The General Data Protection Regulation (“GDPR”) introduces many new obligations for companies (be they controllers or processors) and the question on the minds of most companies is “…and what happens if we don’t comply or get it wrong? What is the risk?”
The level of fines possible under the GDPR (up to 4% of total worldwide annual turnover for undertakings or 20,000,000 EUR, whichever is higher) means that data protection can no longer be swept under the carpet.
Furthermore, the GDPR introduces a comprehensive set of rights for data subjects, including the right to an effective judicial remedy against a controller or a processor and the right to compensation. Therefore, in addition to being at the receiving end of an enforcement action, controllers and processors may be subject to court proceedings and have to pay compensation to data subjects for their infringements of the GDPR.
What does the law require today?
Currently, under the Directive (95/46/EC), supervisory authorities have certain investigatory powers, e.g. to access a controller’s data in order to carry out an investigation, to issue a warning to a controller, to order the blocking, erasure or destruction of data, or to impose bans on the processing of data. The decision as to what sanctions can be imposed was left to the Member States. For example, the Information Commissioner in the UK currently has the power to fine up to £500,000. However, the number of fines issued by data protection authorities across Europe each year is usually relatively low, and high fines are only likely to be issued for the more serious offences.
The Directive provides every person with the right to a judicial remedy for any breaches of applicable national data protection laws. The Directive also recognises that administrative remedies may be actioned before DPAs.
With regard to liability, the Directive provides that any person who has suffered damage as a result of unlawful processing, or of processing operations that are incompatible with national data protection laws, is entitled to receive compensation from the controller. The controller may be exempt from such liability if it proves that it is not responsible for the event giving rise to the damage.
What will the General Data Protection Regulation require?
As with the Directive, supervisory authorities have various types of enforcement powers under the GDPR. Whether such powers will be used by the lead supervisory authority, another supervisory authority, or authorities jointly, will depend on the infringement itself, the controller and the data subjects.
In particular, a supervisory authority will be able to require controllers or processors to provide it with certain information, carry out compulsory data protection audits of the controller or processor (including accessing the controller’s/processor’s premises), inform the controller/processor if there has been an allegation of an infringement under the GDPR and/or review a certification issued under the GDPR.
The GDPR also gives supervisory authorities a set of “corrective” powers. These are similar to the sanctions available under the Directive and include the issuing of warnings and reprimands, imposing bans on processing, suspending data transfers and ordering the correction of an infringement. The power to issue administrative fines is listed as a corrective power and is, not unexpectedly, the power that is receiving the most attention.
Unlike the Directive, the GDPR specifically sets out the different levels of administrative fines that may be issued by supervisory authorities (along with or as an alternative to the other “corrective” powers). The GDPR makes it clear that supervisory authorities need to think carefully about whether a fine would be the appropriate sanction, taking into account a number of factors such as the number of data subjects affected, whether the infringement was intentional, what action (if any) has been taken to mitigate the damage etc. A fine should not be issued unless it would be “effective, proportionate and dissuasive”.
Essentially, there are two levels of fines:
- fines of up to 10,000,000 EUR or (for undertakings) 2% of total worldwide annual turnover for the preceding financial year (whichever is higher); or
- fines of up to 20,000,000 EUR or (for undertakings) 4% of total worldwide annual turnover for the preceding financial year (whichever is higher).
Level one fines can be imposed for an infringement of any one of 19 different Articles. Level two fines are reserved for the more serious infringements, relating to 23 further Articles.
[Table listing the Articles that attract each level of fine: see the original document.]
Under the GDPR, as with the Directive, natural and/or legal persons may lodge administrative complaints before supervisory authorities and seek judicial remedies before courts. However, the set of rights under the GDPR is broader. In particular, the GDPR recognises the following rights:
[Chart of individuals’ rights, beginning with the right to lodge a complaint with a supervisory authority: see the original document.]
What are the practical implications?
For undertakings, the impact of a fine on the business could be significant. Even if a global organisation has only a small establishment in Europe, or is a US-based organisation offering goods or services to, or monitoring the behaviour of, individuals in the EU, the fine is calculated on total worldwide annual turnover. Data protection should now be taken as seriously as competition law infringements and should be a board-level matter.
In addition, there is an increased risk under the GDPR of being scrutinised by regulators and of being the subject of enforcement actions and court proceedings. This is because individuals have the right to be represented by a not-for-profit body, for instance a privacy rights association, which may encourage individuals to pursue their complaints and claims.
Controllers / processors will also have to be ready to attend court proceedings in the country where the individual has his or her habitual residence, even if this is not the country where the controller / processor has its establishment.
In considering how to approach GDPR readiness, businesses should prioritise their implementation actions by looking at the Article on administrative fines (Article 79 in the draft numbering used here; Article 83 in the final text of the Regulation) and at the infringements that will land them in the most serious trouble. In this context, businesses should also take into account the rules on liability when engaging others to process personal data on their behalf.
It is worth bearing in mind that some of the requirements are easy to implement, e.g. keeping a record of all processing activities and providing information to individuals about the processing of their data. Implementing these requirements is a “quick win” for businesses.
For obligations that require a longer-term strategy, businesses should start addressing them as soon as possible. While there is a two-year grace period under the GDPR before it applies, France is already proposing to introduce GDPR-style fines in advance of the GDPR, and other EU Member States may follow suit.