This is the last of my articles on the GDPR for the time being. I have decided to discuss fines because it is one of the topics that has received most publicity recently. The prospect of eye-watering fines has been used by some to raise awareness of data protection and to encourage good practices which must be good but it has also been used more cynically to boost sales of systems and services that may or may not be needed which is not so good.
Art 24 of the Data Protective Directive required member states to "adopt suitable measures to ensure the full implementation of the provisions" of the directive and, in particular, to lay down the sanctions to be imposed in case of infringement of the provisions adopted pursuant to the directive. However, it left it to the authorities in the member states to lay down what those sanctions should be. In the UK, the Information Commissioner has power to impose monetary penalties under s.55A of the Data Protection Act 1998. S.55A (1) provides:
"The Commissioner may serve a data controller with a monetary penalty notice if the Commissioner is satisfied that—S.55A (2) applies if the contravention was deliberate and s.55A (3) if the data controller knew or ought to have known that there was a risk that the contravention would occur, and that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but failed to take reasonable steps to prevent the contravention. S.55A (5) limits the amount of the monetary penalty to "the prescribed amount" which is set at £500,000 by reg 2 of The Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 (SI 2010 No 31). The Commissioner has given some guidance about the issue of monetary penalties prepared and issued under section 55C (1) of the Data Protection Act 1998. The Information Commissioner will continue to have the power to impose fines under art 58 (2) (i) of the GDPR in accordance with guidelines to be drawn up by the European Data Protection Board (a body consisting of representatives of the EU and national data protection supervising authorities) pursuant to art 70 (1) (k).
(a) there has been a serious contravention of section 4 (4) by the data controller,
(b) the contravention was of a kind likely to cause substantial damage or substantial distress, and
(c) subsection (2) or (3) applies."
The Information Commissioner's power to fine will increase greatly as a result of art 83 of the GDPR. She will have power to impose administrative fines up to €20 million or up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher in the circumstances prescribed in art 83 (5). However, any fine that she does impose under that provision must be effective, proportionate and dissuasive. Paragraph (148) of the recitals provides the following guidance as to how the power to fine should be exercised:
"In order to strengthen the enforcement of the rules of this Regulation, penalties including administrative fines should be imposed for any infringement of this Regulation, in addition to, or instead of appropriate measures imposed by the supervisory authority pursuant to this Regulation. In a case of a minor infringement or if the fine likely to be imposed would constitute a disproportionate burden to a natural person, a reprimand may be issued instead of a fine. Due regard should however be given to the nature, gravity and duration of the infringement, the intentional character of the infringement, actions taken to mitigate the damage suffered, degree of responsibility or any relevant previous infringements, the manner in which the infringement became known to the supervisory authority, compliance with measures ordered against the controller or processor, adherence to a code of conduct and any other aggravating or mitigating factor. The imposition of penalties including administrative fines should be subject to appropriate procedural safeguards in accordance with the general principles of Union law and the Charter, including effective judicial protection and due process."Paragraph (150) provides the following additional guidance
"In order to strengthen and harmonise administrative penalties for infringements of this Regulation, each supervisory authority should have the power to impose administrative fines. This Regulation should indicate infringements and the upper limit and criteria for setting the related administrative fines, which should be determined by the competent supervisory authority in each individual case, taking into account all relevant circumstances of the specific situation, with due regard in particular to the nature, gravity and duration of the infringement and of its consequences and the measures taken to ensure compliance with the obligations under this Regulation and to prevent or mitigate the consequences of the infringement. Where administrative fines are imposed on an undertaking, an undertaking should be understood to be an undertaking in accordance with Articles 101 and 102 TFEU for those purposes. Where administrative fines are imposed on persons that are not an undertaking, the supervisory authority should take account of the general level of income in the Member State as well as the economic situation of the person in considering the appropriate amount of the fine. The consistency mechanism may also be used to promote a consistent application of administrative fines. It should be for the Member States to determine whether and to which extent public authorities should be subject to administrative fines. Imposing an administrative fine or giving a warning does not affect the application of other powers of the supervisory authorities or of other penalties under this Regulation."The representatives of the national data protection supervising authorities who will constitute the European Data Protection Board after 25 May 2018 adopted Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679 on 3 Oct 2017 which can be downloaded from What's New section of the Information Commissioner's website.
Art 85 (2) provides that administrative fines shall be imposed in addition to, or instead of, the other sanctions that are available to the Information Commissioner under art 58 (2). When deciding whether or not to impose an administrative fine and, if so, the amount due regard must be given to the following considerations:
"(a) the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;In other words, only the most egregious infringements are likely to attract the heaviest fines. Art 85 (4) limits the fine for certain infringements such as failure to obtain the appropriate consent in relation to a child to €10 million or 2% of turnover. In the case of all others, the maximum penalty is €20 million or 4%,
(b) the intentional or negligent character of the infringement;
(c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;
(d) the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;
(e) any relevant previous infringements by the controller or processor;
(f) the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
(g) the categories of personal data affected by the infringement;
(h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;
(i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;
(j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and
(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement."
It is important to note that art 83 (8) GDPR subjects the exercise by the Information Commissioner of her powers to "appropriate procedural safeguards in accordance with Union and Member State law, including effective judicial remedy and due process." In other words, the Commissioner will have to follow due process when imposing a fine and there will be a right of appeal against her decisions probably to the General Regulatory Chamber and from there to the civil courts. Also, for so long as the UK remains in the European Union points of EU law can be referred to the Court of Justice of the European Union,
Should anyone wish to discuss this article, fines, the GDPR or data protection generally he or she should call me on 020 7404 5252 or send me a message through my contact form.
Author and Title
1 Dec 2017
NIPC Data Protection
11 Aug 2017
NIPC Data Protection