Context: On June 7, 2023, the European Data Protection Board (EDPB) made an announcement regarding the adoption of the Guidelines on Administrative Fine Calculation under the General Data Protection Regulation (GDPR). The EDPB’s objective with these guidelines is to establish a standardized approach for data protection authorities (DPAs) when determining fines, incorporating consistent starting points. The EDPB emphasized that three key factors are taken into account: (i) classifying the nature of the violations, (ii) assessing the severity of the breach, and (iii) considering the business’s revenue.
The European Data Protection Board (EDPB)’s recent adoption of the finalized guidelines on the calculation of fines under the General Data Protection Regulation (GDPR) marks a significant step towards ensuring a fair and consistent approach to penalizing GDPR violations. With large fines levied against notable companies like Meta (Facebook, WhatsApp, Instagram), Amazon, and Spotify, questions have arisen about whether these penalties are proportionate to the data breached and the revenue of the companies involved.
Why are we talking about this?
The Data Supervisory Authorities [DSAs] have faced criticism for fining far below the 4% annual revenue threshold for large violations – a €1.2bn fine for Meta sounds like a large sum, but when we consider that Meta (Platforms) reported revenue of €107.96bn in 2022, 4% would equal a much higher €4.31bn. Couple this with the fact that Meta are a repeat offender, and the question becomes: does Meta deserve the benefit of the doubt after multiple serious GDPR violations? I, personally, do not think they do. Perhaps this new guidance from the EDPB will help the DSAs to ensure that the amounts they fine accurately reflect the violation and the company’s resources. This, in turn, could affect smaller businesses if the authorities know when and where they should fine.
What does the Guidance say?
The EDPB’s guidelines introduced a comprehensive five-step methodology that empowers DSAs to determine suitable fine amounts for breaches and violations. Rather than restricting the discretion of DSAs, the guidelines provide much-needed clarity on the factors they should consider when reaching their decisions – in a harmonised manner, applicable in all EU Member States.
The five-step methodology includes:
- identifying the processing operations in the case and evaluating the application of Article 83(3) of the GDPR;
- finding the starting point for further calculation based on an evaluation of:
  - the classification;
  - the seriousness of the infringement; and
  - the turnover of the undertaking, as one relevant element to take into consideration with a view to imposing an effective, dissuasive, and proportionate fine;
- evaluating aggravating and mitigating circumstances related to past or present behavior of the controller/processor and increasing or decreasing the fine accordingly;
- identifying the relevant legal maximums for the different processing operations – notably, increases applied in previous or subsequent steps cannot exceed this amount; and
- analyzing whether the final amount of the calculated fine meets the requirements of effectiveness, dissuasiveness, and proportionality, and increasing or decreasing the fine accordingly.
The EDPB are providing a clear methodology for DSAs to follow, and have published it openly for everyone. This should result in a more detailed evaluation of future fines from DSAs, and I’m sure also from privacy pros.
What does this mean for smaller companies?
Previously, the lack of clear guidelines may have led to hesitancy among DSAs in imposing fines – and to different amounts for comparable infringement/revenue situations. However, with the EDPB’s standardized approach, DSAs will have clearer parameters to work with, making it more likely that fines will be imposed where warranted. For a small or medium-sized enterprise [SME], this shift can be seen as either a positive or a negative development:
- Positive – as it strengthens the enforcement of data protection regulations and creates a level playing field for all businesses, regardless of their size.
- Negative – as it guarantees that DSAs will not be hesitant to set fines for SMEs.
I personally believe that we could see more fines for smaller businesses as a result of these guidelines, though that will rely on many other factors. DSA resource allocation appears to be targeted more at the larger offenders – think the Metas, Amazons, and Googles of the world – than at smaller organizations, but this could change in the future.
Is standardization even possible? Will the guideline be ignored?
While the question of standardization remains a valid concern, it is essential to recognize that the EDPB’s guidelines aim to establish a consistent approach to fine calculation. The German Federal Commissioner for Data Protection and Freedom of Information [BfDI], the Hessen data protection authority [HBDI], and the Berlin data protection authority [Berlin Commissioner] specifically welcomed the new guidelines, saying that standardization is possible and that this framework will help DSAs around Europe to commit to imposing fines. In their view, by providing a harmonized methodology, the EDPB intends to – and can succeed in – minimizing discrepancies and ensuring fairness in the application of fines across the European Union.