In short: On 16 October 2019, the German data protection supervisory authorities published their new model for calculating fines in reaction to breaches of the General Data Protection Regulation (GDPR). The joint committee of all data protection authorities of the federal states of Germany, the Data Protection Conference (DSK), has developed a concept to make the imposition of fines more uniform and comprehensible. Last week, the authorities released the English translation of the concept.
In the past, German authorities have been reluctant to impose fines for breaches of data protection laws, largely adhering to the principle "cooperation before punishment". The authorities' intention was to instruct companies to follow the provisions of the GDPR and to introduce processes that are compliant with the law on their own initiative, instead of simply reacting to the risk of being fined. Other EU countries have already made extensive use of the possible fines. In 2019, the British data protection authority ICO imposed fines as high as EUR 200 million on British Airways and EUR 100 million on the Marriott hotel group. Even before that, the French supervisory authority fined Google EUR 50 million. The new fine model will bring German practice into line with that in France and Great Britain and will therefore lead to significantly higher fines. Announcements from Berlin concerning the fines on Delivery Hero (of approx. EUR 200,000.00) as well as on Deutsche Wohnen amounting to EUR 14.5 million should only mark the beginning of this new development.
The new concept is supposed to provide the data protection supervisory authorities with a uniform method that allows for a systematic, transparent and comprehensible calculation of fines. The resulting higher fines are meant to have a deterrent effect and to ensure that data protection laws are observed. From now on, the new calculation basis will be binding for all German data protection supervisory authorities. Nevertheless, the model is not binding for the European courts or authorities. Yet, it is possible that the German model will establish itself, at least in part, as a standard even at the European level. This is because the European Data Protection Board (EDPB) has yet to determine a standard calculation model or to introduce a calculation model of its own. The German Data Protection Conference has already announced that such a European model would replace the current German concept once it enters into force.
The new calculation model is essentially based on the provisions of Art. 83 GDPR and is divided into five steps:
The new calculation model has already been tested by individual authorities, and its consistent application throughout Germany will become more frequent in the coming months. Legal uncertainties may arise from the considerable margin of discretion that is granted to the authorities in assessing the circumstances of each individual case. For example, the level of severity assigned to a particular violation is still subject to the authority's judgement.
However, the more transparent calculation model may also have advantages for companies: their risk managers and data protection officers can now anticipate the amount of a potential fine much more precisely, although an exact calculation is not possible.
The GDPR generally does not provide for any reduction if a company has committed several violations. As a result, the supervisory authorities intend to assess each breach individually and to determine the final amount based on the combined value of the fines. This might initially suggest that fines will be exceedingly high. Nevertheless, there is also the possibility that the final amount calculated might be lower than the sum of all fines added together, since individual circumstances can be considered.
The rule "better safe than sorry" is truer than ever. Companies should seize the opportunity to critically assess how they organize their data protection. The most effective way of avoiding millions of euros in fines is to have a well thought-out data protection system based on the requirements specified by the GDPR.
But even if an investigation into a data protection incident or data breach is already underway and the imposition of a fine is looming, there are still ways to reduce it. In particular, comprehensive and transparent cooperation and communication with the supervisory authorities should have a mitigating effect on the amount of the fine. If the determination of the fine according to the model leads to considerable financial disadvantages, e.g. if the fine based on annual turnover is out of proportion to the company's profit, companies may take legal action against a fine. Since the model is not legally binding for the courts, they can determine the amount of the fine during the proceedings themselves and, if necessary, adjust the amount according to the circumstances.
Companies should also monitor the implementation of the new calculation concept at German level and the developments concerning a coordinated model at European level, so that they can adjust their risk management accordingly.
Ann Cathrin Müller