Guidance Issued on EU GDPR Privacy Fines, Regulator Standards

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Stephen Gardner

The standards for fining companies under a new European Union privacy regime indicate that regulators should neither shy away from levying sanctions nor see them as a last resort, according non-binding but influential guidance from data protection officials from the 28 EU countries.

For the most serious breaches of the European Union General Data Protection Regulation (GDPR), fines imposed on a subsidiary that is found to violate the new privacy scheme should be based on the parent company, the guidance said.

EU data protection authorities will be empowered to fine companies up to 20 million euros ($23.5 million) or 4 percent of their global revenues for violations, whichever is greater, under the GDPR, which takes effect May 18, 2018. The guidance by the Article 29 Working Party is for privacy supervisors but will be read with interest by companies seeking a glimpse into how the potentially massive fines might be imposed.

When deciding on sanctions, including fines, data protection authorities should take into account the number of data subjects involved in a GDPR violation; the damages suffered; the duration of a data breach; and whether the data controller honored “purpose limitation"—meaning that when handling data, it was only used for the purposes for which it was intended by the data subject. The guidance was adopted Oct. 3 and made public Oct. 21.

Sanctions should also take into account factors such as whether there was negligence leading to a data breach, steps taken to reduce the harm caused by a breach, the level of cooperation offered by a data controller and any previous history of data breaches, the guidance said.According to the guidance, privacy regulators should seek to apply sanctions that are “effective and dissuasive” and proportionate. Other important factors to consider include the duration of infringements and the damage caused. The working party said the guidance would help ensure that sanctions for violations of the GDPR are applied in a harmonized way across the EU.

The guidance clarified that the term “undertaking” in the GDPR, meaning a corporate entity, should be understood as referring to “an economic unit, which may be formed by the parent company and all involved subsidiaries.” This definition will bring the GDPR in line with EU antitrust law’s definition of “undertaking.”

Calculating fines relative to the global revenue of corporate groups could theoretically mean that fines rise much higher than the 20 million euros ($23.5 million) listed in the GDPR as the highest for the most serious violations.

For example, a fine calculated based on the revenues of one of the smaller subsidiaries of Alphabet Inc., which owns Google Inc., would be much lower than a fine calculated based on the revenues of Alphabet Inc. Alphabet had revenues of about $90 billion in 2016, but any of its smaller subsidiaries could potentially be on the hook for a fine of 4 percent of $90 billion, the guidance said.

Alja Poler De Zwart, an associate with Morrison & Foerster LLP in Brussels, told Bloomberg Law Oct. 23 that the guidance on calculating fines against corporate group revenues was “an unfortunate development,” because “the hope was that the fine would be calculated over the turnover of the infringing entity only.”

Fines could in theory rise substantially above 20 million euros in cases in which data protection authorities “find it more suitable because of aggravating circumstances,” De Zwart said.

De Zwart said that although the GDPR specifies maximum levels, the guidance “did not provide a starting point for calculating a specific fine to which aggravating and mitigating factors are then applied.”

“This means that additional insights into calculation of fines will only develop through practice when the enforcement actions start trickling in,” she said.

Anna Pateraki, senior data protection associate at Hunton & Williams LLP in Brussels, told Bloomberg Law Oct. 23 that the guidance outlined “how regulators will think” when deciding on sanctions, but many practical questions would only be resolved when there is “more litigation as fines will be subject to appeal before courts.”

To contact the reporter on this story:Stephen Gardner in Brussels at

To contact the editor responsible for this story: Donald Aplin at

For More Information

The full text of the Article 29 Working Party guidance is available at

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security