A leaked document published by Statewatch suggests that a new three-tiered system of data protection fines could be introduced under the proposed new General Data Protection Regulation (GDPR) (28-page / 96KB PDF).
The document also indicates that national governments will have the freedom to decide whether fines can be issued to public bodies in their country should those bodies breach the GDPR. Governments will also be able to prevent fines being served on businesses "where the infringements … are already subject to criminal sanctions in their national law".
Under the rules on fines being considered, data protection authorities (DPAs) would have to ensure that the fines they issue are "effective, proportionate and dissuasive". The authorities would have to consider a range of factors when determining whether to serve businesses with fines on top of, or instead of, alternative sanctions.
Those factors include "the nature, gravity and duration of the infringement" and "the number of data subjects affected and the level of damage suffered by them", whether a breach of the GDPR was intentional or stemmed from negligence, and whether businesses have taken steps to "mitigate the damage suffered by data subjects". Whether an infringement is a first or repeat offence would also be a factor. DPAs would also be required to consider whether an infringing business has financially benefited from the infringement and "the manner in which the infringement became known" to it when deciding whether to serve a fine for that infringement.
If a fine is deemed to be justified, DPAs would then have to consider what level of penalty to impose.
Justice ministers from national governments across the EU have already given their provisional backing to rules which would, if introduced and enforced, allow DPAs to serve a maximum penalty of up to 2% of a business' annual global turnover for a breach of the GDPR.
However, under the latest proposals, a more complex three-tiered system of administrative fines is envisaged. The UK, Ireland and some other EU countries are "opposed to maintaining different sanctions scales", the document said, although "the majority of member states", including Germany, Italy, Spain and the Netherlands, "appear to be in favour". France is not in favour of the plans but is willing to accept the tiered regime, it said.
Under the plans, businesses that intentionally or negligently fail to respond to data subject access requests within the prescribed timescale, or charge a fee for handling such requests, could be fined up to 0.5% of their "total worldwide annual turnover" from the previous financial year.
Fines of up to 1% of annual turnover could be imposed on businesses that intentionally or negligently fail to provide any or all of the information necessary to comply with data subject access requests, or if they fail to be sufficiently transparent with consumers about, among other things, the purposes for which they are collecting and processing their personal data.
Similarly, fines of up to 1% of turnover could be imposed if companies intentionally or negligently do not adhere to the rights of consumers to have data about them corrected or erased, including in line with the 'right to be forgotten' principles set out under the GDPR. Fines of that level could also be issued where businesses fail to make consumers' data portable or unjustifiably ignore objections raised by consumers about the processing of their personal information for marketing purposes.
The stiffest fines, of up to 2% of a business' turnover, would be available for DPAs to levy in a number of instances, including if businesses intentionally or negligently process personal data without having a legal basis for doing so, break rules on profiling, fail to notify data breaches or transfer personal data outside of the EU without putting in place adequate data protection safeguards.
Data protection law expert Marc Dautlich of Pinsent Masons, the law firm behind Out-Law.com, said: "The maximum fines currently proposed for contraventions of the GDPR are lower than those originally intimated by the Commission but remain linked to global annual turnover. As a result, they remain potentially enormous and – like competition law fines, which are also linked to annual turnover – this will have a substantial impact upon the resources required by DPAs to administer them."
"Firstly, unless there is consistency across different DPAs in when they apply the fines, and in the amounts levied, DPAs can expect to be challenged or, over time, to see data controllers 'forum shopping' for the most favourable jurisdiction in which to establish themselves," he said. "So the amount of cross-border co-ordination required between the DPAs will increase by an order of magnitude. Secondly, well thought-out supervisory guidance will be needed, just as has emerged in competition law, where the guidance on fines is voluminous, for example to explain how fines are calculated, what constitutes relevant turnover and the extent to which this includes turnover of subsidiaries, and many other similar questions."
"Thirdly, and whether there is guidance or not, expect the number of challenges to DPA fines to increase substantially. Wherever there is potentially a lot of money and corporate reputation at stake, this is inevitable. In turn, therefore, DPAs will inevitably find the level of care needed in building the case for issuing the fine and then in administering it will substantially increase. If the Regulation continues to take shape in the way that it has been doing, UK information commissioner Chris Graham is absolutely right in his recent call for adequate resources for DPAs," Dautlich said.
According to the paper, the UK government has expressed concern that giving DPAs the power to serve "high fines" for data protection breaches would lead businesses to challenge those decisions more before the courts and result in organisations seeking "less help to verify a potential breach". It favours a "name and shame" sanction over fines for breaches of the GDPR.
The non-binding document is authored by the Latvian presidency of the Council of Ministers, which along with the European Parliament will need to approve the wording of the GDPR before it can come into force.
The justice and home affairs committee within the Council of Ministers is scheduled to next meet formally in mid-June, when it is possible that an announcement could be made that the 28 EU governments have reached agreement on the text they would like to see contained in the GDPR. Should such a consensus be reached, final negotiations with MEPs on the Regulation's drafting could begin shortly thereafter.