Calculation of administrative fines under GDPR – standardised concept published in Germany
After a month of rumours, uncertainty, and a lack of transparency on the part of the German data protection authorities, the German conference of data protection authorities (Datenschutzkonferenz, DSK) published its concept for calculating administrative fines for data protection violations (Concept, available here) on October 16, 2019.
The Concept sets out a standardized approach regarding the calculation of administrative fines in accordance with article 83(4) and (5) of the General Data Protection Regulation (GDPR) and also takes into account the circumstances of the individual case as described in article 83(2) GDPR. The Concept provides a uniform determination of administrative fines under GDPR without losing the flexibility to consider the individual case and situation of the violating person or organization (Violating Entity).
The Concept is not binding on courts, non-German authorities, or the European Data Protection Board (EDPB) and shall only be used for violations in Germany that are not cross-border cases. The Concept shall only be used until the EDPB has issued its own guidelines for the determination of fines under article 83 GDPR. In addition, the Concept shall not be used for fining associations or natural persons acting outside of their economic activity.
In this blog, we explain the five-step procedure that the DSK applies in the calculation:
Content of the Concept
The procedure for determining GDPR fines described in the Concept comprises five steps:
Step 1 – Classifying the Violating Entity
In the first step, the Violating Entity is classified into one of the categories A to D on the basis of its global annual turnover, as set out in article 83(4) and (5) GDPR. In accordance with recital 150 GDPR, the DSK determines the annual turnover of the Violating Entity in consideration of articles 101 and 102 of the Treaty on the Functioning of the European Union (TFEU).
- Category A: up to €2 million annual turnover
- Category B: €2 million to €10 million annual turnover
- Category C: €10 million to €50 million annual turnover
- Category D: above €50 million annual turnover
The categories are further divided into more granular subgroups. The categories are intended to reflect all sizes of organizations, from micro businesses through small and medium-sized organizations to large organizations.
Step 2 – Average annual turnover
In the second step, the average annual turnover of the category is determined in order to be able to determine the daily rate. The average annual turnover is determined as follows:
Step 3 – Daily rate
In the third step, the supervisory authorities determine a daily rate by dividing the annual average turnover by 360 days as a basis for the calculation of the actual fine.
Step 4 – Degree of severity
In the fourth step, the GDPR violation will be categorized into one of four degrees of severity (low, medium, serious, or very serious), taking into account all factors and circumstances of the individual case as set out in article 83(2) GDPR.
Each degree of severity contains several multipliers that are applied to the daily rate determined in Step 3.
Step 5 – Adjustment in special circumstances
Fifth, the amount determined in Step 4 will be adjusted in accordance with article 83(2) GDPR but also taking into account other circumstances, such as very long proceedings or impending insolvency of the Violating Entity.
1. Fines are increasing
The Concept is a paradigm shift with regard to administrative fines for data protection violations. Until a few months ago, and even under “old” data protection law, Germany was a safe haven since administrative fines were not high (only ranging up to €200,000). Under the Concept, fines will now increase significantly. For example, the Berlin Data Protection Authority recently announced that it is preparing a fine in the double-digit million amount of euros (more on our blog).
2. Minimum fines may be too high
At first glance, the Concept seems to be reasonable, particularly with regard to smaller Violating Entities. However, the Concept does not provide for a multiplier smaller than 1. This leads to bigger organizations facing high fines even in minor cases. The minimum fine for a medium-sized organization in a minor incident with an annual turnover of €45 million to €50 million is now €125,000. For a bigger organization with a turnover of €450 million, it is already €1.25 million.
Step 5 of the Concept does provide an opportunity to adjust the fine in accordance with article 83(2) GDPR. However, these considerations have already been applied in Step 4 of the Concept. Thus, in practice, they will likely not lead to a different result.
3. Is it really the turnover of the whole group of the Violating Entity?
It is questionable whether the annual turnover of the group of undertakings is the correct scale. According to recital 150 GDPR, the definition of the term “undertaking” in article 83(4) and (5) GDPR is to be based on the concept of an undertaking as defined in competition law (articles 101 and 102 TFEU), which is interpreted very broadly (that is, it includes associated companies).
However, the GDPR already defines the term “group of undertakings” (article 4(19) GDPR) so there is no reason why the term undertaking has to be interpreted as group of undertakings (see recital 37, sentence 2). Contrary to the English language version of the GDPR (where recital 150 refers to undertakings and article 4(18) refers to enterprise), other language versions of the GDPR, such as the German, French, Italian, and Dutch language versions, use the same term for undertaking in recital 150 and article 4(18) GDPR. The principle that the criminal law or the law against administrative offences must not be extensively construed to an accused’s detriment (see article 7 ECHR) prohibits the broad interpretation of article 83(4) and (5) GDPR to also cover the group of undertakings where only the violating undertaking’s turnover is mentioned in article 83(4) and (5) GDPR. The text of the GDPR takes precedence over the recitals in the event there is a conflict.
4. Does the DSK even have the competency to create the Concept?
It is not clear whether the German DPAs even have the competency to create the Concept. Article 70(1)(k) GDPR provides that it is the task of the EDPB – not the national supervisory authorities – to draw up guidelines for supervisory authorities concerning the setting of administrative fines under article 83 GDPR. The aim of this provision is to harmonize the application of the GDPR across all member states. However, if the member states develop different fine concepts, this goal will not be reached. The DSK has recognized this issue, has limited the scope of the Concept to Germany, and has made it subject to the EDPB deciding in accordance with article 70(1)(k) GDPR. However, it has to be asked whether a national solo run with the annual turnover as the primary scale was necessary, or whether submitting the approach to the EDPB without applying the Concept at a national level would have been the better approach.
The EDPB is engaged in a continuous process to streamline the enforcement of the GDPR at EU level, which started with EDPB’s opinion WP253, where the EDPB said that this is an evolving process. Germany has now provided a blueprint for a unified approach. If the EDPB adopts the Concept, high fines across Europe would become the standard.
Spanish Data Protection Authority fines Vueling: Failure to comply to cookie rules
The AEPD has considered that the consent collected by Vueling by means of the “continue browsing” solution is not valid because the company does not offer users a tool such as the one described above. Therefore, the AEPD considers that the airline has infringed Article 22(2) of the Information Society Services Law (“LSSI”). The AEPD has classified the infringement as minor and has fined the company 30,000 euros. However, since Vueling acknowledged having infringed the law and since the company was willing to pay promptly, the sanction was lowered to 18,000 euros. With its decision, the AEPD has confirmed that collecting consent by means of a “continue browsing” solution is still valid provided certain requirements are met. This is despite the recent judgement of the Court of Justice of the European Union on cookie consent (case C-673/17 – Planet 49).
On 1 October 2019, the Court of Justice of the European Union (the “CJEU”) delivered a significant preliminary ruling in the Planet49 case with regards to cookies and consent under the General Data Protection Regulation 2016/679 (“GDPR”). In the wake of the decision and recent guidance, businesses should be aware that the requirements of cookie consent have evolved considerably in the past few months.
Pre-checked boxes and statements in privacy policies which rely on a user’s “passive consent” given through continued use of a website are now highly unlikely to constitute valid consent under EU law. Consent must also be “granular” – in that consent for one type of processing (for instance – making an online purchase) cannot be automatically inferred as consent for another kind of processing (such as sharing the information with a third party).
Businesses (particularly those that rely on cookies to provide analytical services and advertising) should review and update their privacy and cookies policies to:
(i) include clear and comprehensive information in relation to cookies (including their duration and any sharing with third parties); and
(ii) ensure that they are fully aligned with the standards for consent set out in GDPR and subsequent regulatory guidance and case law.
Planet49: The Facts
Planet49 established an online lottery that required users to provide personal information to enter. In order to play the lottery, users had to tick two checkboxes. It was not possible to play the lottery without clicking the first checkbox and the second checkbox was pre-checked. The first box allowed Planet49 to share user data with third parties. The second pre-checked checkbox indicated consent to cookies being placed on the user’s device.
The CJEU ruled that consent to the storage of, or access to, information on a website user’s equipment cannot be validly obtained through the use of a pre-checked box. This applies whether the requirement for consent to cookies in the E-Privacy Directive (2002/58/EC) is read in conjunction with GDPR or the Data Protection Directive (95/46/EC).
If consent is pre-determined, a user is not providing active consent, as it would be “impossible” to ascertain whether, by not deselecting a pre-ticked box, a user had provided active consent. The CJEU reiterated that consent must be “specific” and that selecting a button to participate in a lottery is insufficient to conclude that a user has also consented to the storage of cookies.
The requirement for consent to store or access information on a website user’s equipment is unaffected by whether or not such information is personal data. The E-Privacy Directive refers to “storing of information, or the gaining of access to information already stored” and aims to protect users from interference with their private sphere regardless of whether or not that interference involves personal data.
“Clear and comprehensive information” within the meaning of the E-Privacy Directive includes the duration of the cookies and whether third parties have access to them.
Context of the decision
The decision of the CJEU reflects the Advocate General’s Opinion delivered on 21 March 2019 and provides further confirmation that the consent requirement in relation to cookies is now the higher standard of consent, as defined in GDPR.
The decision also follows opinions issued by the European Data Protection Board (March 2019), the Irish Data Protection Commissioner (June 2019) and the UK Information Commissioner’s Office (July 2019) which all concurred that the standard of consent required by GDPR must be freely given, specific and informed, and that there must be an indication signifying a user’s agreement, which is unambiguous and involves a clear affirmative action.
The Third Annual Review on the U.S.-EU Privacy Shield
On October 23, 2019, the European Commission published a report on its third annual review of the Privacy Shield. The results are generally positive with no immediate risk to the Privacy Shield’s existence (as a regulatory matter) for at least another year. While you can read the full report here, the following serves as a brief summary, which will be reviewed in more detail in the weeks to come.
Recall that the Privacy Shield works together in a closely integrated manner with the GDPR. It is not a separate law or a substitute for GDPR compliance. More specifically, and to use a bit of regulatory jargon (which we’ll leave unexplained for now in the interest of brevity), the Privacy Shield serves as what is known as a “partial adequacy decision” falling under Article 45 of the GDPR.
Per the US-EU bilateral agreement that resulted in the Privacy Shield, it is subject to annual review by the relevant authority in the EU. If the review goes badly, it would be an existential threat to the Privacy Shield. Thankfully, that did not happen. It is important to note that this report is, of course, unrelated to the Schrems II case (which we posted on here) and its anticipated follow-on cases, which are likely to judicially challenge the Privacy Shield.
Since there’s a lot of confusion, even amongst some practitioners, about what the Privacy Shield is and how it fits in with GDPR, we always feel it’s a good idea to give a reminder whenever we post on the Privacy Shield. So here goes:
Under the Privacy Shield, U.S.-based companies that self-certify can lawfully receive GDPR-governed personal data from companies based in the European Economic Area. Equally important, Privacy Shield also signals to the marketplace that your company has what we refer to at the end of this post as the “Pareto Principle” of data security and privacy policies – procedures and programs in place that are not only required by GDPR, but are fairly universal across global regulatory regimes. As a result, Privacy Shield self-certification is definitely a plus; however, the lack of it is not fatal to your company’s ability to receive personal data from the EEA. If you aren’t Privacy Shield self-certified, it just means you can’t rely on GDPR Article 45 to receive personal data.
Instead, you have to look to GDPR Article 46. That Article enumerates a handful of mechanisms that also can be used to lawfully receive EEA personal data transfers. They range from the so-called Standard Contractual Clauses (which are currently under attack in Schrems II) to a costly and complex mechanism called Binding Corporate Rules.
The key takeaway from today’s report is this: for the third year in a row, Privacy Shield has proven its viability. Becoming Privacy Shield self-certified is worth considering if your business requires regular receipt of GDPR-governed data. It also has some independent value beyond EEA transfers insofar as it shows your company’s security and privacy practices have at least some minimum level of maturity. As we all know and preach, it is essential in today’s global privacy evolution to ensure the development, implementation, and continued monitoring and improvement of sound data security and privacy policies and practices.