The Article 29 Working Party (“WP29”) recently issued much-anticipated guidance on administrative sanctions under the General Data Protection Regulation (the “GDPR”). The guidance focuses on the factors that Supervisory Authorities (the “SAs”) are to weigh, as a whole, when assessing administrative fines for violations of the GDPR. Those factors make clear that WP29 views fines under the GDPR as a key deterrent and enforcement mechanism.
Article 83 of the GDPR states the general conditions for imposing fines for non-compliance. These fines must be “effective, proportionate and dissuasive” (Art. 83(1)); must vary based on the “circumstances of each individual case” in light of specified factors (Art. 83(2)(a) – (k)); and are subject to varying caps depending on the particular breached obligation at issue (Art. 83(4)-(6)). Article 58(2) outlines the enforcement mechanisms available to SAs – these include the authority to issue reprimands, orders, and sanctions pursuant to Article 83.
Entities that are subject to the GDPR may be particularly concerned with the sizeable sanctions caps codified in Article 83(4) – (6): up to 10,000,000 EUR (or 2% of worldwide annual turnover, in the case of an undertaking), or up to 20,000,000 EUR (or 4% of worldwide annual turnover, in the case of an undertaking), as the case may be.
The notion of an “undertaking,” which WP29 (following Recital 150 of the GDPR and EU competition law) describes as “an economic unit… which may be formed by the parent company and all involved subsidiaries,” magnifies these concerns. SAs may calculate a fine as a percentage of the worldwide annual turnover of a company’s global operations, regardless of the legal divisions between parents and subsidiaries. This greatly increases the maximum possible fine.
Corrective Measures and Fines in General
WP29’s guidance provides only limited grounding for entities that want to understand when and how fines will be assessed. In general, fines are to be “effective, proportionate and dissuasive,” meaning they must respond to the nature, gravity, and consequences of the infringement. Where an infringement concerns a GDPR obligation listed in Article 83(4) – (6), a fine is not automatic: the SA must consider the full range of corrective measures available under Article 58(2), including but not limited to reprimands, orders, and fines.
With respect to fines, WP29 asks: what is the objective of the fine – to establish compliance, to punish unlawful behavior, or both? Whether to issue a fine, and the extent of the fine, will be determined in part based on this question. The guidance adds that individual member states of the European Union may establish enforcement procedures through legislation (notifications, deadlines, appeal, etc.), further complicating the enforcement outlook.
Article 83(2) Individualized Assessment Criteria
The bulk of WP29’s guidance focuses on the assessment factors outlined in Article 83(2). The factors generally fall into three categories: the nature of the infringement, the handling of the infringement, and the prior conduct of the entity responsible for the infringement.
Nature of the Infringement
The “nature, gravity and duration” of the breach is a key determinant in the size of any fine. As a preliminary matter, if the infringement does not pose a significant risk to the rights of the data subjects and does not affect the essence of the GDPR’s obligations, the SA may issue a reprimand in place of a fine. In general, the SA will assess the number of data subjects involved, the purpose of the processing and whether the use of the data was compatible with said purpose, the level of damage suffered by the data subjects, and the duration of the infringement.
The intentional or negligent character of the infringement is an additional consideration that SAs will take into account, and intentional infringements may warrant more severe sanctions. Importantly for entities subject to the GDPR, WP29 gives as indicators of intent the explicit authorization of unlawful processing by top management, processing carried out despite the advice of a Data Protection Officer, and disregard for existing data protection policies.
The categories of personal data affected may further impact the size of any fine. In particular, if the infringement involved sensitive data as specified in Articles 9 and 10 in the GDPR, or would otherwise cause immediate damage or distress to the data subjects if disseminated, a larger fine may be warranted. Finally, any other aggravating or mitigating factor, such as financial benefits gained or losses avoided in connection with the infringement, will be considered.
Handling of the Infringement
SAs will consider the mitigating actions taken by a controller or processor in responding to an incident. WP29’s guidance indicates that SAs should take into account whether an entity has accepted responsibility for its actions and has sought to correct or limit the impact of the infringement. SAs will also consider the degree to which the controller or processor has cooperated with the investigation and, relatedly, the manner in which the SA learned of the infringement. For example, did the controller or processor notify the SA as required under the GDPR, and was that notice adequate and complete?
The “degree of responsibility,” in particular with respect to Articles 25 and 32 of the GDPR, is to be factored into the calculation of fines. SAs will consider whether the controller has implemented technical and organizational measures in support of data protection by design and default, as well as an appropriate level of security. The key question with respect to this factor, according to WP29, is: did the controller do what it could be expected to do, in light of industry standards and best practices? An additional and related consideration is whether the relevant data protection routines and policies are known and applied at the appropriate level of management pursuant to Article 24.
Prior Conduct
SAs will also consider previous infringements and, if corrective measures have previously been ordered pursuant to Article 58(2), the degree to which the controller or processor has complied with those measures.
WP29’s guidance provides a helpful overview of how SAs will consider and assess fines under the GDPR. While it lacks a detailed explanation of how fine amounts will be calculated, a topic that may be addressed in future guidance, it makes clear that entities subject to the GDPR should review their GDPR compliance efforts carefully and on a continuing basis.
The new WP29 guidelines (Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679) are available as a PDF from WP29.
Alston & Bird is closely following significant developments in the fields of privacy, data protection and technology. For more information, contact Jim Harvey or David Keating.