After years of a laborious and, at times, controversial process, Europe’s General Data Protection Regulation (GDPR) went into effect a week ago today. The regulation brings significant new requirements for data privacy and data protection to organizations far beyond Europe—including businesses in the United States.
Last fall on The Relativity Blog we published The EU General Data Protection Regulation (GDPR): What You Need to Know, giving you background on the regulation, some of the key provisions, and some tips for compliance. In this GDPR Week One update, we’ll provide some fresh analysis, a deep dive about the potential fines, and some background on the first complaints filed under the GDPR.
GDPR Fines: Y2K for a New Generation?
For better or worse, potential fines have probably been the biggest GDPR topic since the European Parliament approved the regulation in 2016.
Has this preoccupation with fines been a distraction from more substantive conversations on GDPR issues, such as "data protection by design and default” or the derogations for international data transfers articulated in Article 49?
For comparison, let’s turn back the clock almost two decades: people may have been partying as if it were 1999, but many were also obsessed with the impending doom of Y2K.
An abbreviation for “Year Two-Thousand,” it was the fear that—because computer programs were written with only two digits for the year—when January 1, 2000 arrived, computers would go haywire, thinking it was 1900. Banking, transportation, nuclear reactors, and life as we knew it would come to a screeching halt.
Planning committees and conference panels were formed. News specials aired, and people braced for Doomsday as the ball in Times Square started ascending on New Year’s Eve 1999.
Alas, Western Civilization kept rolling right along.
Are GDPR fines the Y2K of a new generation?
The Nuts and Bolts of GDPR Fines
We should never minimize the potential catastrophic impact of the maximum GDPR fine. Four percent of global turnover (the Queen’s English for “revenue”) can be a lot of money.
If we look at Fortune’s Global 100 for 2017, the Number 1 company, Walmart, had global revenue of almost $486 billion, and the Number 10 company, Exxon Mobil, had about $205 billion. If we split the difference and go with Number 5, Toyota Motor, the global revenue is almost $255 billion.
Using that $255 billion figure, the potential GDPR fine is over $10 billion.
But, are you going to get fined $10 billion because you accidentally shipped a data file with some personally identifiable information?
Almost certainly not.
How GDPR Fines Will Work
As we’ve discussed before, the GDPR has a two-tiered structure for administrative fines, located at Article 83 of the regulation.
Some violations (or “infringements of the provisions” in GDPR-speak) have potential fines of up to EUR 10 million or two percent of worldwide annual revenue, whichever is greater.
Other, more serious infractions, such as non-compliance with an order from a supervisory authority, trigger the higher potential fines of up to EUR 20 million or four percent of worldwide annual revenue, whichever is greater.
Of special interest to cross-border e-discovery practitioners is that violations of the provisions on transfers of personal data to a recipient in a third country or an international organization (Articles 44-49) are subject to the heavier penalties.
Having said that, there’s more to the administrative fine structure than merely the two tiers. Article 83 also lists 11 factors to be considered when determining fines. Pulled directly from the regulation, they are:
- the nature, gravity, and duration of the infringement taking into account the nature, scope, or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
- the intentional or negligent character of the infringement;
- any action taken by the controller or processor to mitigate the damage suffered by data subjects;
- the degree of responsibility of the controller or processor taking into account technical and organizational measures implemented by them pursuant to Articles 25 and 32;
- any relevant previous infringements by the controller or processor;
- the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
- the categories of personal data affected by the infringement;
- the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;
- where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject matter, compliance with those measures;
- adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and
- any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.
As you can see from these provisions, there is a veritable cornucopia of factors supervisory authorities will consider when assessing fines.
Are you a repeat offender? Were you merely negligent or are you an intentionally nefarious data villain? Did you do anything to help mitigate the damage? Did you implement proper technical and organizational safeguards as provided in Article 25 (Data Protection by Design and Default) and Article 32 (Security of Processing)? Did you cooperate with the supervisory authority?
Although the GDPR has been in effect for only one week, depriving us of substantive direction from supervisory authorities, the Article 29 Working Party, a creation of the 1995 Data Protection Directive, issued helpful guidance in October 2017 with Guidelines on the application and setting of administrative fines for the purposes of Regulation 2016/679. (Note: Regulation 2016/679 is the GDPR.)
Know Your Data Protection Authority
One of the main goals of the GDPR is to harmonize data protection requirements across the European Union and the European Economic Area (the EU plus Iceland, Liechtenstein, and Norway). However, the GDPR also provides that each member state gets a supervisory authority, known as a data protection authority (DPA).
These DPAs do have some discretion, and a recent compendium of DPA perspectives by the International Association of Privacy Professionals (IAPP) provides some insight.
For instance, Helen Dixon, the DPA for Ireland, notes, “There will be fines, and they will be significant,” although she tempers her remarks somewhat by noting these fines will be based on infringements of a “gravity, duration, and scope that is serious.”
British DPA Helen Denham adds, “Voluntary compliance is still the preferred route, but we will back that up with tough action where it’s necessary.”
Andrea Jelinek, the DPA for Austria—who also chairs the Article 29 Working Party—makes reference to the 2016 approval of the GDPR with its two-year period before it took effect.
“It’s not our first task to fine, it’s our first task to see if you’re compliant—and if you’re not compliant, it will be a problem. There are no grace periods because the grace period was already two years,” Jelinek said.
Finally, the French DPA and former Article 29 Working Party chair, Isabelle Falque-Pierrotin, noted the importance of information governance.
“You need to make sure that this question of compliance is not focused on the legal departments, but throughout the company. It is a strategy question; it’s not a technical legal question. It has to raise to all levels of the company and obey to a strategic decision from the top,” Falque-Pierrotin noted.
It’s important to note that—if an organization has operations in more than one member state—it may have to deal with more than one DPA.
What Happens Now?
What was the most significant event of Week One of the GDPR?
It should come as a surprise to absolutely no one that Max Schrems, noble hero for many privacy advocates, but almost constant consternation to many tech companies (after all, he did manage to invalidate the EU-US Safe Harbor Framework), was behind the first complaints filed under the GDPR.
It should also come as little surprise that Schrems’s first targets were Facebook, Alphabet-Google, and the Facebook subsidiaries, Instagram and WhatsApp.
Schrems—through his organization NOYB (None of Your Business)—filed his complaints within an hour of the GDPR becoming effective.
The NOYB complaints allege, among other things, that Facebook’s “forced consent” violated the GDPR. You can see more about the complaints here. Facebook’s chief privacy officer, Erin Egan, has told multiple media outlets of the company’s GDPR compliance efforts.
For the convenience of regulators, Schrems and NOYB provided calculations of what an appropriate fine might be at the end of the complaints. For instance, he calculated Alphabet Group’s revenue at $101.85 billion (about EUR 94.79 billion), and provided the four percent figure for worldwide revenue, about EUR 3.79 billion.
Welcome to the Brave New World of the GDPR.