A draft set of EDPB guidelines on the calculation of administrative fines under the GDPR is likely to lead to some further consistency among supervisory authorities on how fines are calculated – however, if adopted, the guidance leaves clear room for the current divergent approaches to continue.
On 12 May 2022, the European Data Protection Board (EDPB) adopted the draft Guidelines on the calculation of administrative fines under the GDPR (“the Guidelines”). The Guidelines follow the previously adopted Guidelines on the application and setting of administrative fines for the purpose of the Regulation 2016/679 (WP253), which focus on the circumstances in which to impose a fine. The EDPB have stated that the aim of these recent Guidelines is to “harmonise the methodology supervisory authorities use when calculating of the amount of the fine” and ensure consistent application of enforcement of the GDPR.
Under the GDPR, the calculation of the amount of the fine is at the discretion of each supervisory authority. The EDPB has set out a five step approach for supervisory authorities to follow when calculating a fine, although has emphasised that it is not necessary to follow all steps if they are not applicable in a given case.
- Step 1 – identifying the processing operations. This involves first establishing:
- whether or not the circumstances are to be considered as one or multiple sanctionable conducts. The EDPB emphasises that it is important to consider this on a case-by-case basis and gives an example of “the same or linked processing operations” potentially constituting one and the same conduct.
- in case of one conduct, whether or not this conduct gives rise to one or more infringements and, if so, whether the attribution of one infringement precludes the attribution of another infringement or whether they are to be attributed alongside each other.
Under Article 83(3) GDPR, the total amount of the administrative fine must not exceed the amount specified for the gravest infringement. However, the Guidance makes clear that where several provisions of the GDPR have been infringed, these infringements have to be taken into account when assessing the amount of the final fine that is to be imposed – “Article 83(3) GDPR must not be interpreted in a manner where it would not matter if an offender committed one or numerous infringements of the GDPR when assessing the fine”.
- Step 2 – finding the starting point for further calculation based on:
- an evaluation of the classification in Article 83(4)–(6) GDPR – i.e. whether the infringement is punishable by a fine maximum of €10 million or 2% of the undertaking’s annual turnover, whichever is higher; or is punishable by a fine maximum of €20 million or 4% of the undertaking’s annual turnover, whichever is higher;
- the seriousness of the infringement. The GDPR requires the supervisory authority to give due regard to:
- the nature of the infringement;
- the gravity of the infringement, taking into account the nature, scope or purpose of the processing concerned, as well as the number of data subjects affected and the level of damage suffered by them, the intentional or negligent character of the infringement and the categories of personal data affected by the infringement; and
- the duration of the infringement – a supervisory authority may generally attribute more weight to an infringement with longer duration.
Based on the evaluation of the factors outlined above, the Guidelines state that the supervisory authority may find the infringement to be :
- of a low level of seriousness -the starting amount for further calculation at a point between 0 and 10% of the applicable legal maximum;
- of a medium level of seriousness – the starting amount for further calculation at a point between 10 and 20% of the applicable legal maximum; or
- high level of seriousness – the supervisory authority will determine the starting amount for further calculation at a point between 20 and 100% of the applicable legal maximum.
The Guidelines conclude that as a general rule, the more severe the infringement within its own category, the higher the starting amount is likely to be. The ranges within which the starting amount is determined remains under review by the EDPB.
- the turnover of the undertaking as one relevant element to take into consideration with a view to imposing an effective, dissuasive and proportionate fine. The Guidelines state that a supervisory authority may consider adjusting the starting amount corresponding to the seriousness of the infringement depending on the turnover of the undertaking. For example, the Guidelines state that for undertakings with an annual turnover of ≤ €2m, supervisory authorities may consider to proceed calculations on the basis of a sum down to 0.2% of the identified starting amount. This is in contrast to undertakings with an annual turnover of €250m or above, where the Guidelines suggest that supervisory authorities may consider to proceed calculations on the basis of a sum down to 50% of the identified starting amount.
- Step 3 – evaluating aggravating and mitigating circumstances (using the criterion set out in Article 83(2) GDPR) –related to past or present behaviour of the controller/processor and increasing or decreasing the fine accordingly. The Guidelines give an example of a repeat offence with the same subject matter, committed only two years prior, as aggravating factors; and an organisation taking proactive measures to reduce the harm to data subjects as an example of a mitigating factor.
- Step 4 – identifying the relevant legal maximums for the different processing operations. The GDPR does not provide fixed sums for specific infringements – instead the amounts set out in Article 83(4)–(6) GDPR constitute the legal maximum and prohibit the supervisory authorities from imposing fines that exceed these maximum amounts. Increases applied in previous or next steps cannot exceed this amount. However, the Guidelines clarify that in certain circumstances predetermined fixed amounts can be established at the discretion of the supervisory authority, taking into account – above others – the social and economic circumstances of the particular Member State, in relation to the seriousness of the infringement as construed by Article 83(2)(a), (b) and (g) GDPR.
The Guidelines confirm that where the controller or processor is part of an undertaking in the sense of Articles 101 and 102 TFEU, the combined turnover of such undertaking as a whole can be used to determine the upper limit of the fine. In addition, the supervisory authority has the option to hold the parent company jointly and severally liable. For the payment of the fine, the total worldwide annual turnover of the preceding financial year is to be used when calculating the fine – the relevant event for deciding what the term “preceding” relates to being the fining decision issued by the supervisory authority and not the time of infringement nor the court decision.
- Step 5 – analysing whether the final amount of the calculated fine meets the requirements of effectiveness, dissuasiveness and proportionality, or whether further adjustments to the amount are required.
The Guidelines conclude that a supervisory authority may consider to further reduce a fine on the basis of the principle of inability to pay. This has been an important consideration during the Covid-19 pandemic – supervisory authorities, notably the ICO in the UK, have justified considerable downward adjustments due to the economic consequences of the pandemic. The Guidelines confirm a high bar for reducing a fine due to inability to pay, stating that “there has to be objective evidence that the imposition of the fine would irretrievably jeopardise the economic viability of the undertaking concerned” and that the risks need to be analysed in a “specific social and economic context”.
The Guidelines consistently emphasise that the calculation of a fine is “no mere mathematical exercise” and that a case-by-case analysis is required to calculate the final amount. There’s clearly still room for differences in fining approaches by supervisory authorities – particularly given the different approaches taken by supervisory authorities to date when attributing importance to the various factors set out above. However, the EDPB Guidelines are likely to lead to a more consistent approach in relation to the “starting points” for the calculation of a fine and will assist supervisory authorities on cross-border cases.
The Guidelines will open for consultation until 27 June 2022 and a final version of the Guidelines is expected to be officially adopted by the end of 2022.
Please get in touch with your usual DLA Piper contact if you have any questions.