The long-awaited EDPB guidelines on the calculation of GDPR fines have now been published, but the view from data protection authorities reveals some areas for improvement.
The European Data Protection Board has issued guidelines on the calculation of fines under the GDPR. Below, I tried to summarize the main points arising from them, emphasizing arguable points.
In particular, the EDPB argues that a purely mathematical calculation of GDPR fines is not possible, but it outlines a five-step process to be followed in determining the fines:
- Identification of processing operations and assessment of the application of Article 83(3) of the GDPR 📌 Relevant here is the stance on the uniqueness of conduct and the criterion for calculating fines in case of multiple violations. As such, even where multiple violations are committed through the same misconduct, if they form part of a single course of action, a single fine is set based on the highest applicable threshold. It seems an obvious conclusion, but data protection authorities had not spelled it out in previous decisions;
- Identification of the basis for calculating the fine according to the violation, its severity, and the turnover of the company 📌 This is the most relevant part of the guidelines because it gives specific criteria for a precise calculation of the fine according to turnover bands and the severity of the violation. The effort by data protection authorities to ensure certainty in the calculation of GDPR fines is a good sign. However, the EDPB holds that privacy authorities can also diverge from these criteria in specific circumstances…
- Evaluation of aggravating and mitigating circumstances related to the company’s past or present behaviour 📌 This section risks defeating the entire purpose of step 2 because it is very general and provides too much flexibility to the data protection authorities in adjusting the results of step 2;
- Identification of the relevant legal ceilings for the different processing operations 📌 The guidelines adopt the concept of an enterprise, which is broader than the individual company and could be a risk for very integrated groups (e.g., corporations with a single group DPO). It is interesting that the EDPB holds that the “preceding year” for the purpose of calculating the fine is the one prior to the privacy authority’s decision rather than the one prior to the violation. This conclusion might have substantial impacts in countries like Italy, where fines are issued several years after the violation; in the meantime the business might have grown, also because of inflation, and it appears unfair that such growth implies a higher sanction;
- Analysis of whether the final amount of the calculated sanction meets the requirements of effectiveness, dissuasiveness, and proportionality 📌 It is also unclear here how much flexibility is given to the privacy authority.
The above-mentioned criteria are definitely welcome, since they aim at increasing the certainty of the calculation of GDPR fines. However, the criteria appear to be the result of a mediation process run by the EDPB, which flagged on each criterion that local data protection authorities keep their right to diverge from the pre-defined criteria on the basis of the peculiarities of the case. Hopefully, companies will gain more transparency when assessing the risk of potential challenges and will be able to contest fines that do not comply with these criteria.
The previous criteria for the calculation of GDPR fines had been issued by the German data protection authorities (see “Guidelines on the calculation of GDPR fines now issued by German DPAs”) but had rarely been followed by privacy authorities.
The EDPB guidelines on calculating GDPR fines are subject to a consultation process that will end on the 27th of June 2022.