The data protection agencies have issued enough GDPR fines to draw some conclusions about what actions companies can take to mitigate their punishment. Recently published frameworks and EU opinions also shed light on the future of GDPR fines.

The purpose of the EU’s General Data Protection Regulation was to give everyday EU citizens greater control over how their personal data is collected and used. Given how reliant many companies are on processing their users’ personal data (and how big some of these companies are), getting these companies to comply with the GDPR meant the data protection agencies had to have serious teeth to punish infractions. And Article 83 certainly got businesses’ attention with its two-tiered fine structure: relatively minor infringements are “subject to administrative fines up to €10 million, or in the case of an undertaking, up to 2 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher,” while more serious infractions are “subject to administrative fines up to €20 million, or in the case of an undertaking, up to 4 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher.”

The GDPR was passed on May 25, 2018, but it was not until recently that companies had a clear picture of how GDPR fines would be applied. This article will examine the fines that have been assessed so far to see what lessons can be learned. We will also look at two important documents from the EU and the Dutch DPA that contain clues about what GDPR fines will look like in the future.

Lesson 1: Expect more GDPR fines in 2019

The Polish data protection agency, known as the UODO, only issued its first GDPR fine on March 26, a €220,000 fine to an unnamed firm. This firm was found to have intentionally violated the GDPR when it scraped public data on some six million Polish citizens, including their names, email addresses, telephone numbers, and addresses, but only attempted to contact 90,000 data subjects to obtain their explicit consent to use their data.

This ruling provides an important precedent on how the data processing industry scrapes and uses public data. It establishes that these companies must at least make an effort to contact the data subjects to get their consent to use their data. It also shows that nearly one year after the GDPR became the law of the land, we are still in the early days of enforcement.

Part of this is to be expected. The GDPR is as complicated for regulators as it is for the businesses being regulated. Many of these regulatory bodies spent most of 2018 staffing up, finalizing their internal procedures, and finishing their last pre-GDPR investigations. Moreover, it was always assumed that there would be a glut of cases at the introduction of the GDPR as businesses adapted to the new regulations. The European Data Protection Board (EDPB) released a preliminary report stating that of the 206,326 cases reported under the GDPR across the 31 countries in the European Economic Area (EEA), the national DPAs have resolved only 52 percent.

As regulators work through this backlog, businesses can expect more fines of greater amounts.

Lesson 2: Businesses can receive reduced GDPR fines by cooperating

One of the first fines levied under the GDPR was against an unnamed German social media provider (later confirmed to be Knuddels.de) for a data breach that exposed 330,000 users’ email addresses in September 2018. Knuddels immediately took steps to resolve the situation, including informing its users of the breach, temporarily deactivating the affected accounts, reporting the breach to the German data protection agency (the LfDI), and taking steps to improve the security of its platform.

In response, the LfDI issued a fine of €20,000, saying it was a proportionate punishment and citing the company’s “exemplary cooperation” and transparency as the reason it did not deliver a more severe punishment.

Lesson 3: GDPR fines are generally well below the maximum amount allowed

The EDPB, which is made up of regulators from across the EEA, released its preliminary report examining the first nine months of the implementation of the GDPR. According to the report, the fines issued under the GDPR totaled €55,955,871, but almost 90 percent of this amount is due to a single fine: the €50 million fine Google received from CNIL, the French data protection agency. While the EDPB report does not specify how many fines have been issued, by using the 91 fines described in the DLA Piper survey released in February and removing the Google outlier, we can calculate that the average GDPR fine a company faced was approximately €66,000. Furthermore, when you consider that the report says DPAs have already handled roughly 100,000 self-reported breaches and user complaints under the GDPR, it becomes clear that most DPAs are being conservative when assessing GDPR fines.

Looking forward: The framework surrounding GDPR fines is still being created

The Dutch data protection agency, the Autoriteit Persoonsgegevens, released the framework it will use to determine how severe a fine will be. While Article 83 was effective at grabbing headlines (a fine of 2 percent or 4 percent of global annual revenue will get any business’s attention), it gave very little concrete guidance as to how a data protection agency should calculate the amount of a fine. (The GDPR does specify 10 criteria DPAs must use to calculate GDPR fines.)

The Dutch framework has four categories of violations, and each category has a defined “default” fine, along with a range of possible fines depending on the severity of the violation.

Category I applies to relatively simple or clerical violations. Failing to share the contact details of the company’s Data Protection Officer (DPO) or to adequately record the responsibilities of processors or joint controllers both qualify as Category I violations.

Category II applies when a company does not fulfill specific GDPR requirements regarding data processing. Examples include failing to conclude a data processing agreement with its processor, to respect the DPO’s independence, to conduct an impact assessment, or to adequately secure its users’ personal data.

Category III violations refer to a company’s refusal to be transparent, such as failing to notify users and the Dutch data protection agency of breaches or refusing to cooperate with the Dutch DPA.

Category IV violations are the most severe. They apply to the unlawful processing of special categories of data (such as the national identification number), illegal profiling, or refusing to comply with specific directives from the Dutch DPA.

GDPR scholars will note that the Category I and II violations do not map exactly onto those punishable by the lower tier of GDPR fines (€10 million or 2 percent of global annual turnover), nor do Category III and IV violations correspond exclusively to those punishable by the upper tier of GDPR fines (€20 million or 4 percent of global annual turnover). The Dutch DPA also reserves the right to levy the maximum fine allowable under the GDPR if it finds this framework not proportionate to the offense.

The head of the UK’s Information Commissioner’s Office (ICO) said they are coordinating with both the Dutch and Norwegian DPAs to create a harmonized framework. Look for more countries to follow the Netherlands’ lead.

Looking forward: ePrivacy violations count toward GDPR fines

On March 12, the EDPB issued an opinion that went a long way toward clarifying the interplay between the ePrivacy Directive and the GDPR. One of the most important rulings was that violations of the ePrivacy Directive could be factored into a GDPR fine as long as a country’s national laws designate the same data protection agency in charge of enforcing both pieces of legislation.

This is an important distinction, because the ePrivacy Directive is implemented through national legislation. While ePrivacy fines vary from nation to nation, they are almost always lower than the maximum allowed GDPR fine. For example, the UK’s ICO capped the penalties for violating the ePrivacy Directive at £500,000. However, according to the EDPB’s opinion, certain data processing activities, like using cookies for behavioral advertising, fall under the material scope of both the GDPR and the ePrivacy Directive.

Furthermore, the EU’s Advocate General has now linked the GDPR’s definition of consent, which requires an unambiguous affirmative action, to the ePrivacy Directive. On March 21 in the Planet49 case, the AG’s office ruled that pre-ticked boxes do not qualify as a user’s express consent for cookies, clarifying that the GDPR’s strict conditions for valid consent, described in Article 4, are applicable when judging the validity of consent under the ePrivacy Directive, notably under Recital 25. Together, these rulings underline the proper way to obtain a user’s consent and why that consent is so critical.

No company wants to pay a GDPR fine. By using our GDPR checklist and keeping up to date on the latest developments and interpretations of the different regulations, you can avoid costly GDPR violations.