Top 10 EU Privacy Regulation issues – #2 Will fines be really massive?
A major question about the upcoming EU privacy regulation (the GDPR) is the actual scope of the new, much larger fines it introduces.
Updated on 01.03.2017
What are the new privacy fines?
The EU privacy regulation provides for two tiers of fines:
- Up to € 10 million or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher, in case of breach of obligations relating, among others, to the
  - implementation of a privacy by design and a security by design approach, as well as the performance of a data protection impact assessment in the case of new technologies such as those of the Internet of Things;
  - recording of data processing activities;
  - data processor's main obligations;
  - notification of data breaches; and
  - appointment of a data protection officer (where required).
- Up to € 20 million or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher, in case of breach of obligations relating, among others, to the
  - basic principles for data processing, including the conditions for valid privacy consent;
  - individuals' rights, such as the right of access, the right to be forgotten and the right to data portability; and
  - transfer of personal data outside of the European Economic Area, which will be crucial in view of the Privacy Shield now agreed for the transfer of data to the United States.
What are the criteria of their calculation?
The EU data protection regulation provides that the applicable fines shall be
- Effective,
- Proportionate and
- Dissuasive (i.e. a large company is likely to face a larger fine than a start-up for the same breach).
Such fines shall be issued taking into account, among others,
- The nature, gravity and duration of the infringement, including the number of individuals affected and the damage suffered by them;
- The measures taken to mitigate the damage suffered by the individuals;
- The degree of implementation of the technical and organizational measures of privacy by design and security by design, which consequently become effective tools for reducing the amount of a fine if a sanction is issued.
How much money are we talking about?
It is interesting to see that, up until now, one of the largest fines issued in the European Union for privacy breaches was € 1 million, issued against Google for the data collected through its Street View service. But under the regime established by the EU privacy regulation, it has been calculated that
Google might face a fine of up to $ 2.9 billion
Anything else to be worried about?
The new fines operate in addition to
- claims against the company from individuals whose data has been affected by a data breach or otherwise unlawfully processed;
- claims against the directors and legal/compliance managers of the company from shareholders, since with fines of this size the failure to implement all the measures necessary to ensure compliance can be considered major negligence;
- orders to delete personal data that was unlawfully processed, which might cause major damage to companies in a business that increasingly relies on data; and
- potential criminal sanctions against the directors or the legal/compliance managers of the company liable for the breach, in countries where criminal sanctions for privacy breaches are provided for, as is the case in Italy.
The principle of accountability is an additional “weapon” against you
The GDPR provides for the principle of accountability, which places on the investigated party the burden of demonstrating compliance with the obligations of the GDPR, making its position even more delicate. Implementing policies and procedures that show the company has adopted whatever the GDPR requires, and ensuring that employees and contractors actually comply with them, will become crucial.
Is it time for a cultural revolution?
As I mentioned in this video, such large fines will oblige companies to stop treating privacy compliance as a "nice to have". Until now data has in some cases been stored for many years or for an indefinite period of time, but
data might become a ticking bomb
that endangers the whole company, since unlawful processing of that data might trigger huge fines. It is therefore necessary to run an audit of the data currently processed in order to make sure, among others, that it has been collected in compliance with privacy laws, that it has been stored for no longer than required by applicable laws and that it has not been used for purposes other than those for which consent was obtained.
The EU privacy regulation will apply from 25 May 2018, but it will also apply to data that a company has already collected, now or in the past.
Also, given such large fines, even directors might face liability if they fail to adopt the measures necessary to ensure privacy compliance.
WRITTEN BY GIULIO CORAGGIO
IT, gaming, privacy and commercial lawyer at the leading law firm DLA Piper. You can contact me via phone at +39 334 688 1147.