As mentioned in our previous GDPR update, the tenth update in this series will deal with penalties. Given the potential for large fines and liabilities under the GDPR as set out below, employers should ensure they are in compliance with the GDPR from 25 May. We have set out below the penalties that may be imposed on companies for non-compliance with the new rules.
One of the most dramatic changes that will occur under the GDPR is the manner in which sanctions will be imposed on employers going forward. This change is significant for two reasons.
Firstly, under current Irish laws, only the Courts can levy fines on offending parties. Traditionally, this has meant that, in every instance, the Data Protection Commissioner (the “DPC”) would have to issue legal proceedings against an offending employer. The GDPR however introduces the concept of ‘administrative fines’. This means that the DPC no longer has to initiate legal proceedings in the Courts but can instead directly impose fines on offending organisations. It appears therefore that it will become much easier and quicker for fines to be imposed and this may result in a stark increase in the number of fines that will be levied in the future.
The second significant change in respect of data protection sanctions is the maximum level of fines that can be imposed. Currently, in Ireland, the maximum monetary fine that the courts can impose under data protection legislation is €100,000. From 25 May 2018, an administrative fine of either 2% of an employer’s annual worldwide turnover, or €10 million (whichever is higher) can be levied for an infringement of the lower-tier provisions. Infringement of the higher-tier provisions of the GDPR can result in an administrative fine of either 4% of annual worldwide turnover, or €20 million (whichever is higher).
Whether the lower or higher tier fines will apply will ultimately depend on the type of breach that has occurred. Examples of infringements that will result in the lower tier of fines include:
- appropriate consent is not received from children;
- failure to appoint a Data Protection Officer;
- security measures in place are inadequate;
- failure to appoint a representative within the EU by non-EU controllers or processors;
- a controller uses a processor that does not meet the standards laid down in the GDPR;
- failure to adhere to record keeping obligations under the GDPR; and
- failure to notify personal data breaches under the new notification regime.
Examples of infringements that will result in the higher tier of fines include:
- failure to adhere to the core principles of data protection;
- infringement of the rules governing the processing of special categories of data (ie, sensitive data);
- breach of the rights of data subjects;
- sharing personal data with non-EEA countries that do not provide sufficient protection and safeguards; and
- failing to comply with an order of the DPC or other supervisory authority. (This category of infringement is noteworthy because a higher-tier fine can be imposed on an employer if it does not follow an order from the DPC relating to a lower-tier breach.)
There is no provision for strict liability under the GDPR but sanctions must be effective, proportionate and dissuasive. The fines outlined above are the maximum caps that may be imposed and in determining the level of a fine, the DPC will look at various factors. These factors include the nature, gravity and duration of the infringement. In addition, the DPC will consider if the breach was intentional or negligent, if any steps were taken to mitigate the damage and the level of technical and organisational measures in place to prevent the breach. The DPC will also assess how it became aware of the infringement (i.e. did the employer notify the infringement or was it discovered by the DPC through an investigation) and assess the level of cooperation provided by the employer to remedy the breach.
In addition to administrative fines, the DPC will also have the power to investigate breaches of the GDPR and to impose “corrective measures” on offending employers. Such corrective measures include the ability of the DPC to:
- order an employer to comply with a data subject's requests to exercise his or her rights;
- order an employer to bring processing operations into compliance with the GDPR (within a specified manner and time);
- order an employer to communicate a personal data breach to a data subject;
- impose a ban on processing;
- order the rectification, restriction or erasure of personal data;
- order a certification body to withdraw a certification issued to the employer; and
- order the suspension of data flows to a non-EEA country.
The DPC must consider all corrective measures when dealing with an infringement. This means that the DPC can levy an administrative fine together with a corrective measure, or impose an administrative fine or corrective measure on its own.
Another key change that will occur under the GDPR is an individual’s ability to seek redress, because the GDPR specifically provides for a right to compensation. This means that any person who has suffered damage as a result of an organisation infringing the GDPR has the right to receive compensation from that organisation for the damage suffered.
In this regard, the GDPR provides for a “joint and several” style liability. This means that where a controller and a processor are involved in the same processing, both parties will be fully liable in circumstances where they are both responsible for the damage caused. This provision endeavours to ensure that there is always an effective remedy for a data subject. As a result, data subjects may have a choice of different organisations to pursue, and will likely opt for the one with the greatest resources, which in many cases could be an employer.
The GDPR further clarifies that the damage suffered can be both “material” damage (ie, damage resulting in direct financial loss such as loss of earnings) and “non-material” damage (ie, non-quantifiable damages such as pain and suffering). This is significant because the Irish Courts have not previously recognised claims from individuals in data protection cases for non-material damages. From 25 May 2018 however, this will no longer be the case. This change will mean that employees and other data subjects will be able to sue for stress and emotional suffering as a result of breaches of data protection legislation.
We expect that these new changes will result in a significant increase in litigation from data subjects who feel that their data protection rights have been infringed. As a result, employers should work to ensure that they meet all their obligations and responsibilities under the GDPR.
The substantial strengthening of data protection rules, and in particular the potential liabilities under the GDPR, highlights the need to ensure that each organisation has in place appropriate procedures to ensure compliance with the new rules. If you are interested in further detail on the HR aspects of the GDPR, you can access a panel discussion on this from the Matheson Employment Law Podcast series.