New EU Privacy Law Has Tougher, but More Coherent Fines


By Stephen Gardner

June 17 — What happens when a peashooter is suddenly replaced by a cannon? That is the question companies are asking about the huge fines that will become available under the European Union's new landmark privacy law.

After the new General Data Protection Regulation (GDPR) takes effect in May 2018, all of the privacy offices in the 28 EU countries will gain powers to levy multi-million euro fines for serious privacy infringements.

U.S. companies should be prepared for the possibility of huge fines from EU privacy regulators, even if the prospect of such fines being assessed feels unlikely or remote, privacy attorneys told Bloomberg BNA. The new privacy law also covers a broader range of companies than the old law, making it even more important to understand the new sanctions regime, they said.

The crucial issue for companies won't be about the levels of potential fines, but how privacy regulators adapt to and exercise their new enforcement powers. For some privacy regulators, the new level of sanctions available under the GDPR will bring a dramatic change in enforcement culture, the attorneys said.

Julie Bossaert, a data protection and information security attorney with CMS DeBacker in Brussels, said that “at the moment there is a high degree of variation” in the powers of EU privacy regulators to sanction privacy breaches. Fines are “peanuts compared to what they will be,” she said.

Millions, Even Billions of Dollar Fines Possible

Under the GDPR, the maximum fines allowed will escalate to 20 million euros ($22.5 million) or up to 4 percent of a company's global revenues, whichever is higher. The high level fines are allowed for violations of data processing consent, individual privacy rights, international data transfer rules and ignoring orders from privacy regulators.

To put the sanctions tied to worldwide revenue in context, 4 percent of Facebook Inc.'s worldwide revenue would be approximately $500 million and 4 percent for Walmart Stores Inc. would be over $19.5 billion.

For other lesser infringements, the GDPR will allow maximum fines of the higher of 10 million euros ($11.25 million) or 2 percent of global revenues. Infringements in this bracket include failure to notify data security breaches, failure to implement preventative measures, failure to correctly maintain records and breaches over the obtaining of consent for the processing of children's data.

Massive New Powers for Some Regulators

How data privacy regulators acclimate to their new enforcement powers is uncertain. Companies may have reason to worry.

Although the GDPR is a single law covering all of the 28 EU countries, enforcement of the privacy rules will continue to take place at the individual country level. National data protection authorities will be responsible for overseeing companies using personal data that have their “main establishment” in that country.

For many privacy regulators, the new sanctioning powers will be a massive leap.

Bulgaria's Commission for Personal Data Protection, for example, can levy a maximum fine of about $57,500. Ireland's Office of the Data Protection Commissioner has no power to impose fines, although it can refer enforcement actions to a court, which may impose fines of up to 100,000 euros ($112,500).

Regulatory Muscle Flexing?

A concern for companies doing business in the EU is that the sudden increase in fining power for privacy regulators may encourage some to flex their muscles and seek to set a benchmark of tough enforcement.

Frédéric Louis, a data protection partner with WilmerHale in Brussels, warned of the possibility of a rapid ratcheting up of fines.

Fines are “one easy metric for everyone to follow,” Louis said. “As soon as one breaks ranks and imposes a big fine, immediately the others will want to” do the same.

CMS DeBacker's Bossaert said the new law will also in principle allow privacy regulators to levy large fines at an earlier stage of enforcement proceedings.

Martin Fanning, an information technology, intellectual property and data protection partner with Dentons in London, said the potential for high fines has turned data protection into a “top-table board-level issue.”

Likelihood of High Fines Uncertain

WilmerHale's Louis said companies looking to gauge whether privacy regulators will pounce to levy fines may want to look to antitrust enforcement, where the number of cases and levels of fines increased rapidly after the turn of the millennium.

In antitrust, the European Commission and the U.S. Department of Justice got into an “arms race as to who was going to impose a bigger fine.” Similar behavior among EU privacy regulators that “want to be taken seriously” might “lead to very quick development of high fines,” which would then become the norm, Louis said.

But other privacy analysts said it is more likely that EU privacy regulators will adopt a more cautious approach in exercising their new fining authority.

Bossaert said high fines would be a last resort. “I do not see, for example, the Belgian Privacy Commission imposing a fine of up to 4 percent” of a company's global revenues, she said.

Alex Whalen, senior policy manager at DIGITALEUROPE, which represents information technology and consumer electronics companies, said that there remains the possibility that a particular national privacy regulator might try “to make a statement by going after a company to make an example of them.”

However, DPAs would likely be aware that rapid recourse to high fines could deter some companies from investing in the EU, Whalen said. “In general, we find most DPAs to be quite reasonable,” he added.

According to Louis, however, the Article 29 Working Party had “not been a force for restraint; rather they have been a force for very strict enforcement of the rules,” and this could indicate a willingness to opt quickly for tough sanctions.

Reach of Privacy Law Expands

The kinds of companies that may face privacy fines are expanded under the new privacy regulation. Under the old law, only companies that actually controlled the use of personal data were subject to sanctions. Under the new regulation, companies that engage in processing personal data, even though they aren't the ones that initially collected or used the data, may also be subject to fines.

Deema Freij, senior vice president with Intralinks, a provider of secure cloud services and thus a data processor, said that data processors are worried about the fines.

“This is the first time that processors have a direct compliance risk,” Freij said. Companies engaged in data processing are going back to data controller companies and asking to revisit contractual obligations, she said.

Little Fining Experience

High fines for privacy violations aren't completely new in the EU. The Dutch DPA in 2014 threatened Alphabet Inc.'s Google Inc. with daily fines up to a ceiling of 15 million euros for noncompliance with DPA orders (241 PRA, 12/16/14).

The Belgian Privacy Commission in 2015 referred Facebook Inc. to a Belgian court where it received an order to stop tracking non-Facebook users or face a 250,000 euro ($282,171) penalty per day (217 PRA 217, 11/10/15).

Those fines, however, weren't actually enforced.

Even in EU countries where privacy regulators already have authority to impose relatively high penalties, there is limited experience of applying high fines in practice.

In the U.K., for example, the Information Commissioner's Office has the power to issue fines up to 500,000 pounds ($707,250), but the record U.K. fine so far—against Sony in 2013—was only half that amount (136 PRA, 7/16/13).

Mary J. Hildebrand, founder and chair of the Privacy and Information Security Practice at Lowenstein Sandler LLP, in Roseland, N.J., said “there's going to have to be significant guidance in terms of how those fines are levied.”

Guidance might cover the weight DPAs should give to mitigating factors and whether “decisions on fines have precedential value,” Hildebrand said.

Unfortunately for companies, however, guidance might only become available after May 25, 2018, when the GDPR takes full effect.

Under the GDPR, the newly created European Data Protection Board (EDPB) is to issue guidance on fines. The EDPB will replace the Article 29 Working Party of EU privacy officials from the 28 EU countries.

Guidance will be significant because it could influence the calculation of fines, which could either “put a damper on the process,” or lead to high fines from the outset, Louis said.

To contact the reporter on this story: Stephen Gardner in Brussels at correspondents@bna.com

To contact the editor responsible for this story: Donald G. Aplin at daplin@bna.com