Data protection deficits are becoming extremely expensive, especially for subsidiaries of global corporations in Germany. However, any company in Germany should also take the latest publication of the Data Protection Conference of the Federal Government and the Federal States (Datenschutzkonferenz - "DSK") on the future assessment of fines as an opportunity to examine its handling of personal data thoroughly and to ensure data protection compliance.
A penalty of up to 4% of the worldwide annual turnover is a severe threat to companies for breaches of certain data protection regulations. However, there is a wide area for regulatory discretion. Almost 1.5 years after coming into force of the GDPR, which created the basis for these sensitive fines, the DSK now presents a concept on how the German data protection authorities should determine fines in the future (available only in German here).
DSK does not make it easy for itself to exercise its discretion. In future, fines will be calculated in five steps:
- In the first stage, the company in question is categorized according to its annual turnover. There are four categories (micro, small, medium and large enterprises) and further subcategories exist. While a turnover of €700,000 in category A.I represents the smallest annual turnover limit, companies with an annual turnover of more than €500 million belong in the highest turnover category.
- The mean value of the respective turnover category calculated on the second level is then broken down to daily rates in order to determine a basic value, which is then multiplied at level 4 by a factor (1 to 12) dependent on the severity of the case. If groups of companies are involved that exceed the 500 million EUR turnover limit, the actual annual group turnover is used for the daily rate calculation.
- Finally, the fine thus determined is adjusted at level 5 on the basis of "perpetrator-related and other circumstances" which are not further defined.
Although the DSK may have followed the guidelines on fines of the German Federal Cartel Office (Bundeskartellamt – “BKartA”) and the European Commission in antitrust proceedings, there is a severe difference: The DSK refrained from defining a factor that reflects the extent of an infringement. While the BKartA and the European Commission's guidelines on fines provide for a calculation, which is strictly based on a fact-based annual turnover (i.e. the turnover specifically favored by a cartel infringement), DSK's concept bases all further calculation on the total annual turnover of the company in question. Only the severity of the data breach and further non-defined circumstances are taken into account as factors serving as a corrective.
The following example illustrates the striking differences between the calculation of fines regarding an antitrust infringement and the calculation of fines if data protection law is violated:
Antitrust Law: A subsidiary S, which is active in the production of printing machines (annual turnover: €100 million) is part of a large conglomerate M (annual turnover: €200 billion), which, beside S's activities, is not active in the market for printing machines. T enters into anti-competitive agreements with competitors. The basis for assessment would be €100 million.
Data protection: S inadvertently discloses the personal data of its 150 employees to an online shop for advertising materials without the prior consent of the employees. This data provides information about their union membership, among other things. The data is sent directly to the internet and leads to spam mails. The assessment basis here is now €200 billion.
Which action is more reprehensible under regulatory law? Damage to the entire competitive structure with considerable disadvantages for competitors - or admittedly annoying but relatively easy to turn off spam mails for 150 employees? The striking difference compared to possible fines triggered by restrictions of competition, which can ruin entire companies, is difficult to comprehend – and to accept.
Therefore, DSK’s new concept is unlikely to last. However, it shows that the German data protection authorities are taking data protection more and more seriously and will sanction data protection violations much more severely than before.