The General Data Protection Regulation (GDPR) is a difficult piece of legislation to comply with, and failing to meet some of its requirements may lead to hefty fines of up to 4% of global annual revenues of the preceding year or 20 million euros, whichever is higher. Organisations may find it difficult to calculate their risk exposure when confronted with a potential breach of the GDPR, which leads to frustration and often to a focus on worst-case scenarios only.
The European Data Protection Board (EDPB) recently issued guidelines on how Member States’ data protection authorities (DPAs) should calculate fines for infringements. The guidelines follow a step-by-step approach and provide a consistent methodology for all DPAs to follow. Although these guidelines are directed toward DPAs, they also allow companies to assess their risk exposure more accurately and realistically.
How were fines calculated before the guidelines?
Under the GDPR, each European Union Member State has its own DPA responsible for enforcement. These DPAs calculate so-called administrative fines (i.e., fines for violations of the GDPR) based on various criteria set out in the GDPR. In general, DPAs are required to:
- Ensure that the fine is effective, proportionate and dissuasive.
- Consider any aggravating or mitigating circumstances, including intention or negligence, the seriousness of the infringement and the infringer’s level of cooperation.
- Respect the maximum amounts for fines set out in the GDPR.
However, these broad parameters leave much room for interpretation on how fines should be calculated, leading to uneven application across the EU and requiring lengthy dispute resolution procedures when DPAs disagree with each other on how to apply fines. It is also very difficult for businesses to accurately assess their financial exposure in the event of an infringement. The guidelines attempt to address these issues by introducing a five-step approach for all DPAs to use when calculating fines.
What is the five-step approach?
The five-step approach encourages DPAs to be objective when assessing fines under the GDPR by providing a practical calculation method and specifying a number of factual elements to consider, as follows.
Step 1: Identify infringing activities
- Identify the processing operations which infringe the GDPR.
- Apply Article 83(3) GDPR, which states that if an undertaking commits several infringements in respect of the same or linked processing operations, the total amount of the administrative fine must not exceed the amount specified for the most serious infringement.
Step 2: Starting point
Identify the legal maximum:

| Infringement | Legal maximum |
| --- | --- |
| Article 83(4) infringement | 10 million euros or, for undertakings, 2% of worldwide turnover (whichever is higher) |
| Article 83(5) and (6) infringement | 20 million euros or, for undertakings, 4% of worldwide turnover (whichever is higher) |

Assess the seriousness (nature, gravity and duration):

| Seriousness | Starting amount |
| --- | --- |
| Low seriousness | 0 – 10% of the legal maximum |
| Medium seriousness | 10 – 20% of the legal maximum |
| High seriousness | 20 – 100% of the legal maximum |

Adjust depending on the worldwide turnover of the preceding financial year:

| Worldwide turnover | Adjusted amount |
| --- | --- |
| ≤ 2 million euros | 0.2 – 0.4% of the starting amount |
| 2 to 10 million euros | 0.3 – 2% of the starting amount |
| 10 to 50 million euros | 1.5 – 10% of the starting amount |
| 50 to 100 million euros | 8 – 20% of the starting amount |
| 100 to 250 million euros | 15 – 50% of the starting amount |
| 250 to 500 million euros | 40 – 100% of the starting amount |
| > 500 million euros | 100%+ (i.e., the dynamic legal maximum applies – see Step 4) |
Step 3: Mitigating/ aggravating circumstances
DPAs must consider the aggravating and mitigating circumstances listed in Article 83(2) GDPR, such as whether the infringement was intentional or negligent, the seriousness of the infringement and the infringer’s level of cooperation with the DPA.
Step 4: Ensure legal maximums are not exceeded
Static maximums:

| Provision | Static maximum |
| --- | --- |
| Article 83(4) | Up to 10 million euros |
| Article 83(5) and (6) | Up to 20 million euros |

Dynamic maximums:

| Provision | Dynamic maximum |
| --- | --- |
| Article 83(4) | Up to 2% of the undertaking’s total annual turnover of the previous financial year |
| Article 83(5) and (6) | Up to 4% of the undertaking’s total annual turnover of the previous financial year |
Step 5: Effectiveness, proportionality and dissuasiveness
The DPA must assess whether the fine is effective, proportionate and dissuasive, or whether further adjustments are necessary to meet those requirements.
How does this work in practice?
The guidelines provide two practical examples, one of which we summarise below.
Conclusion
While the EDPB expects DPAs to apply the above calculation methods, it also states that fines should not be assessed in an automated, or merely mathematical, way. Each fine should instead be reviewed by a human being on its individual merits, taking care to ensure that the fine is effective, proportionate and dissuasive. This means that DPAs have considerable discretion over what the final amount will be, subject to the legal maximums.
The harmonised approach set out in these guidelines should provide more transparency and predictability in respect of administrative penalties in the EU (note that the Information Commissioner’s Office issued its own guidance, currently in draft form, with different calculations for organisations subject to the UK GDPR). Although the EDPB’s guidelines do not guarantee a set amount for fines, they do provide granular detail on the legal limits and mitigating/aggravating factors that will be taken into consideration. This should encourage DPAs to take a more consistent, objective approach across the EU and enable businesses subject to the GDPR to assess their compliance risk more accurately.
Please get in touch with the Cooley cyber/data/privacy team if you would like some assistance with calculating a potential GDPR fine.