EDPB issues Guidelines on GDPR fines


The European Data Protection Board (the "EDPB") announced its adoption of Guidelines 04/2022 on the calculation of fines under the GDPR (the "Guidelines"). While the Guidelines provide some clarity to businesses on the methodology data protection authorities ("DPAs") may use in calculating fines, it remains to be seen how the Guidelines will be applied in practice, and whether they will lead to more consistent GDPR fines.

The Guidelines' stated aim is to "harmonise the methodology" used by DPAs to calculate fines, and to provide consistent "starting points" for the imposition of fines under Article 83 GDPR. The Guidelines are intended to be complementary to the old Article 29 Working Party Guidelines in WP253, which focus on the circumstances in which fines can be imposed.

The calculation of fines is largely at the discretion of the DPAs, which has led to materially different approaches from one EU Member State to the next. Article 83(1) GDPR requires that fines must be "effective, proportionate and dissuasive", but these criteria are open to interpretation, and Article 84(1) GDPR allows EU Member States to set their own rules on this issue. As a result, the Guidelines do not enable businesses to make a precise mathematical calculation of the expected fine.

Five-Step Methodology

The Guidelines set out the following five-step methodology that DPAs should use when calculating fines:

  1. Identify the relevant sanctionable conduct and infringement(s). The first issue is to identify the relevant processing activity(ies). If there are multiple sanctionable processing activities, or infringements of multiple provisions of the GDPR, this may affect whether the relevant DPA issues a single fine or multiple fines.
  2. Assess the starting point of the fine. This is based on an assessment of:

    • The type(s) of infringement(s) (i.e., whether they fall into the lower or upper maximum limits under Article 83(4)-(6) GDPR);
    • The seriousness of each infringement (by analysing the nature, gravity and duration of the infringement) – the Guidelines propose that seriousness should be categorised as "low", "medium", or "high", based on the facts; and
    • The turnover of the "undertaking" (this is an EU competition law term that refers to the relevant economic unit, without reference to corporate structure).

    Controversially, the Guidelines state that the EDPB "considers that it is fair" for a DPA to apply discounted fines as a starting point for smaller businesses, but provide no such discounts for businesses whose turnover exceeds €500 million. There is a risk that this effectively becomes a penalty for success, with large businesses facing disproportionately higher fines simply because they are large. It appears that the EDPB has based this approach on its interpretation of EU competition law, as the GDPR itself does not provide any explicit justification for this approach.

  3. Evaluate the remaining aggravating and mitigating factors. This requires a review of the factors listed in Article 83(2) GDPR (to the extent not already considered in Step 2 above). Each factor, whether considered in this step or the previous one, should only be taken into account once as part of the overall assessment. Relevant factors may include the adoption of appropriate measures to mitigate the damage suffered by data subjects (put in place before the commencement of the DPA's investigation into the undertaking), the degree of responsibility of the controller or processor, previous infringements and the means by which the DPA became aware of the infringement (in particular, whether they were notified by the controller or processor).
  4. Identify the relevant legal maximum fines for the infringement(s). Increases to the fine(s) applied in the previous or next steps cannot exceed the maximum amounts specified in the GDPR. Under Article 83(3) GDPR, fines for "the same or linked processing operations" are capped at the amount of the fine that applies to the gravest infringement. The Guidelines state that "[a] sufficient link should not be assumed easily", though there does not appear to be any basis in the GDPR for this presumption.
  5. Assess the requirements of effectiveness, dissuasiveness and proportionality. The GDPR requires the DPA to impose fines that are effective, dissuasive and proportionate. Effectiveness requires that the fine achieves the DPA's objectives in imposing the fine. Proportionality requires the DPA to consider a range of factors (noting that a fine can only be reduced due to an inability to pay in exceptional circumstances). Dissuasiveness requires the DPA to ensure that any fine provides an effective deterrent.

The Guidelines also now include an annex (which was not included in the initial version) with tables summarising the methodology described above, particularly in relation to Step 2, as well as providing worked examples for illustrative purposes of the process DPAs may go through when calculating administrative fines.

Importantly, the Guidelines note that DPAs are not obliged to follow all of the above steps if they are not applicable to the specific case and, in any event, that these steps simply amount to a general method for the calculation of fines, and by no means provide for a form of "automatic or arithmetical calculation". This leaves DPAs with broad scope to depart from the Guidelines, potentially undermining the stated aim of ensuring harmonisation on this issue.

Impact on businesses / Next steps

While the Guidelines offer no method to predict fines accurately, they do at least enable businesses to understand the principles that DPAs are likely to follow when calculating such fines. The Guidelines also emphasise the importance for businesses of cooperation with DPAs and taking appropriate mitigation measures in order to reduce the likelihood of a high fine, to the extent possible. It remains to be seen how DPAs will apply this methodology in practice and whether these Guidelines will actually result in greater consistency in the fines issued by DPAs.

Tom Bent, an Associate, and Elizabeth Hanson, a Trainee Solicitor, at White & Case, London, assisted in the development of this publication.

© 2023 White & Case LLP