The DSK is the joint coordination body of the German data protection authorities. It has recently set out a new model for calculating EU General Data Protection Regulation fines, which, if adopted and applied, is likely to lead to high GDPR fines, more frequently at the top end of the maximum fine limits under Article 83. Some German authorities have started applying this new model in practice; for example, the Berlin data protection commissioner has already announced her intention to impose multimillion GDPR fines based on this model. Some of the first cases defending clients against fines calculated under this new model are being heard.
The German DPAs agreed to test this new model for calculating fines in June. The methodology was also presented to the “Task Force Fining” of the European Data Protection Board, which aims to ensure consistent EU-wide GDPR fining practices. It is, therefore, conceivable that the European Data Protection Board may, in the future, seek to implement a harmonized fine model across Europe, based on the new methodology applied by the German authorities.
How does the fine model work in practice?
The DSK methodology is complex. For example, in a recent decision, the calculation of the fine, together with the associated explanations, is 24 pages long.
The starting point for the calculation is the aggregate global, annual revenue of the undertaking. Based on this, a so-called "daily rate" is calculated, which is then multiplied by a number of numerical factors by reference to the different penalty criteria according to Article 83(2) of the GDPR (e.g., the perceived gravity of the offense, culpability of the organization, extent of the potential harm caused to individuals, etcetera, as discussed further below).
Calculation of the 'daily rate'
As a first step, the DSK proposes that authorities determine the "daily rate" by dividing the aggregate global turnover of the undertaking for the previous year by 360 days.
For corporate groups, the DSK is quite clear that the fine calculation is not based on the turnover of only the individual undertaking concerned, but instead on the revenue of the entire group. The DSK states in its respective guidance on this subject that "parent companies and subsidiaries are regarded as an economic unit, so that the total turnover of the group of companies is taken as the basis for calculating the fine." It is not yet clear what position the courts will take on this issue, in light of the DSK’s approach.
Example: A group of companies generated sales of 90 billion euros in the previous year. This results in a "daily rate" of 250 million euros (i.e., 90 billion euros divided by 360).
Determination of the 'regular fine corridors' and the mean value
The next step is an assessment by the authority of the perceived severity of the specific offense. This severity assessment seems to be based primarily on an overall assessment performed by the authority taking into consideration, among other things, the violated GDPR provisions and maximum fine limits set out in Article 83(4)–(6) of the GDPR, with some discretion for the authorities to take into account the level of harm to individuals (the GDPR maximum fine limits may not be exceeded). The DSK’s model sets out five levels of severity, each with an associated multiplier range:
- Minor infringement: multiplier of 1 to 4.
- Average infringement: multiplier of 4 to 8.
- Severe infringement: multiplier of 8 to 12.
- Very severe infringement: multiplier of 12 to 14.4.
The outcome of the severity assessment is the determination of the so-called "regular fine corridor" by multiplying the "daily rate" by the multiplier range associated with the relevant severity level. The authorities then calculate the median value of the resulting “fine corridor," which becomes the basis for the further calculation of the fine.
Example: In the case of the company mentioned in the previous example, with an annual turnover of EUR 90 billion and a "daily rate" of 250 million euros, the authorities find a minor infringement, i.e., the least severe category with an associated multiplier range of one to four. The authority then multiplies the "daily rate" of 250 million euros by the one to four multiplier range. This results in a regular fine corridor of 250 million to 1 billion euros and therefore a median value of 625 million euros.
Classification of the specific GDPR infringement
Next, there would be further modification of the fine to take into account the nature of the offense and its consequences in accordance with the following criteria:
- Duration of the infringement.
- Nature, extent and purpose of the unlawful processing.
- Number of data subjects involved in the processing.
- Extent of harm suffered by data subjects.
The authorities would then assign a score of 0 to 4 to each of these criteria and calculate the total of those values. Scores of 0 and 1 are given for risk-mitigating factors (a small number of individuals impacted, no/minimal harm suffered, or a short duration of unlawful data processing, etcetera); scores of 2 if there are neither mitigating nor aggravating factors; and scores of 3 or 4 if there are aggravating factors (e.g., the infringement was carried out for a long period of time). The sum of these scores, therefore, produces a total number between 0 and 16. This value is then entered into a long and complex table (not yet publicly released) in order to determine whether an additional multiplier should be applied, to either increase or decrease of the median value already determined in the previous calculation step.
Example: Continuing with the company from our previous examples, if the authority evaluates all the four criteria mentioned in this section as "equal," it will award the score of 2 to each of the four criteria (i.e., four times). With a total score of 8, no additional multipliers are applicable. Therefore, there is neither an increase nor a decrease in the median value already calculated. In our example, the median value of 625 million euros, therefore, remains the same for the purposes of further calculation.
Further consideration of the fine
In a further step, the authority would determine any other relevant criteria for assessing fines in accordance with Article 83(2) GDPR. This concerns culpability, i.e., intent or negligence, the initiation of measures to mitigate damage, the degree of responsibility, the existence of any relevant previous infringements, cooperation with the supervisory authority, the categories of personal data processed within the scope of the infringement, the type of disclosure of the infringement, compliance with any measures previously ordered by the authority, and, if applicable, compliance with approved procedural rules or certifications.
Final consideration of the fine
As a final step, the authority would then examine whether any further aggravating or mitigating circumstances exist that would suggest a further adjustment of the fine determined so far. There seems to be no formula for this further adjustment so that the authorities have particularly wide scope for discretion in this step. To the extent necessary, there would also be an adjustment to be consistent with the GDPR-mandated maximum fines.
Outlook
Initial practical experience shows that the application of the DSK model would lead to significantly higher fines than those imposed so far by the German authorities since the GDPR came into force. The largely linear calculation method, starting with revenue, leads to serious penalty risks, especially for companies and groups with high turnover.
It is arguably questionable whether sanctions imposed under the DSK fine model properly take into account the matters required by Article 83 of the GDPR and/or can properly ensure that fines are in fact proportionate. The DSK model, if adopted and applied, would certainly be ripe for challenge, and it could be difficult for data protection authorities to convince courts in administrative offense proceedings that they have in fact determined appropriate, lawful fines using it. In particular, large corporate groups and companies that process high volumes of data or sensitive or high-risk data should prepare themselves for an emergency and plan an effective litigation defense in advance.
Photo by Ingo Joseph from Pexels
Approved1 Comment
If you want to comment on this post, you need to login.
Please also note that the Conference of the independent German DPAs ("DSK") took an official position on the GDPR Fining Guidelines on Sep 17, 2019, whose announcement made a great stir in recent weeks. According to the official press release, the Guidelines are to guarantee "a systematic, transparent and comprehensible fine allocation." (You may find the Press Release (in German) at https://www.datenschutzkonferenz-online.de/media/pm/20190917_bu%C3%9Fgeldkonzept.pdf ) According to the DSK, the Guidelines were still at a draft stage while being consulted "in an accompanying way" in recent fine proceedings to check their suitability and accuracy in practice. In any event, Art. 83(2) GDPR and its criteria shall prevail. Several privacy pros have tried to achieve a publication of the Guidelines via FOI requests—all without success, to the best of my knowledge. The draft shall be harmonised with similar guidelines from other EU DPAs by the EDPB under Art. 70(1)(k) GDPR. Negotiations to develop a European concept are currently underway. At the 3rd interim conference on Sep 12, 2019, the DSK decided that the Guidelines should be discussed further at the Nov 3/4 conference. After prior examination, a decision on publishing the Guidelines shall be reached at this date.