Since the first enforcement actions have been initiated, some with significant fines, many companies may find themselves somewhat at a loss as they may not fully know how to assess the risks involved and how to react should an enforcement action be initiated against them. Here we will give a high-level overview on risks and strategies in enforcement actions.
In the first part of this overview, we will provide an overview of the more significant administrative fines imposed by the European supervisory authorities in proceedings over the past 12 months to help gain a better understanding of the overall enforcement landscape and how enforcement actions have developed.
In the second part, we will elaborate on the Guidance on the Assessment of Fines the German Conference of the independent data protection authorities of the German Federal State and the Länder (“DSK“) published on 14 October 2019. This guidance can help companies better assess risks either in an ongoing enforcement proceeding or also more prospectively, for example, in cases when investors want to better understand the risks of certain businesses before making a purchasing decision.
In the third part, we will outline how companies should react in the case they are contacted by a supervisory authority. While supervisory authorities will most often begin an investigation by sending a letter containing infringement allegations with a request seeking further information, an overly comprehensive response may often, but will certainly not always, be appropriate. We will illustrate the degree to which companies are obliged to participate in enforcement proceedings and the potential consequences a lack of participation in such proceedings can have.
I. Enforcement Proceedings in 2019
The EU General Data Protection Regulation 2016/679 (“Regulation” or “GDPR“) harmonized and significantly increased the requirements for compliance in European data protection law. The more stringent requirements are safeguarded by the threat of significant fines which have to be assessed as follows: Art. 83 (1) GDPR states that the imposition of administrative fines “shall in each individual case be effective, proportionate and dissuasive“. It is noteworthy, that in particular the dissuasive effect of a fine has been recently used by an authority in a fine proceeding. The State Commissioner for Data Protection and Freedom of Information for Rhineland-Palatinate in connection with several breaches of the Regulation relating to sensitive patient data justified the fine, inter alia, by the fact that overall substantial progress should be made in “health data protection” (please find the German language press release here). This means no less than that the fine should have a dissuasive effect.
As a result, companies that do not comply with data protection requirements face an increasing risk of substantial fines. Over the past year, European supervisory authorities have imposed in some cases remarkably high fines for infringements of the Regulation.
Since May 2018, the European data protection supervisory authorities have received tens of thousands of reports of breaches and violations of the applicable data protection law. The fines of the ten highest fines imposed by supervisory authorities alone amount to EUR 402.6 million in 2019. The most remarkable proceedings in this respect are the following:
The lead position for the highest fine goes to the UK Information Commissioner’s Office (“ICO“) which issued a notice on 8 July, 2019 of its intention to impose a fine on British Airways amounting to EUR 204.6 million (please find the press release of the ICO here). The ICO imposed the fine for inadequate technical and organizational measures that allowed attackers to forward traffic of the British-Airways website to a fraudulent site. Through this false website, the attackers harvested details of approximately 500,000 customers. In 2018, British Airways had a worldwide annual turnover over of GBP 13 billion which resulted in a fine to the annual turnover ratio of roughly 1.5 %.
The ICO is also responsible for the second highest fine. The notice of its intention to impose a fine of EUR 110.4 million was issued on 9 July, 2019 against the hotel group Marriott International (please find the press release here). Due to inadequate technical and organizational measures, more than 339 million guest records worldwide were unintentionally disclosed in the period of 2014 through 2018. The ICO believes that the vulnerability began when the systems of the Starwood hotels group were compromised in 2014. Marriott subsequently acquired Starwood in 2016, but the exposure of customer data was not discovered until 2018. The ICO’s investigation led to the conclusion that Marriot failed to undertake sufficient due diligence when it bought Starwood and should have also done more to secure its IT systems. In 2018, Marriott International had a worldwide annual turnover over of GPB 20.75 billion which resulted in a fine to the annual turnover ratio of roughly 0.5 %. This demonstrates how important it is to conduct a thorough and comprehensive due diligence of the potential liability risks associated with a target’s data protection compliance and its IT security measures in M&A transactions.
On 21 January, 2019, the French supervisory authority CNIL imposed a fine of EUR 50 million on Google LLC (please find the press release here). It is remarkable in this case that Google LLC was not sanctioned based on a data breach, but rather on the findings of a lack of transparency, inadequate information and a lack of valid consent regarding personalization of advertisements. This means that high penalties can be imposed even if a violation does not lead to a data breach, but rather when the principles of the Regulation are not observed. In 2018, Google LLC had a worldwide annual turnover over of USD 136.91 billion, which resulted in a fine to the annual turnover ratio of roughly 0.03 %. In absolute figures, the fine appears to be significant, but may be considered negligible in relation to the group’s turnover.
The highest fine issued to a German company to date of EUR 14.5 million was to, Deutsche Wohnen SE, a real estate company, by the Berlin Commissioner for Data Protection and Freedom of Information (“Berlin Commissioner“) (please find the press release here) which was issued on 30 October, 2019. Deutsche Wohnen SE used an archive system for the storage of personal data that did not allow for the deletion of personal data which was no longer required. Further, the personal data of tenants was stored without an assessment on whether the processing is permissible or even necessary. In the opinion of the Berlin Commissioner, Deutsche Wohnen SE had thus fundamentally violated the GDPR principles for the processing of personal data. In the assessment of the fine, the Berlin Commissioner had particularly noted and taken into account that Deutsche Wohnen SE had been previously advised to change its archiving system after a first audit in 2017, but by the next audit in March 2019, nine months after the GDPR came into force, no legally compliant solution had been implemented. In 2018, Deutsche Wohnen SE had a worldwide annual turnover over of EUR 1.1 billion which resulted in a fine to the annual turnover ratio of roughly 1.3 %. The severity of the fine was largely influenced by the fact that the company had not remedied an existing infringement after the initial investigation. Even without explicit mention, the Berlin Commissioner applied the newly established principles for the admeasurement of fines in proceedings described below in order to calculate this fine.
The German regulators are now obviously getting more active: On December 9th, 2019, the Federal Data Protection Commissioner issued a fine in the amount of EUR 9.55 Mio EUR against a German telecommunication service provider for lack of sufficient security against spying of customer data even though the service provider had cooperated with the Federal Data Protection Commissioner (please find the press release here). Obviously, a collaborative approach is no longer a secure path to prevent significant fines.
These enforcement proceedings are illustrative of the fact that the assessment of a fine is dependent on the circumstances of each individual case. The German supervisory authorities have now on 14 October 2019 published a concept for the assessment of a fine (“Concept“) which gives some further guidance and framework to work with. The English text of the Concept is available here.
II. DSK Guidance
The principles for the assessment of fines by the European data protection authorities are based upon certain guidelines established by the Article 29 Data Protection Working Party (WP 253) which have been accepted by the European Data Protection Board (“EDPB“). The EDPB intends to issue further guidelines on the setting of administrative fines pursuant to Art. 70 (1) lit. k GDPR for supervisory authorities.
The Concept has only a limited scope of application. It applies only to German supervisory authorities and could be superseded by the final guidelines to be adopted by the EDPB. Furthermore, the Concept does not apply to individuals or associations outside their economic activities, and it is neither binding for cross-border cases nor for fines determined by courts of law. However, the Concept does provide general principles which might be followed by supervisory authorities in Europe in determining fines pursuant to Art. 83 GDPR.
The Concept follows a five-step approach which starts by determining the worldwide annual turnover of the preceding fiscal year of the undertaking in question. The DSK believes that the annual turnover of an undertaking “represents a suitable, appropriate and fair basis to guarantee effectiveness, proportionality and dissuasiveness when imposing significant fines”.
Based on the annual turnover, the undertaking is categorized into one of four groups based on size:
- “micro enterprises” of up to EUR 2 million;
- “small enterprises” of between EUR 2 million and EUR 10 million;
- “medium enterprises” of between than EUR 10 million and EUR 50 million; and
- “large enterprises” of more than EUR 50 million.
Each group provides for further sub-categories depending on the annual turnover, e.g., micro enterprises with an annual turnover of more than EUR 700,000 up to EUR 1.4 million. These sub-categories are used to calculate the average annual turnover in the next step. The DSK believes that based on recital 150 GDPR, the term “undertaking” has to be understood in accordance with Art. 101 and 102 of the Treaty on the Functioning of the European Union (“TFEU“). As a consequence, the DSK not only looks at the turnover of the allegedly infringing company alone but also at the one of the entire group of affiliated companies. This all significantly increases the liability risk of non-European group companies for their European subsidiaries. International corporations are therefore encouraged to also implement adequate data protection measures on their subsidiaries through sufficient control and guidance.
In the second step, the average annual turnover of the sub-category, into which the undertaking was allocated, has to be determined. The average annual turnover of each sub-category is calculated based on the minimum and maximum annual turnover of each sub-category. This step is required to determine the economic basic value in the next step.
In the third step, the economic basic value is calculated by dividing the average annual turnover of the respective sub-category by 360 (days). The result is an average daily rate which builds the basis for the application of multipliers determined in steps 4 and 5.
In the fourth step, the fining framework is determined depending on whether a formal (Art. 83 (4) GDPR) or material (Art. 83 (5), (6) GDPR) infringement occurred. The degree of severity of the act would then be determined in light of the circumstances of each individual case and based on the criteria laid down in Art. 83 (2) GDPR. The authorities in particular would take into account:
- the nature, gravity and duration of the infringement;
- the intentional or negligent character of the infringement;
- any action taken by the controller or processor to mitigate the damage suffered by data subjects;
- any relevant previous infringements;
- the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement; and
- the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor reported the infringement.
The severity of the infraction can then be classified into light, medium, severe and very severe. The multiplier for formal infringements can vary between one and six for slight to severe deeds and over six for very severe deeds. The multiplier for formal infringements can vary between one and 12 for slight to severe deeds and over 12 for very severe deeds. In the case of very severe deeds, it must be ensured that the fining framework of Art. 83 GDPR is not exceeded.
In the last step, the multiplier determined under step 4 can be adjusted based on all circumstances that are for and against the alleged perpetrator, provided they have not already been taken into consideration under step 4.
The principles for the assessment of fines are very similar to the principles for calculating fines under German criminal law. Thus, some parallels drawn from this area of law might help undertakings reduce fines. Because the undertaking has control over the actions taken to mitigate the damages suffered, the degree of cooperation with authorities and the manner in which the infringement became known to the supervisory authorities, there is much potential to positively influence the admeasurement of a fine. However, this requires immediate, strategic and well-planned actions. Undertakings should therefore have an appropriate data breach policy, and its personnel should have been trained by conducting data breach tabletop exercises.
III. Strategy Considerations in Administrative and Fine Proceedings
How to react when you receive a letter from a supervisory authority?
It is common practice of the supervisory authorities to reach out to a company in form of an informal initial request, e.g., to gain further information on a complaint made by a data subject. Such requests are not considered formal administrative proceedings (Verwaltungsverfahren). However, according to Art. 31 GDPR, it could be interpreted that companies are required to cooperate with the authorities since “the controller and the processor […] shall cooperate, on request, with the supervisory authority in the performance of its tasks“.
Authorities may send such a request to the data protection official or the representative of the undertaking. Considering the fact, however, that there are severe consequences in providing wrong or too much information which may reflect negatively on the current state of data protection compliance, it is highly recommended to control all further correspondence with the authorities and get the strategy reviewed by Legal.
Authorities may also compel the cooperation of the controllers or data processors by entering into a formal administrative proceeding based on its investigative powers. The exercise of the powers conferred on the authorities are subject to appropriate safeguards, including effective judicial remedy and due process.
However, the rules for the requirements to cooperate in enforcement proceedings that can result in fines (Ordnungswidrigkeitenverfahren) are likely determined in each member state by its procedural enforcement rules and depend on the form of enforcement the authorities initiate its proceeding. It must be distinguished between informal, formal and fine proceedings. However, in general, the powers to enforce a cooperation are very limited, in particular, the supervisory authorities are in general not empowered to impose fines for a lack of cooperation.
The lack of empowerment in particular includes informal proceedings. There is no legal requirement to cooperate nor can the same be derived from GDPR. Further, as in criminal proceedings, the principle against self-incrimination applies in enforcement proceedings that can result in fines. The European Court of Justice (“CJEU“) in decisions on antitrust law recognized the principle against self-incrimination, meant primarily for individuals, applies to undertakings as well. If such a fundamental principle of criminal law can be transposed and applied in the context of a civil law proceeding such as in antitrust cases, one may more than reasonably and credibly infer that the same would apply in the context of data protection cases.
In Germany, the scope to which authorities can use information provided by an undertaking are limited by the BDSG. According to BDSG, authorities are not allowed to use information gained by undertakings’ fulfilment of obligation to notify the authorities and data subjects pursuant to its obligations under GDPR (data breach notification) in fine proceedings or criminal proceedings against the one who is under the obligation notify. However, the provisions of the BDSG only limit the utilization of such information in proceedings under German Law. Thus, a risk remains that other European data protection authorities might request and use this information via administrative assistance proceedings. Therefore, in course of such proceedings, undertakings should always consider to provide comprehensive information, in particular if the data breach only refers to Germany. However, this may not reduce the already existing risk that authorities may initiate investigations to assess the undertakings overall compliance with data protection laws. One should thus carefully weigh these competing interests taking into account the general level of compliance of a company and how much information is sensible to provide – a lack of cooperation in an administrative proceeding may have negative implications on the authority’s decision whether to impose a fine and the amount of a fine.
IV. Analysis and Takeaways
Companies should be prepared for administrative proceedings due to the breadth and reach of the GDPR. The record fines imposed in 2019 proved, for example, that inadequate technical and organizational measures, the processing of personal data without a corresponding or sufficient legal basis in the GDPR and a noncompliance with the principles of data processing can lead to considerable fines. In addition to the actions which could be taken by authorities for GDPR infractions, other consequences of a data breach or data protection violations, such as claims for damages by data subjects, should also be taken into account. In particular, the number of potential claims for damages is unpredictable but may result in additional substantial financial losses.
As far as undertakings are faced with inquiries or requests by supervisory authorities, e.g., due to a complaint by data subjects or due to the notification obligations pursuant to Art. 33 GDPR, a cooperative approach is generally recommendable but not legally required. In fine proceedings, in particular, cooperative behavior by the company must be taken into account by the authorities as a mitigating factor when calculating a fine. However, companies should be aware that cooperation cannot really be forced, in particular, in informal proceedings and in fine proceedings. In fine proceedings, the requirement to cooperate might conflict with the general legal principle against self-incrimination. Multinationals should also need to consider, in particular, whether a broad cooperation with European supervisory authorities could have adverse legal consequences, for example with respect to the attorney-client privilege in their domestic jurisdiction. To find the appropriate balance between cooperation and freedom from self-incrimination and other legal requirements, companies should consult their internal legal department or external legal advisors at an early stage.
If, in spite of all the precautions that have been taken, fine proceedings are nevertheless initiated, the concept of the DSK is a valuable instrument for determining the financial impact of an infringement. Undertakings may establish appropriate provisions in accordance with the information available to them. Whether the concept of the DSK will serve as a blueprint for the concept to be established by the EDPB in the near future is still uncertain.