High administrative fines for infringements of the GDPR
Current sanctions practice
The GDPR applies to all companies that are based in the EU or that process the data of EU citizens. In accordance with Article 83 GDPR, infringements of the GDPR may result in the imposition of administrative fines of up to €20m or of up to 4% of the total worldwide annual turnover of the preceding financial year – whichever of the two values is higher applies. The administrative fines that have been imposed in Germany have been relatively moderate. By contrast, France fined Google €50m, and the UK fined the Marriott hotel chain €110m and the airline British Airways €204m.
New concept and higher administrative fines
On 25.6.2019, the Conference of the German Independent Data Protection Supervisory Authorities of the Federal Government and the States (Datenschutzkonferenz, DSK) agreed a new concept for calculating administrative fines that has now been published and could lead to greater transparency but also to higher administrative fines. In proceedings against companies, the calculation of administrative fines under this concept would be performed according to the following steps.
- First of all, the company concerned would be assigned to a size category.
- Next, the average annual turnover of the respective sub-group for the size category would be determined.
- After that, an economic base value would be calculated. This base value would then be multiplied by a factor contingent on the seriousness of the infringement: for instance, a factor of between 1 and 4 for a slight infringement, rising to a factor of between 12 and 14 for a serious infringement.
- The value that is determined would then be adjusted for circumstances connected with the offender and other circumstances that had not yet been taken into consideration.
Several factors would have to be taken into account when making the adjustment. In cases of minor or unintentional negligence the amount would go down by 25%. For ordinary negligence the amount would remain the same, and where the conduct was wilful or deliberate the fine could go up by 25% or even 50%. If the authority had already previously found irregularities at the company, this would likewise be reflected in the calculation of the fine: one new infringement would entail a 50% premium, two would mean a 150% premium, and three or more infringements would entail a 300% premium. Furthermore, other factors could also have a negative impact, for example how the authority assesses the company's cooperation with it, or the measures the company has already taken to mitigate the damage.
Please note: The DSK views this procedure as being appropriate for guaranteeing a verifiable and transparent way of assessing case-specific administrative fines.
Recommendation: The current concept for administrative fines applies solely to German authorities and also only until the European Data Protection Board issues guidelines in this respect. Moreover, the concept is not binding with respect to the fixing of administrative fines by the courts. Nevertheless, in view of the potentially draconian level of administrative fines we strongly recommend closing any existing data protection gaps.