The General Data Protection Regulation (“GDPR”) introduces many new obligations for companies (be they controllers or processors) and the question on the minds of most companies is “…and what happens if we don’t comply or get it wrong? What is the risk?”
The level of fines possible under the GDPR (up to 20,000,000 EUR or, for undertakings, 4% of total worldwide annual turnover, whichever is the greater) means that data protection can no longer be swept under the carpet.
Furthermore, the GDPR introduces a comprehensive set of rights for data subjects, including the right to an effective judicial remedy against a controller or a processor and the right to compensation. Therefore, in addition to being at the receiving end of an enforcement action, controllers and processors may be subject to court proceedings and have to pay compensation to data subjects for their infringements of the GDPR.
What does the law require today?
Currently, under the Directive (95/46/EC), supervisory authorities have certain investigatory powers, e.g. to access a controller’s data to carry out an investigation, to issue a warning to a controller, to order the blocking, erasure or destruction of data or to impose a ban on the processing of data. The decision as to what sanctions can be imposed was left to Member States. For example, the Information Commissioner in the UK currently has the power to fine up to £500,000. However, the number of fines issued by data protection authorities across Europe each year is usually relatively low, and high fines are only likely to be issued for the more serious offences.
The Directive provides every person with the right to a judicial remedy for any breach of applicable national data protection laws. The Directive also recognises that administrative remedies may be pursued before data protection authorities (DPAs).
With regard to liability, the Directive provides that any person who has suffered damage as a result of unlawful processing, or of processing operations that are incompatible with national data protection laws, is entitled to receive compensation from the controller. The controller may be exempt from such liability if it proves that it is not responsible for the event giving rise to the damage.
What will the General Data Protection Regulation require?
As with the Directive, supervisory authorities have various types of enforcement powers under the GDPR. Whether such powers will be used by the lead supervisory authority, another supervisory authority, or authorities jointly, will depend on the infringement itself, the controller and the data subjects.
In particular, a supervisory authority will have investigative powers: it will be able to require controllers or processors to provide it with certain information, carry out compulsory data protection audits of the controller or processor (including accessing the controller’s/processor’s premises), notify the controller/processor of an alleged infringement of the GDPR and/or review a certification issued under the GDPR.
The GDPR’s corrective powers are similar to those under the Directive and include the issuing of warnings and reprimands, imposing bans on processing, suspending data transfers and ordering the correction of an infringement. The power to issue administrative fines is listed as a corrective power and is, not unexpectedly, the power that is receiving the most attention.
Unlike the Directive, the GDPR specifically sets out the different levels of administrative fines that may be issued by supervisory authorities (along with or as an alternative to the other “corrective” powers). The GDPR makes it clear that supervisory authorities need to think carefully about whether a fine would be the appropriate sanction, taking into account a number of factors such as the number of data subjects affected, whether the infringement was intentional, what action (if any) has been taken to mitigate the damage etc. A fine should not be issued unless it would be “effective, proportionate and dissuasive”.
Essentially, there are two levels of fines:
- Level 1: fines of up to 10,000,000 EUR or (for undertakings) 2% of total worldwide annual turnover, whichever is the greater; or
- Level 2: fines of up to 20,000,000 EUR or (for undertakings) 4% of total worldwide annual turnover, whichever is the greater.
A Level 1 fine may be imposed for an infringement of any one of 19 different Articles. Level 2 fines are for the more serious offences, relating to infringement of 23 further Articles.
| Level 1 fines for Articles relating to: | Level 2 fines for Articles relating to: |
| --- | --- |
| consent of a child | the principles for processing |
| identifying a data subject | conditions for lawful processing |
| data protection by design/default | conditions for obtaining consent |
| joint controllers | processing of special categories of data |
| designating a representative | provision of information to the data subject |
| processing by a processor | provision of information at the point of collection |
| third party processing | data not obtained from the data subject |
| record of the processing | right to access data |
| co-operation with the supervisory authority | right to obtain rectification |
| security measures | right to erasure |
| notification of a data breach | right to obtain restriction |
| communication of a data breach | communication to recipients of data |
| data protection impact assessment | right to data portability |
| consultation with the supervisory authority | right to object |
| data protection officer (“DPO”) | adoption of specific rules by Member States |
| role of the DPO | automated decision making |
| tasks of the DPO | failure to comply with an order, limitation or suspension |
| certification mechanisms | transfers to a third country or international organisation |
| obligations of certification bodies | failure to provide access to the supervisory authority |
| obligations of monitoring bodies | |
Under the GDPR, as with the Directive, natural and/or legal persons may lodge administrative complaints before supervisory authorities and seek judicial remedies before courts. However, the set of rights under the GDPR is broader. In particular, the GDPR recognises the following rights:
Right to lodge a complaint with a supervisory authority
· Who? Data subjects who consider that the processing of personal data relating to them does not comply with the GDPR.
· Where? With the supervisory authority of the data subject’s habitual residence, the data subject’s place of work or the place of the alleged infringement.
Right to a judicial remedy against a supervisory authority
· Who? Natural or legal persons may seek a judicial remedy against legally binding decisions of a supervisory authority concerning them. Data subjects may also seek a judicial remedy against the failure of a supervisory authority to deal with a complaint lodged by the data subject, or its failure to inform the data subject within three months of the progress of the complaint.
· Where? Proceedings may be brought before the courts of the Member State where the supervisory authority is established.
Right to an effective judicial remedy against a controller or a processor
· Who? Data subjects who consider that their rights under the GDPR have been infringed as a result of the failure of the controller or the processor to process their personal data in compliance with the GDPR.
· Where? Proceedings may be brought before the courts of the Member State where the controller or processor has an establishment, or before the courts of the Member State where the data subject has his or her habitual residence.
Right to compensation
· Who? Any person who has suffered material or immaterial damage as a result of an infringement of the GDPR (including its delegated and implementing acts and relevant national law specifying rules of the GDPR) may receive compensation from a controller or a processor.
· Where? Proceedings may be brought before the courts of the Member State where the controller or processor has an establishment, or before the courts of the Member State where the data subject has his or her habitual residence.
· What liability? Controllers are liable for the damage caused by processing that does not comply with the GDPR, whereas processors are only liable for damage caused by processing where the processor has not complied with its own obligations under the GDPR or has acted beyond or contrary to the instructions of the controller.
Right of representation by a body, organisation or association
· Who? Data subjects may mandate a body, organisation or association to exercise any of the rights described above on their behalf. The body, organisation or association must be properly constituted under the law of the relevant Member State, be of a non-profit-making character, have statutory objectives that are in the public interest and be active in the field of the protection of data subjects’ rights and freedoms.
· Mandate: with the exception of the right to seek compensation, all of the rights above may be exercised by the body, organisation or association without a mandate from the individual where national law so provides. The right to compensation may only be exercised by the body, organisation or association on the data subject’s behalf where Member State law so provides.
What are the practical implications?
For undertakings, the impact of a fine on the business could be significant. Even if a global organisation has only a small establishment in Europe, or is a US-based organisation offering goods or services to, or monitoring the behaviour of, individuals in the EU, the fine is based on total worldwide annual turnover. Data protection should now be taken as seriously as competition law infringements and should be a board-level matter.
In addition, the GDPR increases the risk of being scrutinised by regulators and of being the subject of enforcement actions and court proceedings, because individuals have the right to be represented by, for instance, a privacy rights association, which may encourage individuals to pursue their claims and actions.
Controllers / processors will also have to be ready to attend court proceedings in the country where the individual has his or her habitual residence, even if this is not the country where the controller / processor has its establishment.
In considering how to approach GDPR readiness, businesses should prioritise their implementation actions by looking at the article on administrative fines (Article 79 in the draft text referred to here; Article 83 in the final Regulation (EU) 2016/679) and the breaches that will land them in the most serious trouble. In this context, businesses should also take into account the rules on liability when engaging others to process personal data.
It is worth bearing in mind that some of the requirements are easy to implement, e.g. keeping a record of all processing and providing information to individuals about the processing of their data; implementing these requirements is a “quick win” for businesses.
For obligations that require a longer-term strategy, businesses should start addressing these requirements as soon as possible. While there is a two-year grace period under the GDPR, France is already proposing to introduce GDPR-style fines in advance of the GDPR, and other EU Member States may follow suit.