Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...
The standards for fining companies under a new European Union privacy regime indicate that regulators should neither shy away from levying sanctions nor see them as a last resort, according non-binding but influential guidance from data protection officials from the 28 EU countries.
For the most serious breaches of the European Union General Data Protection Regulation (GDPR), fines imposed on a subsidiary that is found to violate the new privacy scheme should be based on the parent company, the guidance said.
EU data protection authorities will be empowered to fine companies up to 20 million euros ($23.5 million) or 4 percent of their global revenues for violations, whichever is greater, under the GDPR, which takes effect May 18, 2018. The guidance by the Article 29 Working Party is for privacy supervisors but will be read with interest by companies seeking a glimpse into how the potentially massive fines might be imposed.
When deciding on sanctions, including fines, data protection authorities should take into account the number of data subjects involved in a GDPR violation; the damages suffered; the duration of a data breach; and whether the data controller honored “purpose limitation"—meaning that when handling data, it was only used for the purposes for which it was intended by the data subject. The guidance was adopted Oct. 3 and made public Oct. 21.
Sanctions should also take into account factors such as whether there was negligence leading to a data breach, steps taken to reduce the harm caused by a breach, the level of cooperation offered by a data controller and any previous history of data breaches, the guidance said.According to the guidance, privacy regulators should seek to apply sanctions that are “effective and dissuasive” and proportionate. Other important factors to consider include the duration of infringements and the damage caused. The working party said the guidance would help ensure that sanctions for violations of the GDPR are applied in a harmonized way across the EU.
The guidance clarified that the term “undertaking” in the GDPR, meaning a corporate entity, should be understood as referring to “an economic unit, which may be formed by the parent company and all involved subsidiaries.” This definition will bring the GDPR in line with EU antitrust law’s definition of “undertaking.”
Calculating fines relative to the global revenue of corporate groups could theoretically mean that fines rise much higher than the 20 million euros ($23.5 million) listed in the GDPR as the highest for the most serious violations.
For example, a fine calculated based on the revenues of one of the smaller subsidiaries of Alphabet Inc., which owns Google Inc., would be much lower than a fine calculated based on the revenues of Alphabet Inc. Alphabet had revenues of about $90 billion in 2016, but any of its smaller subsidiaries could potentially be on the hook for a fine of 4 percent of $90 billion, the guidance said.
Alja Poler De Zwart, an associate with Morrison & Foerster LLP in Brussels, told Bloomberg Law Oct. 23 that the guidance on calculating fines against corporate group revenues was “an unfortunate development,” because “the hope was that the fine would be calculated over the turnover of the infringing entity only.”
Fines could in theory rise substantially above 20 million euros in cases in which data protection authorities “find it more suitable because of aggravating circumstances,” De Zwart said.
De Zwart said that although the GDPR specifies maximum levels, the guidance “did not provide a starting point for calculating a specific fine to which aggravating and mitigating factors are then applied.”
“This means that additional insights into calculation of fines will only develop through practice when the enforcement actions start trickling in,” she said.
Anna Pateraki, senior data protection associate at Hunton & Williams LLP in Brussels, told Bloomberg Law Oct. 23 that the guidance outlined “how regulators will think” when deciding on sanctions, but many practical questions would only be resolved when there is “more litigation as fines will be subject to appeal before courts.”
To contact the reporter on this story:Stephen Gardner in Brussels at email@example.com
To contact the editor responsible for this story: Donald Aplin at firstname.lastname@example.org
The full text of the Article 29 Working Party guidance is available at http://src.bna.com/tAB.
Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to email@example.com.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).
This Bloomberg BNA report is available on standing order, which ensures you will all receive the latest edition. This report is updated annually and we will send you the latest edition once it has been published. By signing up for standing order you will never have to worry about the timeliness of the information you need. And, you may discontinue standing orders at any time by contacting us at 1.800.372.1033, option 5, or by sending us an email to firstname.lastname@example.org.
Put me on standing order
Notify me when new releases are available (no standing order will be created)