EU GDPR fines and a new methodology to ensure consistency

By Jade Kowalski & Stuart Hunt

Published 30 June 2023

Overview

In the five years since the introduction of the EU GDPR, data protection authorities across the EU have become increasingly comfortable reprimanding companies in breach, albeit the data protection authorities of some Member States are far more proactive than others in issuing administrative fines.

Those authorities have duties to give due regard to certain parameters set out in the EU GDPR, but ultimately the value of a fine rests with their specific evaluation of the case. This has, perhaps inevitably, led to varying values of administrative fines across different jurisdictions.

In an effort to "achieve a consistent approach to the imposition of administrative fines that adequately reflects all of the principles in the GDPR," the European Data Protection Board (EDPB) has issued Guidelines 04/2022 on the calculation of administrative fines under the GDPR (the "Guidelines").

The Guidelines create a harmonised starting point and methodology from which fines will be calculated, as opposed to a tariff or template for expected fines. Having applied the methodology as a foundation, the data protection authorities retain their discretion in respect of the amount of the fine.

The Guidelines are complementary to existing recommendations on the circumstances in which an administrative fine would be an appropriate tool and interpret the criteria of Article 83 EU GDPR.

Methodology

The Guidelines emphasise that they are not intended to create a precise mathematical formula to be used, instead setting out a methodology for calculating fines with the circumstances of the case ultimately deciding the final amount. The methodology is broken down into five steps:

  1. The relevant authority has to consider the processing operations relevant in the case, and apply Article 83(3) which guides how fines are to be imposed where there have been infringements of more than one EU GDPR provision.
  2. Thereafter it should move to consider the classification and seriousness of the infringement, having regard to the company's turnover and whether the possible fine is "effective, dissuasive and proportionate". The classification of the infringement will be determined by reference to Articles 83(4) to (6), which set out the relevant offences falling into each classification and the maximum financial penalty. The seriousness of the infringement will be considered by reference to Article 83(2)(a), (b) and (g), specifically reflecting the nature, gravity and duration of the infringement, whether it was intentional or negligent, and the type of personal data affected.
  3. Next, it should evaluate any mitigating or aggravating circumstances relating to the past or present behaviour of the controller or processor. The Guidelines highlight that this should include considering when prior infringements have taken place, the subject matter of those infringements, as well as co-operation with supervisory authorities, including mitigation, notification and compliance with previously ordered measures.
  4. Following this, it should identify the legal maximums that can be imposed for the different processing operations, whether a static amount or a dynamic one (based on turnover), to ensure that any increases imposed do not exceed those amounts.
  5. Finally, it should carry out an overall analysis of the proposed amount to ensure it meets the requirements of effectiveness, dissuasiveness and proportionality. This can result in a further increase or decrease of the fine.

For better or worse?

The Guidelines cover cross-border and non-cross-border fines, and will likely be welcomed by businesses throughout the EU for bringing a relative level of transparency to how fines against them will have been evaluated. For data protection authorities, the pan-European nature of the Guidelines will allow for comparison of how similar breaches are valued following the application of the methodology. Over the longer term, this may lead to a level of consistency in fines relating to specific infringements.

It will be noteworthy to see whether those data regulators who have been comfortable in issuing fines continue to do so, or whether they will become more reticent, and seek to use the range of alternative enforcement measures available.

ICO and the UK

The Guidelines will not apply to the UK, and we do not expect that they will form any part of the regime used by the ICO. The ICO has proved to be a pragmatic regulator, keen to emphasise behaviour change but mindful of the need for appropriate punishment in the event of a serious breach.