The General Data Protection Regulation (GDPR), adopted in 2016 and applicable across the EU since 25 May 2018, laid the legal foundation for data protection in the EU. Today, it already serves as a model for other jurisdictions around the world.
As a result, companies operating in the European market, regardless of size and industry, are obliged to adapt their internal processes to the far-reaching requirements of the GDPR. Even for large corporations, this has proven to be a time-consuming and resource-intensive challenge, and small and medium-sized businesses feel the burden even more.
The GDPR imposes strict penalties for infringements. The upper limit is defined as a fixed sum or a percentage of worldwide annual turnover, whichever is higher, so for large companies a single fine can reach many millions of euros.
Initially, European data protection authorities seemed to focus on information and cooperation instead of warnings and fines – which led to some relaxation in many companies. However, in 2020, data protection authorities ramped up enforcement considerably.
Number of fines according to the GDPR Enforcement Tracker (cumulative)
Overall sum of fines according to the GDPR Enforcement Tracker (cumulative)
These statistics reflect only the publicly known cases. Most proceedings of the data protection authorities take place behind closed doors, so the actual number of fines imposed remains largely unknown.
GDPR fine iceberg, inspired by CMS Legal
According to a recent study by DLA Piper, more than 130,000 personal data breaches were reported to European data protection authorities in 2021 alone – an average of 356 notifications per day, an 8% increase from the average of 331 notifications per day in 2020.
Over the same period, total fines increased almost sevenfold compared to the previous year, exceeding one billion euros according to the study.
In a country comparison, Germany reports the largest number of data protection violations and, with a single fine of 35 million euros, is also among the countries with the highest individual fines imposed.
According to the published decisions of data protection authorities, an insufficient legal basis for data processing and non-compliance with the general data processing principles of Article 5 are the most frequently fined infringements.
The third most common infringement is insufficient technical and organisational measures to ensure information security (Article 32), a category that has drawn the attention of supervisory authorities in Austria, France, Italy, and Denmark in light of the CJEU's Schrems II ruling.
Data protection authorities (DPAs) across the European Union have been enforcing the General Data Protection Regulation (GDPR) more frequently in recent years. However, the total number of fines imposed across the Union in this period remains opaque, since many decisions are never made public. We already touched upon this topic in a separate blog post (LINK).
In terms of the level of fines imposed, the provisions in the GDPR provide for some scary reading. But many business leaders, DPOs, and marketers have been asking how this translates to the real world. What determines the size of the fines DPAs hand down when organisations are found to be in breach of the regulation?
A Quick Guide for the level of GDPR fines
The GDPR allows European data protection authorities (DPAs) to fine companies up to €20 million or 4 per cent of their worldwide annual turnover, whichever is higher, if they violate the regulation's requirements for the collection, processing and use of personal data.
However, it is up to the DPAs to determine the level of the fine in each case. Article 83 of the GDPR merely provides a framework of criteria that must be taken into account when setting the amount. Above all, DPAs must ensure that fines imposed under the GDPR are effective, proportionate and dissuasive (Article 83(1)). In practice, DPAs also follow the guidelines on administrative fines adopted by the Article 29 Working Party and endorsed by the European Data Protection Board (EDPB), in particular when setting high fines.
Accordingly, higher penalties should be imposed if one or more of the following four conditions are met:
Firstly, if the number of data subjects affected and the resulting harm justify it.
Secondly, where several breaches have been committed in one case, the data protection authority may set a higher fine and/or order remedial measures; under Article 83(3), however, the total fine may not exceed the maximum amount specified for the gravest infringement.
Thirdly, the degree of fault is taken into account in the assessment of the fine. For example, the guidelines state that intentional conduct on the part of the controller, or a failure to take appropriate preventive measures, will play a role in the DPA's assessment of the amount of the fine.
Fourthly, the duration of the breach is also a determining factor.
Two tiers for GDPR fines
The GDPR also provides for a two-tier system of fines, which gives insight into which obligations the legislator considers most important and therefore deserving of the highest fines.
The first tier applies to breaches of the obligations of controllers and processors, of certification bodies and of monitoring bodies (Article 83(4)) and is capped at €10,000,000 or 2 per cent of total worldwide annual turnover of the preceding financial year, whichever is higher.
The second tier is capped at €20,000,000 or 4 per cent of total worldwide annual turnover of the preceding financial year, whichever is higher (Article 83(5)), and covers breaches of the basic principles for processing, including the conditions for consent; data subjects' rights; transfers of personal data to a recipient in a third country or to an international organisation; and non-compliance with an order of a supervisory authority, among others.
It is particularly noteworthy that, so far, fines have been imposed under only about half of the 42 articles of the GDPR whose breach can be sanctioned, and the statutory maximum has not yet been reached.
In addition, many articles of the GDPR contain requirements that are a matter of interpretation. Article 5, for example, lists the principles governing the processing of personal data: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability.
Violations of these principles can result in the highest fines allowed under the Regulation (the second tier), but several of these high-level principles, the main pillars of the GDPR, can be interpreted very differently by different data protection authorities. The Regulation itself offers little concrete guidance in this regard, so case law and published DPA decisions must be consulted to answer these questions.
In conclusion, DPAs have a wide margin of interpretation and application in determining the specific level of a penalty, based on the flexible system of criteria described above. Nevertheless, it has become clear in recent years that both the number of fines and the amounts imposed have continuously increased, and no decrease is to be expected.
For further information on how to avoid fines, we recommend the comprehensive guide by the legal experts of DataGuard: Fines and GDPR: How to avoid penalties.