisites for punishability, with the only differences being in the system of sanctions – the central penalty for an administrative offence was a fine, and the application of imprisonment was ruled out – and in the procedure. For reasons of procedural economy, the powers to impose penalties in the first instance for administrative offences, as minor infringements, were entrusted to administrative officials, whose decisions could be challenged in court. Since the radical modernisation of criminal law envisaged by the reform’s architects concerned itself largely with the concept of offences, they considered it expedient to handle the substantive parts of both codes in one go, via a merged instrument. However, an important difference between the two earlier codes became evident at this juncture: the range of subjects. Pre-reform criminal law did not recognise the liability of legal persons, and the latter could face punishment for breaches of their obligations in the case of administrative offences only if the law governing the relevant area featured specific provisions for this. At the same time, the general part of the Code of Administrative Offences did not lay down the conditions under which attributing a given infringement to a legal person could even be considered. It left the latter entirely to jurisprudence. In a nutshell, the Estonian legal order before the penal-law reform was remarkably similar to the current expression of German law, characterised likewise by a distinction between a criminal code (the German StGB) and a code of administrative offences (the OWiG), with the liability of legal persons being admissible only on the basis of the latter.
With enactment of Estonia’s new Penal Code system in 2002, the acts punishable under both of the previous codes were brought together under the umbrella term ‘offence’. The conduct criminalised under the previous system’s Criminal Code was treated as criminal offences while what had been deemed administrative offences were now handled as misdemeanours (per Subsection 3(2) of the Penal Code). Criminal offences are codified in a special section of the Penal Code, and misdemeanours are governed by the laws pertaining to the sector whose requirements are backed by sanctions articulated in those laws (per subsections 3 (3–4) of the Penal Code). Notwithstanding the decodification of misdemeanours, their punishment must be based on the general principles of liability laid down in the general part of the Penal Code (per Subsection 1(1)). This requirement applies to, among other things, the grounds for liability of legal persons. Namely, the general part of the Penal Code equipped Estonia with a set of criteria for attribution of a punishable act to a legal person, for the first time in the country’s legal history. While it did so uniformly, irrespective of whether the offence is a criminal offence or a misdemeanour, there is a clear tendency in Estonian legislative practice to transpose the penalties for legal persons under EU law primarily as attached to misdemeanours, notwithstanding the fact that the often extremely high fines for these offences would seem to presuppose their punishment as criminal offences in national law.
It can be assumed that, in taking this tack, the Estonian legislator has been guided by two main considerations. Above all, national legislation cannot ignore the fact that, as the foregoing discussion already has clarified, the EU legislator has in many cases given preference to sanctioning of infringements of certain requirements by means of administrative penalties. The penal-law reform, while drawing together the substantive provisions of the former Criminal Code and the Code of Administrative Offences, maintained a procedural distinction between criminal offences and misdemeanours. Since their respective procedural rules are still laid down in separate procedural codes – the Code of Criminal Procedure (KrMS) for criminal offences and the Code of Misdemeanour Procedure (VTMS) for misdemeanours – and because the powers of prosecution and imposition of the initial penalty for misdemeanours are vested in the relevant administrative authority (the Financial Supervisory Authority for financial offences, the Data Protection Inspectorate for data-protection offences, etc.), this permits one to argue that the ensuing penalty is an administrative penalty, a form of sanctions imposed by an administrative authority.
In addition to that factor, however, there is a second one. The more general procedural economy of such an approach cannot be denied. It brings savings by avoiding the creation of a conventional sector-specific police investigation and prosecution office within the criminal-justice system by concentrating the supervision of each sector in the hands of a single specialised agency. At the same time, the transposition of EU penal-law norms as specific to the misdemeanour realm has subjected the general foundations for liability of legal persons that are identified in the general part of the Penal Code to considerable strain. On one hand, these extend in the same way to criminal offences, but, at the same time, they cover all misdemeanours, regardless of whether these are connected with subjects regulated by EU law.
4.2. The basis for liability of legal persons: The original model and further developments
As adopted in 2002, the Penal Code established the conditions for attributing an offence to a legal person on the principle of derivative liability, allowing a legal person to be punished only for an offence committed by its body or senior official (under Subsection 14 (1)). Only legal persons in private law could be punished, with their legal form being immaterial, while the liability of the state, local government entities, and legal persons under public law was excluded (per Subsection 14 (3) of the code). In this respect, the concept of legal persons’ liability expressed bore similarity to the identification model discussed above. While the need to exempt certain legal persons from liability has not come under question, neither has it been a ‘non-issue’: the circle of persons whose actions could culminate in the liability of a legal person (or so-called associates) was widened quite soon after the introduction of the Penal Code. Citing a need to bring Estonian penal law into line with international requirements, amendments to the list of associates were proposed early on, and the list of associates soon was supplemented with the notion of a competent representative, in 2008. *42 At the same time, case law started to extend the grounds for liability of legal persons, expressly with regard to misdemeanours. Because the law conceives of misdemeanours as minor wrongs, the Penal Code (via its Section 23) punishes only the commission of the misdemeanour – its execution, not its instigation or participation in it. Embracing such a solution did not fail to have an impact on the liability of legal persons, since in most cases it was not the members of the company’s governing body or its top managers who broke the rules in a particular area but ordinary employees, who did so on their instruction. Relying on the theory of organisational supremacy (Organisatsionsherrschaft), borrowed from German penal law, Estonia’s case law solved this problem by finding that a legal person may be held liable for an offence committed by an ordinary employee if that offence was committed by a member of its body or a senior official. Taking into account the trends described above and the requirements of EU law that have followed in the years since, and bearing in mind that the nation’s courts still had not taken a position on the matter of the definition of a competent representative *43,in 2023 the Government of the Republic initiated drafting for more thorough revision focused on liability of legal persons. Passed at the end of the same year, the new law provided for the incorporation of the above-mentioned case-law conclusions into the general Penal Code. That is, one of its most important aspects was the inclusion in the circle of associates of any person who committed the offence in question at the direction of an organ, manager, or competent representative of the legal person. The act of law also supplemented the landscape with elements of organisational liability both by articulating them for cases of offences of omission (in Subsection 14 (2) of the Penal Code) and by holding the legal person liable for any act if the offence occurred because of its inadequate organisation or supervision (under Subsection 14 (1) of the code). *44The lack of clarity as to whether the original wording of Section 14 of the Penal Code allowed a legal person to be held liable for offences arising from inadequate organisation/supervision had come under repeated criticism in Estonian legal literature. *45
4.3. Recent case law of the European Court of Justice as a further driver for developments in the liability of legal persons
Notwithstanding some additions stemming from organisational theory, the scope and content of which the case law has yet to clarify, Section 14 did not completely erase the link between an act of a natural person and the liability of a legal person, so it did not completely abandon the model of derivative liability. This relationship still proved to be a tricky one, and the compatibility between derivative liability and the requirements of EU law ended up becoming the subject of a reference for a preliminary ruling addressed to the European Court of Justice by a German court of first instance. At particular issue was compatibility with the rules of the General Data Protection Regulation on the liability of legal persons. Accordingly, the judgement of the European Court of Justice in this case, Deutsche Wohnen, can be seen as a landmark ruling in many respects. First of all, the grounds for liability of a legal person (in cases of either criminal or administrative liability) as required by EU law had seldom found their way into the case law of the European Court of Justice. This ruling gains further weight in that it is unequivocally clear that the positions of principle expressed in the judgement affect the legal order of any Member State that follows the model of derivative liability with regard to the liability of legal persons.
The reference for a preliminary ruling requested clarification from the European Court of Justice on two specific questions, which were mutually related. Firstly, the Court was asked whether Section 30 of the German Code of Administrative Offences – i.e., the portion of the OWiG that establishes administrative liability of a legal person in terms of a derivative model, thereby presupposing the identification of the natural person (the associate) who committed the offence – is compatible with Article 83 of the General Data Protection Regulation. Then, the Court was asked to examine whether, under the same provision, a legal person may be sanctioned as a controller under the GDPR only if the controller has acted wrongfully or, instead, the legal person’s objective liability irrespective of fault could be considered also. As the ripples from the ruling spread, the Court’s answers became well-known: following the Advocate General’s recommendations, it answered the first question in the negative and the second in the affirmative. *46 The European Court of Justice began by validating the doubts expressed in the reference for a preliminary ruling – the construction used in German administrative penal law was not compatible with the requirements of the General Data Protection Regulation in so far as the law imposed additional conditions for liability of the legal person serving as the controller under the terms of the GDPR, conditions not derived from said EU regulation; thereby, the law made it more difficult to reach the high standard of data protection mandated. The General Data Protection Regulation does not distinguish between natural and legal persons’ liability for violations of its requirements, and nowhere does it state that the liability of legal persons follows only from infringements perpetrated by their organs and agents. On the contrary, liability is incurred for infringements committed by anyone acting in the interests of the legal person and in the course of its business. Therefore, any legal person may face an administrative fine for the infringements identified in Article 83 (4)–(6) of the GDPR, provided that said legal person can be regarded as a controller and that there is no need to demonstrate that the relevant offence was committed by an identified natural person. *47For its answer to the second question, however, the Court held that, since the substantive conditions under which the supervisory authority may impose an administrative penalty for violation of the requirements of the General Data Protection Regulation are exhaustively listed in the regulation itself, it follows from Article 83 (2) (b) of the GDPR that the prerequisites for application of an administrative penalty encompass, among other components, the conduct of a legal person in committing the infringement, intentionally or negligently. It does not follow from the text of the regulation that a legal person acting as a controller may be sanctioned also for an infringement not linked to fault. *48
The Court’s interpretation, according to which the sanctioning of a legal-person controller that has breached the requirements of the GDPR shall not depend on identifiability of the natural person who acted, de facto, on its behalf, did not leave Estonian law unaffected. Similarly to Germany’s Code of Administrative Offences, Section 14 of the Estonian Penal Code generally rendered the punishment of a legal person for an offence dependent on pinpointing of an identified natural person. According to a consistent body of case law, all the criteria for existence of the offence (the presence of the constituent elements of the offence, unlawfulness, and fault) must have been displayed in the conduct of the associate before the question of whether the offence was committed in the interest of the legal person may be considered. *49For the reasons listed above, the Criminal Chamber of the Supreme Court confirmed that the terms of Section 14, as in force until 31 October 2023, were out of step with EU law in that these regulations allowed fining of a legal person in misdemeanour proceedings for the infringements referred to in Article 83 (4)–(6) of the GDPR only if the infringement had already been ascribed to an identified natural person. On the other hand, the Supreme Court did not consider the amendments that entered into force on 1 November 2023 to be contrary to EU law. *50
5. Conclusions
The recent refinements to EU law, partly in connection with the case law described above, allow several conclusions to be drawn both as to the basis for liability of legal persons in Union law generally and about the direction in which the criminal or quasi-criminal/administrative law of the Member States could usefully be developed in light of it. First of all, it is worth underscoring that the Deutsche Wohnen interpretation, which speaks in favour of organisational liability of a legal person, is limited to the General Data Protection Regulation and the penal norms contained therein. As this article has brought to the fore, the development of EU law addressing the liability of legal persons is characterised by uneven evolution, particularly with regard to quasi-criminal law, which often gets grafted onto the regulations to ensure compliance with Union rules. This type of legislation is precisely what is at issue in the case of the GDPR; therefore, the Court treaded softly. It did not intend its interpretation of the basis for liability of a legal person in Deutsche Wohnen to be all-encompassing; rather, it focused on the application of a single Union act, which does not preclude alternative interpretations in other areas, interpretations that might favour other concepts of liability of legal persons. At least one new request for a preliminary ruling has arisen against the backdrop of this judgement, in another area: an Austrian court has asked whether the domestic concept of legal-personality-linked liability complies with what Union law demands in the sphere of acting against money-laundering and financing of terrorism. *51Across the various nations and their enforcers in individual fields of law, this patchy terrain inevitably entails having to grapple with several distinct concepts.
From another perspective, one could ask whether organisational liability in the abstract sense is embodied in the Court’s interpretation of the GDPR, according to which sanctioning a legal person does not presuppose the identification of the natural person who has de facto committed the infringement but at the same time does require that the legal person as a controller have committed the infringement wrongfully. Since intentionality and recklessness are, by their very nature, purely human attributes (characterising the mental attitude of the actor toward his or her actions and those actions’ consequences), a question naturally arises as to how the liability should be established in practice if the physical person who actually carried out the deed is not identified. *52 This is why the classical idea of organisational liability is anchored in the concept of objective liability, leaving aside the natural person who carried out the act. There exists a genuine risk that interpreting the basis for liability of a legal person in light of the Deutsche Wohnen ruling is going to collapse because an important pillar is missing: doing so attempts to reconcile inherently contradictory phenomena. Clearly, the problem has not gone unnoticed by the European Court of Justice, which has sought to explain the reasoning for the judgement’s findings on intent and negligence by referring, mutatis mutandis, to prior case law according to which the conditions for vicarious liability are met ‘where that controller could not be unaware of the infringing nature of its conduct, whether or not it is aware that it is infringing the provisions of the General Data Protection Regulation’. Where the controller is a legal person, the application of Article 83 does not require action or even knowledge on the part of the governing body of that legal person. *53 Critically, one must not overlook the fact that, while knowledge is quintessential to both intent and negligence, this element is not sufficient in itself for distinguishing between intentional and negligent action, especially when the criterion referred to by the Court involves an error of law rather than an error of fact. *54 The question of how legal knowledge is to be assessed if the knowledge of the entity’s governing body is not to be taken as a yardstick remains likewise unanswered.
From the point of view of national legislators, the fragmented and non-systematic nature of EU penal law seems to imply that, at least in the arena of application of EU law, the principle of national codification of penal law is probably going to need abandoning in the near future. Sector-based differences in the system underpinning the basis for liability of legal persons require sector-specific national transposition of EU law on sanctions rather than establishment of general principles of criminal or quasi-criminal law. The above-mentioned judgement wherein the Criminal Chamber of Estonia’s Supreme Court declared the general provision of the Penal Code for liability of legal persons to be contrary to EU law with regard to the General Data Protection Regulation illustrates this awkward situation well. This judgement led to two separate norms in the same general penal-law provision (in Section 14 of the Penal Code). The first of these expressis verbis provisions must be applied for the prosecution of a legal person under rules on national sanctions, while the second one, which follows from the interpretation of the Supreme Court, must be applied specifically in cases of infringements falling under the terms of the GDPR. Although such an approach – articulating new rules on the basis of case law – might well represent an emergency solution aligned well with an acute legal problem, how consistent it is with the principles of legal clarity and certainty is obviously highly debatable. The exceptional importance of those principles for penal law cannot be overstated.
pp.89-101