Sanctions and offences
Data controllers face the following forms of enforcement risk under the Regulation:
- administrative fines of up to 4% of annual worldwide turnover or £20m, whichever is the greater
- public warnings and reprimands issued by supervisory authorities
- supervisory authority orders (for information/remedial action/rectification of data/suspension of processing and/or transfers of data outside of Europe)
- supervisory authority audit rights (access to personnel/documents/premises)
- private rights of action for affected individuals
The current EU data protection enforcement regime varies from country to country as a result of the differences in local implementing legislation. The various supervisory authorities have the power to issue fines with the maximum level tending to be in the several hundred thousand Euro region (UK - £500,000; Germany - €300,000; France - €300,000; Spain - €600,000). In addition, individuals tend to have rights to claim compensation and supervisory authorities have investigatory powers as well as the power to require certain action to be taken or stopped.
Changes in detail
The maximum fine that may be levied by a supervisory authority under the Regulation (Article 79) is the greater of €20m or 4% of annual worldwide turnover. The supervisory authorities are directed to make the sanction applied in each case “effective, proportionate and dissuasive” but that does not necessarily mean that a fine must be issued as supervisory authorities are also given the option of issuing a warning (or reprimand) or conducting regular, periodic data protection audits.
There are two tiers of fine applying in different scenarios:
|Greater of €10m or 2% of annual worldwide turnover
||Great of €20m of 4% of annual worldwide turnover
- Article 8: consent for processing data relating to a child
- Article 10: processing not requiring identification
- Article 23: data protection by design/default
- Article 24: joint data controllers
- Article 25: representative for a non-EU controller
- Articles 26/27: data processors
- Article 28: records of processing activities
- Article 29: co-operation with the supervisory authority
- Articles 30-32: data security
- Articles 33/31: impact assessments and high risk processing
- Articles 35-37: data protection officers
- Article 39: certification
- Article 5: the data protection principles
- Article 6: legal basis for processing personal data
- Article 7: conditions for consent
- Article 9: legal basis for processing personal data
- Articles 12-20: data subjects’ rights
- Articles 40-44: transfers of data outside the EU
- Non-compliance with supervisory authority and orders
In setting the sanction to be applied, the supervisory authority must take into account:
- the nature, gravity and duration of the breach
- whether the breach was intentional or resulted from negligence
- previous breaches
- any repetition of the same breach
- co-operation with the supervisory authority
- the nature of the data in question
- the harm or damage suffered by affected individuals
- mitigating action taken
- financial benefit derived from the breach
- technical and organisational measures taken to achieve compliance with the Regulation (e.g. impact assessments/appointment of a Data Protection Officer)
In addition to the power to apply sanctions as described above, supervisory authorities are also given the power (under Article 53) to:
- order the remediation of a breach/compliance with individuals’ rights under the Regulation
- order the organisation to provide relevant information
- require the rectification/erasure/destruction of data
- impose a temporary or permanent ban on data processing
- suspend data flows outside Europe
- audit organisations
Individuals are also given direct rights under the Regulation (Articles 75 and 77) and have the right to obtain a “judicial remedy” in respect of infringement of their rights under the Regulation. This would seem likely to be a court order requiring action to be taken or stopped rather than damages as compensation is dealt with separately.
In relation to financial compensation, individuals will have the right to claim for “material or immaterial damage” which results from a breach of the Regulation. It is not clear why both “material” and “immaterial” damage are specifically called out if both are recoverable and it is also interesting that the Regulation does not (as previous drafts did refer to non-pecuniary damage.
Where there is more than one controller or processor involved in the processing, they will each have joint and several liability for the full amount of the damage unless:
- they are joint controllers and they have entered into a written agreement apportioning responsibility, or
- they are not responsible for the event giving rise to the damage (and this exemption can apply in whole or in part)
One of the major headlines surrounding the implementation of the Regulation has been the level at which the maximum amount has been set. The potential fines are a significant move up from current levels albeit slightly reduced from the levels sought by the European Parliament. As a result, data protection compliance becomes a Board level issue if it is not already.
The two tiers of fines is, in places odd and sometimes confusing for example, it is strange that compliance with the data security obligations (Articles 30-32) sits in the lower tier whilst compliance with the rules on transfers of data outside the EU sits in the upper tier. Data security breaches are of primary concern to individuals, represents the greatest area of threat for individuals and have been the primary focus for significant enforcement by data protection authorities. By contrast, the transfer of data outside the EU does not attract the same level of concern or regulatory focus. It is also not clear why Article 22 (requirement to adopt appropriate measures (policies to ensure compliance) has not been listed in either tier.
The tiering also introduces ambiguity in that breaches could fall into different categories. Where this happens the higher level of fine will apply. However, in relation to data security breaches (subject to lower tier fines) would also be a breach of the data security principle (Article 5 – subject to upper tier fines) it is not clear when the lower level of fine would apply to a data security breach.
The other powers given to supervisory authorities are, in the main, reflective of powers that supervisory authorities tend to already have under the current regime. However, the ability to order the suspension on a temporary or permanent basis of data processing or even just data flows outside Europe will be new in a number of EU countries and could present a major business risk depending on the data processing in question.
Similarly, the right for individuals to obtain court orders to enforce their rights and the right to obtain compensation are not new. The new element in the Regulation is that parties involved in the data processing will be jointly and severally liable. This includes both data controllers and data processors and, in the case of processors, that exposes them to a potential liability that would not be a consideration under the current data protection regime. Some comfort is given to organisations in that the Regulation states that they will be exempted from liability, in whole or in part, if they prove that they are not responsible for the event giving rise to the damage.
This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.