A major question when it comes to the GDPR is the scope of applicable privacy fines, how to calculate them, and how to mitigate risks.
Below is a video (in Italian) on the topic, part of my videoblog Diritto al Digitale, and a more detailed article in English on the matter.
What are the new privacy fines?
The EU privacy regulation provides for fines
- Up to € 10 million or 2% of the total worldwide turnover of the previous year in case of breach of obligations relating, among others, to the
  - Implementation of a privacy by design and security by design approach, as well as the performance of a data protection risk assessment in case of new technologies such as those of the Internet of Things;
  - Recording of data processing activities;
  - Data processor’s primary obligations;
  - Notification in case of data breaches; and
  - Appointment of a data protection officer (when necessary);
- Up to € 20 million or 4% of the total worldwide turnover of the previous year in case of breach of obligations relating, among others, to the
  - Basic principles for data processing, including the conditions for privacy consent;
  - Individuals’ rights such as the right of access, the right to be forgotten, and the portability right; and
  - Transfer of personal data outside of the European Economic Area, which is a major issue after the Schrems II decision.
The fines above are peculiar because they do not set a minimum amount for each breach, which grants higher flexibility to data protection authorities in determining the appropriate penalties. However, this approach is expected to lead to a higher risk of challenges and never-ending disputes on the amount of penalties.
On what are the fine percentages calculated? The concept of undertaking
The GDPR provides that fines are imposed on an “undertaking”, and the Article 29 Working Party in its guidelines clarified that the notion of undertaking is the one provided for by the CJEU for the purposes of the application of Articles 101 and 102 TFEU, and shall be interpreted under EU law and case-law as follows:
“an undertaking must be understood to be the economic unit, which engages in commercial/economic activities, regardless of the legal person involved”.
The matter is not analyzed in detail by the Article 29 Working Party, but the definition of an undertaking is a competition law concept. And indeed, we are using competition law cases to give clients indications on the actual level of risk exposure that can be triggered by GDPR fines. It follows from the above that:
- Fines might not be calculated on just the turnover of the “breaching legal entity,” i.e., the data controller/processor found performing the challenged conduct, but might be determined taking into account all the entities involved in the challenged activity;
- A consequence of the conclusion above is that a strong intragroup integration on matters that are more exposed to privacy fines, such as the creation of a centralized marketing or HR department serving the whole group, might increase the risk that penalties are calculated on the turnover of the entire group or, more generally, extended to more entities of the group;
- A group reorganization, especially in businesses that considerably rely on the exploitation of large quantities of personal data, should be assessed to limit the privacy-law-related risk exposure of the whole group; and
- It should be assessed whether having a single group DPO ensuring consistency of privacy law compliance across the group, which on the one hand ensures better control over the privacy strategy of all the subsidiaries, might on the other hand increase the risk of a “domino effect” across the group in case of challenged privacy breaches.
What are the criteria for their calculation?
The EU data protection regulation provides that the applicable fines shall be
- Proportionate and
- Dissuasive (i.e., if an undertaking is massive, it is likely to face more considerable fines than a start-up for the same breach).
Such fines shall be determined based on the nature, gravity, and duration of the infringement, taking into account, among others:
- The number of individuals affected and the damages suffered by them;
- The purpose of challenged processing;
- The level of damages suffered by individuals;
- The intentional or negligent character of the infringement;
- Any action taken to mitigate the damage suffered by individuals;
- The implementation of the organizational measures of privacy by design and security by design that consequently become effective tools also aimed at mitigating the amount of fines in case of issued sanctions;
- Any relevant previous infringements by the controller or processor, i.e., the track record of the challenged undertaking will matter;
- The degree of cooperation with the supervisory authority to remedy the infringement and mitigate the possible adverse effects of the infringement;
- The categories of the personal data affected by the infringement, e.g., if health-related data has been affected by the infringement or the data is identifiable, the potential fines might be higher;
- How the infringement became known to the supervisory authority, in particular, whether, and if so, to what extent, the controller/processor notified the infringement. This has a major impact in determining the strategy to be adopted in case of a data breach;
- The adherence to codes of conduct; and
- Any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained or losses avoided, directly or indirectly, from the infringement.
How much money are we talking about?
It is interesting to see that, up until the applicability of the GDPR, one of the most considerable fines issued in the European Union for privacy breaches was the € 1 million issued against Google for the data collected through their Street View service, followed more recently by the € 11 million privacy fine issued by the Italian data protection authority. But under the regime established by the EU privacy regulation, it has been calculated that
Google might face a fine up to $ 2.9 billion
Anything else to be worried about?
The new privacy fines operate in addition to
- claims against the company from individuals whose data has been affected by a data breach or has simply been unlawfully processed;
- claims against the directors and legal/compliance managers of the company from shareholders, since with sanctions of this size, the failure to implement all the measures necessary to ensure compliance can be considered as significant negligence;
- orders for the deletion of personal data unlawfully processed, which might cause major damage to companies in a business that increasingly relies on data; and
- potential criminal sanctions against the directors or the legal/compliance managers of the company liable for the breach, in countries where criminal sanctions for privacy breaches are provided, as is the case in Italy.
The principle of accountability is an additional “weapon” against you
The GDPR provides for the principle of accountability, which puts the burden of proof of demonstrating compliance with the obligations of the GDPR on the investigated party, making the position of the latter even more delicate. The implementation of policies and procedures showing that whatever is required by the GDPR has been adopted, and compliance with them by employees and contractors, will become crucial.
Is it time for a cultural revolution?
As I mentioned in this video, such large sanctions will oblige companies not to consider privacy compliance as a “nice to have” anymore. So far, data has in some cases been stored for many years or for an indefinite period of time, but
data might become a ticking bomb
that might endanger the whole company, since its unlawful processing might trigger huge privacy fines. It is therefore necessary to run an audit of the data currently processed to make sure, among others, that the data has been collected in compliance with privacy laws, that it has been stored for no longer than required by applicable laws, and that it has not been used for purposes other than those for which consent was obtained.
The EU privacy regulation is in force and will also apply to data that a company has already collected, NOW or in the past.
Also, given the size of privacy fines, even directors might face liabilities if they do not adopt the measures necessary to ensure privacy compliance.