The European Parliament has recently adopted the General Data Protection Regulation (GDPR). Part of this new data protection framework is a dramatic increase in the sanctions for violations of data protection law. Once the GDPR applies, the blunt sword used to enforce data protection requirements will suddenly become razor sharp, and companies must be prepared for fines running into millions of Euros.
1. Data Protection Enforcement
Enforcing data protection law is, and will remain, primarily the responsibility of the data protection authorities. Currently, Section 38 of the German Data Protection Act (BDSG) establishes their powers, including rights to information and the power to issue administrative orders and administrative fines in case of data protection violations. Corresponding powers of the data protection authorities are also provided for in Art. 58 GDPR (see item 2). Further, the courts may impose criminal penalties for severe infringements of data protection law (see item 3), and affected data subjects may enforce their data protection rights individually, including claims for damages (see item 4).
2. Fines for Data Protection Violations
So far, fines in the millions of Euros have rarely been seen in the enforcement practice of the data protection authorities. The spectacular exceptions were fines of EUR 1.46 million against 35 Lidl distribution companies, EUR 1.3 million against Debeka Krankenversicherungsverein e.G. and EUR 1.12 million against Deutsche Bahn AG.
Once the GDPR applies, such fines may be imposed far more frequently. Art. 83(4)-(6) GDPR raises the fines for data protection violations dramatically and on a uniform European level. Art. 24 of the Data Protection Directive (DPD), currently the basis for the member states' rules on fines for data protection violations, left the permitted amount of fines to the discretion of the member states. The result is a wide divergence between the member states' data protection laws: in Austria fines may amount to EUR 25,000, in France to EUR 150,000, in Spain to EUR 600,000 and in the United Kingdom to GBP 500,000.
For Germany, Section 43(3) BDSG stipulates fines of up to EUR 50,000 for the violations listed in Section 43(1) BDSG and fines of up to EUR 300,000 for the violations listed in Section 43(2) BDSG. Higher fines exceeding these limits may be imposed in order to skim off the profits gained from the infringement. Art. 83(4) GDPR raises the fines for the infringements named there to up to EUR 10 million or 2% of a company's total worldwide annual turnover, whichever is higher, and Art. 83(5) and (6) GDPR provide for even higher fines of up to EUR 20 million or 4% of the worldwide annual turnover, whichever is higher.
For the purpose of calculating the worldwide turnover, the relevant entity is the undertaking within the meaning of Art. 101 and 102 of the Treaty on the Functioning of the EU (see Recital 150 GDPR). Accordingly, the turnover of the entire group of companies affiliated with the data controller becomes relevant, and fines for data protection violations in the billions of Euros are therefore conceivable. The amount actually imposed will of course continue to depend on the circumstances of the individual case and may be far below such record-breaking figures. The criteria for setting the actual amount are stipulated in Art. 83(2) GDPR and include:
- the nature, gravity and duration of the infringement taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
- the intentional or negligent character of the infringement;
- any action taken to mitigate the damage suffered by data subjects;
- the degree of responsibility taking into account technical and organisational measures implemented;
- any relevant previous infringements;
- the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
- the categories of personal data affected by the infringement;
- the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the infringement was notified;
- where measures have previously been ordered against the data controller or data processor concerned with regard to the same subject-matter, compliance with those measures;
- adherence to approved codes of conduct pursuant to Article 40 GDPR or approved certification mechanisms pursuant to Article 42 GDPR; and
- any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.
As indicated by Recital 150 GDPR, ensuring a uniform application of fines requires the data protection authorities to make use of the consistency mechanism under Art. 63 GDPR. At the same time, local circumstances, such as the wage level in the member state concerned and the economic situation of the persons involved, are to be taken into account.
As a general rule, several infringements may attract several fines. Art. 83(3) GDPR restricts this, however: where several provisions of the GDPR are infringed by the same or linked processing operations, the total amount of the fine may not exceed the amount specified for the gravest infringement. This is a relevant limitation of liability with regard to fines for data protection violations.
3. Penalties for Data Protection Violations
The GDPR does not create any new criminal offences. Rather, Art. 84(1) GDPR and Recital 149 GDPR leave it to the member states to lay down criminal law provisions at their own discretion. This fully reflects the current framework under Art. 24 DPD.
Data protection criminal liability in Germany is currently governed by Section 44 BDSG and by the data protection acts of the German States; the latter are not the subject of this article. Section 44 BDSG refers to the administrative offences stipulated in Section 43 BDSG (see item 2 above) and attaches criminal sanctions where such an offence is committed intentionally in return for payment or with the intent of enriching oneself or another person or of harming another person.
Given this rather broad criminal liability, it must be assumed that infringements of data protection law quite often constitute data protection crimes as well. Even so, the criminal enforcement authorities have so far not directed their attention at data protection crimes. As far as I know, there has been only one data protection criminal case in the German criminal courts that led to criminal sanctions.
Section 43(1) and (2) BDSG, which list the administrative offences, and Section 43(3) BDSG, which sets the fines, will be replaced by Art. 83 GDPR. The reference in Section 44 BDSG will then point to nothing; accordingly, the German legislator would need to enact new provisions on data protection criminal law in order to keep German data protection criminal law in place.
It must be assumed that the German legislator will enact such provisions on data protection crimes. How this will be done technically remains to be seen. A feasible approach would be a provision drafted along the lines of the current Section 44 BDSG, referring to the infringements listed in Art. 83 GDPR and attaching criminal sanctions where additional requirements are fulfilled.
4. Damages for Data Protection Violations
Under Art. 82(1) GDPR, any person who has suffered material or non-material damage as a result of an infringement of the GDPR in the processing of his or her personal data may claim compensation. This claim is in the first place directed against the data controller and, in this respect, reflects the current situation under Section 7 BDSG and Art. 23(1) DPD respectively. In addition, and here different from the current situation, there is also a direct claim against the data processor involved.
As is the case today, the affected person must, under the GDPR too, establish the infringement of data protection law, the damage suffered and the causal link between the two. In deviation from the current framework, such damage may also be non-material.
To successfully claim damages from the data controller, the data controller must be in breach of its data protection obligations. To claim damages from the data processor, the processor must be in breach of its contractual obligations under the data processing agreement with the data controller or of the data protection requirements directed specifically at processors. However, Art. 82(3) GDPR presumes responsibility: the data controller or data processor is exempt from liability only if it proves that it is not in any way responsible for the event giving rise to the damage. This may have a massive effect, as it significantly facilitates damage claims for data protection violations, and an increase in the number of claims is therefore to be expected.
Art. 82(4) GDPR stipulates the joint and several liability of data controller and data processor towards the affected data subjects. Art. 82(5) GDPR then introduces the framework for internal compensation where one party has been held liable and has compensated the data subject. These rules are in line with the principles of joint and several liability under German civil law, namely Sections 421 and 426 of the German Civil Code (BGB).
In addition to claims under the data protection compensation framework of Art. 82 GDPR, damage claims may also be based on other civil law causes of action, such as tort under Section 823(2) BGB in connection with the infringed provision of the GDPR.
The rules on administrative fines and damage compensation further develop the European data protection framework without creating revolutionary new obligations. As under the current framework, the data protection authorities will have the power to impose administrative fines. The amount, however, will change dramatically, with an upper limit of EUR 20 million or 4% of worldwide annual turnover, whichever is higher. This must be taken into account in any company's compliance and risk-management strategy.
Whether there will be material changes in data protection criminal law now depends on the German legislator. While severe changes are unlikely, data protection criminal law is a dormant risk. It is better considered and addressed in an appropriate manner, as the German criminal enforcement authorities may at any time turn their attention to this supposedly new field of criminal law enforcement.
The law on damage compensation under the GDPR brings new direct claims of data subjects against data processors and places the burden of proof on the data controllers and data processors concerned. This must be addressed in the compliance framework, as an increased number of claims is to be expected. The only line of defence, at least against unfounded claims, appears to be proper documentation of all data processing activities.
Other parts of this series:
Part 1: EU Data Protection Regulation – New Series
Part 3: Principles, Consent and Statutory Justifications
Part 4: Commissioned Data Processing and International Data Transfer