Update Data Protection IP, Media & Technology Nr. 112 and Update Compliance 13/2022
Data Protection Infringements and their Price – EDPB's new Guidelines on Calculating Fines under the GDPR
The European Data Protection Board (EDPB) recently presented new guidelines dealing with the methodology for calculating fines for data protection infringements (Guidelines) under the European General Data Protection Regulation (GDPR). It has provided a five-step plan that all European data protection authorities will have to use to uniformly determine and calculate the fines they impose. The aim of the Guidelines is to standardize the different fining practices of the Member States’ national data protection authorities and to render enforcement activities more transparent.
The EDPB had already published some guidelines in 2018 that laid out the conditions under which data protection authorities should impose a fine following a data protection infringement. The new Guidelines are designed to complement these previous guidelines.
Guidelines' objectives: Europe-wide harmonization of fines relating to data protection infringements
The Guidelines aim to solve the problem of the inconsistent handling of data protection infringements across Europe that has persisted since the GDPR entered into force around four years ago: Not only do the national data protection authorities vary in their level of enforcement activity, they also utilize the fining framework presented in the GDPR differently. This leads to significant variation in the level of the fines imposed across Europe.
Therefore, the national data protection authorities now need to use the methodology established in the Guidelines to calculate fines relating to infringements of the GDPR. This should lead to a harmonization throughout Europe of such fines relating to data protection infringements.
The EDPB’s approach: Standardized methodology for setting fines
The Guidelines lay out five steps to help the responsible authorities calculate the level of individual fines:
1. Identifying the (number of) actual data processing operation(s) and legal assessment of the (number of) infringements in accordance with Art. 83(3) GDPR;
2. Determining the starting level of the fine (Art. 83(4) to (6) GDPR) and classifying the seriousness of the infringement taking into account the turnover of the undertaking;
3. Evaluating any mitigating or aggravating circumstances of the individual case relating to the controller/processor responsible for the data processing and increasing or decreasing the fine accordingly;
4. Identifying the relevant maximum amount for the fine that must not be exceeded for the infringement/infringements in question;
5. Verifying that the total of the calculated fine is effective, dissuasive and proportionate within the meaning of Art. 83(1) GDPR and adjusting the calculated amount of the fine if required.
The EDPB emphasizes that the data protection authorities must always assess the full circumstances of each specific case. Furthermore, the data protection authorities must carefully justify their fining decision on the basis of all relevant factors (see Art. 83(2) GDPR).
Determining the starting level of the fines
A key point in the Guidelines deals with establishing the starting level for calculating the fine, known as the “starting point”.
This is decided using three factors: the classification of the offence in relation to the violated standard, the seriousness of the individual offence and the turnover of the respective undertaking. From this basis, the Guidelines then lay out three different reference frameworks, according to the seriousness of the infringement. Thus, the starting point for minor infringements should be between 0% and 10% of the maximum amount and between 10% and 20% for medium infringements. For severe infringements, a starting point between 20% and 100% of the maximum framework becomes applicable.
Depending on the undertaking’s turnover and the severity of the infringement, the starting point can be further adjusted by the data protection authorities. In this regard, the Guidelines include various turnover thresholds at which the data protection authorities can consider applying a percentage adjustment to the starting point. It is especially noticeable that (even if the starting point can thus be reduced significantly in terms of percentage) undertakings with a high turnover can still be fined comparatively high amounts for minor infringements. This is clear from example 6a presented in the Guidelines (see pp. 23 et seq. of the Guidelines), in which the EDPB considers that, even for a minor infringement and with a 50% reduction, an amount of EUR 25 million would be an appropriate starting point for calculating the fine for an undertaking with an annual turnover of EUR 8 billion. Consequently, this means that the EDPB’s stipulations may lead to proportionally high fines for large undertakings with high turnovers.
That being said, the EDPB explicitly states that fines must always be proportionate, so an undertaking’s financial situation and the risk of insolvency as a result of the fine must be taken into account in the overall calculation. However, the EDPB also clearly states that the mere fact that an undertaking is in a poor financial situation, or will be placed in one as a result of the fine, is not enough per se to reduce the level of a fine or to avert it altogether. Rather, according to the EDPB, the affected undertakings must concretely present the negative risks (e.g. by submitting financial data, restructuring plans, arrangements with banks) so that these can be taken into account when calculating the fine.
Given this, it remains to be seen whether the EDPB model for determining the starting point will be upheld in court.
Direct corporate liability without personal culpability of the undertaking's management
A further important point of the Guidelines relates to the direct liability of undertakings for GDPR infringements. According to the EDPB, a corporate fine does not depend on conduct imputable to individual natural persons, such as members of the undertaking’s management. In its Guidelines, the EDPB assumes direct and autonomous corporate liability. This would mean that national regulations of Member States that oppose direct corporate liability are unlawful.
This point is particularly relevant for fining procedures in Germany, as the German Act on Regulatory Offences (OWiG) explicitly provides for corporate liability only if the undertaking’s management is directly and personally culpable (Sections 30, 130 OWiG). The German data protection authorities consider these regulations inapplicable in relation to fines according to the GDPR – as the EDPB now does, too.
No standardized practice has yet been established on this point in German jurisprudence. While the Regional Court of Bonn (ruling of November 11, 2020 – 29 OWi 1/20) maintained that the aforementioned OWiG regulations were inapplicable, the Regional Court of Berlin (ruling of February 18, 2021 – 526 OWi LG 212 Js-OWi 1/20) came to the conclusion that the OWiG regulations are applicable without restriction and stopped the fining proceedings against the undertaking in question because the supervisory authorities had not sufficiently established a concrete, imputable and culpable conduct of natural persons.
This question of direct corporate liability will ultimately be clarified by a decision from the ECJ. Such a decision is expected soon following the submission of the Regional Court of Berlin on December 6, 2021 (Case no. 3 Ws 250/21). Should the ECJ agree with the view of the EDPB and the German supervisory authorities, a very valuable defense argument in practice in Germany (no direct corporate liability) will no longer be valid.
Conclusion
The new EDPB Guidelines are still in the consultation phase, so further amendments to the Guidelines by the EDPB cannot be excluded. However, experience tells us that we cannot expect fundamental adjustments. At the conclusion of this process, the question will be to what extent the Guidelines will affect the practice of the German data protection authorities. It will be crucial to see whether they will adapt their current detailed fining concept or will even relinquish it entirely. In any case, the German data protection authorities will have to take into account the Guidelines when interpreting the regulations on fines.
From a corporate perspective, the contents of the Guidelines give some valuable insights for practice. Indeed, the Guidelines provide a reliable reference point to be able to determine the fine an undertaking could potentially receive. This is because, even if the final level of the fine continues to be subject to the judgment of the relevant supervisory authority, and it remains necessary to carry out a comprehensive assessment of the relevant factors, it is nonetheless possible to make at least an estimate of the potential starting point. This will, in turn, enable better risk assessments and lead to the development of avoidance and defense strategies. This could be very important for undertakings with a high turnover, as these could be fined comparatively high amounts, even for minor infringements.
The indications of direct corporate liability – pending the expected decision of the ECJ – show the future direction of practice for the time being. A conclusive clarification of the much-criticized direct corporate liability may only be expected with the pending decision of the ECJ. Until then, affected undertakings should continue to carefully examine all arguments to defend themselves against fining decisions.