Effective, proportionate and dissuasive¹
The European Union’s General Data Protection Regulation² (“GDPR”) is based on a clear mission: imposing the European understanding of privacy on the world – or at least on multinational companies. This approach will be enforced by a significant increase of the penalties that until now were only known in anti-trust law. Supervisory authorities will have the power to issue fines of up to EUR 20 million or 4 % of annual turnover – whichever is higher. The latter will only apply to undertakings, but comprises the total worldwide annual turnover in the preceding fiscal year. The recitals of the GDPR remove any doubt and explicitly refer to the definition of an undertaking under EU anti-trust law. Anti-trust lawyers know that this indicates the application of the “single economic entity doctrine”. Thus, non-compliant data processing could lead to fines that take into account the worldwide annual turnover of a local company as well as its parent and affiliated companies. The threat for companies becomes even more obvious in connection with the introductory sentence of art 83 of the GDPR, under which each supervisory authority has to ensure that each fine is effective, proportionate and dissuasive in each case.
In general, the GDPR provisions imposing these sanctions are addressed to the controller – the one who determines the purpose and means of the personal data processing. Usually, the company qualifies as the “controller” – and the GDPR apparently wanted to address its fines at the companies. However, under current Austrian administrative criminal law, companies are only liable if certain criteria are met. The principal rule is that the fine is imposed on the body that is authorised to represent the company externally,³ ie the managing director(s). Although the managing directors would have the option to appoint a responsible representative,⁴ the liability will not entirely pass to this person. Moreover, the responsible representative has to consent to this appointment. In any case, the penalty addressee under the current provisions would be a natural person, meaning it will become difficult and expensive to find a volunteer willing to play this role.
Sanctioned GDPR requirements
What’s more, the threat of extremely high sanctions is not reserved only for gross breaches of the GDPR, but indeed for all kinds of GDPR requirements, especially the basics of data protection. For instance, if the controller processes the personal data of a child without the prior consent of the parent, or if the company lacks appropriate technical and organisational measures to ensure data protection in connection with data protection by design and by default, the fine could be up to EUR 10 million (or 2 % of total global annual turnover).
An even higher penalty of up to EUR 20 million or 4 % of total global annual turnover could be imposed for violations of the basic principles of processing (including conditions for consent) or violations of the data subjects’ rights or non-compliance with international data transfers, to list only a few examples.
While the GDPR establishes these as maximum fines, art 22 para 2 of the Austrian Administrative Penalty Act provides that sanctions can be accumulated. This would be the case, for example, if several GDPR offences are committed with several independent acts. Say, for instance, that a company develops an app which is downloaded on a mobile device and does not comply with the privacy by design/default provisions. The app is designed for minors, but parental consent is not obtained and the data is transferred to the US without having model clauses or the like in place. Insolvency, here we come!
Light on the horizon?
Luckily, the supervisory authorities will take into account certain parameters when issuing the fines. Due regard will be given to the nature, gravity and duration of the infringement, in view of the nature, scope or purpose of the processing in question, as well as the number of data subjects affected and the level of damage they have suffered. The intentional or negligent character of the infringement or the categories of personal data affected by the infringement will also be taken into consideration. The latter obviously leads to a higher compliance benchmark for companies that regularly deal with sensitive data.
The homework assignment is clear: analysing corporate data protection and the current level of compliance, plus setting all necessary preparatory steps. D-Day for data protection compliance is set: 25 May 2018.
¹ GDPR, Article 83.
² Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
³ Art 9 Administrative Penalty Act (Verwaltungsstrafgesetz, VStG).
⁴ Art 9 Administrative Penalty Act (Verwaltungsstrafgesetz, VStG).