The General Data Protection Regulation (GDPR) is set to replace the Data Protection Directive 95/46/ec effective May 25, 2018. The GDPR is directly applicable in each member state and will lead to a greater degree of data protection harmonization across EU nations.

Although many companies have already adopted privacy processes and procedures consistent with the Directive, the GDPR contains a number of new protections for EU data subjects and threatens significant fines and penalties for non-compliant data controllers and processors once it comes into force in the spring of 2018.

The previous installments in this series have outlined nine significant changes to Europe’s data protection regime under the GDPR. Those changes, however, only impact privacy professionals to the extent they create a risk of enforcement. The introduction of heightened fines and a robust enforcement mechanism suggest that the Regulation’s provisions should be taken seriously. This final installment examines what happens when companies violate the GDPR.

This is the last installment in a series of articles addressing the top 10 operational impacts of the GDPR.

Consequences for GRPR Violation: Complex administrative procedures and hefty fines

More than any new substantive right or complex procedure, the new GDPR measure most likely to draw attention from the C-suite is the provision on penalties and fines. In a stark departure from previous privacy legislation in Europe or elsewhere, the GDPR authorizes regulators to levy remarkably steep fines in amounts exceeding 20 million euros or four percent of annual global turnover, whichever is higher.

This article first sets forth the judicial remedies available to data subjects and then discusses how supervisory authorities may pursue complaints administratively. It concludes with an examination of the Regulation’s administrative fines and penalties.

Circumstances giving rise to fines and factors to be considered

The GDPR empowers supervisory authorities to assess fines that are “effective, proportionate and dissuasive.” It sets forth both mitigating and aggravating factors to help DPAs assess the amount of a fine. For example, intentional violations are worse than negligent ones. Mitigating factors include adherence to a code of conduct or certification mechanisms, minimizing the use of sensitive categories of data, and employing appropriate technical and organizational safeguards. In the event of non-compliance, moreover, controllers or processors may limit the amount of a fine by mitigating “the damaging nature, gravity and duration of the violation,” reporting the violation as soon as possible and cooperating with the supervisory authority.

Aggravating factors generally include the opposite actions – not seeking to mitigate harm or acting contrary to the mitigating factors.

Two “tiers”

The GDPR creates two tiers of maximum fines depending on whether the controller or processor committed any previous violations and the nature of violation. The higher fine threshold is four percent of an undertaking’s worldwide annual turnover or 20 million euros , whichever is higher. The lower fine threshold fine is two percent of an undertaking’s worldwide annual turnover or 10 million euros, whichever is higher.

These amounts are the maximum, meaning supervisory authorities are empowered to assess lower but not higher fines. Specifically, Recital 148 authorizes a DPA to issue a reprimand in place of a fine in cases of a minor infringement where the fine would constitute a disproportionate burden on a natural person. Additionally, fines are not compounded for multiple violations arising from the same incident; the total fine cannot exceed the fine for the gravest violation.

When fines are imposed on a natural person, as opposed to a corporate controller or processor, their general income level and personal economic situation will inform the appropriate amount of fine.

Higher fine threshold

Fines in the higher threshold are assessed for more serious violations by controllers and processors, such as the violation of a data subject’s rights. Specifically, higher fines are assessed for violating,

  • Basic principles for processing data, including consent (Articles 5-7, 9)
  • Data subjects’ rights (Articles 12-22)
  • Data transfer provisions (Articles 44-49)
  • Obligations to Member State laws including the right to freedom of expression and information, collection and use of national identification numbers, employment processing, secrecy obligations, and data protection rules for churches and religious associations. (Chapter IX)
  • Non-compliance with an order or a temporary or definitive limitation on processing or suspension of data flows by a supervisory authority (Articles 58(1), 58(2))

Lower fine threshold

Fines in the lower tier are assessed on controllers, processors, certification bodies or monitoring bodies. Violations of most other provisions are subject to the lower fine tiers or penalties. There are some notable obligations that are specifically subject to the lower fines.

  • Obligations of controllers and processors include:

o   Obtaining a child’s consent according to the applicable conditions in relation to information society services (Article 8);

o   Notifying the supervisory authority of a personal data breach (Article 33);

o   Notifying the data subject of a personal data breach (Article 34); and

o   Designating a data protection officer (and the data protection officer has related obligations to their position). (Articles 37-39).

There are also obligations of certification bodies (Articles 42, 43), and obligations of monitoring bodies (for monitoring of approved codes of conduct) to take appropriate action to enforce code violations (Article 41(4)).

Applicability and consistency of fines in Member States

The national laws of two of the Member States, Denmark and Estonia, do not allow for the imposition of administrative fines as set out in the GDPR. Consequently, Recital 151 provides an exception for those two Member States, allowing competent national courts to impose the fines as criminal sanctions in Denmark and through a misdemeanor procedure framework in Estonia. In those Member States, the supervisory authority refers the case to the relevant courts to initiate the fines. The national courts should, however, “take into account the recommendation by the supervisory authority initiating the fine.”

In general, where the Regulation does not impose administrative fines for infringements, or for other special cases such as serious violations, Member States are required to implement a penalty system. Member States must notify the Commission of any legislation or legislative changes adopted to create penalties for violations outside administrative fines. Similar to administrative fines, penalties must be “effective, proportionate and dissuasive.” Unlike fines, penalties may be criminal under the national law of a Member State.

Lead and concerned supervisory authorities

The Regulation attempts to harmonize administrative proceedings across multiple Member States, each of which must appoint their own competent supervisory authorities (often referred to as “Data Protection Authorities” or “DPAs”) under Article 55. To avoid multiple parallel administrative proceedings, and to ensure decisions are enforceable, the GDPR sets out in Article 51a that each controller or processor will be subject primarily to the authority of a single “lead supervisory authority.” The lead supervisory authority is the DPA of the Member State where the controller or processor has its “main establishment.” If the controller or processor has offices in multiple jurisdictions, the main establishment is “the place of its central administration in the Union” (i.e., its headquarters, in most cases). For controllers or processors located in only one Member State, that State’s DPA will serve as the lead.

Data subjects may file complaints with the DPA of the Member State in which they reside, where they work, or where the alleged infringement occurred. A DPA also may pursue infringement actions on its own accord when there has been an infringement in its Member State or which affects the residents of that State. If the controller or processor subject to the complaint has its main establishment in a Member State other than where the complaint is filed or launched, the original DPA must notify the lead DPA. The lead DPA has three weeks to decide whether to keep the case or delegate it back to the first DPA. In making its decision, it should consider whether the controller or processor has an establishment in the Member State where the action was initiated.

If the lead DPA declines to take the case, the original supervisory authority is allowed to keep it, subject to the procedures in Articles 61 and 62. These provisions mandate cooperation among the DPAs in pursuit of the case and set out specific rules for joint investigations and enforcement actions. If the lead DPA decides to pursue the case, Article 60 ('one-stop-shop mechanism') procedures apply. The original supervisory authority is invited to submit a draft decision to the lead, who “shall take utmost account” of the draft.

Article 54a “one-stop shop” cooperation

Assuming an infringement proceeding involves a controller or processor with establishments in multiple Member States, the lead supervisory authority must cooperate with the other “concerned” supervisory authorities in preparing a decision, incorporating appropriate suggested changes or objections. Article 65 creates a mechanism by which the European Data Protection Board may resolve any disputes among the DPAs. Decisions of the Board and decisions jointly agreed upon by lead and concerned supervisory authorities become binding.

In any case, the lead DPA must notify the accused controller or processor of any final decision, whereas the DPA where the complaint was originally lodged must notify the complainant. The complainant retains its right to an effective judicial remedy against a legally binding decision of a supervisory authority or where the supervisory authority fails to deal with a complaint or inform a data subject about the outcome of a case within three months. Additionally, under Article 83 the “exercise by the supervisory authority of its powers under this Article shall be subject to appropriate procedural safeguards in conformity with Union law and Member State law, including effective judicial remedy and due process.”

Damages and compensation for data subjects

Similar to the Directive, the GDPR allows data subjects to seek monetary damages in court from controllers who violate their rights and from processors as well if the processors are liable for a data breach, violate the processor-specific provisions of the GDPR, or act outside a controller’s lawful instruction.

Under Article 79, data subjects may bring an action for damages or compensation before the courts of the Member State state where they reside. They also may bring the action in any Member State State where the controller or processor has an establishment. The GDPR encourages courts to stay proceedings in favor of the first-filed case when a controller or processor faces lawsuits in many jurisdictions for the same incident. Individual causes of action are independent from and without prejudice to an action by a supervisory authority to impose administrative fines.

Data subjects may ask non-profit public interest organizations to bring an action on their behalf, and such organizations may bring an action independently where permitted by Member State state law. Because data subjects have a right to “an effective judicial remedy,” moreover, the GDPR empowers a data subject to bring an action against supervisory authorities in the courts of their Member State when they do not “deal with a complaint” or timely inform a data subject of the complaint’s progress or outcome.

Any non-compliant controller involved in data processing faces liability for damages under Article 82. Processors, however, face liability only when they have not complied with processor-specific regulations or with the controller’s lawful instructions. Both are immune from liability if they can prove they are “not in any way responsible for the event giving rise to the damage.” In other words, after a data subject demonstrates an infringement, the burden shifts to the controller or processor to prove they are not personally responsible.

When the controller and processor are joined in the same judicial proceedings, or when more than one controller is concerned, the data subject is entitled to receive full compensation from any one of the parties. Liability for damages subsequently may be apportioned among them according to their respective responsibility for the harm. When those controllers and processors are also involved in the same processing, each is liable for the entire harm.

Article 26 provides specific provisions for when “two or more controllers jointly determine the purposes and means of processing,” termed joint controllers. Joint controllers are required to create an agreement determining their respective duties to comply with the Regulation. The agreement must be available for data subjects, who may enforce their rights against each of the controllers irrespective of the terms of the agreement. In other words, joint controllers remain jointly and severally liable to data subjects harmed by GDPR non-compliance even if they allocate liability among themselves by agreement.

Conclusion

The Regulation empowers data subjects to seek judicial relief for damages and file administrative complaints with supervisory authorities. The Regulation’s guidance on imposing fines replaces the patchwork enforcement structure of the Directive, while establishing accountability and consistency mechanisms also lacking under the Directive. The hefty fines and penalties for infringement not only encourage accountability, they may be the single most eye-catching feature of the Regulation, causing multinationals and local companies to invest more in compliance. The GDPR’s consistency mechanisms – encouraging supervisory authorities to cooperate and agree on infringement decisions, empowering the Board for dispute resolution, making final decisions binding – will ease burdens on controllers and processors doing business across Member State states by offering more efficient enforcement solutions.