The General Data Protection Regulation (GDPR) is set to replace the Data Protection Directive 95/46/EC effective May 25, 2018. The GDPR is directly applicable in each member state and will lead to a greater degree of data protection harmonization across EU nations.
Although many companies have already adopted privacy processes and procedures consistent with the Directive, the GDPR contains a number of new protections for EU data subjects and threatens significant fines and penalties for non-compliant data controllers and processors once it comes into force in the spring of 2018.
The previous installments in this series have outlined nine significant changes to Europe’s data protection regime under the GDPR. Those changes, however, only impact privacy professionals to the extent they create a risk of enforcement. The introduction of heightened fines and a robust enforcement mechanism suggest that the Regulation’s provisions should be taken seriously. This final installment examines what happens when companies violate the GDPR.
This is the last installment in a series of articles addressing the top 10 operational impacts of the GDPR.
Consequences for GDPR Violation: Complex administrative procedures and hefty fines
More than any new substantive right or complex procedure, the new GDPR measure most likely to draw attention from the C-suite is the provision on penalties and fines. In a stark departure from previous privacy legislation in Europe or elsewhere, the GDPR authorizes regulators to levy remarkably steep fines in amounts exceeding 20 million euros or four percent of annual global turnover, whichever is higher.
This article first sets forth the judicial remedies available to data subjects and then discusses how supervisory authorities may pursue complaints administratively. It concludes with an examination of the Regulation’s administrative fines and penalties.
Circumstances giving rise to fines and factors to be considered
The GDPR empowers supervisory authorities to assess fines that are “effective, proportionate and dissuasive.” It sets forth both mitigating and aggravating factors to help DPAs assess the amount of a fine. For example, intentional violations are worse than negligent ones. Mitigating factors include adherence to a code of conduct or certification mechanisms, minimizing the use of sensitive categories of data, and employing appropriate technical and organizational safeguards. In the event of non-compliance, moreover, controllers or processors may limit the amount of a fine by mitigating “the damaging nature, gravity and duration of the violation,” reporting the violation as soon as possible and cooperating with the supervisory authority.
Aggravating factors generally include the opposite actions – not seeking to mitigate harm or acting contrary to the mitigating factors.
The GDPR creates two tiers of maximum fines depending on whether the controller or processor committed any previous violations and on the nature of the violation. The higher fine threshold is four percent of an undertaking’s worldwide annual turnover or 20 million euros, whichever is higher. The lower fine threshold is two percent of an undertaking’s worldwide annual turnover or 10 million euros, whichever is higher.
These amounts are the maximum, meaning supervisory authorities are empowered to assess lower but not higher fines. Specifically, Recital 148 authorizes a DPA to issue a reprimand in place of a fine in cases of a minor infringement where the fine would constitute a disproportionate burden on a natural person. Additionally, fines are not compounded for multiple violations arising from the same incident; the total fine cannot exceed the fine for the gravest violation.
When fines are imposed on a natural person, as opposed to a corporate controller or processor, their general income level and personal economic situation will inform the appropriate amount of fine.
Higher fine threshold
Fines in the higher threshold are assessed for more serious violations by controllers and processors, such as the violation of a data subject’s rights. Specifically, higher fines are assessed for violating:
- Basic principles for processing data, including consent (Articles 5-7, 9)
- Data subjects’ rights (Articles 12-22)
- Data transfer provisions (Articles 44-49)
- Obligations under Member State laws, including the right to freedom of expression and information, collection and use of national identification numbers, employment processing, secrecy obligations, and data protection rules for churches and religious associations (Chapter IX)
- Non-compliance with an order or a temporary or definitive limitation on processing or suspension of data flows by a supervisory authority (Articles 58(1), 58(2))
Lower fine threshold
Fines in the lower tier are assessed on controllers, processors, certification bodies or monitoring bodies. Violations of most other provisions are subject to the lower fine tiers or penalties. There are some notable obligations that are specifically subject to the lower fines.
- Obligations of controllers and processors include:
  - Obtaining a child’s consent according to the applicable conditions in relation to information society services (Article 8);
  - Notifying the supervisory authority of a personal data breach (Article 33);
  - Notifying the data subject of a personal data breach (Article 34); and
There are also obligations of certification bodies (Articles 42, 43), and obligations of monitoring bodies (for monitoring of approved codes of conduct) to take appropriate action to enforce code violations (Article 41(4)).
Applicability and consistency of fines in Member States
The national laws of two of the Member States, Denmark and Estonia, do not allow for the imposition of administrative fines as set out in the GDPR. Consequently, Recital 151 provides an exception for those two Member States, allowing competent national courts to impose the fines as criminal sanctions in Denmark and through a misdemeanor procedure framework in Estonia. In those Member States, the supervisory authority refers the case to the relevant courts to initiate the fines. The national courts should, however, “take into account the recommendation by the supervisory authority initiating the fine.”
In general, where the Regulation does not impose administrative fines for infringements, or for other special cases such as serious violations, Member States are required to implement a penalty system. Member States must notify the Commission of any legislation or legislative changes adopted to create penalties for violations outside administrative fines. Similar to administrative fines, penalties must be “effective, proportionate and dissuasive.” Unlike fines, penalties may be criminal under the national law of a Member State.
Lead and concerned supervisory authorities
The Regulation attempts to harmonize administrative proceedings across multiple Member States, each of which must appoint their own competent supervisory authorities (often referred to as “Data Protection Authorities” or “DPAs”) under Article 55. To avoid multiple parallel administrative proceedings, and to ensure decisions are enforceable, the GDPR sets out in Article 51a that each controller or processor will be subject primarily to the authority of a single “lead supervisory authority.” The lead supervisory authority is the DPA of the Member State where the controller or processor has its “main establishment.” If the controller or processor has offices in multiple jurisdictions, the main establishment is “the place of its central administration in the Union” (i.e., its headquarters, in most cases). For controllers or processors located in only one Member State, that State’s DPA will serve as the lead.
Data subjects may file complaints with the DPA of the Member State in which they reside, where they work, or where the alleged infringement occurred. A DPA also may pursue infringement actions on its own accord when there has been an infringement in its Member State or which affects the residents of that State. If the controller or processor subject to the complaint has its main establishment in a Member State other than where the complaint is filed or launched, the original DPA must notify the lead DPA. The lead DPA has three weeks to decide whether to keep the case or delegate it back to the first DPA. In making its decision, it should consider whether the controller or processor has an establishment in the Member State where the action was initiated.
If the lead DPA declines to take the case, the original supervisory authority is allowed to keep it, subject to the procedures in Articles 61 and 62. These provisions mandate cooperation among the DPAs in pursuit of the case and set out specific rules for joint investigations and enforcement actions. If the lead DPA decides to pursue the case, Article 60 ('one-stop-shop mechanism') procedures apply. The original supervisory authority is invited to submit a draft decision to the lead, who “shall take utmost account” of the draft.
Article 54a “one-stop shop” cooperation
Assuming an infringement proceeding involves a controller or processor with establishments in multiple Member States, the lead supervisory authority must cooperate with the other “concerned” supervisory authorities in preparing a decision, incorporating appropriate suggested changes or objections. Article 65 creates a mechanism by which the European Data Protection Board may resolve any disputes among the DPAs. Decisions of the Board and decisions jointly agreed upon by lead and concerned supervisory authorities become binding.
In any case, the lead DPA must notify the accused controller or processor of any final decision, whereas the DPA where the complaint was originally lodged must notify the complainant. The complainant retains its right to an effective judicial remedy against a legally binding decision of a supervisory authority or where the supervisory authority fails to deal with a complaint or inform a data subject about the outcome of a case within three months. Additionally, under Article 83 the “exercise by the supervisory authority of its powers under this Article shall be subject to appropriate procedural safeguards in conformity with Union law and Member State law, including effective judicial remedy and due process.”
Damages and compensation for data subjects
Similar to the Directive, the GDPR allows data subjects to seek monetary damages in court from controllers who violate their rights and from processors as well if the processors are liable for a data breach, violate the processor-specific provisions of the GDPR, or act outside a controller’s lawful instruction.
Under Article 79, data subjects may bring an action for damages or compensation before the courts of the Member State where they reside. They also may bring the action in any Member State where the controller or processor has an establishment. The GDPR encourages courts to stay proceedings in favor of the first-filed case when a controller or processor faces lawsuits in many jurisdictions for the same incident. Individual causes of action are independent from and without prejudice to an action by a supervisory authority to impose administrative fines.
Data subjects may ask non-profit public interest organizations to bring an action on their behalf, and such organizations may bring an action independently where permitted by Member State law. Because data subjects have a right to “an effective judicial remedy,” moreover, the GDPR empowers a data subject to bring an action against supervisory authorities in the courts of their Member State when they do not “deal with a complaint” or timely inform a data subject of the complaint’s progress or outcome.
Any non-compliant controller involved in data processing faces liability for damages under Article 82. Processors, however, face liability only when they have not complied with processor-specific regulations or with the controller’s lawful instructions. Both are immune from liability if they can prove they are “not in any way responsible for the event giving rise to the damage.” In other words, after a data subject demonstrates an infringement, the burden shifts to the controller or processor to prove they are not personally responsible.
When the controller and processor are joined in the same judicial proceedings, or when more than one controller is concerned, the data subject is entitled to receive full compensation from any one of the parties. Liability for damages subsequently may be apportioned among them according to their respective responsibility for the harm. When those controllers and processors are also involved in the same processing, each is liable for the entire harm.
Article 26 provides specific provisions for when “two or more controllers jointly determine the purposes and means of processing,” termed joint controllers. Joint controllers are required to create an agreement determining their respective duties to comply with the Regulation. The agreement must be available for data subjects, who may enforce their rights against each of the controllers irrespective of the terms of the agreement. In other words, joint controllers remain jointly and severally liable to data subjects harmed by GDPR non-compliance even if they allocate liability among themselves by agreement.
The Regulation empowers data subjects to seek judicial relief for damages and file administrative complaints with supervisory authorities. The Regulation’s guidance on imposing fines replaces the patchwork enforcement structure of the Directive, while establishing accountability and consistency mechanisms also lacking under the Directive. The hefty fines and penalties for infringement not only encourage accountability, they may be the single most eye-catching feature of the Regulation, causing multinationals and local companies to invest more in compliance. The GDPR’s consistency mechanisms – encouraging supervisory authorities to cooperate and agree on infringement decisions, empowering the Board for dispute resolution, making final decisions binding – will ease burdens on controllers and processors doing business across Member States by offering more efficient enforcement solutions.
Looking to dive deeper into the General Data Protection Regulation to read the text regarding certifications and codes of conduct for yourself? Find the full text of the Regulation here in our Resource Center.
You’ll want to focus on these portions:
(124) Where the processing of personal data takes place in the context of the activities of an establishment of a controller or a processor in the Union and the controller or processor is established in more than one Member State, or where processing taking place in the context of the activities of a single establishment of a controller or processor in the Union substantially affects or is likely to substantially affect data subjects in more than one Member State, the supervisory authority for the main establishment of the controller or processor or for the single establishment of the controller or processor should act as lead authority. It should cooperate with the other authorities concerned, because the controller or processor has an establishment on the territory of their Member State, because data subjects residing on their territory are substantially affected, or because a complaint has been lodged with them. Also where a data subject not residing in that Member State has lodged a complaint, the supervisory authority with which such complaint has been lodged should also be a supervisory authority concerned. Within its tasks to issue guidelines on any question covering the application of this Regulation, the Board should be able to issue guidelines in particular on the criteria to be taken into account in order to ascertain whether the processing in question substantially affects data subjects in more than one Member State and on what constitutes a relevant and reasoned objection.
(125) The lead authority should be competent to adopt binding decisions regarding measures applying the powers conferred on it in accordance with this Regulation. In its capacity as lead authority, the supervisory authority should closely involve and coordinate the supervisory authorities concerned in the decision-making process. Where the decision is to reject the complaint by the data subject in whole or in part, that decision should be adopted by the supervisory authority with which the complaint has been lodged.
(126) The decision should be agreed jointly by the lead supervisory authority and the supervisory authorities concerned and should be directed towards the main or single establishment of the controller or processor and be binding on the controller and processor. The controller or processor should take the necessary measures to ensure compliance with this Regulation and the implementation of the decision notified by the lead supervisory authority to the main establishment of the controller or processor as regards the processing activities in the Union.
(127) Each supervisory authority not acting as the lead supervisory authority should be competent to handle local cases where the controller or processor is established in more than one Member State, but the subject matter of the specific processing concerns only processing carried out in a single Member State and involves only data subjects in that single Member State, for example, where the subject matter concerns the processing of employees’ personal data in the specific employment context of a Member State. In such cases, the supervisory authority should inform the lead supervisory authority without delay about the matter. After being informed, the lead supervisory authority should decide, whether it will handle the case pursuant to the provision on cooperation between the lead supervisory authority and other supervisory authorities concerned (‘one-stop-shop mechanism’), or whether the supervisory authority which informed it should handle the case at local level. When deciding whether it will handle the case, the lead supervisory authority should take into account, whether there is an establishment of the controller or processor in the Member State of the supervisory authority which informed it in order to ensure effective enforcement of a decision vis-à-vis the controller or processor. Where the lead supervisory authority decides to handle the case, the supervisory authority which informed it should have the possibility to submit a draft for a decision, of which the lead supervisory authority should take utmost account when preparing its draft decision in that one-stop-shop mechanism.
(130) Where the supervisory authority with which the complaint has been lodged is not the lead supervisory authority, the lead supervisory authority should closely co-operate with the supervisory authority with which the complaint has been lodged according to the provisions on co-operation and consistency laid down in this Regulation. In such cases, the lead supervisory authority should, when taking measures intended to produce legal effects, including the imposition of administrative fines, take utmost account of the view of the supervisory authority with which the complaint has been lodged and which should remain competent to carry out any investigation on the territory of its own Member State in liaison with the competent supervisory authority.
(145) For proceedings against a controller or processor, the plaintiff should have the choice to bring the action before the courts of the Member States where the controller or processor has an establishment or where the data subject resides, unless the controller is a public authority of a Member State acting in the exercise of its public powers.
(146) The controller or processor should compensate any damage which a person may suffer as a result of processing that infringes this Regulation. The controller or processor should be exempt from liability if it proves that it is not in any way responsible for the damage. The concept of damage should be broadly interpreted in the light of the case-law of the Court of Justice in a manner which fully reflects the objectives of this Regulation. This is without prejudice to any claims for damage deriving from the violation of other rules in Union or Member State law. Processing that infringes this Regulation also includes processing that infringes delegated and implementing acts adopted in accordance with this Regulation and Member State law specifying rules of this Regulation. Data subjects should receive full and effective compensation for the damage they have suffered. Where controllers or processors are involved in the same processing each controller or processor should be held liable for the entire damage. However, where they are joined to the same judicial proceedings, in accordance with Member State law, compensation may be apportioned according to the responsibility of each controller or processor for the damage caused by the processing, provided that full and effective compensation of the data subject who suffered the damage is ensured. Any controller or processor which has paid full compensation, may subsequently institute recourse proceedings against other controllers or processors involved in the same processing.
(148) In order to strengthen the enforcement of the rules of this Regulation, penalties including administrative fines should be imposed for any infringement of this Regulation, in addition to, or instead of appropriate measures imposed by the supervisory authority pursuant to this Regulation. In a case of a minor infringement or if the fine likely to be imposed would constitute a disproportionate burden to a natural person, a reprimand may be issued instead of a fine. Due regard should however be given to the nature, gravity and duration of the infringement, the intentional character of the infringement, actions taken to mitigate the damage suffered, degree of responsibility or any relevant previous infringements, the manner in which the infringement became known to the supervisory authority, compliance with measures ordered against the controller or processor, adherence to a code of conduct and any other aggravating or mitigating factor. The imposition of penalties including administrative fines should be subject to appropriate procedural safeguards in accordance with the general principles of Union law and the Charter, including effective judicial protection and due process.
(150) In order to strengthen and harmonise administrative penalties for infringements of this Regulation, each supervisory authority should have the power to impose administrative fines. This Regulation should indicate infringements and the upper limit and criteria for fixing the related administrative fines, which should be determined by the competent supervisory authority in each individual case, taking into account all relevant circumstances of the specific situation, with due regard in particular to the nature, gravity and duration of the infringement and of its consequences and the measures taken to ensure compliance with the obligations under this Regulation and to prevent or mitigate the consequences of the infringement. Where administrative fines are imposed on an undertaking, an undertaking should be understood to be an undertaking in accordance with Articles 101 and 102 TFEU for those purposes. Where administrative fines are imposed on persons that are not an undertaking, the supervisory authority should take account of the general level of income in the Member State as well as the economic situation of the person in considering the appropriate amount of the fine. The consistency mechanism may also be used to promote a consistent application of administrative fines. It should be for the Member States to determine whether and to which extent public authorities should be subject to administrative fines. Imposing an administrative fine or giving a warning does not affect the application of other powers of the supervisory authorities or of other penalties under this Regulation.
(151) The legal systems of Denmark and Estonia do not allow for administrative fines as set out in this Regulation. The rules on administrative fines may be applied in such a manner that in Denmark the fine is imposed by competent national courts as a criminal penalty and in Estonia the fine is imposed by the supervisory authority in the framework of a misdemeanor procedure, provided that such an application of the rules in those Member States has an equivalent effect to administrative fines imposed by supervisory authorities. Therefore the competent national courts should take into account the recommendation by the supervisory authority initiating the fine. In any event, the fines imposed should be effective, proportionate and dissuasive.
(152) Where this Regulation does not harmonise administrative penalties or where necessary in other cases, for example in cases of serious infringements of this Regulation, Member States should implement a system which provides for effective, proportionate and dissuasive penalties. The nature of such penalties, criminal or administrative, should be determined by Member State law.
Article 4 – Definitions
- (21) Supervisory authority
Article 56 – Competence of the lead supervisory authority
Article 58 – Powers
Article 60 – Cooperation between the lead supervisory authority and other supervisory authorities concerned
Article 62 – Joint operations of supervisory authorities
Article 63 – Consistency mechanism
Article 64 – Opinion of the Board
Article 65 – Dispute resolution by the Board
Article 70 – Tasks of the Board
Article 77 – Right to lodge a complaint with a supervisory authority
Article 78 – Right to an effective judicial remedy against a supervisory authority
Article 79 – Right to an effective judicial remedy against a controller or processor
Article 82 – Right to compensation and liability
Article 83 – General conditions for imposing administrative fines
Article 84 – Penalties