Data protection authorities (DPAs) across the European Union have been enforcing the European General Data Protection Regulation (GDPR) more frequently in recent years. But the total number of fines imposed across the union within this timeframe is still opaque, since many decisions are not made public. We already touched upon the topic in a separate blog post.
In terms of the level of fines imposed, the provisions in the GDPR make for some scary reading. But many business leaders, DPOs, and marketers have been asking how this translates to the real world. What determines the size of the fines DPAs hand down when organisations are found to be in breach of the regulation?
A Quick Guide
The GDPR allows European data protection authorities (DPAs) to fine companies up to 4 per cent of their annual turnover if they violate the regulation’s requirements for the collection, processing and use of data.
However, it is up to the DPAs to determine the level of fines imposed. Article 83 of the GDPR merely provides a framework to be used and taken into account when determining the level of penalties. According to this framework, DPAs must above all ensure that the fines imposed under the GDPR are effective, proportionate and dissuasive. It has also become apparent that DPAs follow the guidance of the European Court of Justice (ECJ) when setting the level of penalties, in particular for high fines.
Accordingly, higher penalties should be imposed if one or more of the following four conditions are met:
Firstly, if the number of data subjects and the resulting harm justify it.
Secondly, where multiple breaches have been committed in a given case, the data protection authority may impose a higher fine and/or impose remedial measures.
Thirdly, the degree of fault should be taken into account in the assessment of fines. For example, the Guidelines state that intentional conduct on the part of the controller or failure to take appropriate preventive measures will play a role in the DPA’s assessment of the amount of the fine.
Fourthly, the duration of the breach is also a determining factor.
Two tiers for GDPR fines
The GDPR also provides for a two-tier system of fines, which gives insight into which elements the legislation considers most important and therefore deserving of the highest fines.
The first tier applies to breaches of the obligations of controllers and processors, the certification body, and the monitoring body, and is capped at €10,000,000 or 2 per cent of total annual global turnover (whichever is higher).
The second tier is capped at €20,000,000 or 4 per cent of total global annual turnover and covers breaches of the principles governing the processing, including conditions of consent; data subject rights; transfer of personal data to a recipient in a third country or to an international organisation; etc.
It is particularly noteworthy here that so far fines have been imposed for only about half of the 42 articles of the GDPR that may lead to sanctions, and the maximum limit has not yet been reached in this respect.
In addition, many articles of the GDPR contain requirements that are a matter of interpretation. For example, Article 5 lists the principles governing the processing of personal data: Lawfulness, Fairness and Transparency, Purpose Limitation, Data Minimisation, Accuracy, Storage Limitation, Integrity and Confidentiality, and Accountability.
Violations of these principles can result in the highest fines allowed under the Regulation (the second tier), but several of these high-level principles, which are the main pillars of the GDPR, can be interpreted very differently by data protection authorities. The Regulation does not provide much concrete information in this regard, so case law must be used to answer these questions.
In conclusion, DPAs have a wide margin of interpretation and application in determining the specific level of penalties, based on a flexible system of the above criteria. Nevertheless, it has become clear in recent years that both the number of penalties and the amounts imposed have continuously increased and that a decrease is not to be expected.