GDPR Fines: Ramping up and DPAs Setting standards
European Supervisory Authorities imposed more than €158m in fines under the General Data Protection Regulation (GDPR) during 2020; close to a 40% increase on the previous 20-month period. This brings the total amount of fines to more than €272m in the period from May 2018 to end 2020.
Increase in fines issued by the Irish Data Protection Commission (the DPC)
Supervisory Authorities, such as the DPC, can issue maximum fines under the GDPR of the greater of €20m or 4% of total global turnover for severe breaches and €10m or 2% of global turnover for less severe breaches. Under the Data Protection Act 2018, public sector bodies can be fined up to a maximum of €1 million.
Ireland's DPC has now issued a total of €715,000 in GDPR fines since May 2018, ranking 14th in Europe in terms of highest monetary value. Initial GDPR fines, ranging from €40,000-€75,000, were issued by the DPC to semi-state bodies.
At the end of last year, the DPC announced its first cross-border fine when it fined Twitter €450,000 under the GDPR for a breach that was discovered by the company in 2018 but notified to the DPC in 2019. The level of fine imposed on Twitter was regarded by the DPC to be an "effective, proportionate and dissuasive" measure, taking into account all the circumstances of the case.
The Twitter case had a number of 'firsts'. It was the first matter to be decided under GDPR's Article 65 'Dispute Resolution' process since the introduction of the legislation and also the first where all Supervisory Authorities were considered Concerned Supervisory Authorities (CSA).
GDPR Dispute Resolution Mechanism
Article 65 GDPR sets down a procedure through which Supervisory Authorities can raise 'relevant and reasoned' objections within four weeks of the draft decision being submitted by the relevant Lead Supervisory Authority in a case. Following its issuance, a number of CSAs expressed objections to the DPC's Draft Decision in the Twitter case, including that the DPC should have considered additional GDPR provisions as part of its inquiry and that it should impose both a reprimand and a higher administrative fine than that proposed in the DPC's Draft Decision of between €135,000-€275,000. The DPC considered the objections raised but, despite seeking a consensus with the CSAs, was unable to follow the objections in an amended Draft Decision. On this basis, the DPC referred the matter to the European Data Protection Board (EDPB) for determination pursuant to the GDPR dispute resolution mechanism.
The EDPB's binding decision, published in November 2020, enumerates the CSAs' objections and sets out its assessment of those of the objections classified as sufficiently 'relevant and reasoned'; being the applicable GDPR threshold. Notably, the EDPB, in concluding that CSA objections to the level of the fine had merit and that the fine must be 'effective, dissuasive and proportionate', referred the matter back to the DPC for reconsideration which ultimately resulted in the DPC imposing an increased fine of €450,000 on Twitter.
The DPC's Annual Report 2020 showed that there are many ongoing investigations into data protection breaches concerning companies whose EU headquarters are currently in Ireland. It is believed that the DPC will issue decisions on these investigations in the course of this year, with further large fines expected in the near term.
Other EU Supervisory Authorities issue large fines in 2020
- But the DPC is not the only Supervisory Authority in the EU to issue fines under GDPR. Other significant fines issued by Supervisory Authorities include:
- Google – the CNIL (French DPA) issued a €50m fine for allegedly breaking EU privacy laws.
- H&M – the German DPA issued a fine of €35m, the second highest to date, for storing and exposing data on staff health and religious beliefs.
- Telecom Italia – the Italian DPA issued a €27.8m fine for a series of infractions and violations that had accumulated over the last several years.
- British Airways – ICO (the UK DPA) issued a £26m fine for a breach which took place in 2018. This is considerably less than the £238m fine that was originally issued.
- Marriot Hotels – the ICO issue a €20.4m fine which was also reduced from the £123m fine that was originally issued when 383 million guests' (including 30 million EU residents) records were exposed after the hotel chain’s guest reservation database was compromised.
- Notebooksbilliger.de – the German DPA issued a €10.4m fine for penalties relating to how NBB used CCTV cameras to monitor its employees and customers.
Throughout 2020, EU Supervisory Authorities have arguably adjusted or brought into focus, the expected GDPR compliance benchmark and the risks of non-compliance. Businesses now have greater insight into, and detail about, the amount of potential financial penalties for failing to comply with the GDPR. A core purpose of the GDPR and its enforcement regime is to drive organisational change. The increase in GDPR fines issued in 2020 reflects EU Supervisory Authorities pursuit of this objective and highlights key GDPR issues such as data minimisation, security, and transparency.
Article provided by: Leo Moore (William Fry, Ireland)
Dr. Tobias Höllwarth (Managing Director INPLP)