Claire Morrissey: The new EU-wide approach to GDPR fines
Claire Morrissey of Maples and Calder, the Maples Group’s law firm, examines new EU guidelines on GDPR fines.
The approach to the General Data Protection Regulation (GDPR) fines has varied significantly across EU member states. On 16 May 2022, the European Data Protection Board (EDPB) published draft guidelines on the calculation of administrative fines under the GDPR.
The Guidelines are intended to harmonise the starting point and methodology for calculating GDPR fines but not the outcome, as fines will depend on all the circumstances of the particular case.
Current approach
GDPR fines have been trending upwards with a sharp increase in the number of headline-grabbing fines imposed on big tech in 2021 and 2022.
Prior to August 2021, Google’s 2020 fine of €50 million was the highest fine on record. This is now only the sixth highest recorded fine imposed for GDPR breaches. This is also reflected in the Irish Data Protection Commission’s (DPC) approach to fines, with its three largest fines being imposed in the last 12 months.
Organisation | Fine | Date |
---|---|---|
WhatsApp Ireland | €225,000,000 | September 2021 |
Meta | €17,000,000 | March 2022 |
Bank of Ireland | €463,000 | April 2022 |
€450,000 | December 2020 |
The Guidelines introduce a harmonised five-step method for calculating administrative fines.
Establishing the number of infringements
A supervisory authority (SA) first identifies the processing at issue. The SA will consider whether the actions resulting in GDPR breaches result from multiple different processes, or one single process (or linked processes). Where the same or linked processes result in multiple breaches, the fine imposed will not exceed the maximum amount which applies to the most serious infringement.
Two processing operations resulting in a breach will be “linked” for the purposes of determining the fine imposed if the infringing activities forms one set of linked operations (e.g. collecting and storing data) or if the infringing activities occur in close succession.
For instance, a financial institution requesting and receiving a credit check from a credit reporting agency without proper legal basis and storing this information without the appropriate safeguards, involves two infringements resulting from two processing operations: collection and storage; but because each processing operation forms part of one “linked operation,” the Guidelines provide that they would be considered linked processes for the purposes of identifying the maximum fine.
Find the starting point sum for the fine calculation
Once the relevant processing infringement(s) are identified, the SA identifies the starting point sum (SPS) for the calculation of the fine. This will be divided into three stages:
(a) Identifying which GDPR maximum fine category it falls into:
- Two per cent of the undertaking’s annual turnover or €10 million (whichever is higher) for infringements falling under Article 83(4)GDPR; or
- Four per cent of the undertaking’s annual turnover or €20 million (whichever is higher) for infringements falling under Articles 83(5) and 83(6) GDPR.
The SA uses the higher of the two amounts to determine the GDPR maximum fine category in respect of an infringement.
(b) The SA then determines the overall seriousness of the infringement. This involves an assessment of the nature, gravity and duration of the infringement, the intentional or negligent character of the infringement, and the categories of personal data affected (particularly where special categories of data are affected) are taken into account (Articles 83(2)(a) ((b), and (g) GDPR respectively). The following percentages of the applicable GDPR maximum fine category will be applied depending on the level of seriousness of the infringement in order to determine the SPS:
Level of Seriousness | Liability Cap Relative to the GDPR Maximum Fine Category |
---|---|
Low | 0 – 10% |
Medium | 10 – 20% |
High | 20 – 100% |
(c) The SA then has discretion to reduce the SPS to a lower percentage of the sum calculated in (b) as per the table below in order to ensure the fine is effective, proportionate and dissuasive. The SA is not obliged to reduce the SPS and even if it does, it may reduce the sum only partially.
Annual Turnover | SPS Reduced to % of the SPS |
---|---|
< €2 million | 0.2% |
€2 – 10 million | 0.4% |
€10 – 50 million | 2% |
€50 – 100 million | 10% |
€100 – 250 million | 20% |
> €250 million | 50% |
Aggravating and mitigating circumstances
After establishing an SPS, the SA reviews aggravating and mitigating circumstances under Article 83(2) GDPR and if necessary, adjusts the fine accordingly. Factors that may be considered include:
- Any action taken to mitigate the damage suffered by data subjects, with particular regard to the timeliness and effectiveness of such actions.
- The degree of responsibility of the controller or processor.
- Any relevant previous infringements by the controller or processor, and, in particular, whether the controller or processor has a track record of infringement.
- The degree of cooperation with the SA in order to remedy the infringement and mitigate the possible adverse effects of the infringement.
- The manner in which the infringement became known to the SA, in particular, whether (and if so to what extent) the controller or processor notified the infringement.
There is no precise formulae for deciding the weight of each factor, and the SA has discretion as to how to adjust the SPS based on the presence of any aggravating or mitigating factors.
Checking the SPS against the GDPR fine category
Once all of the above factors have been considered, the SA checks that the SPS does not exceed the threshold for the GDPR fine category under Article 83(4) – (6) GDPR.
This includes consideration of whether the maximum fine is set by reference to the static thresholds of €10 or 20 million, or the dynamic threshold established by reference to an undertaking’s annual turnover. A turnover-based maximum will only apply when an undertaking’s total annual turnover of the previous year amounts to more than €500 million.
Ensuring the fine is effective, dissuasive and proportionate
Finally, the SA considers whether the fine is effective, dissuasive, and proportionate.
Proportionality is reviewed by reference to the severity of the infringement and size of the undertaking. The SA may also consider unique social and economic factors, such as whether the fine would irreparably damage the business of the undertaking, as part of a proportionality assessment.
The fine will be considered effective if it achieves the objectives with which it was imposed, such as to re-establish compliance with the rules, to punish unlawful behaviour, or both.
The fine will be dissuasive if it produces a genuine deterrent effect on the infringing body from committing the same infringement.
Implications for data controllers and processors
The Guidelines are expected to result in a more transparent and proportionate approach to fines for small and medium-sized enterprises. The Guidelines will ensure an upward trend in fines to large organisations, particularly where a group of companies are considered as a single undertaking and the fine is calculated as a percentage of the undertaking’s annual turnover.
In the wake of these new Guidelines, it is clear that the days of relatively small fines for large organisations breaching GDPR is in the past. It will be interesting to see the extent to which the methodology set out in the Guidelines are applied to the calculation of any fines imposed on Instagram in the DPC’s decision, which is expected to be issued this month, relating to Instagram’s alleged violation of children’s privacy.
- Claire Morrissey is partner and head of Maples and Calder’s data, commercial and technology team in the Maples Group’s Dublin office.