Data protection violations may result in German authorities imposing significantly increased fines.

The Conference of the German Data Protection Authorities (DSK), the joint body of the German data protection authorities, has agreed on a radical new model for calculating EU General Data Protection Regulation (GDPR) fines. If adopted, the new fine model will likely lead to fines that frequently approach the maximum limits under Article 83 of the GDPR. Some German authorities have already started applying this new model in practice. For example, the Berlin data protection commissioner recently announced her intention to impose multimillion-euro GDPR fines. Latham & Watkins’ German data protection team has handled some of the first cases defending clients against fines calculated under this new model. This Client Alert describes the fine calculation model and summarizes Latham’s initial experience with it.

German data protection authorities collaborate on model concept for calculating fines

After intensive preparatory work by the DSK Sanctions Working Group, the German data protection authorities agreed to start testing the complex new fine calculation model in June 2019. According to a recent JUVE magazine report (in German), data protection authorities of the states of Berlin, Lower Saxony, and Baden-Württemberg were particularly active in driving the new fine model, which was discussed and resolved at the DSK Intermediate Conference 2019 in Mainz. The conference minutes and a recently published press release (both in German) provide interesting background on the agreement between the German data protection authorities.

The methodology has also been presented to the “Fining Taskforce” of the European Data Protection Board (EDPB), which aims to ensure consistent, EU-wide GDPR fining practices. In contrast to other models currently under discussion, the German authorities believe that their model guarantees a systematic approach for a transparent and comprehensible calculation of fines. The EDPB may ultimately seek to implement a harmonized fine model across Europe, based on the new methodology applied by the German authorities.

How does the German GDPR fine model work in practice?

The DSK methodology is complex. For example, in a recent decision, the calculation of the fine, together with the associated explanations, was 24 pages long. This complexity is unsurprising, as a simple model might not be able to guarantee the required individual justice and thus the proportionality required in Art. 83 GDPR.

The starting point for the calculation is the aggregate global annual revenue of the undertaking. Based on this, a “daily rate” is calculated, which is then adjusted by the application of various multipliers to reflect the different penalty criteria according to Art. 83 GDPR (e.g., the perceived gravity of the offence, culpability of the organization, extent of the potential harm caused to individuals etc., as discussed further below), and certain other mitigating or aggravating factors at the discretion of the authority.

Overview of the new GDPR fining methodology

The fine model consists of four major steps, each of which requires complex calculations and weightings. The outline below summarizes these steps at a high level.

1. Turnover-based calculation of the daily rate

As a first step, the DSK proposes that authorities determine the daily rate by dividing the aggregate global turnover of the undertaking for the previous year by 360 days. The authorities can estimate the relevant turnover figure if the company does not provide this information.

For corporate groups, the DSK is quite clear that the fine calculation is not based on the turnover of only the individual undertaking concerned, but instead on the turnover of the entire group. The DSK states in its respective guidance on this subject (Kurzpapier Nr. 2 Aufsichtsbefugnisse/Sanktionen) that: 

Recital 150 GDPR explains how the term “undertaking” is to be understood in connection with the fine proceedings. Accordingly, the broad, functional concept of enterprise borrowed from antitrust law pursuant to Articles 101 and 102 of the Treaty on the Functioning of the European Union (TFEU) applies. The consequence of this is that parent companies and subsidiaries are regarded as an economic unit, so that the total turnover of the group of companies is taken as the basis for calculating the fine.

It is not yet clear what position the courts will take on this issue, in light of the DSK’s approach.

2. Determination of the “regular fine corridors” and the median fine value

The second step is an assessment by the authority of the perceived severity of the specific offence. This severity assessment is based primarily on an overall assessment performed by the authority taking several points into consideration, including the violated GDPR provisions and maximum fine limits set out in Arts. 83(4)-(6) GDPR, with some discretion for the authorities to take into account the level of harm to individuals. The GDPR maximum fine limits may not be exceeded. The DSK’s model sets out four levels of severity (minor, average, severe, or very severe), each with an associated multiplier range.

An essential factor for determining the initial severity of a data protection violation is the classification of the breach according to Art. 83 para. 4, para. 5, or para. 6 GDPR. The decisive factor, however, is ultimately the “unlawful content” of the respective act, which allows discretion for the severity level to be “manually determined” by the authority. For example, an unsolicited advertising email should be regarded as a minor infringement and the unauthorized monitoring of employees as a serious infringement.

The multipliers of the severity level set by the authority are then applied to the daily rate, producing a fine corridor. The more severely an infringement is classified, the higher the corridor. The authorities then calculate the median value of the resulting fine corridor, which becomes the basis for the further fine calculation.

3. Classification of the specific GDPR infringement

Once the initial gravity of the infringement has been established, there would be further modifications of the fine to take into account the nature of the offence and its consequences in accordance with the following criteria:

  • Duration of the infringement

  • Nature, extent, and purpose of the unlawful processing

  • Number of data subjects involved in the processing  

  • Extent of harm suffered by data subjects

The authorities would then assign a score of zero to four to each of these criteria and calculate the total of those values. The sum of these scores produces a total value that is then entered into a long and complex table (not yet publicly released) in order to determine whether an additional factor should be applied to either increase or decrease the severity level and/or the median value already determined in the previous calculation step. 

4. Percentage changes in accordance with Art. 83 para. 2 GDPR — further consideration of the fine

In a further step, the authority would determine any other relevant criteria for assessing fines in accordance with Art. 83 (2) GDPR. These criteria concern culpability, i.e.:

  • Intent or negligence
  • The initiation of measures to mitigate damage
  • The degree of responsibility
  • The existence of any relevant previous infringements
  • Cooperation with the supervisory authority
  • The categories of personal data processed within the scope of the infringement
  • The type of disclosure of the infringement
  • Compliance with any measures previously ordered by the authority 
  • If applicable, compliance with approved procedural rules or certifications

In this step, increases of up to 300% or reductions of up to 25% can be applied to the previously calculated median value in respect of each of the above-mentioned culpability criteria.

Final consideration of the fine

As a final step, the authority would then examine whether any other aggravating or mitigating circumstances exist that would suggest a further adjustment of the fine determined so far. There seems to be no formula for this further adjustment, so the authorities have particularly wide scope for discretion. In this step, the authority would consider whether the calculated fine is effective and dissuasive, taking into account likely public perception.

In addition, the fine must be proportionate to the infringement. In view of the extremely high value of fines that may result from the application of the new fine model, this aspect in particular is likely to become an important line of defense for companies in future fine litigation.

To the extent necessary, there would also be an adjustment for consistency with the GDPR-mandated maximum fines (as specified in Art. 83 (4) to (6) GDPR). Furthermore, the authorities verify whether the fine falls inside the previously determined fine corridor. Fines may not exceed the maximum amounts stipulated in Art. 83 GDPR.

Outlook

Initial practical experience shows that the application of the DSK model would lead to significantly higher GDPR fines than those imposed by the German authorities so far. The largely linear calculation method, starting with turnover, leads to serious penalty risks, especially for companies and groups with high revenues. 

Whether sanctions imposed under the DSK fine model properly take into account the criteria required by Article 83 GDPR, or can properly ensure that fines are in fact proportionate, is questionable. The DSK model, if adopted and applied, would be ripe for challenge. It could be difficult for data protection authorities to convince courts in administrative offence proceedings that the authorities in fact have determined appropriate, lawful fines using the model. 

Given the expected increase in the size of future fines for GDPR infringements, companies should examine their existing data protection structures and processes to determine the extent to which those structures are adequate to mitigate the risk of fines. In particular, large corporate groups and companies that process high volumes of data, or sensitive and high-risk data, would be well advised to plan an effective litigation defense in advance.