EU lays down the basis for calculating data protection fines
Published on 28th Sep 2023
The guidelines do not define a formula for automatic calculation of fines but establish a common method for harmonisation
The implementation of the General Data Protection Regulation (GDPR) as of 25 May 2018 marked a significant milestone in data protection regulation in Europe and transformed the privacy regulatory framework.
One of the most prominent changes was the strengthening of the enforcement powers granted to Member States' data protection authorities, along with the introduction of significantly higher financial penalties than those previously foreseen for data controllers and processors who failed to comply with the regulatory framework.
The method for determining the specific fine amount within the range established by the GDPR has become an issue of great practical importance for companies as it can be substantial and potentially devastating for business development.
The GDPR provides that fines can reach up to 4 per cent of the undertaking's total annual turnover or a maximum of €20 million, whichever is higher. In addition, the risk of facing financial administrative sanctions has also increased significantly as data protection authorities have been exercising their powers more often in recent years, with 2022 a record year for both the number and amount of fines levied for breaches of the GDPR. This new landscape has prompted companies to put compliance with data protection regulations at the top of their agenda, aware of the serious economic and reputational consequences that can result from non-compliance.
On May 12, 2022 the European Data Protection Board (EDPB) published Guidelines 04/2022 on the calculation of administrative fines under the GDPR, which were last updated on 29 June 2023. These guidelines complement the guidelines previously adopted by the EDPB on the application and determination of administrative fines under the GDPR, which focus on determining the situations leading to the imposition of penalties. The EDPB's objective with these recent guidelines is to harmonise the methodology used by supervisory authorities to calculate the amount of fines, providing companies with greater certainty and clarity on how penalties are determined.
Notwithstanding the obligations of cooperation and consistency set out in the GDPR, the determination of the amount of a fine is always at the discretion of each supervisory authority. With these guidelines, the EDPB establishes five steps for Member States' supervisory authorities to calculate fines, thereby seeking to promote consistency and harmonisation in the fine calculation methodology. However, the EDPB has stressed that authorities are not obliged to follow all the steps if they are not applicable to a specific case, nor to justify why they have not applied certain aspects of the guidelines.
The guidelines establish the following five-step scheme for the calculation of fines:
Identify the data processing operations in the applicable case in order to determine whether they should be considered as a single sanctionable conduct or multiple sanctionable conducts, as well as to determine whether the sanctionable conduct results in one or more infringements. In situations where one conduct results in multiple infringements, the guidelines explain how to determine whether the attribution of one infringement precludes the attribution of another infringement or whether they should be imputed together.
The EDPB provides practical examples to help differentiate between separate and linked processing operations, as well as to establish whether one infringement can be considered subsidiary to another. In addition, it addresses the issue of unity of action, which arises when conduct is subject to several legal provisions or, in special cases, when a single action infringes the same legal provision several times.
Establish the starting point for further calculation of the amount of the fine. The starting point is comprised of three key elements:
- The categorisation of infringements according to their nature, that is, those with a maximum fine of €10 million or 2 per cent of the undertaking's annual turnover, and those which are sanctionable with a maximum fine of €20 million or 4 per cent of the undertaking's annual turnover.
- The seriousness of the infringement, depending on whether it is of low, medium or high gravity. For this purpose, factors such as the nature, scope or purpose of the data processing, the number of data subjects concerned, the level of damage suffered by these individuals, whether the infringement was intentional or negligent, and the categories of personal data affected are analysed. Depending on the level of gravity, the supervisory authority will set the initial amount for the further calculation of the fine (that is, low level of severity, 0-10 per cent of the applicable legal maximum; medium level, 10-20 per cent of the applicable legal maximum; and high level, 20-100 per cent of the applicable legal maximum).
- The turnover of the undertaking as a factor that may be indicative of the size and economic power of the infringing companies. The EDPB provides for different decreases and increases in the amount of the fine on the basis of this criterion.
Assess aggravating and mitigating circumstances, such as the existence of previous infringements, the measures taken by the controller or processor to mitigate the damage suffered by data subjects, the degree of responsibility of the controller or processor and the degree of cooperation of the organization with the supervisory authority.
The EDPB notes that the list of aggravating and mitigating circumstances affecting the seriousness of the infringement is open-ended and allows for consideration of any other factors related to the legal, socioeconomic or market context in which the infringing controller or processor operates. For example, the economic benefit obtained as a result of the breach or the influence of extraneous events (for instance, pandemics) on the way personal data are processed may be considered.
Determine the legal maximums for the different processing operations, so that the increases applied on the basis of the previous or following steps cannot exceed these maximum amounts.
This step focuses specifically on the so-called "dynamic maximum" amounts of fines under the GDPR, which are 2 per cent or 4 per cent of the undertaking's total annual turnover in the previous financial year. The EDPB provides a detailed explanation of the concept of "undertaking" in the context of EU law, gives numerous examples of various corporate structures, and explains the method for calculating the total annual turnover.
Assess whether the calculated fine would meet the requirements of effectiveness, dissuasiveness and proportionality, and determine whether a further adjustment of the fine is necessary. For example, enforcement authorities may consider reducing the fine to take into account its impact on the economic viability of the company and the particular social and economic context. This could include situations such as a sector experiencing a crisis, an increase in unemployment in the territory or the potential deterioration of related economic sectors.
Each step includes references to articles of the law, case law of the Court of Justice of the European Union and numerous practical examples. This final version of the guidelines also incorporates an annex with a reference table illustrating the fine calculation methodology, as well as two detailed examples of practical application.
Relevance to the business environment
While the guidelines do not set out an automatic or arithmetical method of calculation that would allow companies to know the precise amount of fines for data protection infringements, they do give them the opportunity to understand the principles that guide the supervisory authorities in determining such amounts. Moreover, they emphasise the importance for companies to work closely with the supervisory authorities and to take appropriate measures to reduce the likelihood of facing high fines.
Osborne Clarke comment
Despite the significant disparities in how different supervisory authorities determine the imposition of fines, we see potential value in these guidelines in promoting greater consistency in the calculation of fines, particularly in cross-border data protection infringements, and in enabling companies to anticipate and manage data privacy breaches more efficiently.