Briefing

The European Union’s data protection regulators have decided to significantly increase General Data Protection Regulation (GDPR) enforcement cooperation. In April 2022, the regulators published the Vienna Statement on Enforcement Cooperation. In May 2022, the European Data Protection Board (EDPB) published Guidelines 04/2022 on the calculation of administrative fines under the GDPR. The EDPB opened a period of consultation.  Since GDPR came into force in 2018, EU GDPR regulators have developed their own enforcement strategies, investigation thresholds and methodologies for calculating and imposing fines. Many of these were unpublished. As GDPR regulators began to deal with cross-border investigations and complaints, differences in approach began to strain co-operation.  Greater unity and clarity on fines and calculation methods will create more transparency for data controllers, processors, supply chains and individuals. It also helps EU GDPR regulators to practically deal with the same cases in similar ways, which builds trust and confidence.

EU GDPR Fine Rules and New EDPB Guidelines 2022       

The GDPR is clear that the calculation of fines is left to the discretion of each EU GDPR regulator, in line with the law. Each fine must be effective, proportionate and dissuasive. Data protection regulators must consider the circumstances relevant to the infringement, such as its seriousness or consider the character of the perpetrator. The level of the fine should not exceed the maximum amounts listed in the GDPR of €10,000,000 or 2% of worldwide annual turnover (whichever is higher) and €20,000,000 or 4% of worldwide annual turnover (whichever is higher). Each fine must be specific to that case and be calculated according to the elements set out in the GDPR.

In May 2022, the EDPB published the following five-step methodology for calculating GDPR fines. It aims to build on the GDPR’s rules but also expand the types and levels of analysis to improve transparency, accountability and enforcement cooperation between the EU’s data protection regulators. The Guidelines cover EU cross border cases and non-cross border cases.

Step 1Identify the processing operations in the case and evaluate the application of GDPR Article 83(3).
Step 2Find the starting point for further calculation based on an evaluation of:
a) the classification in GDPR Article 83(4)–(6);
b) the seriousness of the infringement based on GDPR Article 83(2)(a), (b) and (g);
c) the turnover of the organisation as one relevant element to take into consideration in order to impose an effective, dissuasive and proportionate fine, in line with GDPR Article 83(1).  
Step 3Evaluate aggravating and mitigating circumstances related to past or present behaviour of the controller/processor and increase or decrease the fine accordingly.
Step 4Identify the relevant legal maximums for the different processing operations. Increases applied in previous or later steps cannot exceed this amount.
Step 5Analyse whether the final amount of the calculated fine meets the requirements of effectiveness, dissuasiveness and proportionality, as required by GDPR Article 83(1) GDPR, and increase or decrease the fine accordingly.

The EDPB Guidelines state that the calculation of GDPR fines should not be a mere mathematical exercise. The circumstances of each specific case will ultimately determine the final amount between any minimum and the legal maximum. These Guidelines are intended to help EU data protection regulators consistently apply and enforce the GDPR and set out the EDPB’s common understanding of the rules in the GDPR.  The Guidelines also aim to create harmonised starting points and shared methodology for all EU GDPR regulators, but not necessarily harmonised outcomes. The Guidelines apply to all sorts of private sector controllers and processors and extend to the public services, in so far as, national member state laws allow.

High GDPR Fine Patterns Since 2018

Together with the power to stop or suspend data processing, the power under the GDPR to issue 2% or 4% fines of annual worldwide turnover are powerful enforcement tools. GDPR fines vary greatly. The highest fines announced have been Amazon (€746 million) in Luxembourg, Facebook: WhatsApp (€225 million) In Ireland, H&M  (€35 million) by Hamburg in Germany,  TIM (€27.8 million) in Italy, British Airways (€22 million) in the UK , Clearview AI (€20 million) in Italy, Caixabank (€6 million), The Dutch Tax and Customs Administration (€3.7 million) in the Netherlands, National Revenue Agency (€2.6 million) in Bulgaria. These fines were issued largely using each regulator’s own internal and unpublished methodologies and analysis, guided by their interpretation of the law.  Several GDPR fines have been challenged in courts and have been upheld. A few of the fine amounts have been reduced.

GDPR Fines Guidance in the Netherlands, Germany and the UK

In 2019, the Dutch data protection regulator, published GDPR fines guidance for companies and government organisations. The guidance emphasised the organisation’s revenue stream as being a key factor in the final fine, to be considered at the final stage of the calculation. In 2019, Germany’s data protection authorities published a concept paper on methods for calculating GDPR fines for companies. The concept paper focused on turnover, with a detailed methodology. This approach has not proved sustainable and has been challenged. In 2020, the UK data protection regulator published draft guidance setting out four categories of culpability, included the organisation’s turnover and proposed fine reductions to encourage early payment. Post-Brexit, the UK GDPR draft fine guidance was updated, simplified  and received consultation responses in 2022.

Future EU GDPR Fines: Looking Ahead

These EDPB Guidelines are likely to change with consultation and over time. Businesses and organisations will be better able to understand the important elements that make up a GDPR fine. The themes of proportionality, transparency and EU enforcement interoperability now appear to be the driving forces in EU GDPR financial penalty calculations. It is unclear whether this will encourage or discourage appeals against the amount and calculation methods of GDPR fines. However, it is important to remember that these are guidelines. Each EU data protection regulator has scope to decide how much of the guidelines to apply in each case.  The ability of EU data protection regulators to issue dissuasive or exceptional fines remains. The decision-making autonomy of each regulator, on a case by case basis, continues to operate.

For assistance with EU/UK GDPR compliance, data protection regulatory investigations, GDPR enforcement support, data breach response and our Legal & Regulatory Support services, contact Privacy Solved:

Telephone:  +44 (0) 207 175 9771 (London)

Telephone:  +353 1 960 9370 (Dublin)

Email: contact@privacysolved.com

PS062022