20 October 2022
Administrative Fines under Article 83 GDPR
As part of our series of briefings on administrative fines in Irish regulatory law, we look at the power of the Data Protection Commission (the “DPC”) under the General Data Protection Regulation (the “GDPR”) and the Data Protection Act 2018 (the “2018 Act”) to impose administrative fines for infringements of the GDPR.
Article 83 GDPR
The GDPR provides for the imposition by supervisory authorities of administrative fines for breaches of its provisions, stating that such fines shall in each case be effective, proportionate and dissuasive. In setting out the maximum fines that can be imposed, the GDPR recognises that infringements of certain provisions may be more serious than infringements of others. Accordingly, the infringement of certain provisions, as set out in Article 83(4), is subject to a maximum fine of €10 million or 2% of the worldwide annual turnover of the relevant undertaking in the preceding year, whichever is higher. Pursuant to Article 83(5) and (6), the infringement of certain other provisions, or non-compliance with a corrective power ordered by a supervisory authority, is subject to a maximum fine of €20 million or 4% of the worldwide annual turnover of the relevant undertaking in the preceding year, whichever is higher.
Article 83(2) GDPR sets out factors to which a supervisory authority is to have regard in deciding whether to impose an administrative fine and in deciding on the amount of any such fine. These include, amongst other factors:
- The nature, gravity and duration of the infringement;
- The number of data subjects affected and the level of damage suffered by them;
- The intentional or negligent character of the infringement;
- Any action taken by the controller or processor to mitigate the damage;
- Any relevant previous infringements; and
- The degree of cooperation with the supervisory authority.
Decisions of the DPC
Decisions of the DPC have provided some insight into the approach it takes to calculating administrative fines. The first administrative fine imposed by the DPC was in respect of Tusla Child and Family Agency in April 2020, the DPC imposing a fine of €75,000 for infringements of Article 32(1) and Article 33(1) arising from personal data breaches. Subsequent decisions followed with much higher administrative fines, most notably the imposition of a fine of €225 million on WhatsApp Ireland Limited in August 2021 (currently under appeal) and the imposition in September 2022 of a fine of €405 million on Meta Platforms Ireland Limited in respect of the Instagram platform (also under appeal).
Of note in respect of both the WhatsApp and Instagram fines is that these decisions were subject to the cooperation mechanism under Article 60 GDPR whereby the lead supervisory authority (in these cases, the DPC) is required to share a draft decision with “other supervisory authorities concerned” (i.e. those in other Member States) for their opinion and to take due account of their views. In both cases, the supervisory authorities were not able to reach a consensus and so the European Data Protection Board (the “EDPB”) was required to adopt a binding decision under Article 65 GDPR. The published EDPB decision in the WhatsApp case led to a substantial increase in the level of the administrative fine imposed following reassessment by the DPC and, in the Instagram case, led to the DPC reconsidering certain aspects of the fine imposed and opting for a fine at the top of the range it had identified in its draft decision. Both cases provided insight into the views of other supervisory authorities in respect of administrative fines as well as guidance on the approach adopted by the EDPB.
On 12 May 2022, the EDPB adopted new Guidelines on the calculation of administrative fines under the GDPR (the “EDPB Guidelines”). The EDPB Guidelines are intended to supplement and be read together with earlier guidelines adopted in 2017 (the Article 29 Working Party’s Guidelines on the application and setting of administrative fines (WP253)).
While the calculation of the amount of the fine to be imposed in a given case is at the discretion of the supervisory authority, the EDPB Guidelines set out the methodology devised by the EDPB for calculating fines. In summary, the steps to be taken in this methodology are as follows:
- Step 1: Identify the processing operations in the case and evaluate the application of Article 83(3) GDPR.
Article 83(3) provides that “if a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement”. The correct application of Article 83(3) was an issue which arose for consideration by the EDPB in the WhatsApp decision. Other supervisory authorities disagreed with the manner in which the DPC had applied Article 83(3), arguing that it effectively meant that WhatsApp was only being fined for one infringement. The EDPB’s decision provided that all the infringements should be taken into consideration when calculating the amount of the fine. Now, the EDPB Guidelines provide further guidance regarding the approach to be taken to concurrent offences, which is not a straightforward matter.
- Step 2: Find the starting point for further calculation based on an evaluation of:
- the classification in Article 83(4)–(6) GDPR;
- the seriousness of the infringement pursuant to Article 83(2)(a), (b) and (g) GDPR; and
- the turnover of the undertaking, with a view to imposing an effective, dissuasive and proportionate fine, pursuant to Article 83(1) GDPR.
The EDPB Guidelines provide that the starting point in each case should be a percentage of the maximum fine (under Article 83(4), (5) or (6), as applicable) depending on the seriousness of the infringements: 0 – 10% of the maximum fine for low-level seriousness, 10 – 20% for medium-level seriousness and 20 – 100% for high-level seriousness. These starting points can be reduced where an undertaking has a particularly small annual turnover.
- Step 3: Evaluate aggravating and mitigating circumstances related to past or present behaviour of the controller/processor and increase or decrease the fine accordingly.
Mitigating factors identified in the EDPB Guidelines include actions taken to mitigate damage suffered by data subjects and cooperation with the supervisory authority. While previous infringements can be an aggravating factor, the Guidelines state that an absence of previous infringements is not a mitigating factor, as GDPR compliance should be the norm.
- Step 4: Identify the relevant legal maximums for the different processing operations by reference to static and dynamic maximum amounts. Increases applied in the previous or next steps cannot exceed this amount.
The GDPR provides static maximum fines (€10 million or €20 million depending on the infringements). For undertakings, this can be replaced by a higher maximum amount based on turnover (2% or 4% of total worldwide annual turnover of the preceding financial year). The EDPB Guidelines provide guidance as regards identifying the “undertaking” and determining the turnover, including clarifying that the relevant event for determining the “preceding year” is the fining decision issued by the supervisory authority rather than the date of the infringement.
- Step 5: Analyse whether the final amount of the calculated fine meets the requirements of effectiveness, dissuasiveness and proportionality, as required by Article 83(1) GDPR, and increase or decrease the fine accordingly.
A principle to emerge from the EDPB WhatsApp decision was that turnover is not only relevant for the purposes of determining the maximum fine, but it is also relevant in terms of calculating the appropriate fine to impose and ensuring the fine is effective.
Watch this space
Section 143 of the 2018 Act provides that, where a controller or processor does not appeal a decision to impose an administrative fine, the DPC is required to apply to the Circuit Court to confirm the decision. The Circuit Court, in hearing such an application, shall confirm the decision unless the Court sees good reason not to. To date, applications made under section 143 have been low key and have passed without comment or controversy.
The appeals of the WhatsApp decision and the Instagram decision in the Irish High Court will inevitably bring judicial oversight to the imposition of administrative fines by the DPC. In relation to the WhatsApp decision, in addition to bringing a statutory appeal under the 2018 Act, WhatsApp has also instituted judicial review proceedings in respect of the decision. According to press reports of the application for leave to issue the judicial review proceedings, one issue raised by WhatsApp is the constitutionality of certain provisions of the 2018 Act and the compatibility of those provisions with the European Convention on Human Rights. WhatsApp has also applied to the CJEU to have the decision of the EDPB pursuant to Article 65 GDPR annulled.
Additionally, Meta has issued a statutory appeal in respect of the Instagram decision which, according to a Meta statement, includes issues as to how the fine in the decision was calculated.
The outcome of these appeals will undoubtedly be highly significant for the future of administrative fines under the GDPR/2018 Act and may well have wider application.
- See our briefing on the WhatsApp decision here
This document has been prepared by McCann FitzGerald LLP for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.