Article 83 of the GDPR provides for two levels of administrative fines: a lower level – maximum of €10 million or 2% of the global turnover – for violations relating to record-keeping, data security, data protection impact assessments, data protection by design and default, and data processing agreements; and a higher level – maximum of €20 million or 4% of the global turnover – for violations relating to data protection principles, the legal basis for processing, information to data subjects, the prohibition of processing sensitive data, denial of data subjects’ rights, and data transfers to non-EU countries.
In addition to setting two levels of administrative fines, Article 83 of the GDPR provides criteria that national supervisory authorities must apply when setting administrative fines. On 3 October 2017, the Article 29 Working Party – a body now called the European Data Protection Board (“EDPB”) – issued guidelines (“EDPB Guidelines”) on the setting of administrative fines.
In an article written for La Revue Des Juristes De Sciences Po, Hogan Lovells partners Winston Maxwell and Christine Gateau consider the criteria for setting administrative fines under Article 83 of the GDPR in light of the EDPB Guidelines, case law of the CJEU and national courts. Where applicable, Maxwell and Gateau compare the criteria in Article 83(2) of the GDPR with those used in setting administrative fines for competition law violations, as well as with the methodology used by authorities in the United States for setting fines. Maxwell and Gateau also consider procedural safeguards under Article 6 of the European Convention on Human Rights.
Pursuant to the EDPB Guidelines, supervisory authorities must consider the proportionality of the corrective measures mentioned in Article 58(2) of the GDPR, including a warning or reprimand, before imposing a fine.
When a fine is considered necessary, we suggest that the EDPB develop a methodology for calculating the amount of the fine, based on a point system. This approach has been used for competition law sanctions, and increases transparency, consistency and legal certainty of sanctions. A major difficulty in the context of GDPR will be translating the point system into economic units corresponding to fines. Competition law violations can be measured in economic terms. Data protection violations are more difficult to measure economically. Therefore, the competition law approach cannot be transposed as it is to the GDPR. Given the human rights focus of the GDPR, data protection authorities are not accustomed to attributing economic values to data protection violations. Yet, translating violations into monetary amount is inevitable when setting administrative fines, so supervisory authorities will need to find a common method for doing so, particularly because fines are likely to become larger under the GDPR.
The scoring system we suggest in this article is first based on the number of data subjects affected by the violation. A violation affecting 3 people would have a lower score than a violation affecting 3 million. Various multipliers would then be applied to this initial score, to reflect the seriousness of the violation, the kind of data involved, the purpose of the processing, and the duration of the infringement. Once an adjusted score is obtained, supervisory authorities would then apply the aggravating and mitigating factors listed in Article 83(2) of the GDPR. In appropriate cases, supervisory authorities could decide to modify the point system, or even disregard it entirely, to reflect the particular circumstances of the case. However, without a common scoring system, setting administrative fines will be based on intuitive and subjective factors that will undermine the GDPR’s objectives of consistency and predictability.
To read the full article, click here.