The approach to penalties under the General Data Protection Regulation (GDPR) seems to follow a tried and tested formula: higher penalties for non-compliance often produce higher levels of (at least intended) compliance. In many ways it could be said that the GDPR has attracted the interest of the media and some businesses because of the increased penalty provisions. What's more, Supervisory Authorities (SAs) will have the support of the law behind them to bolster their threat of action. It's almost impossible to imagine a board meeting in the coming months where the GDPR is not discussed at some level, as the economic repercussions of non-compliance could be massive: up to 4% of total global annual turnover or €20 million, to be precise. However, what is yet to be seen is how this newly carved stick is wielded by SAs. Further, how will they act together to enforce the GDPR and penalties for non-compliance against the backdrop of the one stop shop?
Under the GDPR, SAs are endowed with a number of powers, including powers to issue warnings of non-compliance, carry out audits, require specific remediation within a specified time frame, order erasure of data and suspend data transfers to a third country.
Importantly, some of these powers can be applied in respect of both controllers and processors and so processors can no longer hide under the cloak of the controller in the eyes of the SAs, as they have arguably done to date. In addition, some of the corrective powers of the SAs have potentially significant impact on day-to-day operations, for example, powers to suspend data transfers to third countries.
Supervisory Authority investigative powers include:
- order the controller and the processor (or applicable representative) to provide any information it requires for the performance of its tasks;
- carry out data protection audits;
- review certifications;
- notify controller/processor of any alleged infringement of the GDPR;
- obtain from controller/processor access to all personal data and all information necessary to perform its tasks; and
- obtain access to any premises of controller and processor including data processing equipment.
Supervisory Authority corrective powers include:
- issue warnings to controller or processor that intended processing is likely to result in infringement of the GDPR;
- issue reprimands to a controller or processor where processing operations have infringed provisions of the GDPR;
- order the controller or processor to bring processing operations into compliance with the GDPR (with specific direction and time period if appropriate);
- order the controller to communicate a personal data breach to the data subject;
- impose a temporary or definitive limitation including a ban on processing;
- order the rectification, restriction or erasure of data or order a certification body not to issue a certificate;
- impose administrative fines; and
- order the suspension of data flows to a recipient in a third country or to an international organisation.
Crucially, SAs are also empowered to issue substantial administrative fines, which should be "effective, proportionate and dissuasive". Although dependent on the circumstances of each case, fines will typically be imposed in addition to, or instead of, the SAs' other corrective powers.
When deciding whether or not to administer a fine, the following circumstances will be considered:
- nature, gravity, and duration of the infringement (also with regard to the purpose of the processing and the number of data subjects affected and level of damage suffered by them);
- intentional or negligent character of the infringement;
- action taken by controller or processor to mitigate the damage suffered by data subjects;
- degree of responsibility of controller or processor with regard to technical and organisational measures implemented by them;
- any relevant previous infringements by the controller or processor;
- degree of cooperation with the SA in order to remedy the infringement and mitigate any adverse effects;
- categories of data affected by the infringement;
- manner in which the infringement becomes known to the SA (in particular whether and to what extent a controller/processor notifies directly to relevant SA);
- whether any corrective powers have previously been imposed on the controller or processor with regard to the same subject matter;
- adherence to approved codes of conduct or approved certification mechanisms; and
- any other aggravating or mitigating factor such as financial benefits gained, losses avoided, directly or indirectly from the infringement.
Requirements, the infringement of which can attract a fine of up to 2% of total global annual turnover or €10m (whichever is the higher), include:
- parental consent verification in the case of processing personal data of a child (below applicable age as decided by each Member State which shall not be below 13 years);
- where processing does not require the identification of data subjects, informing a data subject that the controller is not in a position to identify them;
- implementing appropriate technical and organisational measures to ensure data protection by design and by default (e.g. implementing pseudonymisation and collecting only the data necessary for each specified purpose);
- where controllers jointly determine the purposes and means of the processing each must determine their respective responsibilities for compliance with their obligations under the GDPR;
- where a controller or processor is not established in the EU but offers goods and services to data subjects in the EU or monitors behaviour of data subjects in the EU, the controller shall designate in writing a representative in the Union;
- if a processor is engaged, the controller shall only use processors providing sufficient guarantees to implement appropriate technical and organisational measures. Such processor cannot enlist another processor without prior specific or general written consent;
- the processor must process personal data only on the instructions of the data controller;
- each controller or controller's representative shall maintain a record of processing activities under its responsibility;
- controller, processor and each of their respective representatives if applicable shall cooperate on request with the SA in the performance of its tasks;
- each controller and processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk;
- controller shall notify the personal data breach to the competent SA without undue delay and where feasible not later than 72 hours after having become aware of it;
- where a data breach is likely to result in a high risk to the rights and freedoms of individuals the controller shall communicate the personal data breach to the data subject without undue delay;
- carrying out a data protection impact assessment prior to processing which is likely to result in a high risk to the rights and freedoms of individuals;
- controller shall consult the SA prior to processing of personal data where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller;
- the controller and processor shall designate a data protection officer where required;
- controller and processor shall ensure that the data protection officer is properly and without delay involved with all issues which relate to the protection of personal data;
- ensure the data protection officer carries out his or her tasks;
- compliance with an approved code of conduct; and
- compliance with certification requirements.
Requirements, the infringement of which can attract a fine of up to 4% of total global annual turnover or €20m (whichever is the higher), include:
- personal data must be processed lawfully, fairly and in a transparent manner; not further processed in a manner incompatible with the initial purposes; accurate; and kept in a form which permits identification of data subjects for no longer than is necessary;
- processing of personal data should be lawful;
- controller shall be able to demonstrate that consent was given by the data subject to the processing of their personal data where it is used as the basis for processing;
- processing of special categories of personal data is subject to a general rule of prohibition unless certain circumstances apply;
- controller shall provide transparent information, communication and modalities for data subjects to exercise their rights;
- controller to provide information to data subject at the time information is collected from the data subject and/or from any other source;
- data subject shall have the right to obtain from the controller confirmation as to whether their personal data is being processed, where it is being processed and access to it;
- data subject shall have the right to obtain from controller the rectification of personal data where it is inaccurate;
- the data subject shall have the right to erasure of personal data (the so-called 'right to be forgotten');
- the data subject shall have the right to obtain from the controller the restriction of processing of personal data under certain circumstances;
- controller shall communicate any rectification, erasure or restriction of processing to each recipient of such data;
- data subject shall have the right to receive personal data concerning him or her which has been provided to a controller in a structured, commonly used and machine-readable format (i.e. data portability);
- right to object to processing based on certain provisions (i.e. processing carried out in the public interest, legitimate interests of the controller or third party (which are not overridden by rights of data subject), direct marketing);
- data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which has legal effects or similar significant effects on the data subject;
- legitimate transfers of personal data outside of the EU made pursuant to exemptions or derogations;
- compliance with an order, a temporary or definitive limitation on processing, or a suspension of data flows imposed by the SA pursuant to its investigative or corrective powers (see above).
So how will these sanctions be imposed by the SAs? The final versions of the one stop shop, lead authority, cooperation and mutual assistance procedures and concepts are very different from those originally proposed by the Commission which were intended to produce a completely harmonised regime. The result is that the approach is still somewhat fragmented. While it is much too early to tell how different SAs will implement their enforcement powers and when they will issue fines, it seems virtually inevitable that there will be a range of approaches across Member States.
In the first place, Member States will have individual discretion to decide the rules on criminal sanctions for infringements of the GDPR. In addition, the GDPR acknowledges that where a complaint is raised with an SA which is not the lead authority, the lead SA should take into account the views of that SA when taking measures intended to produce legal effects, including imposing fines. The GDPR also states that if the complaint relates to processing which is not likely to affect data subjects in other Member States, the SA should seek an amicable settlement with the controller and, if this is not successful, go on to use its full range of powers.
The indications are that what we will see will be far from the uniform approach many businesses had hoped would be realised by the GDPR. Having said that, cooperation between the SAs will be the only way to ensure effective enforcement of the GDPR and there are processes in place to facilitate this in the legislation. Given that the burden of imposing the sanctions and fines rests heavily with the SAs, it will be in everyone's best interests to administer the GDPR holistically.
Many current data protection authorities (including the UK's ICO, known for a pragmatic approach) have long argued for the need for an enforcement regime with teeth. While some SAs may turn out to be more proactive than others, it is likely that the strengthened sanctions available will lead to a stepping up of current enforcement practices which makes it all the more important for organisations to get ready for compliance with the GDPR.