New guidelines for calculating GDPR fines in the EU for data privacy violations
As the fines for data privacy violations mount, some clarity into how they are levied is being introduced. Enforceable since 2018, the European Union’s General Data Protection Regulation (GDPR) covers data protection and privacy in the European Economic Area and data leaving the EU and EEA. To enforce it, there are two sets of penalties depending on the severity of the offense. The European Data Protection Board (EDPB), which governs and enforces GDPR in the EEA, has published its recommended methodology for calculating fines, which are based on the offender’s turnover.
The total for fines already issued is running into the billions of euros, with the largest penalties meted out to large tech firms such as WhatsApp (€225 million, approximately $237.6 million), multiple fines for Amazon, the largest being €746 million, and Google’s multiple fines of €60, €50, €40 and €7 million. British Airways was fined £183 million in the UK. The regulation has also been applied to natural persons, such as a €3,000 fine for a Spanish landlord over video surveillance in an apartment building. A Swedish school was fined €20,000 for using facial recognition surveillance and associated biometric processing.
Adopted on 12 May 2022, the snappily-titled ‘Guidelines 04/2022 on the calculation of administrative fines under the GDPR’, open for public consultation until 27 June 2022, sets out a five-step methodology for calculating fines with the aim of harmonizing the approach of supervisory authorities where GDPR is enforced.
Step 1: identifying the data processing operations that took place in the case and the applicability of Article 83(3) GDPR (which empowers each supervisory authority to impose fines).
Step 2: the starting point for calculation, achieved by classifying the infringement, evaluating the seriousness of the infringement and turnover.
Step 3: evaluating any aggravating and mitigating circumstances for both past and present behavior to increase or decrease the fine.
Step 4: evaluating the legal maximums for the case.
Step 5: analyzing whether the calculated amount meets the requirements of effectiveness, dissuasiveness and proportionality. At this stage the fine can be increased as long as it does not exceed the legal maximums.
The guidelines include a biometrics example for weighing aggravating and mitigating circumstances, with figures that illustrate the starting point for the fine calculation:
“A sports club used cameras with facial recognition technology at the entrance of one of their locations for the purpose of identifying their clients upon entry. As the sports club did so in contravention of Article 9 GDPR (processing of biometric data without a valid exception), the supervisory authority competent to investigate the infringement decided to impose a fine. Taking into account all the relevant circumstances of the case, the supervisory authority considered this an infringement with a high level of seriousness, and since the sports club had an annual turnover of €150 million, a starting amount of €2,000,000 (at the very top of the category) was considered appropriate.
“However, the same sports club was fined two years earlier for using fingerprint technology at the turnstiles in another location. The supervisory authority decided to take this into account as a repeat offence (Article 83(2)(e) GDPR). In doing so, it attributed weight to the fact that this concerned nearly the same subject matter and the infringement was committed only two years prior. Because of this aggravating factor, the supervisory authority decided to increase the fine in this particular case to €2,600,000, not exceeding the applicable legal maximum of €20 million.”
The EDPB will constantly review its guidance, along with other areas of regulation such as AI.