Germany's conference of federal and state data protection authorities, the Datenschutzkonferenz (DSK), has published a new model for calculating fines for GDPR violations. Under the framework, fines are derived from the turnover-based ceilings of Article 83 of the GDPR, and the model is expected to produce markedly higher fines than Germany has imposed so far.
Data Protection Report, which publishes legal insights, covered the new and expectedly heftier fine model and says:
“The largely linear calculation method, starting with turnover, leads to serious penalty risks, especially for undertakings and groups with high revenues.”
The DSK's framework is a five-step model. The first step assigns the company in violation to a classification group based on its total turnover in the prior year. The categories are very small, small, medium-sized and large, each with further sub-groups. The DSK notes that, because the GDPR addresses fines to an "undertaking," the size of the entire organisation, not that of the subsidiary at fault, determines the category.
In step two, the DSK determines the average annual turnover for the undertaking. Where turnover is below €500,000, a fixed notional annual turnover figure is used instead. For companies or groups with an annual turnover above €500 million, Article 83's maximum percentage fines are applied to the "actual annual worldwide turnover"; the percentage is either 2% or 4% depending on the type of GDPR violation. Step three is a "daily rate" determination: the prior year's average annual turnover is divided by 360 days.
Step four assesses how serious the infringement is, based on the type of GDPR violation and the corresponding maximum fine limits. German authorities will also use their discretion based on the perceived harm to the individuals affected by a breach or violation, but they cannot exceed the GDPR's maximum penalties. Severity is decided case by case: the infringement is first placed in one of two groups, then assigned one of four levels of gravity. As per Data Protection Report, the two groups are:
“A technical infringement (formeller Verstoß) of the GDPR, i.e. violation of the requirements listed in Article 83 (4) GDPR, such as missing or incomplete data processing or joint controllership agreement, violation of privacy by design and default, failure to appoint a data protection officer, etc.”
“A material infringement (materieller Verstoß) of the GDPR, i.e. violation of the requirements listed in Article 83 (5) GDPR such as violation of data subject rights, data transfer to countries outside the EEA whose data protection laws have not been deemed adequate, unlawful data processing, etc.”
The classification of the infringement's severity then yields a multiplier as follows. If the perceived gravity of the infringement is:
- minor, the multiplier range is
  - 1 to 2 for technical infringements,
  - 1 to 4 for material infringements;
- average, the multiplier range is
  - 2 to 4 for technical infringements,
  - 4 to 8 for material infringements;
- severe, the multiplier range is
  - 4 to 6 for technical infringements,
  - 8 to 12 for material infringements; and
- very severe, the multiplier is
  - 6 or more for technical infringements,
  - 12 or more for material infringements.
The result is the DSK's "regular fine corridor": the daily rate multiplied by the lower and upper multipliers of the severity level decided. The midpoint of that corridor becomes the basis for the fine calculation.
The DSK's last step classifies the specific infringement and applies any discretionary adjustments to the step-four figure, based on the nature of the offence and its impact on those affected. Data Protection Report says:
“In particular, this includes all circumstances referred to in Article 83 (2) GDPR (e.g. nature, extent and purpose of the unlawful processing, number of data subjects involved in the processing, extent of harm suffered by data subjects, etc.) as well as other circumstances, such as duration of the infringement or any threat of insolvency for the company.”
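The arithmetic of steps two to four is easy to get wrong at the edges (the 360-day year, the open-ended multipliers for "very severe" infringements, and the Article 83 ceiling that applies across the board), so here is a small calculator, added as an illustration and not published by the DSK or by Data Protection Report. It uses the multiplier ranges listed above. Assumptions not on this page: the Article 83 ceilings are taken as the higher of €10 million or 2% of worldwide turnover for technical infringements and €20 million or 4% for material ones, as the Regulation states; the undertaking's actual turnover is used in step two (the DSK's group-based figures are not reproduced here); the open-ended "6 or more" and "12 or more" ranges are treated as running up to that ceiling; and because the page does not give the fixed notional turnover for undertakings below €500,000, the calculator rejects such inputs rather than guessing.

```python
"""Steps 2-4 of the DSK fine model: daily rate, severity corridor, Article 83 ceiling.

Added illustration, not the DSK's own tool. Multipliers as reported; ceilings as in
Article 83(4)/(5) GDPR; turnover below EUR 500,000 rejected (fixed figure not on page).
"""
from dataclasses import dataclass

DAYS_PER_YEAR = 360  # step 3 divides by 360, not 365

# Step 4 multiplier ranges: (low, high); None marks the open-ended "6 or more" / "12 or more".
MULTIPLIERS = {
    "technical": {"minor": (1, 2), "average": (2, 4), "severe": (4, 6), "very severe": (6, None)},
    "material": {"minor": (1, 4), "average": (4, 8), "severe": (8, 12), "very severe": (12, None)},
}

# Article 83 ceilings (assumption from the Regulation, not from the page):
# technical -> Art. 83(4): EUR 10M or 2% of worldwide turnover, whichever is higher
# material  -> Art. 83(5): EUR 20M or 4% of worldwide turnover, whichever is higher
ART83_CEILINGS = {"technical": (10_000_000, 0.02), "material": (20_000_000, 0.04)}

MIN_TURNOVER = 500_000  # below this the DSK substitutes a fixed figure the page does not state


@dataclass
class Corridor:
    daily_rate: float
    low: float
    high: float
    ceiling: float
    ceiling_binding: bool  # True if the ceiling truncated the top of the corridor

    @property
    def midpoint(self) -> float:
        """Starting point for the step-5 adjustments."""
        return (self.low + self.high) / 2


def statutory_ceiling(turnover: float, kind: str) -> float:
    """Higher of the fixed amount and the turnover percentage for this infringement type."""
    fixed, pct = ART83_CEILINGS[kind]
    return max(fixed, pct * turnover)


def daily_rate(turnover: float) -> float:
    """Step 3: prior-year average annual turnover divided by 360."""
    return turnover / DAYS_PER_YEAR


def regular_corridor(turnover: float, kind: str, gravity: str) -> Corridor:
    """Steps 2-4: corridor = daily rate x multiplier range, clipped to the Article 83 ceiling."""
    if turnover < MIN_TURNOVER:
        raise ValueError("turnover below EUR 500,000: DSK fixed figure not reproduced here")
    if kind not in MULTIPLIERS or gravity not in MULTIPLIERS[kind]:
        raise ValueError(f"unknown infringement kind/gravity: {kind}/{gravity}")

    rate = daily_rate(turnover)
    low_mult, high_mult = MULTIPLIERS[kind][gravity]
    ceiling = statutory_ceiling(turnover, kind)

    low = min(rate * low_mult, ceiling)
    # Open-ended ranges have no upper multiplier; only the statutory ceiling bounds them.
    raw_high = None if high_mult is None else rate * high_mult
    binding = raw_high is None or raw_high > ceiling
    high = ceiling if binding else raw_high
    return Corridor(rate, low, high, ceiling, binding)


if __name__ == "__main__":
    # Constructed scenarios: a EUR 100M undertaking and a EUR 2B group.
    for turnover, kind, gravity in [
        (100_000_000, "material", "severe"),
        (2_000_000_000, "material", "very severe"),
        (2_000_000_000, "technical", "very severe"),
    ]:
        c = regular_corridor(turnover, kind, gravity)
        print(f"turnover {turnover:>13,.0f} {kind:9s} {gravity:11s} "
              f"corridor {c.low:>13,.0f} - {c.high:>13,.0f} "
              f"midpoint {c.midpoint:>13,.0f} ceiling {'binding' if c.ceiling_binding else 'not binding'}")
```

For a €100 million undertaking with a severe material infringement the corridor is roughly €2.2 million to €3.3 million (midpoint about €2.8 million), far below the €20 million ceiling; for a €2 billion group with a very severe material infringement the lower bound alone is about €66.7 million and the upper bound is the 4% ceiling of €80 million, which is the linear scaling with revenue that Data Protection Report is concerned about.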
The report says that Germany's data protection authorities have been clear about their intention to impose multimillion-euro GDPR fines. The DSK has presented its model to the European Data Protection Board's (EDPB) "Fining Taskforce," and regards the model as systematic and transparent.
Data Protection Report says the linear calculation based on revenue could be contested, particularly on whether the resulting fines are proportionate:
“While the model may be proportionate in relation to data-driven companies that generate a high profit from their revenues, we have substantial concerns as to whether it would be proportionate for companies generating a low profit ratio relative to their turnover, or where the data processing in question only plays a minor role in the business of the company in question. In addition, the model does not seem to take into account different business models. It remains to be seen whether the final calculation in Step 5 could be a corrective step.”
The publication expects Germany's new GDPR fine framework to be challenged in the courts, especially by global corporations, which are likely to escalate fines all the way to the Court of Justice of the European Union.
In January 2019, Google was hit with a record €50 million fine by the French data protection regulator, the CNIL. GDPR also bared its teeth in July 2019 when the UK Information Commissioner's Office (ICO) announced its intention to fine British Airways and Marriott Hotels: potentially £183.4 million for BA and £99 million for Marriott.