We have already discussed the new General Data Protection Regulation (GDPR) on several occasions. The implementation date is approaching –25 May 2018– but many doubts remain. For instance, how can we be sure we are compliant, who protects the data protectors (DPOs), how are impact assessments to be implemented, or simply how heavy will the first fines be…
On this latter point, we have some news. Last October, the Article 29 Data Protection Working Party (which on May 25th will dissolve into a new EU body, the European Data Protection Board) published its Guidelines on the application and setting of administrative fines for the purposes of the GDPR. Fines are now much more similar to Competition Law fines, since they shall be set by reference to a turnover percentage, reaching up to 4% (!). This pursuit of homogeneity is in itself a novelty, since Article 24 of the Data Protection Directive allowed each Member State to set its own fine ceilings. As a consequence, fines could reach up to € 25,000 in Austria, € 150,000 in France, € 300,000 in Germany, € 600,000 in Spain and even £ 500,000 in the UK.
Will this new unitary ceiling now always be attained? And, should an intermediate percentage be in order, how is it supposed to be calculated? Will good faith, compliance or feeble effects play any role in the fine-setting scene? These are exactly the questions that the Working Party tries to answer in its Guidelines, and here are some of its thoughts:
Fines must be effective, proportionate and dissuasive. [Article 83(1) GDPR]. To this end, the relevant turnover shall be that of the offender’s group of companies, inasmuch as they constitute an economic unit or, in the end, a decision unit. In other words, the turnover of the offending legal person or company is irrelevant. Beware of the 4% ceiling, then, since the amount of a fine might be much higher than expected…
The Guidelines also recall that fines are not the only corrective measure foreseen in the GDPR. They are an “additional or substitutive” measure, as the Regulation puts it, to the warnings or reprimands (whatever the difference may be…) that national regulators may also impose. It is important to bear in mind, though, that these measures do not necessarily come in the foul, yellow card and red card order. The Working Party rushed to clarify that this is not necessarily the case and that everything shall depend on the gravity of the infringement, the offender’s intent, its cooperation with the authority, its proactivity in implementing corrective measures and, last but most importantly –or so we believe–, the damage caused to individuals’ rights.
Right now, the margin of discretion for national regulators seems huge. Nevertheless, we dare say that potential appeals against the system itself will probably not go a long way. The fining system is virtually identical to the one peacefully (or, in some Member States such as Spain or Germany, almost peacefully) functioning in Competition Law. Pleas of arbitrariness, non-predictability, etc. of a system based solely on maximum turnover limits have sometimes sent a shiver through the system, but never made it collapse… So, be ready for heavy fines also in data protection!