26 October 2018 | By Paul Nemitz
Fine-tuning the new data protection rules
With the enactment of the EU General Data Protection Regulation (GDPR) last May, data protection does not only move from a directive to a regulation but also from low (or no) fines to high fines.
Imposing fines will often have a higher disciplinary function than other remedies. Fines serve to discourage further infringements. Article 83 of the GDPR serves both special and general prevention purposes since high fines for misconduct are attracting widespread attention, especially in the case of controllers or processors known in the market and to the general public. They ensure that efforts of compliance are undertaken in addition to pure profitability investments and a fortiori that the economic advantage that controllers or processors derive from infringements of the regulation, if any, do not remain with them.
The fines, if high enough, will provide an incentive to act lawfully and to respect the rights of data subjects in the processing of their personal data. The GDPR thus ensures that the market continues to serve the interests of individuals and the general public.
Private data is not a commodity
The market regards any data more and more as a tradable standardised commodity. Catch phrases like “Data is the new oil” or “Data is the currency of the future” can often be heard. However, personal data cannot legally be treated and traded in Europe like commodities such as oil, or currencies.
Whether Article 83 of the GDPR can fulfil its function in practice largely depends on its implementation by the respective national Data Protection Authorities (DPAs), which will have to impose the fines.
The GDPR’s Article 83 provides for a differentiated and flexible system of fines, which allows and obliges supervisory authorities to sanction violations of the regulations with fines in order to deter future infringements:
- Paragraph 1 of the article sets the standards for the entire sanction system in the GDPR, to which all measures must adhere.
- Paragraph 2 lays down specific criteria to be taken into account when determining the amount of a fine in a specific case.
- Paragraph 3 regulates cases of cumulation of data protection infringements and sets the maximum amount of the fine for them.
- Paragraphs 4 and 5 qualify violations of the provisions of the GDPR depending on their significance, which accordingly result in lower or higher fines.
- Paragraph 6 provides for a further increase in the fine for violations of prior orders from supervisory authorities.
- Paragraph 7 contains a limited opening for Member States, which can exempt the public sector from fines to a limited extent.
- Paragraph 8 clarifies that the fines procedure and the ensuing judicial proceedings must comply with the requirements of the Union and Member State law.
- Paragraph 9 contains special rules for Denmark and Estonia whose legal systems do not provide for the power of authorities to impose fines.
The GDPR fining system is inspired by European competition law and uses its methodology in large part, in particular the determination of fines in terms of a percentage of overall turnover and a cap of fines determined by a set percentage of turnover of the undertaking concerned (4 percent, as specified in Article 83).
Competition law as the model
Both data protection and competition law fall within the category of special economic administrative law. In these fields of law, infringements are often a matter of cost reducing intention or negligence, motivated by the pursuit of profit. There are costs related to compliance and in some cases high financial incentives for both competition and data protection breaches. The experience in competition law also shows that public enforcement is the main driving force for compliance. Private enforcement and actions for damages, even where special legislation for that purpose exists, play a smaller role. In many cases, considerations similar to those in competition law will be applied.
That became apparent recently when the European Commission imposed a fine of €110m on Facebook. This case is important as it demonstrates the risk – one might call it the temptation – to lie when it comes to describing facts pertaining to the processing of personal data to the regulator. This is usually done in the hope that the regulator will not master the technical complexities involved.
DPAs are expected to increase fines at the slightest sign of negligent or intentionally misleading statements made to them as at the core of the duty to cooperate with DPAs (Articles 31 and 39 of the GDPR) is the duty to state the truth.
Guiding principles underlying decisions
According to Article 83, the decision of the supervisory authorities to impose fines must be guided by the principles of effectiveness, proportionality and the objective of dissuasion.
„DPAs can only abstain from a fine in the two cases expressly mentioned in the GDPR, i.e. in case of a minor infringement or if the fine likely to be imposed would constitute a disproportionate burden to a natural person.“
According to the case law of the European Court of Justice in the field of competition law, supervisory authorities have no unlimited discretion when it comes to the imposition of fines. The general principles of EU law require that fines are motivated and justified on the basis of the method of calculation used, and this in such a way as to allow the addressee to comply and, if necessary, seek judicial remedy.
Article 83 obliges supervisory authorities in each individual case to fully investigate the matter. In particular, supervisors can oblige companies to provide all the information they need to carry out their duties.
The economic situation of the controller or data processor is irrelevant to the amount of the fine, as long as the fine is not imposed on a natural person. This is based on the consideration that otherwise a controller or processor in economic difficulties might gain illegal and unjustified competitive advantages from illegal behaviour.
However, in all cases the amount of the fine must be based on the principle of proportionality. The number of data subjects concerned may be an important indicator of systemic errors and a lack of proper data protection routines. The fine does not depend on proof of a causal link between the infringement and the damage, but the amount of the damage and the duration of the infringement are criteria to be taken into account.
Who is at fault matters
Article 82 makes it possible to take account of the degree of fault on the part of the data controller or processor. In that regard, the question arises as to which fault of which person should be assigned to a legal person. To require an organ fault, i.e. of the Board or the CEO, is not necessary according to the wording of the regulation. Deliberate or negligent conduct of a manager, a person responsible for processing or even the person entrusted with the specific processing operation, will also have to be taken into account, depending on the circumstances of the specific case.
The allegation against the controller or processor becomes all the more serious (and thus the fine higher) the more signs of organizational negligence can be found, and the more this degree of fault can be attributed to organs of the company, or to senior managers rather than merely to the possibly unforeseeable or unavoidable misconduct of a lower-ranking individual.
Intent or negligence?
The instruction of an organ for unlawful processing is regularly regarded as intent under the GDPR Guidelines. Given the principle that a businessman must know the law and thus take measures to ensure compliance of his company. Given the now numerous actions for awareness-raising and offers to ensure compliance with the GDPR in the markets, it is hard to imagine a constellation with repeated infringements of the GDPR without at least negligence being present.
If data controllers or processors have doubts about the legality of processing, they need to remove these doubts – or stop processing until the doubts are removed. Not taking any action in such a situation constitutes deliberate acceptance of potentially breaking the GDPR and thus certainly gross negligence, if not intent. A scarcity of funds in the implementation of the rules cannot excuse non-compliance.
Negligence shall be considered under the Guidelines if existing data protection policies of the company have not been read or followed or no data protection rules have been adopted by the company in the first place.
Stopping infringements and repairing the damage
Article 83 of the GDPR sets an incentive for controllers and processors to stop infringements committed as soon as possible, immediately reverse practice and make up for damages. A controller or processor must also strive to make up for impairments of non-financial nature in order to benefit. Although not explicitly mentioned by the wording, the supervisory authority will conversely have to take into account that no efforts were made to make amends. The timely and intensive efforts of the controller for “repairs” should, according to the Guidelines, play a role in the determination of the fine, as well as the fact that other involved persons or processors were informed and thus further damage was prevented.
The exemplary financial benefit of a violation will have to correspond to a mathematical value, which in turn must be related to a specific personal date. As an example of a possible way to calculate the value of a record about a person, for example, in a social network, the company value is divided by the number of members of that network. The GDPR Guidelines make it clear that profits from violations in any case give rise to a fine.
If a controller has committed a number of different infringements in the same processing operation or, in the case of ‘linked processing operations’, to several provisions of the GDPR, the total amount of the fine is limited to the amount for the most serious infringement. The purpose of this rule is also to clarify that the quantitatively increased disregard for the provisions of the GDPR is particularly in need of sanction. In practical terms, this means that the fine will be increased.
High fines necessary to enforce better compliance
The European legislator has expressed a clear will that the rules of the GDPR are fully and coherently applied across Europe. DPAs are entrusted with the duty to ensure this and have obtained substantial new powers for this purpose, comparable to those of competition authorities. The experience in competition law shows that high fines are necessary to better compliance, as only they can bring about a deterrent against non-compliance.
Paul Nemitz currently serves as Principal Advisor to the Directorate-General Justice and Consumer Affairs of the European Commission. As the long-time Director for Fundamental Rights, he is one of the architects of the GDPR. A longer print version of this article was published Hart Publishing as part of the CPDP 2017 Conference Book.
Comment or question? Don’t hesitate to contact: email@example.com