On May 12, 2022, the European Data Protection Board (“EDPB”) adopted Guidelines 04/2022 on the calculation of administrative fines under the EU General Data Protection Regulation (“GDPR”) (the “Guidelines”). The Guidelines are intended to harmonize the methodology supervisory authorities (“SAs”) use when calculating the amount of a GDPR fine and provide illustrative examples to help organizations understand the calculation method.
The amount of a fine is at the discretion of the SA, subject to the calculation rules laid out in the GDPR. According to Article 83 of the GDPR, the amount of a fine, which must be determined on a case-by-case basis, should be effective, proportionate and dissuasive. The amount of the fine cannot exceed the maximum amounts provided for in Article 83(4)-(6) of the GDPR, i.e., up to €10 million or 2% of an undertaking’s total worldwide annual turnover (whichever is higher), or depending on the GDPR infringement, up to €20 million or 4% of an undertaking’s total worldwide annual turnover (whichever is higher).
In the Guidelines, the EDPB lays out a five-step methodology for calculating the amount of administrative fines for infringements of the GDPR. The EDPB also states that this methodology should not be misunderstood as a form of automatic or arithmetical calculation; a human assessment of all relevant facts and circumstances at hand must always be conducted.
Step 1: Identify the processing operations in the case and evaluate the application of Article 83(3) of the GDPR.
Article 83(3) of the GDPR provides that “If a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.”
SAs first will need to consider what conduct the fine relates to, particularly whether concurrent infringements took place. For example, one case could include multiple sanctionable acts that could result in several infringements. The rules on concurrence are outlined in the case law of the Court of Justice of the European Union (“CJEU”), which identified three categories under which a case may fall: (1) concurrence of offense; (2) unity of action/processing; and (3) plurality of actions. The way the fine is calculated will depend on the category of the case at hand. For example, in a “unity of action/processing” case, the fine is limited to the maximum allowed for the gravest infringement, whereas a “plurality of actions” case can result in separate fines being imposed for each conduct, subject to individual maximum amounts.
Step 2: Identify the starting point for further calculation of the fine amount.
There are two categories of infringements under the GDPR that may serve as the starting point for further calculation of the fine: (1) infringements punishable under Article 83(4) of the GDPR by a fine of €10 million or 2% of the undertaking’s annual turnover, whichever is higher; or (2) infringements punishable under Article 83(5)–(6) of the GDPR by a maximum fine of €20 million or 4% of the undertaking’s annual turnover, whichever is higher.
Consideration also must be given to the facts and circumstances of the infringement when evaluating its seriousness. The GDPR requires SAs to consider, in light of the specific case: (1) the nature, gravity and duration of the infringement; (2) the nature, scope or purpose of the processing at stake; (3) the number of data subjects affected and level of damage suffered by them; (4) whether data subjects are directly identifiable; (5) the intentional or negligent character of the infringement; and (6) the categories of affected data. The assessment of those factors will help determine the seriousness of the infringement as a whole (i.e., low, medium or high level of seriousness). Administrative fines will be set between 0 and 10% of the applicable legal maximum for low level infringements; between 10% and 20% for medium level infringements; and between 20% and 100% for high level infringements. Generally, the more severe the infringement under each of these categories, the higher the starting amount of the fine will be.
In addition, SAs may consider adjusting the starting amount using a tiered approach based on the size of an undertaking and its annual turnover, i.e., if an infringement is committed by an undertaking with an annual turnover under €2 million, under €10 million or under €50 million, or an undertaking with an annual turnover exceeding €100 million, €250 million or €500 million. Generally, the higher the turnover of the undertaking within its applicable tier, the higher the starting amount for the calculation of the fine.
Step 3: Evaluate aggravating and mitigating circumstances related to past/present behavior of the controller/processor.
SAs must take into account whether any of the aggravating and mitigating factors listed under Article 83(2) of the GDPR are present, including: (1) any measure (technical and organizational) taken by the data controller/processor to mitigate the damage suffered by data subjects; (2) the degree of responsibility of the controller/processor for the infringement; (3) any prior infringement by the data controller/processor, and the time frame and subject matter of such prior infringement; (4) the degree of cooperation of the data controller/processor with the SA to remedy the infringement and mitigate potential adverse effects; (5) the manner in which the infringement became known to the SA (e.g., did the SA become aware of the infringement by a complaint/investigation or by the data controller/processor’s own motion); (6) compliance with measures previously ordered on the same subject matter; (7) adherence to approved codes of conduct/certification mechanisms; and (8) any other aggravating or mitigating circumstances, such as financial benefits gained or losses avoided directly or indirectly from the infringement.
Step 4: Identify the legal maximum(s) for the infringement(s) and corporate liability.
The GDPR provides overall maximum amounts, rather than setting fixed sums for specific infringements:
- Articles 83(4) and 83(5)-(6) provide for static amount, i.e., up to €10 million or €20 million respectively.
- Alternatively, in case of an undertaking, the fining range may shift towards a higher maximum amount based on the undertaking’s turnover, i.e., up to 2% or 4% of the undertaking’s total annual turnover of the previous financial year. This maximum amount is dynamic and individualized towards the respective undertaking and is intended to achieve effectiveness, proportionality and deterrence.
The GDPR requires SAs to consider the static maximum amount, or the dynamic turnover-based maximum amount, whichever is higher. In practice, this means that the turnover-based maximum amounts will apply only if they exceed the static maximum amounts in the case at hand.
The concept of undertaking is central to determining the correct turnover for the dynamic legal maximum. According to CJEU case law, an undertaking “encompasses every entity engaged in an economic activity, regardless of the legal status of the entity and the way in which it is financed.” In addition, for the purpose of competition law, undertakings are identified with economic units, rather than legal units. This means that a single economic unit can qualify as an undertaking even if it consists of several legal entities. Whether several legal entities form a single economic unit will depend on whether the individual entity is free in its decision-making ability or whether a leading entity (such as the parent company) exercises decisive influence over the other entities. In making that assessment, criteria such as the amount of participation, personnel or organizational ties, instructions and existence of company contracts can be taken into account.
When opting for the dynamic legal maximum, SAs also will need to calculate the undertaking’s annual turnover, i.e., the net sum of all goods and services sold, after deducting sales rebates and VAT and other taxes linked to turnover.
Step 5: Assess the effectiveness, proportionality and dissuasiveness of the fine.
SAs are tasked with verifying that the fine imposed is effective, proportionate and dissuasive in each individual case, or whether adjustments are needed:
- Effectiveness. A fine generally is considered effective if it achieves the objectives with which it was imposed (e.g., reestablishing compliance with the rules, punishing unlawful behavior or both).
- Proportionality. Proportionality requires that measures adopted do not go beyond what is appropriate and necessary to attain the objectives pursued by the law in question. Where there are several appropriate measures, the least onerous ones that cause the least disadvantages must be pursued. In exceptional circumstances, SAs may consider further reducing the fine based on an inability to pay, taking into account the economic viability of the concerned undertaking, proof of value loss and specific social and economic context.
- Dissuasiveness. A fine must have a genuine general deterrent effect (i.e., discouraging others from committing the same infringement in the future) and specific deterrent effect (i.e., discouraging the recipient of the fine from committing the same infringement again). The amount of a fine may be increased if the SA determines that the amount is not sufficiently dissuasive.
The EDPB welcomes comments on the draft Guidelines by June 27, 2022 (the public consultation is available here).
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- Iowa
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code