One of the most frequent questions I get asked by clients is: how much could we be fined under the GDPR for [insert minor or major] compliance/non-compliance issue.
I still find it such a cool thing to think about precisely because it’s more an art than a science. Some regulators issue hundreds of three-, four- and five-figure fines for a wide range of issues, whereas others tend to be more selective — but when they enforce, they go really big. Clearly, those divergent approaches make it difficult for organisations to assess their potential exposure — particularly where regulators have different views on quantum for the same infractions (see, for example, the Irish DPC vs. Almost Everyone Else).
That may soon be a thing of the past (at least, that’s the theory). On Monday, the European Data Protection Board issued its long-awaited guidelines on calculating penalties under the GDPR. The guidelines are designed to foster harmonisation and transparency for regulators and regulated entities alike — things that GDPR enforcement sometimes (often?) fails to achieve.
If you’re still reading this: (1) thank you; but (2) I’d encourage you to also read the guidelines in full. They’re actually pretty good. In the meantime, the following points stood out to me on my early readings of the document.
- The EDPB reminds us that the calculation of a fine is not a mathematical exercise and the circumstances of each case will ultimately determine the final penalty (and that applies equally to your thinking about enforcement risk and potential quantum). But whilst circumstances will vary, regulators will need to follow the EDPB’s five-step methodology for calculating fines. In other words: harmonisation of methodology, rather than harmonisation of outcome.
- Regulators can determine that certain infringements are punishable with a fine of a predetermined, fixed amount. I’m not aware that this type of practice is currently happening, but it would make for an interesting approach to enforcement — and, actually, perhaps also not the worst thing for those businesses who are still being scared with the talk of fines of UP TO FOUR PER CENT OF GLOBAL TURNOVER!!! for a whole range of otherwise minor-ish infractions. Knowing in advance that x = y is helpful.
- As a starting point, regulators should consider the conduct and infringements upon which each fine is based — including where the conduct gives rise to one or more infringements, and whether those infringements can be attributed separately or together. The EDPB provides useful examples on these points, which are worth reading for additional colour on what will be expected of regulators when assessing penalties. I won’t tell you whether or not I agree with each of their assessments, but get in touch if you want to compare notes.
- Taking into account the nature, gravity and duration of the infringement (including the scope and purposes of processing, the number of affected individuals, the types of personal data involved and the level of damages suffered), the EDPB’s calculator groups fines into low, medium and high buckets.
  - Low: the starting point for fines will be between 0% and 10% of the applicable legal maximum.
  - Medium: the starting point for fines will be between 10% and 20% of the applicable legal maximum.
  - High: the starting point for fines will be between 20% and 100% of the applicable legal maximum.
- The EDPB reiterates that fines should be “effective, proportionate and dissuasive” in each case — which it accepts can lead to significant increases or decreases in the amount of the fine, depending on the circumstances of the case. In respect of reductions, this means that:
  - For undertakings with an annual turnover of less than €2 million, regulators can adjust calculations down to 0.2% of the starting amount.
  - For undertakings with an annual turnover of less than €10 million, regulators can adjust calculations down to 0.4% of the starting amount.
  - For undertakings with an annual turnover of less than €50 million, regulators can adjust calculations down to 2% of the starting amount.
  - For undertakings with an annual turnover of between €50 million and €100 million, regulators can adjust calculations down to 10% of the starting amount.
  - For undertakings with an annual turnover of between €100 million and €250 million, regulators can adjust calculations down to 20% of the starting amount.
  - For undertakings with an annual turnover of €250 million and above, regulators can adjust calculations down to 50% of the starting amount.
There are also various helpful nuggets throughout the guidelines on the scope of corporate liability and mitigating and aggravating factors, amongst other things. The guidelines are open for consultation until 27 June, after which they’ll be finalised and issued. It’s possible that they will change in small ways, but I'd say that what we have now is a good reflection of the EDPB's thinking.
It’s also important to remember that, ultimately, the guidelines are only a starting point. A helpful starting point, for sure, but not a crystal ball. Like snowflakes, no two compliance (or non-compliance) situations are the same, so hopefully the how-much-could-we-be-fined question isn’t going away any time soon.
The aim of these Guidelines is to create harmonized starting points as a common orientation, on the basis of which the calculation of administrative fines in individual cases can take place.