New GDPR guidelines on fines on the way
The European Data Protection Board ("EDPB") recently published new guidelines ("Guidelines") on the calculation of fines for breaches of the General Data Protection Regulation ("GDPR"). Currently, each national regulator has its own policy (the Dutch data protection authority, for example, has published its own fining policy) and there are no common principles for the calculation of fines imposed under the GDPR. The Belgian and Luxembourg authorities have not published any guidelines of this kind.
Purpose of the Guidelines
The purpose of the Guidelines is to harmonise GDPR fining policies so that national data protection authorities ("Authorities") within the European Union will henceforth calculate fines for violations of the GDPR in a similar way. As a result, controllers and processors will know where they stand and what to expect when a fine is imposed, it being understood that in some countries (including Luxembourg) administrative fines cannot be imposed on public bodies.
At present, the Guidelines have yet to enter into force and are only in draft form. Anyone can provide feedback on the draft version until 27 June 2022.
The Guidelines include a step plan, set out below, to which Authorities can refer when imposing fines.
Step 1 – Determine the sanctionable conduct and the infringement
Determine the sanctionable conduct (a set of factual circumstances) and the infringement (an abstract legal description) on which the fine is based.
Step 2 - Determine the category of fine, the seriousness of the violation and the turnover of the undertaking concerned
Determine and assess the following:
- Category of fine: depending on the provision infringed, the legal maximum is either EUR 10 million or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher (Article 83(4) GDPR), or EUR 20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher (Article 83(5) and (6) GDPR).
- Seriousness of the infringement: the nature, gravity (including the number of data subjects affected and the level of damage suffered) and duration of the infringement, whether the infringement was intentional or negligent, and the categories of personal data concerned, pursuant to Article 83(2)(a), (b) and (g) GDPR. On the basis of these factors, Authorities must classify the infringement as of low, medium or high seriousness. The starting amount of the fine is then set at up to 10% of the applicable legal maximum (low), 10% to 20% of the applicable legal maximum (medium) or 20% to 100% of the applicable legal maximum (high).
- Turnover of the undertaking: pursuant to Article 83(1) GDPR, the fine must be effective, proportionate and dissuasive. For this reason, according to the EDPB it is fair to adjust the fine to the size of the undertaking, taking into account its annual turnover. The Guidelines therefore leave Authorities discretion to adjust the starting amount of the fine to the undertaking's turnover, so that a larger undertaking can face a higher starting amount than a smaller one for the same infringement.
Step 3 – Determine if there are aggravating or mitigating circumstances
Determine whether there are aggravating or mitigating circumstances related to the past or present conduct of the controller or processor and increase or decrease the fine accordingly. Aggravating or mitigating circumstances, as referred to in Article 83(2) GDPR, include (i) any financial benefit gained from the infringement, (ii) any relevant previous infringements (an aggravating circumstance only) and (iii) the degree of responsibility of the controller or processor.
Step 4 – Determine if the legal maximum is exceeded
Determine whether the increases applied in the preceding steps (or any further increase applied in step 5) would result in the relevant legal maximum amount being exceeded, it being understood that the legal maximum is calculated at the level of the undertaking as a whole, i.e. at group level.
Step 5 – Determine if the requirements of effectiveness, deterrence and proportionality are met
Analyse whether the final amount of the fine meets the requirements of effectiveness, deterrence and proportionality and increase or decrease the fine accordingly.
The Guidelines also contain useful guidance on how fines should be applied in the event of multiple acts resulting in one or more infringements, and of a single act giving rise to multiple infringements. When there is an insufficient link between two sets of factual circumstances, they will be considered to give rise to two separate acts of sanctionable conduct, which can be fined separately, with the legal maximum applying to each individually.

Conversely, linked sets of factual circumstances may constitute a single act of sanctionable conduct giving rise to multiple infringements. The Guidelines cite the example of a data broker that collects "consumer transaction history from dozens of retailers without a legal basis, to perform psychometric analysis to predict future behavior of individuals, including political voting behavior, willingness to quit their job and more". The collection of the data and its further use are closely linked and constitute a single act of sanctionable conduct. If multiple infringements result from such conduct (such as the absence of a valid legal basis for the processing, a failure to provide information to the data subjects, or a failure to ensure an effective right of access), Article 83(3) GDPR provides that "the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement".

In practice, this means that when an Authority imposes a significant fine and the body before which an appeal is brought concludes that one particular infringement cannot be proven, the amount of the fine will not necessarily change, provided that another infringement of the same or a higher level of seriousness has been upheld.
Effect of the Guidelines in practice
Although the Guidelines are intended to harmonise the fining practices of the Authorities, it is not clear from the step-by-step approach they set out that Authorities will in fact impose fines in a uniform way.
The step plan provides a framework for the calculation of GDPR fines, including categories for determining the seriousness of the infringement. At the same time, however, the Guidelines mainly contain criteria that still need to be fleshed out, including the number of data subjects affected, the volume of personal data involved, the nature of the infringement and the purpose of the processing. To ensure legal certainty and equal treatment, it would be better if weightings (risk percentages) were assigned to each of these criteria, with the total used to determine the seriousness of the infringement (low, medium or high). This total percentage could then serve as the starting point for the remaining steps. As it stands, steps 3, 4 and 5 leave Authorities considerable room to influence the calculation of the fine.
In addition, the EDPB clarifies in the Guidelines that Authorities will still have discretion to apply the "full range of fines", from the minimum amount up to the legal maximum, so that fines can be adjusted to a specific situation. However, if an Authority imposes a fine that derogates from the Guidelines (once they are final and in force), it must provide an appropriate justification for the derogation.
Completely equal treatment in the calculation of fines does not seem possible as much will depend on the precise circumstances of the case, and how these circumstances are assessed will most likely continue to differ, to some extent, from one Authority to another.