The European data protection authorities forming the European Data Protection Board (EDPB) have published new guidelines on the calculation of administrative fines for violations of data protection law. The object of the new guidelines, which are still the subject of a public consultation process, is to harmonize practices for the imposition of administrative fines in the various EU member states. As a result, companies should be prepared to pay significantly higher fines for violations of data protection law.
Overview of the new Guidelines
Despite fears to the contrary, the administrative fines which have actually been imposed for violations of the GDPR have been lower than expected, aside from a few spectacular cases, such as the one involving the provider of the Grindr app. This is due in part to the fact that some data protection authorities in Europe, and in Germany as well, have so far been reluctant to impose heavy fines. But this will change with the adoption of the new Guidelines, particularly for large companies with substantial revenues. Notably, the EDPB assumes that all actions or omissions by natural persons who are authorized to act on behalf of companies can be attributed to the companies themselves. In accordance with § 30 of the German Administrative Offenses Act (only in German), on the other hand, fines can only be imposed on the company directly in cases where an executive of the company committed a criminal act or administrative offense. The question as to whether or not this statute applies to fines imposed for violations of the GDPR has yet to be determined by the ECJ and is currently the subject of a preliminary ruling procedure (only in German).
Are the Guidelines binding?
The Guidelines stress several times that the actual amount of the fine depends on the circumstances of the individual case. In other words, the EDPB’s five-step model is not a fee calculator which can be used to determine the amount of a potential fine with mathematical precision. However, the division of the process into steps prescribes a methodology which should result in a process which is highly rational and comprehensible. It also raises the question as to the degree to which the new guidelines are binding for data protection authorities. Generally speaking, EDPB guidelines are non-binding recommendations which are designed to ensure consistent application and interpretation of the GDPR. The EDPB itself has stressed this point in the past. But in practice, the courts and data protection authorities may have to meet a higher burden of explanation in the future in order to justify deviations from the EDPB’s guidelines. After all, in accordance with the principle that the administration is bound by its own acts, the guidelines will take on binding effect in the future if data protection authorities convert the Guidelines into routine administrative practice.
Consequences for companies
The new Guidelines have the potential to inject new life into the enforcement practices of the data protection authorities, which have become something of a paper tiger lately. Accordingly, data protection must be part of each company’s compliance strategy. But if a violation of data protection law cannot be avoided despite the fact that a data protection compliance management system is in place, so that the company is facing the possibility of a fine, there is no cause for panic even with the new Guidelines. After all, the new Guidelines still give companies a great deal of leeway to present mitigating circumstances and negotiate with the data protection authorities.