New Guidelines published: will companies face heavier fines for violations of the GDPR?

The European data protection authorities forming the European Data Protection Board (EDPB) have published new guidelines on the calculation of administrative fines for violations of data protection law. The object of the new guidelines, which are still the subject of a public consultation process, is to harmonize practices for the imposition of administrative fines in the various EU member states. As a result, companies should be prepared to pay significantly higher fines for violations of data protection law.

Overview of the new Guidelines

Despite fears to the contrary, the administrative fines which have actually been imposed for violations of the GDPR have been lower than expected, aside from a few spectacular cases, such as the one involving the provider of the Grindr app. This is due in part to the fact that some data protection authorities in Europe, and in Germany as well, have so far been reluctant to impose heavy fines. But this will change with the adoption of the new Guidelines, particularly for large companies with substantial revenues. Notably, the EDPB assumes that all actions or omissions by natural persons who are authorized to act on behalf of companies can be attributed to the companies themselves. In accordance with § 30 of the German Administrative Offenses Act (only in German), on the other hand, fines can only be imposed on the company directly in cases where an executive of the company committed a criminal act or administrative offense. The question as to whether or not this statute applies to fines imposed for violations of the GDPR has yet to be determined by the ECJ and is currently the subject of a preliminary ruling procedure (only in German).

Are the Guidelines binding?

The Guidelines stress several times that the actual amount of the fine depends on the circumstances of the individual case. In other words, the EDPB's five-step model is not a fee calculator which can be used to determine the amount of a potential fine with mathematical precision. However, the division of the process into steps prescribes a methodology which should result in a process which is highly rational and comprehensible. It also raises the question as to the degree to which the new guidelines are binding for data protection authorities. Generally speaking, EDPB guidelines are non-binding recommendations which are designed to ensure consistent application and interpretation of the GDPR. The EDPB itself has stressed this point in the past. But in practice, the courts and data protection authorities may have to meet a higher burden of explanation in the future in order to justify deviations from the EDPB's guidelines. After all, in accordance with the principle that the administration is bound by its own acts, the guidelines will take on binding effect in the future if data protection authorities convert the Guidelines into routine administrative practice.

Consequences for companies

The new Guidelines have the potential to inject new life into the enforcement practices of the data protection authorities, which have become something of a paper tiger lately. Accordingly, data protection must be part of each company's compliance strategy. But if a violation of data protection law cannot be avoided despite the fact that a data protection compliance management system is in place, so that the company is facing the possibility of a fine, there is no cause for panic even with the new Guidelines. After all, the new Guidelines still give companies a great deal of leeway to present mitigating circumstances and negotiate with the data protection authorities.
