A leaked draft proposal posted by StateWatch and created by the European Commission reports that most Member States appear to be in favour of introducing a three-tiered fine system for non-compliance with EU data protection rules. Under the proposal, which was revised as a result of the 21 April 2015 meeting, all Member States are required to implement a system which provides effective, proportionate and dissuasive penalties, and creates three levels of fines at 0.5%, 1% and 2% of an organisation’s total worldwide annual turnover.
The fine criteria are set out under Article 79a of the draft General Data Protection Regulation (the ‘GDPR’), and the amount of the fine will depend upon the nature, gravity and duration of the infringement. As examples, a fine of up to 0.5% could be levied against organisations that fail to respond to data subject access requests within the prescribed period, or that charge a fee for dealing with such requests. Failure to provide the correct information in response to data subject access requests, failure to be transparent about the purposes for processing individuals’ data, or breaches of the right to be forgotten principle may now lead to a fine of up to 1%.
The final level of up to 2%, which could be increased to 5% if the European Commission gets its way, would apply for breaches such as failure to notify data breaches, for transfers of data outside the EU without adequate safeguards, or if organisations negligently or intentionally process personal data without a legal basis for doing so.
An eye-catching proposal is the potentially huge fine applicable to search engine providers for breaches of the right to be forgotten rules, which provide individuals with the right to request search engine providers to remove information that is ‘inadequate, irrelevant or no longer relevant’. This proposal appears to be a direct jab at Google and a reflection of the growing frustration of the EU data protection authorities in relation to the scope of the right, and whether it applies only to EU domains or to .com as well.
It will be interesting to see what other nuggets of information or other proposals emerge from the trilogue negotiations so that we all have a bit more insight into the final shape a new Data Protection Regulation may take.