The General Data Protection Regulation (the ‘GDPR’) became applicable on 25 May 2018 and has direct effect in each Member State of the European Union (the ‘EU’), with the goal of harmonising data protection law across the EU. On 24 May 2018, the Data Protection Act 2018 (the ‘2018 Act’) was enacted and the Commencement and Establishment Day orders were signed by the Minister for Justice and Equality, Charlie Flanagan TD. Since the final text of the GDPR was agreed in April 2016, the administrative fines which supervisory authorities can now impose on data controllers and processors for infringements of their data protection obligations have been one of the most commented-on changes brought about by the new European legislation.
Under the Data Protection Acts 1988 and 2003 (the ‘DPAs’), the Data Protection Commissioner had broad investigation and enforcement powers but could not impose fines for breaches; that power was reserved for the courts. The GDPR introduced in Ireland a two-tiered system of administrative fines for non-compliance, with a maximum of €20 million or 4% of the total worldwide annual turnover of the controller or processor in the preceding financial year (whichever is higher).
The lower tier of fines (up to the higher of €10 million or 2% of the total worldwide annual turnover of the controller or processor in the preceding financial year) can be imposed for infringements of obligations such as the conditions for obtaining a child’s consent, the notification of a personal data breach to the supervisory authority or its communication to the data subject, and the designation, position and tasks of the data protection officer.
The higher tier of fines (up to the higher of €20 million or 4% of the total worldwide annual turnover of the controller or processor in the preceding financial year) can be imposed for infringements of the core data protection principles such as transparency and accountability, the conditions for consent, the processing of special categories of personal data, data subjects’ rights, and the rules on transfers of personal data outside the EU, as well as for non-compliance with an order of the supervisory authority.
The Irish Data Protection Commission (the ‘DPC’) can impose administrative fines in addition to, or instead of, other corrective measures such as warnings, reprimands, orders to comply with data subject requests or to bring processing into compliance, and temporary or definitive limitations or bans on processing.
The GDPR expressly provides that administrative fines must be effective, proportionate and dissuasive, and it lists a number of factors which a supervisory authority must take into account when deciding whether to impose a fine and the amount of the fine in each individual case. These are:
- the nature, gravity and duration of the infringement, taking into account the nature, scope and purpose of the processing and the number of data subjects affected and the level of damage suffered by them;
- the intentional or negligent character of the infringement;
- any action taken by the controller or processor to mitigate the damage suffered by data subjects;
- the degree of responsibility of the controller or processor, taking into account the technical and organisational measures it has implemented;
- any relevant previous infringements by the controller or processor;
- the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate its possible adverse effects;
- the categories of personal data affected by the infringement;
- the manner in which the infringement became known to the supervisory authority, in particular whether, and to what extent, the controller or processor notified it;
- whether corrective measures have previously been ordered against the controller or processor concerned with regard to the same subject matter, and compliance with those measures;
- adherence to approved codes of conduct or approved certification mechanisms; and
- any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.
Given the central role which administrative fines are expected to play in the new data protection enforcement regime introduced by the GDPR, and the novelty which they represent in some European countries, the Article 29 Working Party (‘WP29’), an advisory body comprising representatives of the data protection authority of each EU Member State (since replaced by the European Data Protection Board), adopted Guidelines on the application and setting of administrative fines (the ‘Guidelines’) which are intended to ensure a consistent approach across the EU.
The Guidelines specify that once an infringement of the GDPR has been established, the competent supervisory authority must identify the most appropriate corrective measure in order to address the infringement. The WP29 identified four principles which supervisory authorities will observe when using their enforcement powers, namely:
- equivalent sanctions for equivalent infringements across Member States;
- effectiveness, proportionality and dissuasion;
- assessment in each individual case; and
- exchange of information between supervisory authorities.
The DPC, on reaching a formal decision as to whether an infringement has occurred and, if so, whether to exercise a corrective power, is required to give the controller or processor a notice in writing setting out its decision and the reasons for it. A decision to impose an administrative fine may be appealed within 28 days to the Circuit Court (if the fine does not exceed €75,000) or the High Court (if the fine exceeds €75,000). The Court may confirm, replace or annul the decision of the DPC. Where the controller or processor does not appeal within 28 days, the fine is not simply payable: the DPC must apply to the Circuit Court for confirmation of its decision, and the Court will confirm it unless it sees good reason not to do so.
The full impact of the punitive elements of the 2018 Act remains to be seen. Some commentators have already expressed the opinion that the wide discretion which the GDPR grants to supervisory authorities over the choice of corrective measures and the amount of administrative fines may result in unwanted divergence across the EU. Businesses are advised to waste no time in taking active steps towards compliance in order to avoid incurring fines in the first place.