Whereas public supervisory authorities granted an informal grace period to implement the new provisions of the EU General Data Protection Regulation (GDPR) and allocated many resources to awareness-raising campaigns in 2018, their focus clearly shifted towards enforcement in 2019. The risk of sanctioning proceedings and the imposition of high fines by state agencies overseeing GDPR compliance increased dramatically.
Who is supervising GDPR compliance?
To get an overview of enforcement practices by public authorities and to assess liability risks based thereon, it is necessary to understand the concept of distributed responsibilities for enforcement within the EU. Even though most national privacy laws were harmonized at EU level when the GDPR became applicable in May 2018, supervision and enforcement remain the task of the individual EU member states and their national supervisory authorities.
Divided responsibilities and cooperation
Owing to this concept of divided responsibilities, liability risks may vary throughout the EU, depending on the respective authority’s readiness to follow a strict approach in interpreting the requirements of the GDPR and to exhaust the scope of possible fines within its discretion. However, the GDPR also established the European Data Protection Board (EDPB), an independent EU body consisting of representatives of all national data protection authorities. The goal of this cooperation body is to prevent inconsistent interpretation of the GDPR across the EU.
The EDPB’s work does improve legal certainty. Its guidance on the interpretation of the GDPR provides a comprehensive framework for the most relevant privacy topics and is applied by the national authorities in their daily work. The EDPB also strives to standardize fining under the GDPR with its guidelines on the application and setting of administrative fines, which are, however, rather broad and expected to be complemented later, particularly regarding the calculation basis for the amount of fines. Meanwhile, some national authorities try to bridge the gap by publishing their own criteria, which we outline in this article.
Determining the competent authority
In general, each national supervisory authority is competent for the performance of its tasks and the exercise of its powers “on the territory of its own Member State” (Art. 55 GDPR). In a digitized world, in which cross-border data flows have become the norm, this concept raises many follow-up questions. Recital 122 of the GDPR provides some clarification by stating that a national authority is competent for data processing “in the context of the activities of an establishment of the controller or processor on the territory of its own Member State” and for “processing affecting data subjects on its territory”. Hence, as a general rule, the authority competent to enforce the GDPR is the one of the country where the company’s establishment or the data subject affected by the data processing is located.
With regard to cross-border data processing, multi-national companies maintaining establishments in more than one EU member state may rely on the concept of the “lead supervisory authority” (Art. 56 and 60 GDPR). Under this one-stop-shop mechanism, the supervisory authority of the main establishment in the EU must cooperate with the other authorities concerned, but it is the only authority competent to lead enforcement against this company for cross-border processing. For example, a company with a main establishment in France and small branch offices in Poland and Hungary will, in cross-border cases, be fined by the French authority. Note the exception in Art. 56 para. 2 GDPR: a local authority remains competent to handle a complaint whose subject matter relates only to an establishment in its own member state or substantially affects data subjects only in that state.
The principle of one “lead authority” does not apply to companies without any establishment in the EU which still fall within the scope of the GDPR, irrespective of whether they have appointed an EU representative or not. Regarding enforcement, Recital 122 of the GDPR says that a national authority is competent for data processing operations “carried out … when targeting data subjects residing on its territory”. Therefore, various authorities remain simultaneously competent if the company markets its products in more than one EU member state. For example, it must deal with the French authority if a data subject residing in France lodges a complaint, and with the Portuguese authority if a customer from Portugal makes a complaint there. Appointing a GDPR representative (Art. 27 GDPR) does not change this: according to the EDPB’s guidance, the mere presence of a representative does not trigger the one-stop-shop mechanism, so a company without an EU establishment must also notify a data breach to each supervisory authority in whose member state affected data subjects reside.
What are the legal basics of GDPR enforcement?
When the GDPR became applicable in May 2018 and replaced the former national privacy laws in all EU member states, it was particularly praised by politicians and civil rights activists for enabling the supervisory authorities to issue much higher penalties for non-compliance than under the previous national regimes.
Indeed, Art. 83 GDPR allows for drastic fines if companies disobey their data privacy obligations. All requirements for data controllers and data processors under the GDPR are grouped into two categories, subject to different limits for the maximum amount of the fine:
- Violations of the first category of obligations (Art. 83 para. 4 GDPR) may result in a fine of up to 10mio. EUR or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. This category includes infringements such as the absence of data processing agreements with IT vendors (Art. 28 GDPR), insufficient data security standards (Art. 32 GDPR), non-compliance with reporting obligations in the event of a data breach (Art. 33-34 GDPR) or, if applicable, failing to appoint a Data Protection Officer (Art. 37 GDPR).
- Violations of the second category of obligations (Art. 83 para. 5 GDPR) may result in a fine of up to 20mio. EUR or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. This category includes infringements such as non-compliance with the principles of the GDPR (Art. 5 GDPR: storage limitation, purpose limitation, etc.), unlawful processing of personal data (Art. 6 GDPR), failing to comply with data subjects’ rights (Art. 12-22 GDPR), or unjustified international data transfers (Art. 44-49 GDPR).
Art. 83 para. 1 GDPR requires that fines in each individual case be “effective, proportionate and dissuasive”. Art. 83 para. 2 GDPR contains a list of criteria to be taken into account when deciding whether to impose an administrative fine and on its amount:
- the nature, gravity and duration of the infringement taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
- the intentional or negligent character of the infringement;
- any action taken by the controller or processor to mitigate the damage suffered by data subjects;
- the degree of responsibility of the controller or processor taking into account technical and organizational measures implemented by them (Art. 25 and 32 GDPR);
- any relevant previous infringements by the controller or processor;
- the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
- the categories of personal data affected by the infringement;
- the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;
- where measures such as warnings, orders, or bans on certain processing (Art. 58 para. 2 GDPR) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;
- adherence to approved codes of conduct (Art. 40 GDPR) or approved certification mechanisms (Art. 42 GDPR); and
- any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.
National provisions on the rights and obligations of enforcement bodies apply in addition, covering, for instance, the details of the administrative proceedings, including the addressee’s right to object to an authority’s decision and to seek further judicial remedies.
How was the GDPR enforced in 2019?
In 2019, the following cases at or above the 1mio. USD mark attracted public attention:
- The British supervisory authority (ICO) announced the highest individual fines of the year in the form of notices of intent against British Airways (approx. 230 mio. USD) and Marriott (approx. 125 mio. USD), in both cases due to an insufficient level of data security; the final amounts remained subject to the companies’ representations at the time of writing.
- Google was hit by the third-highest fine of the year, imposed by the French authority and amounting to approx. 57mio. USD for insufficient and non-transparent privacy policies, resulting in unlawful data processing operations.
- The Austrian Post suffered from an approx. 20mio. USD penalty for unlawfully profiling Austrian citizens by their political opinions, which also encouraged consumers to claim compensation for non-material damages in court.
- The highest fines imposed by German authorities ranked 5th and 6th in 2019: approx. 16mio. USD on a real estate company (Deutsche Wohnen) that failed to delete old and outdated tenant information, and approx. 10.6mio. USD on a telecom service provider (1&1) whose customer service disclosed personal information to callers without adequately verifying that the caller was the actual customer.
- In Bulgaria, the National Revenue Agency was fined approx. 2.9mio. USD after personal information on six million persons was illegally accessible due to a lack of data security measures.
- The Dutch supervisory authority imposed an approx. 1mio. USD fine on an employee insurance provider for non-compliance with GDPR data security standards, as employers were able to access health data of their employees through a portal that did not require multi-factor authentication.
Even though these prominent cases suggest that insufficient data security standards are a major trigger of investigations and penalties, an overall look at enforcement activities shows that violations of almost all GDPR obligations have been sanctioned. This includes the absence of a legal basis for data processing, insufficient privacy statements, non-compliance with data subjects’ rights (such as the right of access and the right to erasure) or with the obligation to report data breaches, and infringements of GDPR principles such as storage limitation, data minimization, and purpose limitation.
Data published by the European Data Protection Board reveals that, from May 2018 to November 2019, the national supervisory authorities altogether received 275,557 complaints and issued 785 fines. According to a survey conducted by the German newspaper Handelsblatt, altogether in 2019, the various regional authorities in Germany alone imposed administrative fines in at least 187 cases.
Are there efforts to streamline fining practices?
The German and the Dutch supervisory authorities have published concepts for calculating administrative fines in case of GDPR infringements, aiming to streamline enforcement practices within the framework set out in the GDPR (see above: max. 10mio. EUR / 2% of annual turnover or 20mio. EUR / 4% of annual turnover, depending on the obligation allegedly infringed). Both are intended as interim solutions until the EDPB issues final and exhaustive guidance to be applied throughout the EU.
After summarizing the concepts, we will apply them to Example, Inc. in the following (simplified) fictional setting: the company had a turnover of 6mio. EUR in the last financial year and based certain data processing operations on consent, but negligently failed to meet the conditions for valid consent (Art. 7 GDPR), so that the processing lacked a legal basis under Art. 6 GDPR and personal information of 2,000 users was used unlawfully. Following a request by the competent supervisory authority, Example, Inc. made major efforts to rectify the shortcomings quickly and cooperated closely with the authority.
The Dutch fining concept
In the guidelines of the Dutch authority (Autoriteit Persoonsgegevens, available only in Dutch), all obligations under the GDPR are grouped into four categories, and each category is assigned (a) a standard fine bandwidth and (b) a standard fine, which is the middle value of that bandwidth. The paper then lists criteria for deciding whether to deviate from the standard fine within the bandwidth. These criteria reflect the aspects to be considered under Art. 83 para. 2 GDPR, which we summarized above.
The standard fines of the four categories are 100,000 EUR, 310,000 EUR, 525,000 EUR, and 725,000 EUR. In exceptional cases, such as repeated infringements (automatic increase of 50% if the company was fined for a similar violation in the past five years) or if a fine within the bandwidth seems inappropriate in the individual case, the authority may deviate from the scale and impose higher fines up to the statutory maximum.
The violation by Example, Inc. (Art. 6 GDPR) falls into category III with a standard fine of 525,000 EUR. Taking into account the company’s efforts to mitigate the consequences of the infringement and its willingness to cooperate with the authority, the fine is adjusted downwards within the standard bandwidth for this category, which ranges from 300,000 to 750,000 EUR (the 525,000 EUR standard fine being its middle value). Due to the high number of affected users, it will still be above the lower limit. Consequently, Example, Inc. may expect a penalty notice in an amount between 400,000 and 500,000 EUR.
The German fining concept
The German Data Protection Conference (Datenschutzkonferenz, the board of the federal and state authorities) has also set up a concept for the calculation of administrative fines (available in English), which is similar in many aspects but puts a stronger focus on the financial capacity of the company by taking its turnover as the starting point. Fines are calculated in a multi-step approach:
- Based upon its total worldwide annual turnover of the preceding financial year, the undertaking is allocated to one of four size categories (divided into 20 sub-categories) as published by the authorities. Example, Inc. (annual turnover of 6mio. EUR) falls into sub-category B.II.
- The middle value of the turnover range of this sub-category is the basis for further calculating the fine. For Example, Inc., sub-category B.II comprises companies with an annual turnover ranging from 5 to 7.5mio. EUR (middle value: 6.25mio. EUR). Example, Inc. is consequently treated as if its annual turnover were 6.25mio. EUR.
- This reference turnover is then divided by 360 (days) to determine an average daily rate. For Example, Inc., this means a daily rate of 17,361 EUR (6.25mio. EUR / 360).
- This daily rate is multiplied by a factor that reflects the severity of the infringement. The infringement is measured on one of two scales published by the authorities, depending on whether the lower (scale 1) or the higher (scale 2) maximum fine under the GDPR applies to the obligation concerned. Subject to a normative assessment based upon the criteria of Art. 83 para. 2 GDPR, the scale ranges from “slight” to “very severe” breaches, with factors from 1 to more than 12. Example, Inc.’s non-compliance with Art. 6 GDPR triggers scale 2. If the circumstances of the individual case (high number of individuals affected and negligence vs. willingness to cooperate) allow the breach to be classified as “medium”, a factor of 6 could be applied and multiplied by the daily rate of 17,361 EUR, resulting in a fine of 104,166 EUR.
- If the calculated fine does not seem appropriate in light of circumstances of the individual case that have not been considered in the previous steps, it is adjusted accordingly (e.g. a long duration of the proceedings is considered in favor of the infringer).
Same law, different sanctions?
Comparing the two approaches shows that Example, Inc. would be hit much harder under the supervision of the Dutch authority. This result is owed to the fact that the Dutch concept disregards the company’s turnover when setting the standard fine. If Example, Inc. had a turnover of 30mio. instead of 6mio. EUR, the German concept would lead to nearly the same amount as the Dutch one.
Both concepts indicate that authorities will only exhaust the maximum limits for administrative fines under the GDPR in case of grave infringements. However, it should be kept in mind that multiple violations, e.g. revealed in the course of an extensive investigation triggered by a single small incident, may quickly add up to severe penalties. Furthermore, both concepts leave the authorities substantial leeway to adjust the fine in the individual case.
What to expect in the future?
The supervisory authorities’ willingness to sanction GDPR infringements by means of administrative fines and orders increased in 2019, and this trend is expected to continue. In the past, investigations were triggered primarily by complaints and inquiries from affected consumers. Recent activities of the authorities indicate, however, that they are also moving towards a more systematic approach to enforcement by defining “typical GDPR breaches” as a starting point for a broader roll-out of sanctions.
Regarding fining, supplementary EDPB guidelines on the calculation of the amount of a fine would enable companies to conduct appropriate risk management of their privacy obligations. Admittedly, no one really knows when to expect such guidance. Also, it will not be the supervisory authorities but the courts that have the last say on the appropriateness of a fine in the individual case, should the addressee decide to contest the authority’s decision.