Businesses should expect greater consistency in the way fines for breaches of data protection law are calculated across the EU following the publication of new guidance, an expert has said.
Nienke Kingma of Pinsent Masons in Amsterdam, who specialises in data protection law, was commenting after the European Data Protection Board (EDPB) published a new methodology and accompanying guidelines on the calculation of administrative fines under the General Data Protection Regulation (GDPR) (48-page / 787KB PDF).
The guidelines sit alongside earlier EDPB guidance on the application and setting of administrative fines. They have immediate effect and are to be applied by national data protection authorities in EU member states.
Kingma said: “Until the publication of these guidelines, each data protection authority in the EU had its own rules for determining how GDPR fines should be calculated. Harmonisation of the methodology for the calculation of GDPR fines ensures a consistent application and enforcement of the GDPR throughout the EU. However, individual data protection authorities will continue to have discretion when determining the amount of the fine, in line with the methodology to be applied. This is no simple mathematical exercise and the fines levied will be circumstances-dependent – these guidelines are therefore merely the starting point and serve as a common orientation.”
“For businesses, however, the new guidelines will help them understand better how fines should be calculated in every EU country,” she said.
Under the GDPR, data protection authorities have a range of enforcement options. Where they elect to impose a fine in respect of infringements, they must ensure the penalty in those cases is “effective, proportionate and dissuasive”.
The methodology the EDPB has adopted for the calculation of GDPR fines envisages a five-step process.
First, data protection authorities should identify the processing operations relevant to the case and evaluate whether Article 83(3) of the GDPR applies – this sets parameters on the level of fines that can be imposed in cases where there are multiple infringements of GDPR provisions and these are made intentionally by businesses or as a result of their negligence.
In the second step, data protection authorities are to determine which fine classification is relevant in the case and how serious the infringement is, and specifically consider the company’s turnover as a relevant factor in whether the fine under consideration meets the requirements of being effective, proportionate and dissuasive.
Under the GDPR, there are three fine classifications. The classification a case falls under depends on the type of infringement at issue. The maximum penalty that can be imposed differs depending on which classification the case falls into and can be calculated with reference to the business’ annual global turnover. According to the EDPB’s guidelines, the starting point for determining the level of fine at step two in the process depends on whether the infringements are classed as low, medium or high in terms of their seriousness, with a different bandwidth set for each of the three categories – only if infringements are classed as high in terms of their seriousness can data protection authorities consider penalties of up to 100% of the maximum level in the relevant fine classification as a starting point in their calculations.
Under the EDPB’s methodology, the third step will involve evaluating whether there are any aggravating and mitigating circumstances related to the business’ past or present behaviour that should lead to the fine being increased or decreased.
Fourth, data protection authorities should identify the legal maximum they can impose for the different processing operations and ensure that any increases applied do not take the fine above that amount.
Finally, they should analyse whether the final amount of the calculated fine meets the requirements of effectiveness, dissuasiveness and proportionality, and, if not, increase or decrease the fine accordingly.
While the methodology provides a harmonised starting point for determining the level of fines to be issued, the EDPB made clear in its guidance that data protection authorities can set a fine of a “predetermined, fixed amount” applicable to certain infringements, provided that is compatible with the GDPR’s provisions.
Kingma said: “The EDPB guidelines take precedence over any national guidelines that data protection authorities may have previously adopted in relation to calculating GDPR fines. In the Netherlands, this means that there should now be a greater consideration of a company’s turnover as a factor in setting the level of penalty. It will also mean that seriousness of infringements will have to be categorised as either low, medium or high, in line with the EDPB’s guidelines, which in turn will determine the bandwidth for the starting amount of any fine.”
“The existing guidelines of the Dutch data protection authority will continue to apply to the calculation of GDPR fines to be imposed against government agencies in the Netherlands,” she said.