Should GDPR Fines Be Higher?
Do all European Union members agree on the level of fines imposed on companies who are found to be in violation of the General Data Protection Regulation (GDPR)?
The Data Protection Commissioner in one member state appears to think current fines should be set closer to the maximum fine limits under GDPR Article 83.
Germany’s association of German Supervisory Authorities for Data Protection (Datenschutzkonferenz or DSK) has published new guidelines for determining fines for violations of the GDPR.
If adopted, the new model could lead to higher GDPR fines, potentially reaching the maximum fine limits according to GDPR Article 83.
A number of German authorities have already begun applying this new model in practice. For example, the data protection commissioner in Berlin has announced her plans to impose multi-million Euro fines based on this model. In fact, the first cases defending clients against fines calculated under the new methodology are being heard.
It is therefore possible that the European Data Protection Board may seek to implement a unified fine model across the EU, based on the new methodology currently being applied by German authorities.
How does the new fine calculation work in practice?
A calculator is highly recommended for this section, since the DSK’s new model is far from straightworward.
The calculation of the fine, along with all associated documentation, runs to some 24 pages.
The calculation begins with the aggregate global, annual revenue of the undertaking. Based on this figure, a "daily rate"is calculated and multiplied by a number of numerical factors by reference to the different penalty criteria according to GDPR Article 83(2). For example, the perceived gravity of the offense, culpability of the organization, extent of the potential harm caused to individuals, etc.
Now, for some, this might appear to be a fairly simple starting point. But there’s moire, as we explain in te following five steps:
STEP 1 ~ Calculating the “Daily Rate”
Firtly, as briefly mentioned above, authorities need to calculate the "daily rate" by dividing the aggregate global turnover of the undertaking for the previous year by 360 days.
For corporate groups, the calculation is not based on the turnover of the individual undertaking alone, but on the revenue of the entire group.
In its guidance document the DSK states that "parent companies and subsidiaries are regarded as an economic unit, so that the total turnover of the group of companies is taken as the basis for calculating the fine." However, it is not yet clear what position the courts will take on this issue, in light of the DSK’s approach.
Example: A group of companies generated sales of 90 billion euros in the previous year. This results in a "daily rate" of €250 million (€90 billion divided by 360).
STEP 2 ~ Determining the “Regular Fine Corridors” and Median Value
Next, comes an assessment of the perceived severity of the specific violation. This severity assessment appears to be based on an overall assessment carried out by the authority, taking into account the violated GDPR provisions and maximum fine limits set out in GDPR Article 83(4)–(6).
There is some discretionary allowance granted to authorities, to consider the level of harm to individuals (the GDPR maximum fine limits may not be exceeded). The DSK model sets out five levels of severity:
Minor infringement: multiplier of 1 to 4
Average infringement: multiplier of 4 to 8
Severe infringement: multiplier of 8 to 12
Very severe infringement: multiplier of 12 to 14.4
The result of the severity assessment is the determination of the "Regular Fine Corridor" by multiplying the "daily rate" by the multiplier range associated with the relevant severity level.
The authority then works out the median value of the resulting “fine corridor". This becomes the basis for the further calculation of the fine.
Example: In the case of the company mentioned in the previous example, with an annual turnover of €90 billion and a "daily rate" of €250 million, the authorities find a minor infringement, i.e., the least severe category with an associated multiplier range of one to four. The authority then multiplies the "daily rate" of €250 million by the one to four multiplier range. This results in a regular fine corridor of €250 million to €1 billion and therefore a median value of €625 million.
STEP 3 ~ Classifying the Specific GDPR Violation
Next, there would be further modification of the fine to take into account the nature of the violation and its consequences in accordance with the following criteria:
Duration of the infringement
Nature, extent and purpose of the unlawful processing
Number of data subjects involved in the processing
Extent of harm suffered by data subjects
The authority then assign a score of 0 to 4 to each of these criteria and calculate the total of those values. Scores of 0 and 1 are given for risk-mitigating factors (a small number of individuals impacted, no/minimal harm suffered, or a short duration of unlawful data processing, etc.); scores of 2 if there are neither mitigating nor aggravating factors; and scores of 3 or 4 if there are aggravating factors (e.g., the infringement was carried out for a long period of time).
The sum of these scores produces a total number between 0 and 16. This value is then entered into a long and complex table (not yet publicly released) in order to determine whether an additional multiplier should be applied, to either increase or decrease of the median value already determined in the previous calculation step.
Example: Continuing with the company from the previous examples, if the authority evaluates all the four criteria mentioned in this step as "equal", it will award the score of 2 to each of the four criteria (i.e., four times). With a total score of 8, no additional multipliers are applicable. Therefore, there is neither an increase nor a decrease in the median value already calculated. In our example, the median value of €625 million, therefore, remains the same for the purposes of further calculation.
STEP 4 ~ Further Consideration of the Fine
The authority now needs to determine any other relevant criteria for assessing the fine, in accordance with GDPR Article 83(2). This concerns culpability, i.e.:
intent or negligence;
initiation of measures to mitigate damage;
the degree of responsibility;
the existence of any relevant previous violations;
cooperation with the supervisory authority;
the categories of personal data processed within the scope of the violation;
the type of disclosure of the violation;
compliance with any measures previously ordered by the authority; and if applicable,
compliance with approved procedural rules or certifications.
STEP 5 ~ Final Consideration of the Fine
As a final step, the authority would examine whether any further mitigating circumstances exist, which could suggest a further adjustment of the fine determined so far.
There seems to be an absense of any formula for this further adjustment so that the authorities can exercise a significant degree of discretion in this step, to the extent necessary. There would also be an adjustment to be consistent with the GDPR-mandated maximum fines.
Initial practical experience shows that the application of the DSK model would lead to significantly higher fines than those imposed so far by the German authorities since the GDPR came into force. The largely linear calculation method, starting with revenue, leads to serious penalty risks, especially for companies and groups with high turnover.
It is arguably questionable whether sanctions imposed under the DSK fine model properly take into account the matters required by Article 83 of the GDPR and/or can properly ensure that fines are in fact proportionate.
The DSK model, if adopted and applied, would certainly be ripe for challenge, and it could be difficult for data protection authorities to convince courts in administrative offense proceedings that they have in fact determined appropriate, lawful fines using it. In particular, large corporate groups and companies that process large volumes of data, or sensitive or high-risk data should prepare themselves for an emergency - and plan an effective litigation defense in advance.