Whenever developments around the EU General Data Protection Regulation (GDPR) made the news during the last couple of years, the introduction of high fines for violations caught much attention. Where previous drafts of the GDPR mentioned fines of up to 10% of a company's annual turnover, the most recent – and probably final – text provides for slightly different figures, which are nonetheless substantial. Some EU Member States already anticipate the expected higher fine levels: the Netherlands has introduced (as of 1 January 2016) administrative fines of up to € 820,000 or 10% of a company's annual turnover.
Fines and penalties in the GDPR
The GDPR grants data subjects various rights to legal remedies against data controllers and processors, as does the current Data Protection Directive. More interesting, though, are the new provisions regarding fines and penalties which may be imposed by supervisory authorities (Section 79 of the 15 December draft of the GDPR). The violation of a substantial number of provisions of the GDPR is made subject to a fine of up to € 10 million or 2% of a company's annual turnover (Section 79(3)). These include, for instance:
- violation of the provisions regarding data security obligations and privacy-by-default measures that need to be taken to protect data from unauthorised access;
- violation of the PIA (privacy impact assessment) requirement;
- violation of the requirement to conclude a processing agreement with data processors that are engaged; and
- violation of the requirement to keep a record of the processing activities carried out.
Violations of core provisions may result in a fine of up to € 20 million or 4% of a company's annual turnover (Section 79(3)(a)). These include, for instance:
- violation of the basic principles for processing personal data;
- violation of provisions regarding a data subject's rights – including the "right to be forgotten", the rights of access and erasure and the right to receive information regarding the processing of personal data; and
- violation of the provisions regarding the transfer of personal data to third countries.
Some matters left for national law
According to Section 79b, Member States must lay down their own rules on penalties applicable to violations for which no administrative fines are mentioned in the GDPR. This means that the GDPR is not exhaustive when it comes to the penalties that may be imposed by supervisory authorities. A basic requirement set by the GDPR is that a fine must be applied taking into account the nature, gravity and duration of the violation at hand, its consequences, and the measures taken to ensure compliance and to prevent or mitigate the consequences of the violation. A fine may not always be the appropriate penalty. The newly added recital 118b confirms this by stating: "In a case of a minor infringement or if the fine likely to be imposed would constitute a disproportionate burden to a natural person, a reprimand may be issued instead of a fine." It will ultimately be up to the local authorities to determine whether a penalty can be imposed and, if so, what kind of penalty this should be – a fine or some other penalty.
Furthermore, recital 119 provides that Member States may lay down rules on criminal sanctions for infringements of the GDPR, provided that one particular violation of the GDPR cannot be subject to both criminal law and administrative law enforcement, since that would violate the basic legal principle of ne bis in idem.
Administrative fines in the Netherlands
The Dutch legislator, by substantially increasing the administrative fine levels as of 1 January 2016, fulfilled the Dutch Data Protection Authority's long-cherished desire for more 'teeth' to bite with. As a result, the DPA can now impose administrative fines of up to € 820,000 or 10% of a company's annual turnover for a substantially extended number of violations of the Data Protection Act. In its 2016 policy guidelines, the DPA explains how and for which types of violations it intends to impose fines. Only in the case of wilful intent or gross negligence may the DPA impose a fine directly, without having to issue a so-called binding instruction first (allowing the violation to be remedied within a certain period of time). This approach seems to be in line with the GDPR's call for proportionality, as discussed above. Interestingly, a violation of the data controller's obligation to ensure that it has a written data processing agreement in place with any data processor it engages is not made subject to an administrative fine. Under the GDPR, however, violation of this processing agreement requirement will be fineable under Section 79(3)(a).