Since the adoption of the General Data Protection Regulation (GDPR) in 2016, considerable attention has focused on the vastly increased scope of potential administrative fines, and even more attention is being paid to the issue with the GDPR becoming effective on May 25, 2018. In this post, we summarize the key fining provisions, and analyze the recent relevant guidance on this issue from the Article 29 Working Party (an advisory group consisting of representatives from national data protection authorities together with the European Commission).
To summarize, the GDPR provides for potentially massive new fines for violations of its provisions, which represent a significant increase over the prior (and current) EU data protection regime, as follows:
- The GDPR provides that (1) fines of up to 4% of an undertaking’s global annual turnover for the preceding fiscal year, or €20,000,000 (whichever is higher) can be levied for breaches of key data processing principles (such as lawfulness, fairness, transparency, purpose limitation, data minimization, storage limitation, integrity, confidentiality and accountability) or of data subjects’ rights (such as the right to be informed, right of access, right to rectification or the “right to be forgotten”) or for transferring personal data outside the EU without a valid ground or derogation; and (2) fines of up to 2% of an undertaking’s global annual turnover for the preceding fiscal year, or €10,000,000 (whichever is higher) can be levied for other breaches of the GDPR, including those concerning the principles of data protection “by design” and “by default”, the failure to designate a data protection officer, the failure to take appropriate security measures or the failure to duly notify data breaches.
- In some cases, the applicable cap may not always be clear (for instance, a breach of security obligations, which is subject to the lower cap, may also result in breaches of the principles of integrity and confidentiality, which are subject to the higher cap), and further guidance will be needed from data protection authorities as well as case law interpreting the GDPR.
- Under the current European regime (Data Protection Directive 95/46/EC), which will be superseded by the GDPR, the amount of potential administrative fines is a matter left to national discretion. By way of example and comparison with the GDPR:
  - In the UK, the Information Commissioner’s Office (ICO) can levy fines of up to £500,000 for the most egregious breaches of the national data protection law, and its highest fines to date have been £400,000;
  - In France, legal entities may be fined up to €3 million, although the highest fines to date have been €150,000 (as imposed on Facebook earlier this year and previously on Google in 2014);
  - In Germany, the highest fine for a single infringement is €300,000 (subject to increases in order to disgorge excess profits generated by a breach), but multiple infringements may be bundled to create larger fines, as with the €1.46 million fine against Lidl in 2010 (the largest fine levied to date by the German regulator).
It is unsurprising that further information on the assessment criteria for these fines has been keenly anticipated. With less than six months before the deadline for complying with the GDPR, recently published guidance from the Article 29 Working Party provides some helpful insight for those considering their compliance priorities. A summary and analysis of the Article 29 Working Party’s assessment criteria guidance is set out below (full text here):
- “Undertaking” should be construed broadly. When it comes to determining turnover for purposes of calculating maximum fines, in line with previous EU case law, “undertaking” – i.e., the body of the corporation or partnership for purposes of calculating annual revenue – should be understood to mean an economic unit engaging in the same commercial/economic activities, which may include the parent company and all relevant subsidiaries.
- A fine may not always be appropriate. The guidance states that a reprimand may be issued instead of a fine in the following circumstances:
  - where the fine would constitute a disproportionate burden to a natural person;
  - where the breach is a minor infringement; and
  - where the infringer adheres to a code of conduct, and the regulator considers that enforcement under the code will be sufficiently effective or proportionate.
- The guidance states that regulators should have regard to the following factors when assessing the nature, gravity and duration of the infringement:
  - the number of individuals affected relative to the total pool; a larger number or proportion may indicate a systematic breach or a lack of adequate routines;
  - the purpose of the processing (and whether the use of the personal data was compatible with the specified purpose);
  - the level of damage suffered by affected individuals, although the fine should not be taken to be compensation for the damage suffered; and
  - the duration of the processing; a longer duration may indicate willful misconduct or a failure to take appropriate preventative measures.
- Regulators should take into account the degree of responsibility of the controller or processor. The degree of responsibility will require an assessment of, for example, whether technical, organizational and security measures were implemented by the organization (by design and by default), taking into account best practices and the state of the art.
- Notification to the supervisory authority. While fulfilment of the GDPR notification obligations shall not be interpreted as an attenuating/mitigating factor, a failure to notify may be considered by a supervisory authority as an aggravating circumstance meriting a more serious penalty (failure to notify is unlikely to be classified as a minor infringement).
- Failure to follow the advice of your data protection officer may constitute an aggravating factor, as it may show that a breach was intentional. Other indicators of intention include amending records which include personal data to give a misleading impression about targets being met (noted by the Article 29 Working Party as having been seen in the context of hospital waiting times), or trading personal data for marketing purposes without regard to data subjects’ consent (i.e., selling data without checking, or while disregarding, whether the data subjects’ consent has been obtained).
- Other aggravating factors include:
  - Failing to dedicate adequate resources to data protection, taking into account the nature and complexity of the business;
  - Previous infringements, where this indicates a general disregard for the data protection rules;
  - Any economic gain obtained by the organization from the breach.
- Actions taken to mitigate the impact on individuals may reduce the level of the fine, although the guidance emphasizes that no credit will be given to organizations for simply complying with their GDPR obligations. Examples of potentially mitigating actions include timely action which prevents the breach from continuing or expanding.
Other than the scale of the potential fines, the guidance does not suggest a fundamental change in approach. For example, many of the points mentioned above also feature in the current UK ICO guidance on calculating monetary penalties. However, unlike the current ICO regime, neither the GDPR nor the Article 29 Working Party’s guidance requires that substantial damage or distress has resulted, or is likely to result, from the infringement in order to support the imposition of a fine. Supervisory authorities may therefore be willing to levy fines for minor breaches of the regulation even if they were previously barred from doing so. The GDPR does feature a “consistency mechanism,” which is intended to promote a consistent application of administrative fines across member states. It is likely, therefore, that supervisory authorities will look to each other more readily to determine what amounts to an “effective, proportionate and dissuasive” fine (as per Article 83 of the GDPR) under the circumstances.