The most significant change that GDPR made to EU data privacy law was to enhance enforcement and create a framework for increased fines for non-compliance. Four years after the GDPR started to apply, and as enforcement action picks up across the EU, the EDPB has finally issued draft guidelines on the calculation of administrative fines under the GDPR (the “Guidelines”). The EDPB aims to create a single methodology for calculating fines issued under the GDPR (for both cross-border and non-cross-border cases), which should therefore replace existing national frameworks that diverge from the Guidelines. The Guidelines will sit alongside existing guidelines that focus on the circumstances in which to impose a fine.
These Guidelines and the related consultation that the EDPB has launched are likely to attract significant attention as some aspects of the proposed methodology and underlying legal analysis are unclear and/or controversial. We set out a high-level summary of the proposed methodology below, as well as the next steps in relation to the consultation.
Step 1: One or Multiple Infringements?
The Guidelines set out a step-by-step approach for calculating fines. At the same time, the EDPB is at pains to stress throughout the draft that fine calculation is not a simple mathematical exercise, that supervisory authorities must exercise their judgement, and that authorities “are not obliged to follow all steps if they are not applicable in a given case, nor to provide reasoning surrounding aspects of the Guidelines that are not applicable”.
First, the Guidelines state that the supervisory authority (“SA”) should establish whether the sanctionable conduct involves a single set of linked processing operations that infringe one or more provisions of the GDPR, or if there are multiple, separable operations involved. This will help the SAs establish whether a single legal maximum (i.e., EUR 10m / 2% of the worldwide annual turnover of the undertaking, or EUR 20m / 4% of the worldwide annual turnover of the undertaking, as applicable under Articles 83(3)-(6) GDPR) applies, or if there will be separate legal maximums for separate infringements.
Step 2: Establishing the starting value of the fine
The Guidelines then set out a process for establishing the “starting point” for an administrative fine (but also emphasize that supervisory authorities should not be required to state the exact starting amount).
This involves first establishing the “seriousness” of the infringement. To make this assessment, SAs will take account of:
- whether the infringement is punishable by the lower maximum fine under Article 83(4) GDPR (EUR 10m / 2% of worldwide annual turnover), or the higher maximum fine under Article 83(5)-(6) GDPR (EUR 20m / 4% of worldwide annual turnover);
- the nature, scope, context, and purposes of the processing (including whether the processing is part of a controller or processor’s “core activities”);
- the number of data subjects both actually and potentially affected;
- the level of damage suffered by data subjects, which includes (according to the Guidelines, referring to recital 75 GDPR), physical, material or non-material damage;
- the duration of the infringement – as a general rule, the longer the duration of the infringement, the more weight the SA may attribute to this factor. The Guidelines note that “if permitted by national law, both the period after the GDPR’s effective date and the previous period may be taken into account when quantifying the fine”;
- whether the infringement was intentional or negligent; and
- the categories of personal data affected.
These are three of the factors set out in Article 83(2) GDPR, and the EDPB states they are the factors that relate directly to the infringement itself. Based on these criteria, SAs will assign an infringement as being of a “low”, “medium”, or “high” seriousness. They will then assign a starting point for the fine:
- For “low” seriousness infringements: between 0 and 10% of the legal maximum;
- For “medium” seriousness infringements: between 10 and 20% of the legal maximum; and
- For “high” seriousness infringements: between 20 and 100% of the legal maximum.
The guidelines include various examples to help illustrate these proposed calculations, including infringements involving marketing, data breaches, and data subject access requests.
SAs can then choose to (but are not required to) reduce the level of the starting point. This depends on the turnover of the undertaking in question. For example, for undertakings with a low turnover (less than EUR 2m), SAs can reduce the starting point to as little as 0.2% of the original amount, but for undertakings with high turnover (greater than EUR 250m), SAs can only reduce it to a minimum of 50% of the original amount. Again, the guidelines include various examples, including hypothetical scenarios ranging from a supermarket chain with a turnover of EUR 8 billion being fined EUR 25 million for an infringement deemed to be “of a low level of seriousness”, to a start-up dating app with a turnover of EUR 500,000 being fined EUR 16,000 for selling sensitive personal data (deemed to be “of a high level of seriousness”).
Step 3: Aggravating and Mitigating Circumstances
After calculating the starting point, SAs have discretion to adjust the amount of the fine by reference to the remaining factors set out in Article 83(2) GDPR, for example any actions taken by the controller or processor to mitigate damage suffered by data subjects, any previous infringements, and the degree of cooperation with the SA. The Guidelines state that “measures spontaneously implemented prior to the commencement of the supervisory authority’s investigation becoming known to the controller or processor are more likely to be considered a mitigating factor, than measures that have been implemented after that moment”; and that due to increased accountability requirements under GDPR, “only in exceptional circumstances, where the controller or processor has gone above and beyond the obligations imposed upon them, will [the degree of responsibility of the controller/processor] be considered a mitigating factor”.
Step 4: Check against legal maximum
As a fourth step, SAs should check that the fine they intend to impose does not exceed the applicable legal maximum. Notably, the EDPB uses the same definition of “undertaking” as is set out in EU competition law, which presumes that (directly or indirectly) wholly-owned subsidiaries form part of the same “undertaking” as their ultimate parent. This could have the effect of significantly increasing the legal maximum fine for multinational organizations.
Step 5: Effectiveness, Proportionality and Dissuasiveness
Finally, SAs must conduct a final assessment of whether the fine is “effective, dissuasive, and proportionate” as required by Article 83(1) GDPR. This means that the fine must achieve its goals (which might be to establish compliance or to punish), must have a “genuine deterrent effect” on both the infringing controller or processor and others that might commit the same infringement, and must not go beyond what is necessary to achieve the goals of the GDPR.
The Guidelines are currently under public consultation, which closes on 27 June. After the public consultation, the EDPB will adopt a final version. The accompanying press release indicates that this version will include a reference table setting out examples of how the seriousness of an infringement and the turnover of an undertaking might be assessed to calculate the starting value of a fine.