GDPR Penalties - Non-Compliance Could Be Very Expensive
The GDPR gives regulators more investigative and enforcement powers. Penalties of up to 4% of Turnover (which include Group structures) are possible. Individuals can now claim for material or immaterial damages.
Under the previous directives, each member state was free to adopt laws in accordance with the principles, which meant that there were differences in the way each member country implemented and enforced the data privacy directives. The GDPR is a regulation that applies in all member states of the EU. This will help ensure consistency across the EU.
The GDPR provides a new one-stop-shop regulatory framework for the investigation of complaints and enforcement of the GDPR requirements. Under this framework, this will be operated by a member state’s supervisory authority.
Lead Supervisory Authority (LSA)
Each member state’s supervisory authority will act as the lead supervisory authority (LSA) for the controllers and processors whose main establishments are located in its member state. This will permit a controller or processor to rely on the guidance and enforcement procedures of one single EU supervisory authority. In Ireland’s case the LSA is the Data Protection Commissioner (DPC).
If your company has offices across Europe (Google for example), your LSA will be where your EU HQ is located. In Google’s example, this will be in Dublin, Ireland.
If your company does not have an entity in the EU, then you can nominate an LSA. You will need to have a GDPR Representative in place in the country that you nominate as your LSA.
How are the GDPR penalties calculated?
Article 58 of the GDPR provides the supervisory authority with the power to impose administrative fines under Article 83 based on several factors, including:
The nature, gravity, and duration of the infringement;
The intentional or negligent character of the infringement;
Any action taken by the organisation to mitigate the damage suffered by individuals;
Technical and organisational measures that have been implemented by the organisation;
Any previous infringements by the organisation or data processor;
The degree of cooperation with the regulator to remedy the infringement (DPO will be important here);
The types of personal data involved (does this include special category data);
The way the regulator found out about the infringement;
The manner in which the infringement became known to the supervisory authority, in particular, whether and to what extent the organisation notified the infringement;
Whether, and, if so, to what extent, the controller or processor notified the infringement;
Adherence to approved codes of conduct or certification schemes.
The greater of €10 million or 2% of global annual turnover
If it is determined that non-compliance was related to technical measures such as impact assessments, breach notifications and certifications, then the fine may be up to an amount that is the GREATER of €10 million or 2% of global annual turnover (revenue) from the prior year.
Example – if your company does not have a GDPR Representative in place. It can technically be fined €10m or 2% of annual revenue. This will of course depend on the category of data and the nature of the processing. But it remains a substantial fine for a relatively small transgression.
The greater of €20 million or 4% of global annual turnover
In the case of non-compliance with key provisions of the GDPR, regulators have the authority to levy a fine in an amount that is up to the GREATER of €20 million or 4% of global annual turnover in the prior year. Examples that fall under this category are non-adherence to the core principles of processing personal data, infringement of the rights of data subjects and the transfer of personal data to third countries or international organizations that do not ensure an adequate level of data protection.
Data breaches like the 2016 Uber data breach is informative here. Uber failed to notify it’s users or the regulator of the data breach and also went as far as covering it up. Under the GDPR the fine for this would have been €260m based on their €6b turnover in 2016.
Can non-EU companies get fined?
Yes, any organisation, whether established in the EU or not, processing the personal data of data subjects located in the EU, and data controllers and processors established in the EU, will be subject to the GDPR penalties.
What about GDPR Penalties for Group Structures?
The GDPR working group answer (WP29) is fairly definitive on this: If a subsidiary is in breach of the GDPR, then the corporate parent is used to determine “global turnover”. Under the guidance, the WP29 writes that “the concept of an undertaking is understood to mean an economic unit, which may be formed by the parent company and all involved subsidiaries.”
At Nathan Trust, we are big fans of MapMyRun. In 2015 when it was bought by Under Armour, it had over 100 million users. MapMyRun is a huge success, and it deserves to be – however the privacy landscape for its European customers is about to change.
MapMyRun records health and fitness data which is considered a “special category” of data. This makes complying with the GDPR more onerous for them – as it should be.
The GDPR maximum fine is 4% of turnover. Under Armour is the parent company of MapMyRun so the maximum fine is $4,800,000,000 * 4% = $192,000,000.
Interestingly, Under Armour bought MapMyFitness for $150m in 2013.
Another global sporting brand which is in a similar situation is Adidas. They bought Runtastic for €220m in 2015. Adidas’ exposure is €19,000,000,000 * 4% = €760,000,000.
These numbers are eye-watering and it can be reasonably argued that fines like this will be very difficult to collect but this is what the law states and the working group reaffirms it.
Don’t forget compensation for Damages
Another important point of the GDPR is the provision, in Article 82, of the right of claimants who have suffered material or immaterial damages as a result of an infringement of the GDPR to receive compensation for the damages suffered.
The GDPR allows the claimant to exercise their right by means of a mandate to an entity, organisation or non-profit association to present and pursue the claim on their behalf. This is essentially a class action suit.
It can, therefore, be expected that the number of complaints received by companies and entities will increase substantially.
Who are these non-profits that pursue these claims?
A good example is the privacy NGO – noyb. It will be able to bring privacy cases in a much more effective way than before. This is being headed up by Max Schrems.
Max Schrems is an Austrian lawyer, author and privacy activist who became known for campaigns against Facebook for privacy violation, including its violations of European privacy laws and alleged transfer of personal data.
In 2013 Schrems filed a complaint against Facebook Ireland Ltd about data transfers by Facebook Ireland to the US in the wake of the Snowden revelations, including the existence of the Prism spying programme. His complaint ultimately ended up before the CJEU in October 2015 and that court struck down the Safe Harbour framework then used by about 4,500 companies, including Facebook, to transfer data to the US.
Noyb is going to look at the smartphone market next. Existing research has e.g. shown that some apps access GPS locations or contacts beyond what is strictly necessary for the function used. The consent and proportionality to the data collection are at best, tenuous.