Are the GDPR rules effective in being an actual deterrent with regard to data abuse? What sanctions are available to data protection authorities according to the GDPR? Do they often impose sanctions? What remedies exist for data controllers to successfully combat those fines? What costs are involved in such litigations and who bears the expenses? How likely are the chances for a successful outcome for each of the respective parties?
In her Duet interview with Prof. Dr Joachim Schrey, an authority on data protection, Dr Caldarola, herself a noted legal expert on the various ramifications involved in data processing, discusses the various options available to both data protection authorities and data controllers in a dispute involving data abuse.
The GDPR came into force in May 2018 as the first harmonized data protection law for Europe. One of the main goals was to substantially increase sanctions for data abuse. Prior to the new data regulation, the fines amounted to around €300,000, with the result that data protection activities in companies were “kept on the backburner” and fines were paid out of the “petty cash”. According to GDPR, what sanctions are now available to data protection authorities?
Prof. Dr Joachim Schrey: GDPR sanctions not only cover cases of personal data abuse, but also other offences against GDPR. Art. 83 of the regulation provides for two groups of offences against GDPR: (1) Pursuant to Art. 83 (4) GDPR [1], data protection authorities may impose administrative fines on controllers or processors who have not complied with the formal requirements set out in the GDPR, such as the conditions regarding a child's consent (Art. 8), rules concerning processing of personal data not requiring identification (Art. 11), the requirement for privacy by design or privacy by default (Art. 25), the notification requirements (Art. 33 and 34) or the obligation to appoint a data protection officer (Art. 37). These infringements can be penalized by imposing administrative fines up to €10m., or in the case of a company, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. The prevailing interpretation of the term ‘company’ in line with recital 150 of the regulation is that not only the turnover of the infringing legal entity shall apply, but the turnover of the ‘undertaking’ in accordance with Articles 101 and 102 TFEU, which means the group of affiliated companies of which the infringing company is a part. (2) Infringements listed in Art. 83 (5) instead refer to the abuse of personal data or cases where the data subject’s rights under GDPR have been disregarded, e.g. basic principles for processing, including conditions for consent (Art. 5, 6, 7 and 9), or the data subject’s rights to information, erasure, correction, data portability, restriction of processing or the right to object against processing based on weighing of interests (Art. 12 to 22). These infringements can be penalized by imposing administrative fines up to €20m., or in the case of an enterprise, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Do data protection authorities make use of those sanctions? The enforcement tracker of CMS [2] gives an overview of the number and amount of fines assessed as well as of the different activities of national data protection authorities. Does this picture motivate data controllers to manage their data accurately and invest in data protection and data security?
From the list of cases compiled by CMS in their enforcement tracker, it is clear in each case that, unlike traffic offences, the authorities did not penalize every minor infringement immediately by imposing a fine.
Rather, they tend to focus on the massive infringements, with, at least as far as the German authorities go, some of them still getting a handle on the larger fines.
However, it can be seen that the possibilities offered by the GDPR's fines catalogue are increasingly being exploited.
For companies, however, the level of the fine is not the only and often not the most important aspect: The negative press, the damage to the image of the company vis-à-vis potential customers or investors and, last but not least, the compliance deficit that can be brought to light by a fine, which can lead, for example, to critical enquiries from financing banks, are risks that are often perceived by companies as much more threatening than the mere fine. In practice, these consequential risks are much more likely to lead to increased efforts in data protection; seen from this point of view, the system of sanctions of the GDPR thus indirectly achieves a much stronger effect.
Which remedies do data controllers have for sanctions levied by data protection authorities? Are data controllers exposed to fines from different national data protection authorities, for example, if the data abuse occurs in multiple European countries or within various subsidiaries of a company group?
The GDPR refers to national law with regard to the enforcement of fines. In Germany, this is the Act on Administrative Offences (Gesetz über Ordnungswidrigkeiten, "OWiG").
If a data protection supervisory authority imposes an administrative fine notice, the controller has the right to appeal against it. Pursuant to § 68 of the OWiG, the appeal is decided by the local court (Amtsgericht) in whose district the data protection authority in question is located. Any decision of the local court can naturally be appealed again pursuant to § 79 of the OWiG.
An individual controller is subject to the national data protection supervisory authority in whose district the controller in question has either his main establishment or a single establishment; indeed, the said data protection authority even functions as a lead supervisory authority, even in the case of cross-border processing carried out by that controller or processor (Art. 56). The lead supervisory authority must then coordinate its activities with other supervisory authorities which might also be involved due to the data subject affected who could potentially live in the district of another authority in accordance with the procedures set forth in Art. 60 and beyond of the regulation.
Can you give an overview of the legal instances for such a dispute and the cost involved for each party for the entire litigation?
If a data protection supervisory authority imposes an administrative fine notice, the controller has the right to appeal against it.
Pursuant to § 68 of the OWiG, the appeal is decided by the local court (Amtsgericht) in whose district the data protection supervisory authority in question is located. Of course, the decision of the local court can be appealed again pursuant to § 79 of the OWiG.
The court fees as well as the lawyers’ fees depend on the amount of the administrative fine imposed and the status of the court proceeding. Pursuant to the German Act on Lawyers’ Fees (Rechtsanwaltsvergütungsgesetz, “RVG”), however, the lawyers’ fees tend to be very minor (in general less than €1,000 net) so that it can be assumed that a lawyer representing a controller on whom a very high administrative fine of several million Euros was imposed will only work on a time fee basis. The hourly rates of business law firms most presumably engaged for such cases range between €250 and €500, depending on the seniority of the lawyers acting for a controller. Although such fees seem very high, if the defence against a multi-million administrative fine is successful or results in a significantly lower amount being assessed, the seemingly high lawyers’ fees will always be worth the money spent.
Are the national data protection authorities sufficiently equipped with enough money and personnel to control data protection infringements, to impose fines and to pursue litigations against data controllers?
My own gut feeling is that the data protection supervisory authorities, which in Germany are state-level authorities (Länder), are not yet fully equipped, in particular with regard to personnel. The remuneration of public servants working for such authorities is financially not very attractive so the authorities have problems hiring appropriate and sufficient people. Economically speaking, intensifying the supervisory activities and thereby heightening the collection of administrative fines would allow for a significant increase in staff appointment schemes.
Are the national data protection authorities allowed to use the collected fines to increase their personnel, equipment and expertise?
No, collected administrative fines are paid to the state treasury so that the authorities do not directly profit from the administrative fines collected.
COVID-19 requires governments, regions and municipalities to spend a lot of money although their budget is already limited while sales and business taxes and other revenues will not provide enough money to cover the expenses and debts incurred. Could the monetary fines for data protection infringement - that can, as previously mentioned, amount to up to 4% of the worldwide turnover of a company group - become a vehicle/source to bolster government budgets?
As seen from the number of proceedings related to administrative fines listed in the enforcement tracker, the current practice of imposing administrative fines by data protection supervisory authorities has not yet become a suitable source for state treasury contributions.
Conversely, if we consider the framework defined in Art. 83, within which authorities may impose administrative fines, it becomes clear that data protection supervisory authorities are well placed to make a much more notable contribution to the state treasury than they do now.
More significant, however, is that authorities should strive to increase controller management awareness for data protection issues and motivate controllers to take data protection much more seriously than is still the case in many companies. The best instrument available under the regulation to increase management awareness is, of course, for authorities to increase enforcement of GDPR rules – not only by imposing administrative fines but also by making use of all the other instruments set out in Art. 58.
It was announced that British Airways (“BA”) would be fined £183m but, in the end, the data protection authority settled on £20m for a data breach of 400,000 customers [3]. What is the reason for such a reduction? Sympathy because of the current poor economic situation for airlines due to COVID-19? Toothless data protection authorities? Pressure exercised by governments who are themselves concerned for the futures of their industries although data protection authorities are meant to safeguard the interest of the individual and are supposed to be autonomous?
The initial administrative fine of £183m was imposed on BA due to insufficient security measures, such as not using multi-factor authentication, but these procedures were already in place at the time of the assessment.
Pursuant to publicly available sources, the ICO decided to decrease the fine so significantly because BA had made considerable improvements to its IT security since the hacker attack by which the poor data security standard used by BA came to light. Pursuant to Art. 83 (2) lit. (c) and lit. (k), both aspects are to be taken into account when calculating the final administrative fine.
Furthermore, BA had allegedly fully co-operated with the ICO investigation, which is, pursuant to Art. 83 (2) lit. (f), a very important measure by which controllers who have already been caught in a GDPR infringement can reduce the amount of the original assessment of the administrative fine.
The BA case is an exemplary one of a controller, having infringed GDPR rules, and having thus been assessed an administrative fine, still having at its disposal a wide range of possibilities to belatedly exert a significant influence in its favour through well-planned and effective measures.
An additional reason for the ICO was – pursuant to various press publications in UK and Germany – that BA has significantly suffered from the COVID-19 pandemic.
Art. 83 (4) and (5), however, refer to the annual turnover of the preceding financial year, which in BA's case would have meant the 2017 turnover; strictly speaking, Art. 83 does not leave any room for a special discount to be granted due to the impact of a pandemic on the business in question.
The only argument which can be used to justify decreasing the fine is Art. 83 (1), according to which, the supervisory authorities must ensure that the fines imposed are "effective, proportionate and dissuasive". To ensure that fines imposed on companies have a deterrent effect, the actual economic capacity of the relevant enterprise must be taken into account and the sanctions adjusted accordingly. Otherwise, the general preventive purposes inherent in the deterrence requirement could not be achieved. On the basis of this backdoor, ICO could reduce the fine so significantly.
Meanwhile in Germany, the clothing retailer Hennes & Mauritz (H&M) has accepted the current record fine of almost €35.3m on the basis of GDPR. The competent Hamburg data protection supervisory authority headed by Prof Johannes Caspar had ordered the company to pay the fine after massive violations concerning the privacy of employees in a service centre in Nuremberg became known. Although such high amounts of fines are still the exception, GDPR is not as toothless as one might think.
How likely is it that a data protection authority will win the litigation and receive its imposed fine?
As can be seen from the descriptions of the cases in which administrative fines have been imposed, in most cases really massive offences committed in a systematic manner had been sanctioned. Thus, my expectation would be that the authorities win a litigation case as far as the controller’s liability is concerned. With regard to the amount of a fine imposed, the catalogue of criteria to assess the amount in each individual case is quite extensive and offers much room for lowering fines.
If a data protection authority loses the legal instances, who pays the expenses? Do data protection authorities have to pay the expenses from their own budget and does this fact make them hesitate because their budget and personnel are already limited? Or are other governmental resources available? If so, has the use of those budgets had a “negative” effect on careers of data protection authorities? What impact will the Irish High Court’s decision [4] have that attorneys employed in Max Schrems' court case before the European Court need to be reimbursed by the Irish Data protection authority and, in the end, by the taxpayer / data subject to the tune of €2.9m?
National data protection authorities are government authorities. If an authority loses a court case, the government ultimately loses the case so that the government, and, in the end, the taxpayer has to pay the lawyers’ fee of the controller and the court costs. Nobody wants to “lose” a court case so that both controller and the authority will have to carefully consider whether to initiate a court proceeding. A well-considered decision to go to court is usually not the single decision of one official only. If the authority nevertheless loses, it was not the individual fault of one official. If, however, the authority lost the case due to a drastic misjudgement on the part of an official, government authorities will not behave differently from any other organization. At least in Germany, civil servants cannot be dismissed; but there are other measures to sanction poor performance, such as transfers to less attractive positions, no more promotions, etc.
The GDPR consists of a lot of rules based on discretion, assessment consideration and interpretation of uncertain legal concepts. Does the way in which the GDPR has been drafted favour the chances of data controllers winning a legal dispute because there is room for interpretation? In other words, does the format and content of GDPR make data protection authorities hesitate to impose fines and to pursue a possible lawsuit because of a high uncertainty regarding the outcome? If the latter is true, can we say that the GDPR is effectively construed to deal with data infringements?
It is correct to assert that GDPR consists of a lot of rules that are based on discretion, assessment consideration and interpretation. This leaves room for consulting, advising and coaching services which is a praiseworthy and very important part of the authorities' work. The more room and capacity authorities have for these kinds of activities, the better data protection will be accepted in business practice. Penalization by imposing administrative fines should be a last resort to be used in cases where GDPR was infringed in a significantly systematic manner and where less severe supervisory measures were not successful.
My opinion when it comes to disputes:
“Data protection enforcement with a sense of proportion will be the key.” – Prof. Dr Joachim Schrey
Data protection laws as well as data protection authorities have already existed for quite a long time. The fines used to be relatively low (€300,000) compared to the new fines under GDPR (€20m, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher). Companies took advantage of the old situation, and the result was that data protection was neglected rather than being perceived as a pressing issue. Companies like Google, Facebook and similar could grow, and processing data trends could be set. Has coaching, advising, understanding and sanctioning proven to be the right path? Or is it now time to change course?
It is true that data protection laws and the related supervisory authorities in Germany are well known and were established in the late 1970s. In other European countries, the data protection directive came into force in 1995, meaning other member states do not have as long a history of data protection as Germany can boast of.
Regardless of the more or less long tradition, one should not forget that technology has significantly changed since the ‘invention’ of data protection commensurate with the business models which have developed to use and exploit data. Every step technology and/or business has taken with respect to processing personal data must be followed, meaning data protection law must inevitably mirror developments.
Practising in data protection law means discovering new challenges every day and developing solutions to them. With regard to such new challenges, coaching, advising and holding a dialogue are still the right tools.
On the other hand – and the H&M case referred to above is a good example – administrative fines are the right response to really serious cases of ongoing and deliberate infringements of applicable data protection laws.
A global player, such as Facebook, Microsoft, Google etc., has a different cultural background. In the US, data protection laws were quite unpopular for many years. But, as can be seen from the California Consumer Privacy Act, there is an increasing awareness for a need for data protection in the US which will also force global players to change their strategies and their business.
Today, however, it is a shame to see that, in particular, these global enterprises tend to ignore data protection, as illustrated by the recent Schrems II decision of the CJEU, which concluded Standard Contract Clauses are no longer sufficient to justify a transfer of personal data into a non-EU/EEA member state without any complementary measures. Unfortunately, it will be their customers who will have to pay the bill in the form of administrative fines and not just the companies sanctioned.
So, are data protection authorities more likely to enforce a fine now in the early years of GDPR and are they taking advantage of that opportunity? Will the probability of sanctions diminish with the increasing perfection of a data controller’s data management? Is it advisable for data protection authorities to base their fines on concrete grounds to increase the probability of the enforcement of their imposed fines? Do the cases mentioned in the above-mentioned enforcement tracker underline this approach?
As can be seen from the descriptions of the cases in which high administrative fines were imposed, really egregious offences committed in a systematic manner have been sanctioned. It is important for the authorities to make use of the full range of fines within the frameworks set out in Art. 83 to demonstrate that an offence against GDPR is no trivial matter and that the regulation has to be taken seriously. The better controllers manage their data protection, the lower the risk is not only to be penalized by administrative fines, but also to get minor offences excused by the authorities if they have the impression that an offence that occurred was a one-off. By having good data protection management in place, controllers may even profit from a kind of positive credit with the authority in question. If penalization by administrative fines is restricted to the really heavy cases of ongoing and deliberate infringements, data protection authorities should have no problem successfully enforcing and obtaining the fines imposed and obtaining acceptance both in business and in the rest of society.
Prof. Schrey, thank you for sharing your insights on dispute options between data protection authorities and data controllers.
Thank you, Dr Caldarola, and I look forward to reading your upcoming interviews with recognized experts delving much deeper into this fascinating topic.
[1] Henceforth all articles mentioned are found in the GDPR unless otherwise specified.