Understanding the scope of your GDPR undertaking
Europe are now collectively beginning to catch their breath. In contrast, in the last month or two we have seen a dramatic uptick in transnational businesses, especially those that are not headquartered in the EU, seeking guidance on their own potential exposure to the regulation. Most often this is a question of the new territorial reach of the GDPR. However, one of the other frequent queries relates to the prospective scope of the administrative fines that can be imposed under the GDPR.
Most are well aware of the headline grabbing penalties; the fact that national EU data supervisory authorities now have the legislative power to impose super fines based on percentages of total worldwide annual turnover for the preceding financial year (see our GDPR Fines - Quick Guide for summary details). Naturally, to assess their risk, it follows that multinational businesses want clarity around how these super fines would be calculated. This involves understanding how far the corporate net will be cast in determining "total worldwide annual turnover" for these purposes. There can be staggering step change in risk between fines based on an EU data controller's own total worldwide annual turnover and its ultimate non-EU parent company's total worldwide annual turnover.
GDPR Fines - Quick Guide:
Breaches which attract the highest fines (of up to four per cent of worldwide annual turnover or, if higher, €20M) relate to infringements of:
Other serious breaches (for which penalties of up to two per cent of worldwide annual turnover or, if higher, €10M apply) include a failure to:
Article 83 of the GDPR states that, if the infringing entity is an "undertaking", then the administrative fines can be assessed on the basis of its total worldwide annual turnover. Undertaking has the meaning given in Articles 101 and 102 of the Treaty on the Functioning of the European Union. In other words, the worldwide annual turnover test is to be applied in a similar way to how fines under European Competition (anti-trust) law are currently assessed. For those unfamiliar with European Competition law principles, the meaning of undertaking has been scrutinised frequently by the courts. The central element is that, if one entity exercises control over another, they both form a single economic entity and are therefore assessed as part of the same undertaking. Control itself is defined widely for these purposes; it can arise by way of voting rights, contractual rights or other means which grant the opportunity to exercise "decisive influence" (such as the ability to determine another entity's commercial strategy).
While the case law stops short of prescribing a specific shareholding threshold at which control is triggered, there is a presumption that a parent will exercise control over those group companies in which it has a majority shareholding (the burden of proof is on the parent to demonstrate otherwise). If the parent is a minority shareholder, there is no automatic presumption of control. Instead, the authorities have looked to a range of influencing factors to assess whether the parent, as a matter of fact, does exercise control. These factors have included looking at who sits on the relevant group company's board or evaluating the parent company's rights to influence the commercial direction of the group company (for example, holding veto rights over strategic investments, or requiring sign-off for key decisions such as financial budgets or management appointments, can indicate such influence).
In view of the above, and in the absence of clear evidence against de facto control, it would be judicious to assume that aggregate group-wide revenues could be at risk of assessment by data supervisory authorities when calculating GDPR related fines against a subsidiary company. Indeed, other corporate investors (funds, private equity, tech incubators and strategic M&A investors) would benefit from understanding the potential risk posed by portfolio companies or target acquisitions. We have previously discussed how data is impacting the M&A process: diligence into a target's data protection and privacy compliance is essential, but assessing how an investment target will fit within the existing group structure ought to be considered too.
That said, it is important not to get carried away over the threat of administrative fines. The GDPR requires data supervisory authorities to ensure fines are proportionate. And Europe-wide regulatory guidance already clarifies that, while fines are an important tool, they should form part of a "considered and balanced approach" in response to a breach, together with all other corrective measures available. Indeed, the UK data supervisory body, the ICO, has said openly that, although it will not shy away from issuing fines where appropriate (see also our Byte-sized news below), the GDPR's maximum fines will not become "the norm", instead reminding companies that the regulation gives them a suite of other sanctions (warnings, audits, reprimands, investigations and corrective orders), many of which can be powerful deterrents because of their reputational impact rather than their purely financial effect.
Accordingly, while it is wholly understandable that global businesses will want to assess the scale of their GDPR undertakings (and hence the attendant super fine risk), it is just as important, if not more so, to ensure that those group companies or strategic investments which process personal data in the course of their business approach their GDPR compliance obligations seriously, and that this attitude is reflected across their group as a whole.
Byte-sized news
California issues new privacy laws, which will look very familiar to those who know the GDPR. California has passed the California Consumer Privacy Act of 2018, which is set to be the toughest data protection law in the US. The law gives data subjects similar rights to those under the GDPR, including the right to access, the ability to delete and the ability to opt out of data sharing. It will no doubt be met with resistance; however, those organisations that have implemented the GDPR will be well positioned to understand the impact of new data subject rights on their processes. The law will take effect in 2020.
ICO issues fines for failure to register. After ignoring several letters and a formal information notice, the ICO fined a company in Telford, Shropshire a total of £4,500 for a failure to register with the ICO and a failure to appropriately notify individuals of processing activities (through use of CCTV). Whilst the fines were issued under the 1998 act, the ICO commented: "Not registering with the ICO and, in addition to this, not complying with an information notice are criminal acts - let it act as a stark warning to other companies who flout the law that we will take robust action."
The weakest link. Supply chain governance and outsourcing management will need to ensure that data protection and information security are at the top of the checklist. As we see an increase in cyber attacks (with Ticketmaster, Monzo and Fortnum and Mason in the press this week), it is evident that such attacks will continue, and therefore appropriate contract governance is key to addressing these risks.
With special thanks to Will Barrow and Helena Brackenridge for their contribution.