GDPR wields a big stick - UK and German approach to determining fines
Non-compliance with GDPR can be a costly mistake for businesses large and small. In January 2021, CNIL (the French data protection authority) issued a fine of 50 million Euros to a large multinational technology company, the highest fine to date, for insufficient legal basis for data processing.
Data protection authorities in Europe and the UK have the ability to issue fines of up to the greater of 4% of global annual turnover or €20 million (£17.5 million under the UK GDPR) for infringements of the GDPR and/or UK GDPR as applicable. However, the GDPR doesn't set out any hard and fast rules determining how monetary penalties will be calculated, leaving many organisations unclear on their potential exposure in the case of non-compliance.
After almost three years, GDPR enforcement trends are beginning to emerge. Examining these trends, together with enforcement guidance from data protection authorities (DPAs) across Europe and the UK, gives us a clearer picture of the data protection enforcement landscape.
In this edition of Data Bytes we consider the guidance issued by the UK and German DPAs regarding their respective approaches to determining fines.
Two tier approach to determining fines
Some breaches of the GDPR are more serious than others. For this reason the GDPR sets out two tiers of fine, with a maximum fine for each tier. Each supervisory authority has a discretion to calculate fines on a case-by-case basis.
Infringement of the following GDPR provisions is subject to Tier 1 fines of the highest level - up to €20 million (£17.5 million under the UK GDPR), or 4% of global turnover, whichever is higher:
- the basic principles for processing, including conditions for consent (Arts. 5, 6, 7 and 9);
- data subjects’ rights (Arts. 12 – 22);
- international transfers (Arts. 44 – 49);
- obligations under Member State laws; and
- non-compliance with an order imposed by a supervisory authority, or failure to comply with a supervisory authority’s investigation.
Other infringements are subject to fines of up to €10 million (£7.5 million under the UK GDPR) or 2% of global annual turnover, whichever is higher. This second tier of fines applies to breaches of the following obligations:
- to implement technical and organisational measures to ensure data protection by design and default (Art. 25);
- on joint controllers to agree to their respective compliance obligations (Art. 26);
- on controllers in relation to the engagement of processors (Art. 28);
- to maintain written records (Art. 30);
- to co-operate with supervisory authorities (Art. 31);
- to implement technical and organisational measures (Art. 32);
- to report breaches when required by the GDPR (Arts. 33 – 34);
- in relation to the conduct of a privacy impact assessment (Arts. 35 – 36); and
- in relation to the appointment of Data Protection Officers (Arts. 37 – 39).
In cases where the same or linked processing involves violation of several provisions of the GDPR, fines may not exceed the amount specified for the most serious infringement.
The GDPR (Art. 83) sets out a number of factors to be taken into account by the supervisory authority when determining whether to impose a fine and, if so, the amount of the fine. These include:
(a) the nature, gravity and duration of the infringement, having regard to the nature, scope or purpose of the processing concerned, as well as the number of data subjects and level of damage suffered by them;
(b) whether the infringement is intentional or negligent;
(c) actions taken by the controller to mitigate the damage suffered by data subjects;
(d) the degree of responsibility of the controller;
(e) any relevant previous infringements;
(f) the degree of co-operation with the supervisory authority;
(g) categories of personal data affected;
(h) whether the infringement was notified by the controller to the supervisory authority;
(i) any previous history of enforcement; and
(j) any other aggravating or mitigating factors applicable to the circumstances of the case (e.g. financial benefits gained, losses avoided, directly or indirectly, from the infringement).
Calculating Fines - UK approach
In the UK, the Information Commissioner’s Office or ICO (the UK supervisory authority) has recently published draft statutory guidance which includes an explanation on the ICO's approach to calculating fines. The ICO sets out the nine steps listed below, which it proposes would be applied to all fines (whether Tier 1 or Tier 2).
Step 1: Assess the seriousness of the alleged breach, actions taken to mitigate and the degree of co-operation, and the way the breach became known to the ICO. This is a determination of whether the fine will be in Tier 1 or Tier 2.
Step 2: Consider culpability, and in particular assessing points (b) and (d) of the GDPR criteria set out above. This will involve an assessment of the measures taken by the organisation to implement the data protection principles, minimise the risks to the rights and freedoms of data subjects and to keep personal data secure. The ICO will also take into account any intentional or negligent steps taken by the controller.
Step 3: Determine turnover of the organisation. The ICO has indicated that it will review relevant accounts, and obtain expert financial or accountancy advice if required, to determine the amount of an entity’s turnover.
Step 4: Calculate the appropriate starting point. Once turnover has been assessed, the ICO has suggested it will use the table below, setting out its ‘starting point’ for fines, stated as a percentage of annual worldwide turnover, against which various other factors would be applied.
Step 5: Consider aggravating and mitigating factors. This is a consideration of financial benefits gained, or losses avoided, directly or indirectly, from the breach. It will also consider the degree of co-operation with the investigation. These would move the starting figure for each band up or down to reflect the ICO’s assessment.
Step 6: Consider the financial means of the organisation. This is an assessment of the likelihood of the organisation being able to pay the proposed penalty, and whether it might cause undue financial hardship. Recently the ICO has cited the COVID-19 pandemic and its impact on the aviation industry as a reason for reducing the fine to British Airways from £183 million to £20 million.
Step 7: Assess the economic impact. This is an assessment of any economic impact on the wider sector, or related regulatory impact beyond the organisation itself.
Step 8: Assess the effectiveness and proportionality of the fine, and its ability to dissuade future non-compliance. The ICO has reiterated that the purpose of the fine should be to achieve these objectives, and fines will be adjusted accordingly taking into account these factors.
Step 9: Early payment discount. The ICO would reduce the fine by 20% if it received full payment within 28 calendar days. The discount would cease to be available if the organisation decided to appeal to the First-Tier Tribunal (Information Rights).
What is on the horizon?
Whilst still in draft form, the guidance provides welcome clarity and insight into how the ICO will determine the amount of any fine levied. In particular, the above table and guidance on how the ICO determines its starting point (step four) will help organisations, and those advising them, to understand their potential exposure in the event of non-compliance.
What is notable about the UK guidance, however, is the ICO's explicit statement that it will consider the financial means of the data controller to pay the fine levied, and the wider impact of the fine upon a sector. The ICO's statement that it will "consider the desirability of promoting economic growth" when exercising its functions will be reassuring for businesses at this challenging time (steps 6 and 7).
Calculating Fines - German approach
The German approach to fines under the GDPR is still crystallising. The Federal Commissioner for Data Protection has announced in his 2020 Annual Report that the currently published guidance on the calculation of fines is under review. This is due to a recent court decision which materially reduced the fine imposed by a data protection authority. The court based its decision on the argument, amongst others, that the fine had been calculated with an inappropriate and excessive focus on certain economic criteria relating to the company being fined rather than on the actual offence itself.
The calculation of fines in Germany is particularly complex because there are 17 independent data protection supervisory authorities in Germany ("Regulators"). In recognition of the need for a co-ordinated approach, the Regulators published a concept paper in 2019 which details the principles applied for calculating fines.
The concept paper was an attempt to achieve transparency and fairness by considering the circumstances of each individual case. However, this has resulted in a rather complex calculation procedure with considerable discretion given to the Regulators. The prevailing view is that the concept paper has failed to achieve the intended transparency, and does not provide organisations with clear guidance on how fines will be calculated.
The current fining concept is outlined below.
- Steps 1-3: Categorisation of company
Based on the annual turnover, the company to be fined is classified as a Micro (less than EUR 2 million), Small, Medium or Large Undertaking (more than EUR 50 million).
Depending on its specific annual turnover and category, the so-called 'economic value' of the company is calculated, which is the basis for the calculation of the fine.
- Step 4: Severity level of offence
In consideration of all circumstances of the case, the offence is classified as light, medium, severe or very severe. The severity level is determined in consideration of the criteria set out in Article 83(2) of the GDPR, including, in particular:
- the nature, gravity and duration of the infringement;
- the nature and purpose of processing concerned;
- the categories of personal data and the number of data subjects affected and the level of damage suffered by them;
- the intentional or negligent character of the infringement;
- damage mitigation actions of the company;
- adequacy of the technical and organisational measures implemented;
- previous infringements, and
- the degree of co-operation with the supervisory authority.
Each severity level is allocated a range of factors (e.g. light 1-4, very severe 12-14.4) by which the economic value calculated as set out above is multiplied.
- Step 5: Adjustments
Finally, the calculated amount may be adjusted as appropriate considering any additional circumstances of the case in favour of or against the company concerned. The adjusting factors don't appear to follow a strict formula, and are at the discretion of the Regulator. Adjusting factors could be:
- the length of the fine proceedings;
- any imminent insolvency;
- actions taken to mitigate the damage;
- degree of co-operation with the Regulator; and
- how the offence became known to the Regulator.
The final adjustment may lead to a significant alteration of the fine as calculated in accordance with the preceding steps.
What is on the horizon?
We expect the German Regulators to review and adjust their fining practice in coordination with other EU Regulators over the coming months. This should result in an overall reduction of the level of fines imposed.
As mentioned earlier, this is particularly due to increasing pressure applied by the civil courts on the Regulators to adjust their approach to calculating fines. The Bonn Regional Court (29 OWi 1/20 LG) was the first German court to decide on the appropriateness of a fine imposed under the concept in the above-mentioned matter against 1&1. The court significantly reduced the imposed fine of EUR 9.5 million to a mere EUR 900,000 arguing that the Regulator had failed to sufficiently consider factors reducing the severity of the offence.
The court took the opportunity to comment on the shortfalls of the Regulator's fine calculation concept. In particular the court found that:
- The concept results in inappropriately high fines for companies with higher annual turnovers in the case of minor offences and, in turn, inappropriately low fines for companies with low annual turnover in the case of severe offences.
- While the court acknowledged that annual turnover and other economic factors of the company in breach may be relevant criteria to be considered when determining fines, it held that the current Regulator's concept is focused too strongly on economic factors and needs to focus more on the offence related indicators set out in Article 83(2) of the GDPR (see above).
The Federal Regulator has committed to recalibrating its fining concept as a result of this decision. However, it has also stated that it intends to continue its approach of considering economic criteria, with a view to ensuring that fines are sufficiently high to have a preventive effect for large companies while not being disproportionately high for small and medium sized businesses.
Conclusion
Our side by side comparison has shown how regulators take differing approaches to strike a balance between effective enforcement and reasonable economic consequences. Regulators are clearly aiming to provide transparency around how fines are calculated, however this is sometimes difficult to achieve in practice.
Whilst the enforcement guidance issued by the UK and German regulators is a helpful step towards transparency, regulators still have significant discretion when determining the level of any fine. Even where regulators have taken conceptually similar approaches in their enforcement guidance (such as the UK and Germany), the fines levied in practice may differ vastly, leaving many organisations unclear on their potential exposure in the case of non-compliance.
Going forward, organisations will also need to be cognisant of the fact that the GDPR and UK GDPR are separate regimes. Therefore organisations which process data in both the UK and Europe may be subject to fines under the two parallel regimes. It remains to be seen whether UK and EU regulators will collaborate to avoid fines being levied across multiple jurisdictions for cross-border breaches.
With thanks to Leonie Schönhagen, François Maartens Heynike, David Schwarze, Josef Matoussi and Saif Khan for their contributions.