GDPR Fines: Carrot, Stick or a Complex Calculation?
October 30, 2019
On 17 September 2019 the association of German Supervisory Authorities for data protection (the “DSK”) confirmed that it was preparing guidelines (“Guidelines”) intended to assist supervisory authorities better determine what level of fines should be issued under the General Data Protection Regulation 2016/679 (The “GDPR”). These Guidelines were published on 14 October 2019 and have the potential to increase the likelihood of maximum level GDPR fines being issued more regularly.
What are the fines under the GDPR?
Article 83 of the GDPR imposes a two-tier system for fines:
Standard Fine under Article 83(4):
Generally speaking, a fine of 2% of the total worldwide annual turnover of the preceding financial year, or €10,000,000 could be imposed for an infringement of an obligation under the GDPR.
Maximum Fine under Article 83(5) and (6):
If the infringement relates to the contravention of a principle or right, etc., then a fine of 4% of the total worldwide annual turnover of the preceding financial year, or €20,000,000, could be imposed.
A change in tack?
Supervisory Authorities such as the Information Commissioner’s Office have previously suggested that maximum level fines under the GDPR would be rare:
“...it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm...We have always preferred the carrot to the stick.” (Information Commissioner's Office - Blog: GDPR – sorting the fact from the fiction - 9 August 2017)
However, the Berlin Commissioner for Data Protection and Freedom of Information recently confirmed that it plans to issue a large fine to a company for violations of the GDPR, in the tens of millions of euros for the infraction. This statement could suggest a change in sentiment when determining fines. Indeed, the European Data Protection Board (the “EDPB”) is currently considering an approach for the harmonisation of GDPR fines across Member States.
The EDPB is not the only body considering fining levels under the GDPR. The DSK is due to meet on 6-7 November 2019 to discuss its proposed Guidelines for determining what level of fines should be issued. These Guidelines take a calculated approach, looking beyond a carrot or stick. Below, we consider and explain these Guidelines in detail, as well as how they could be used in practice.
A Calculated Approach - Breaking Down the Guidelines
The Guidelines take a five-step approach to calculating fines under the GDPR. In essence, the considerations are as follows:
1) Consider the size of the organisation and apply a day rate
If an organisation has an annual turnover of over €500,000,000, the actual annual turnover is taken into account when calculating a fine. However, where an organisation has an annual turnover of less than €500,000,000, the Guidelines break organisations down into different size classifications. These are: (a) micro, (b) small and (c) medium-sized enterprises, as well as (d) large enterprises. These size classifications are the first step in determining what level of fine might be issued.
These size classifications are then broken down further, into sub-groups within categories (a) to (d).
The turnover band of each sub-group is then averaged, and a day rate is calculated from that average annual turnover.
It is also important to note that if an organisation does not provide information as to its annual turnover, this can be estimated by the supervisory authority.
The table found in the Guidelines relating to small organisations is provided below to illustrate this method:
| (b) Small organisation: annual turnover of €2,000,000 to €10,000,000 | Average annual turnover | Day rate |
| --- | --- | --- |
| (b.i) €2,000,000 to €5,000,000 | €3,500,000 | €9,722 |
| (b.ii) Over €5,000,000 to €7,500,000 | €6,250,000 | €17,361 |
| (b.iii) Over €7,500,000 to €10,000,000 | €8,750,000 | €24,306 |
A practical example of how this might apply to an organisation is as follows: an organisation with an annual turnover of €5,750,000 falls within sub-group (b.ii) and would therefore be deemed to have an annual turnover of €6,250,000. This means a day rate of €17,361 will be applied.
2) Assessing the severity of the non-compliance
The Guidelines then consider the severity of the non-compliance in terms of: (i) low; (ii) medium; (iii) high; or (iv) very high, assigning a rating of 1-12 depending upon the level of severity. This severity rating is then multiplied by the day rate.
The table found in the Guidelines is provided below:
| Severity | Infringement relating to standard fine | Infringement relating to maximum fine |
| --- | --- | --- |
| Very high | 6 or less | 12 or less |
Continuing with the previous example: an organisation that suffers a significant data breach, disclosing card details and sensitive personal data and affecting millions of people, is judged to be of very high severity with a rating of 12. Applied to the day rate of €17,361, this could lead to a fine of €208,332 (€17,361 × 12).
3) Aggravating and Mitigating Factors
The factors described under Article 83(2) must also be taken into account as potential aggravating or mitigating factors.
What does this mean for you?
Whilst the Guidelines may not represent a change in tack by the German Supervisory Authorities, they do mean that the level of fines might be more predictable.
If a similar approach is considered by the EDPB, and harmonised amongst Member States more widely, this might help provide organisations with more clarity on the level of fines they could be subject to. It could also assist in contract negotiations, as it would enable an organisation to have a better sense of what level of fine it may face, allowing for sensible discussions around liability caps.
How can PwC help?
As with all matters relating to compliance, the best approach is to put in processes and governance designed to ensure the worst does not happen. PwC has a range of tools designed to help an organisation understand where gaps may be found or to demonstrate accountability. Please see the below link for more information: https://www.pwc.co.uk/issues/data-protection/compliance-accountability.html. Should the worst happen, PwC can also assist with crisis management. PwC’s contentious data privacy practice is well versed in providing a robust challenge to adverse scrutiny, regulatory or otherwise.
Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L119/1