Act now, 4% GDPR Penalties (and Accountability) go all the way to the top
The Maximum 4% GDPR penalty - what the WP29 are saying
The GDPR working group (WP29) recently released guidelines on administrative fines and GDPR penalties.
In general, it deals with:
- Assessment criteria so companies can create scenarios
- Failure to listen to your DPO is a bad idea
- Data breach notification
- Profiling and automated decision making
It helps shed more light on what organizations have to do in order to incur that oft-quoted GDPR maximum fine of 4 percent of global turnover.
Who pays the GDPR Penalty?
The GDPR expressly introduces a legal accountability obligation into European data protection law. These new provisions are likely to have far-reaching consequences. Here is an example: I love MapMyRun – it is a great product and has been very successful. In 2015, when it was bought by Under Armour, it had over 100 million users. MapMyRun is a huge success, and it deserves to be – however, the privacy landscape for its European customers is about to change. MapMyRun records health and fitness data, which is considered a “special category” of data. This makes complying with the GDPR more onerous for them – as it should be.
The GDPR maximum fine is 4% of turnover. Under Armour is the parent company of MapMyRun, so the maximum fine is $4,800,000,000 * 4% = $192,000,000. We know this because the WP29 group answered it fairly definitively: if a subsidiary is in breach of the GDPR, then the corporate parent is used to determine "global turnover". In the guidance, the WP29 writes that "the concept of an undertaking is understood to mean an economic unit, which may be formed by the parent company and all involved subsidiaries." Interestingly, Under Armour bought MapMyFitness for $150m in 2013. Another global sporting brand in a similar situation is Adidas.
They bought Runtastic for €220m in 2015. Adidas’ exposure is €19,000,000 * 4% = €764,000,000. These numbers are eye-watering, and it can be reasonably argued that fines like this will be very difficult to collect, but this is what the law states and the working group reaffirms it.
The GDPR also allows NGOs to take action
The new privacy NGO, noyb, will be able to bring privacy cases in a much more effective way than before. It is being headed up by Max Schrems.
Max Schrems is an Austrian lawyer, author and privacy activist who became known for campaigns against Facebook for privacy violations, including its violations of European privacy laws and alleged transfer of personal data. In 2013 Schrems filed a complaint against Facebook Ireland Ltd about data transfers by Facebook Ireland to the US in the wake of the Snowden revelations, including the existence of the Prism spying programme. His complaint ultimately ended up before the CJEU in October 2015, and that court struck down the Safe Harbour framework then used by about 4,500 companies, including Facebook, to transfer data to the US.
What can noyb actually do?
noyb will use best practices from consumer rights groups, privacy activists, hackers, and legal tech initiatives and merge them into a stable European enforcement platform. Together with the many new enforcement possibilities under the new EU data protection regulation (GDPR), noyb will be able to bring privacy cases in a much more effective way than before. In addition, noyb will follow the idea of targeted and strategic litigation to maximize the impact on the future of your right to privacy.
When appropriate, noyb will use PR and media initiatives to ensure your right to privacy without even going to court. Finally, noyb is designed to join forces with existing organizations, resources and structures to maximize impact, while avoiding parallel structures.
There are two things to take particular note of here:
1. noyb will take class action suits against organisations they feel are flouting privacy law.
2. noyb will publicise organisations that are not respecting privacy laws.
Point 2 is probably more damaging, and instantly effective. Max Schrems is high profile and commands a lot of media attention. If noyb decides to publicise that an organisation does not respect EU privacy laws, this will get a lot of headlines.
What are noyb’s aims?
The aim of noyb is therefore to ensure that the tech industry is fully following the existing privacy and data protection laws in the European Union, through strategic litigation in the public interest. Just like in other areas of law, only the realistic likelihood of enforcement will ensure that laws are generally respected. noyb will prioritize relevant cases, ensure that relevant violations are uncovered, assess legal and factual situations and use the most effective form of enforcement in each case. This may include the use of automated legal processes and enforcement (“legal tech”).
Need help getting ready for the GDPR? Get in touch with us below: