The EU General Data Protection Regulation, which became applicable on 25 May 2018, before Brexit, introduced a consistent framework of fines to enforce compliance with data protection rules across the EU. Some five years later, on 24 May 2023, the European Data Protection Board released its final guidelines on calculating administrative fines under the GDPR. These new guidelines aim to provide clarity and consistency in the calculation of fines across all EU member states and, in the EDPB's own words, "aim to harmonise the methodology data protection authorities use to calculate fines and include harmonised 'starting points.'"
The EDPB notes that the new guidelines are intended to be applied alongside the previously adopted Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679 (WP253).
The EDPB's new guidelines
The new guidelines provide much-needed clarity and consistency in the enforcement of the GDPR, aiming to ensure that fines are applied consistently across all EU member states and that organizations are treated fairly. However, the final amount of any fine remains at the discretion of the supervisory authority: the EDPB envisages harmonization of the starting points and of the methodology used to calculate a fine, not harmonization of outcomes.
The GDPR itself sets the outer rules. The amount of a fine must in each individual case be effective, proportionate and dissuasive (Article 83(1)), and in setting that amount the supervisory authority must give due regard to the factors listed in Article 83(2), which go to the seriousness of the infringement and the conduct of the controller or processor. Within those rules, the new guidelines set out a five-step approach for calculating fines.
Step 1 involves identifying the processing operations in the case and evaluating the application of GDPR Article 83(3) to establish which infringement is deemed the gravest. The supervisory authority must determine which specific processing operation led to the infringement and assess any concurrence of offences, that is, whether there is unity of action or a plurality of actions. The guidelines note that these different categories of concurrence should not conflict with each other; they have different scopes of application and fit together in a coherent overall system.
Step 2 involves finding the starting point for further calculation based on an evaluation of the following:
- The classification within GDPR Article 83(4)-(6).
- The seriousness of the infringement pursuant to GDPR Article 83(2)(a), (b) and (g).
- The turnover of the undertaking, with a view to imposing an effective, dissuasive and proportionate fine pursuant to GDPR Article 83(1).
Depending on the assessed seriousness, the infringement is classified as:
- Low: the starting amount for further calculation lies between 0% and 10% of the applicable legal maximum.
- Medium: the starting amount for further calculation lies between 10% and 20% of the applicable legal maximum.
- High: the starting amount for further calculation lies between 20% and 100% of the applicable legal maximum.
The new guidelines also address how the starting amount should reflect the turnover of the undertaking, with adjustments, for example, for micro, small and medium-sized enterprises. As a general rule, the higher the turnover of the undertaking within its applicable tier, the higher the starting amount is likely to be.
Step 3 involves assessing the controller's or processor's past or present behavior and adjusting the fine accordingly. Each criterion in Article 83(2) GDPR should be taken into account only once. Intentional infringement, previous infringements, failure to cooperate with supervisory authorities, and failure to mitigate the damage suffered by data subjects are examples of aggravating factors. Examples of mitigating factors include taking corrective action, cooperating with supervisory authorities, and demonstrating a low level of culpability. The absence of previous infringements is not a mitigating factor, as compliance with the GDPR is expected to be the norm. The manner in which the infringement became known and any financial benefits gained or losses avoided are also factors to consider.
Step 4 involves identifying the relevant legal maxima for the different processing operations. Here the supervisory authority (not the EDPB, which only sets the methodology) checks the calculated amount against the maximum administrative fine available for the specific type of infringement under GDPR Article 83(4)-(6): up to EUR 10 million or 2% of total worldwide annual turnover of the preceding financial year, whichever is higher, for infringements under Article 83(4), and up to EUR 20 million or 4% for those under Article 83(5) and (6). The fine cannot exceed the applicable maximum.
Step 5 involves analyzing whether the final amount of the calculated fine meets the requirements of effectiveness, dissuasiveness and proportionality, as required by GDPR Article 83(1), and increasing or decreasing the fine accordingly.
The new guidelines may result in higher fines for organizations. The starting amounts for infringements are generally higher, and the adjustments for aggravating factors may significantly increase fines across the EU. There is also a general trend of "penalty inflation" over time, and the growing body of published decisions gives regulators more precedent against which to benchmark scenarios and the corresponding penalties. While the EDPB guidelines are not legally binding, they are persuasive and likely to be influential in the application of fines across the EU. Organizations should consider them when assessing their GDPR compliance and the consequences of noncompliance.
The U.K. ICO's guidance on administrative fines
The U.K. Information Commissioner's Office's currently applicable position on fines is outlined in its Regulatory Action Policy (RAP). Some indication of its developing thinking on the subject can also be found in the previously published draft Statutory Guidance on Regulatory Action (SGRA). The RAP sets out that fines are to be used as a last resort and that the ICO will first try to work with organizations to achieve compliance. The RAP is a short document somewhat lacking in detail regarding the methodology for calculating fines. By contrast, the draft SGRA sets out in much greater detail the factors that should be considered when determining the amount of a fine, such as the severity of the breach and the organization's cooperation with the ICO, similar to the new EDPB guidelines. However, the SGRA has yet to be adopted, meaning the ICO still operates under the older, shorter RAP. The timeline for the ICO's published materials and consultations is:
- July 2018: The ICO published its RAP, outlining its approach to enforcing the GDPR and the use of administrative fines.
- October/November 2020: The ICO ran a consultation on the SGRA, which was not adopted. It noted that it would "publish this guidance after the U.K. has left the EU and (it has) therefore drafted it accordingly."
- March 2022: The ICO ran another consultation on the draft RAP, its statutory guidance on regulatory action and its statutory guidance on its Privacy and Electronic Communications Regulations powers. This consultation considered an updated version of the SGRA, dated 2021, which has not to date been adopted.
As part of the summary of responses from the October 2020 statutory guidance public consultation, the ICO flagged the following feedback in particular:
- Some respondents expressed the view that the draft SGRA took a high-level and strategic approach, with insufficient detail, making it difficult to understand what would guide the ICO's regulatory decision-making in practice. Further clarity, explanations and "real life" examples were suggested.
- It was also noted that "this could leave the average person not much clearer about when it will act. There was a related call for the Statutory Guidance to be less vague and more definite, rather than sometimes making some general statements about what the ICO may or may not do."
- The relationship between the RAP and SGRA left some feeling it would have been more beneficial for both sets of documents to have been consulted on at the same time.
Given the level of detail in the new guidelines, and considering that the ICO's only current adopted guidance is the RAP, there is now a significant disparity between the EU and U.K. positions in respect to applicable guidance on the calculation of financial penalties.
What's next for the U.K.?
As stated above, the U.K. position on how fines should be calculated lags behind the current European guidance. In the post-Brexit landscape, the U.K. is not constrained to follow EDPB guidance or to engage in the GDPR's cooperation and consistency mechanisms (Article 60 and Articles 63 onwards), but there remains a striking disparity between the level of detail set out in the new guidelines and the ICO's current model.
The ICO might seek to adopt some aspects of the new guidelines, as they could be helpful in reaching an effective, proportionate and dissuasive amount in any particular case. At present, however, it remains constrained to follow its existing process: the principles of public law require a U.K. regulator to follow its own published and consulted-upon policy, absent good reason to depart from it in a particular case. It is also of note that, while public authorities often have discretion over whether to issue a policy on a given matter, section 160 of the Data Protection Act 2018 specifically obliges the ICO to issue guidance about how it proposes to exercise its functions, inter alia, in connection with penalty notices, and that guidance must include an explanation of how the commissioner will determine the amount of such penalties. In short, the ICO must issue guidance on how it will calculate penalties and, once issued, is bound to follow it or risk procedural challenges before the tribunal or by way of judicial review.
As to where the ICO may go next, previous consultations suggest it has considered expanding upon the existing framework but has yet to decide how best to do so. Now that the new guidelines are in place, the ICO may decide to issue new guidance that closely follows the EDPB position, or guidance that diverges from it to a greater or lesser extent to assert independence post-Brexit. Either way, this is a matter that merits close attention. The question of how exactly penalties are arrived at, and whether the applicable policies have been accurately adhered to, will be of considerable importance to organizations facing such penalties.