On May 16^th, 2022, the European Data Protection Board (EDPB) unveiled its new provisional Guidelines on the calculation of administrative fines harmonising the methodology used by data protection authorities (DPAs). The guidelines are open for public consultation until June 27th, 2022, and the EDPB will then adopt a final version of the guidelines, taking into account feedback.

Article 83 of GDPR is well known by actors in the privacy eco-system, as it sets the principles and the cap for administrative fines, depending on the type of infringement: up to EUR 10 000 000 / EUR 20 000 000 or up to 2% / 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

The guidelines complement Article 83 of GDPR as the EDPB provides a general calculation method and case examples to facilitate further harmonization and transparency on the fining practice of DPAs across Europe.

A 5-STEP METHODOLOGY

1. Step 1. Identifying the processing operations at stake and evaluating the application of Article 83(3) GDPR. The EDPB stresses that before being able to calculate a fine, DPAs should first consider what conducts and infringements the fine is based upon, analysing whether the circumstances are to be considered as one or multiple sanctionable conducts.

• Step 2. Finding the starting point for further calculation based on an evaluation of:
  • the classification according to Article 83(4) to 83(6) GDPR, which provides for different fines caps depending on the types of infringements;
  • the seriousness of the infringementpursuant to (i) the nature, gravity and duration of the infringement, (ii) the intentional or negligent character of the infringement, and (iii) the categories of personal data affected;
  • the turnover of the undertaking, with a view to imposing an effective, dissuasive and proportionate fine. The EDPB provides a grid based on 6 levels from organisations with an annual turnover of ≤ EUR 2 000 000 (calculations based on a sum down to 0.2% of the identified starting amount) up to organisations with an annual turnover of EUR 250 000 000 or above (calculation based on a sum down to 50% of the identified starting amount).

• Step 3. Evaluating any aggravating and mitigating circumstances related to past or present behaviour of the controller/processor and adjusting the fine accordingly.
  • In particular, the adoption of appropriate measures to mitigate the damage suffered by the data subjects may be considered a mitigating factor, decreasing the amount of the fine.
  • DPAs may also consider whether the data in question was directly identifiable and/or available without technical protection.
  • The existence of previous infringements can be considered an aggravating factor in the calculation of the fine, however if there are no previous infringements, this factor should be regarded as neutral.

• Step 4. Identifying the relevant legal maximums for the different processing operations.
  • In cases where the controller or processor is (part of) an undertaking, the combined turnover of such undertaking as a whole can be used to determine the cap of the fine.
  • The total worldwide annual turnover of the preceding financial year is to be used, the relevant event is the fining decision issued by the DPA and neither the time of infringement nor the court decision.

• Step 5. Analysing whether the final amount of the calculated fine meets the requirements of effectiveness, dissuasiveness and proportionality, and adjusting the fine accordingly. In particular, the supervisory authority may consider – in accordance with national law – to further reduce the fine on the basis of the principle of inability to pay.

APPLICABILITY OF THE METHODOLOGY

Once the guidelines are final, all DPAs will have to reflect this common approach, in accordance with the local administrative and judicial laws applicable to them. Although the EDPB provides this detailed methodology, it stresses that it is not automatic and should always be based on a human assessment of all relevant circumstances of the case.

The EDPB also provides an alternative method based on fines of a predetermined and fixed amount. Nevertheless, EDPB does not seem to push this option, limited to specific circumstances, and recommends that the amounts and circumstances are made public beforehand anyway.

These guidelines complement the previously adopted guidelines 2016/679, WP253, that focus on the circumstances in which to impose a fine.

PERSPECTIVES IN FRANCE

The French DPA (CNIL) published its 2021 activity report in May 2022, stressing it implemented a proportionate and dissuasive repressive response, with a total cumulated fine amount of EUR 214 106 000. Once adopted, the new EDPB methodology should give more visibility to the stakeholders on the calculation process and the potential mitigants.

In addition, for minor infringements, the CNIL may consider exploring the alternate option of fines of a predetermined and fixed amount for the new simplified sanction procedure that entered into force in April 2022 and already limits fines to EUR 20 000.