Some time ago I wrote about how GDPR fines work and how they may be calculated, including what technical aspects may be considered during such a calculation; the article is here, and it is quite a case study. It’s still good and all, but this time, finally, EU data protection authorities have agreed on some common ground. Because, according to GDPR, these rules should be consistent. Can they be harmonised in practice without causing a regulatory or a (domestic) political upheaval?
Fines, what they are good for
In general, the role of a fine is a corrective one. It should be calibrated to be a correction, but also a dissuasion. There are no minimum fines. There are maximum fines (20M/10M EUR, or “up to” 2%/4% turnover).
According to GDPR Article 83(2), the following should be considered:
(a) the nature, gravity, and duration of the infringement taking into account the nature, scope, or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
(b) the intentional or negligent character of the infringement;
(c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;
(d) the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;
(e) any relevant previous infringements by the controller or processor;
(f) the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
(g) the categories of personal data affected by the infringement;
(h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;
(i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;
(j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and
(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.
The fine waterfall process
To put it into practice, the EDPB suggests dividing the art of fining into several steps:
1) Identifying the processing operations,
2) Finding the starting point for further calculation based on an evaluation of the classification,
3) Evaluating aggravating and mitigating circumstances,
4) Identifying the relevant legal maximums for the different processing operations,
5) Analysing whether the final amount of the calculated fine meets the requirements of effectiveness, dissuasiveness, and proportionality.
So it’s a multi-step approach. In general, the opinion is heavily legalistic and not exactly user-friendly.
Of particular note in the assessment of the gravity of the infringement is the number of data subjects, which may also include those potentially affected. In general, more affected data subjects/users should mean a higher fine. But it is not stated how exactly this impacts the fine. What’s the difference between 100, 50,000, and 10 million? One could imagine that in 2022 it would be possible to say, more or less, how the number of users factors into the calculation of the final figure. Yet, it seems this is not the case. On the one hand, I can understand that the DPAs do not wish to tie their hands and the scheme must be ‘responsive’ and ‘adaptable’; on the other hand, come on, a clear communication here would greatly improve the transparency of the EU data protection process.
In the same manner, it is also said that “a supervisory authority may generally attribute more weight to an infringement with longer duration”. So, what does it mean, exactly? We won’t get an answer.
It is, of course, also always “depending on the circumstances of the case”. But sometimes I feel that this stressing of the “case-by-case” need is muddying the water. Is it really necessary?
Later on, we read that “GDPR clearly highlights the types of data that deserve special protection and therefore a stricter response in terms of fines”. This is true: information about religion, disability, etc. is sensitive and protected. Now, how does it impact the fine? Does this factor make the fine 2x higher? 4x? Again, we don’t know.
But don’t despair completely, there are some clarifications. For example:
“When calculating the administrative fine for infringements of a low level of seriousness, the supervisory authority will determine the starting amount for further calculation at a point between 0 and 10% of the applicable legal maximum”
“When calculating the administrative fine for infringements of a medium level of seriousness, the supervisory authority will determine the starting amount for further calculation at a point between 10 and 20% of the applicable legal maximum.“
“When calculating the administrative fine for infringements of a high level of seriousness, the supervisory authority will determine the starting amount for further calculation at a point between 20 and 100% of the applicable legal maximum.“
So there are three regions: [0, 10], [10, 20], [20, 100] percent of the applicable legal maximum. Consequently, a low level of seriousness may mean a starting amount capped at 2M EUR (10% of the 20M EUR maximum). Similar calculations are also done in the case of the turnover threshold.
I’ll also spare you the details of the “undertaking’s turnover and corporate liability” aspect, which is perhaps not exactly the most exciting thing (and admittedly it is complex, involving also the aspects of competition and anti-trust legal opinions) for a blog post...
I understand that some DPAs desired to create some kind of equation/formulas (even if just “indicatory”) but it appears that the matter is perhaps too difficult to describe in this way?
In general, this opinion is informative and to some extent useful... Yet, we went through Covid-19, and now we’re in the middle of a high-intensity war in Europe... It would be nice to have actionable opinions during such times of crisis. I’m not sure if the EDPB guide to fines is the case, though? The guide fully acknowledges that “GDPR does not tag fixed sums to specific infringements”, which I completely agree with.
Of course, one may wonder whether this guide is intended for the DPAs, not the data processors/controllers… But since the opinion is being made public, it is clear that the end consumer should also be the processors, controllers, legal foundries, consultants, all that. On the other hand, I must admit that this particular opinion is not geared toward the technical domain – it is more of a legalistic, supervisory, and enforcement domain.