Fines of up to EUR 20 million or 4% of the total annual global turnover of the preceding financial year. At least since the beginning of 2018, this threat has given the General Data Protection Regulation (GDPR) a massive presence in the media, causing panic among both large and small companies and (at best) prompting them to implement the requirements of the new data protection law. Almost one year later, it appears that the European supervisory authorities are quite willing to make use of the hard sanctions under the GDPR. However, the authorities' growing practice of imposing fines also shows how companies need to act in order to keep fines as low as possible.
France, January 2019: EUR 50 million. In January 2019, France’s data protection supervisory authority imposed on Google the highest fine since the GDPR became effective. The way Google informed users about the processing of their personal data when using its services was criticised. The authority said the information was spread over too many different documents and thus could not be grasped easily. Further, it explained that the purposes of the data processing were not sufficiently described. Moreover, Google could not present any valid consent of the users to the use of their data for advertising purposes.
Germany, December 2018: EUR 5,000. Not a very high fine, but an interesting case: The company fined had sent data to a data processor without first concluding a data processing agreement. The data processor continued to refuse to conclude such a contract, leading the company to contact the competent data protection supervisory authority for advice. The authority stated that a data processing agreement was necessary and that the company was responsible for the conclusion and existence of such an agreement. The company ignored the authority's remark and was fined some time later because the agreement (still) did not exist.
Germany, November 2018: EUR 20,000. In a hacker attack, the data of 330,000 users of a social network was copied and subsequently published on the internet. Since the social network had stored the data on its server in plain text instead of pseudonymized, the data protection authority imposed the fine mentioned above. Pseudonymization is – according to the GDPR – an effective technical measure to protect personal data.
Portugal, October 2018: EUR 400,000. The fine was imposed on a hospital that had not sufficiently restricted access to patient data. Although the hospital employed only 300 doctors, almost 1,000 active users with a “doctor” profile and the corresponding access rights were registered in the IT system.
The practice of imposing fines shows that companies of different sizes were fined for different violations: for insufficient privacy statements, non-existent data processing agreements, data processing based on invalid consent, or the failure to implement technical and organisational security measures to protect the data.
The GDPR specifies which criteria (e.g. type, gravity and duration of the infringement) the supervisory authority needs to take into account when imposing a fine. However, with regard to the amount of the fine, authorities have broad discretion and only need to take the statutory criteria (see above) into account when assessing the infringement. The objective of a fine, though, must always be that the measure is effective, proportionate and dissuasive in each individual case. In particular, the requirement of proportionality is an opportunity to reduce a fine. In order to determine a proportionate fine, the supervisory authority will take into account (as it did in the case of the fine imposed in November 2018) how the company concerned reacted after becoming aware of the infringement (keyword: reporting obligation) and what measures the company had already taken (before the infringement) to protect personal data.
On the one hand, the fines imposed show that the authorities comprehensively check compliance with data protection requirements. On the other hand, it becomes clear how the authorities interpret the principle of proportionality with regard to the amount of the fine. In particular, the fine imposed in Germany in November 2018 is an important signal for companies. In its public statement, the supervisory authority emphasised that the fine (EUR 20,000) had been set that low because the infringing company had cooperated with the authority after becoming aware of the infringement and had willingly disclosed all information on the incident and on the data processing in the company. Additionally, the assessment took into account how much the company had already invested in building up its data protection compliance.
From these signals, companies can gain important insights:
It is not enough just to take action for outward appearances. Technical and organisational security measures taken before the incident are also checked by the authorities.
Supervision by data protection authorities will increase. A “duck and cover” strategy will not be successful in the long run. In particular, companies carrying out a large number of data processing operations or processing particularly sensitive data should not wait and see; they should take the initiative to examine their data protection measures and promptly start implementing the measures they may have missed so far – with professional legal and technical support.
If the supervisory authority inspects a company or if a data breach occurs, the efforts made up to that point may pay off. If the supervisory authority, however, finds that the company has so far been ignoring data protection requirements, the incident is likely to become significantly more expensive for the company. The fine will be higher, and the implementation measures requested will have to be carried out under the strict supervision of the authority.