Many organisations are already aware of the fact that the General Data Protection Regulation ('GDPR') considerably extends the power of the Supervisory Authorities to impose fines. This extended power is undoubtedly a strong incentive for organisations to implement the GDPR and become privacy proof.
But what additional obligations does the GDPR impose compared to the older Data Protection Directive that it replaces (in the Netherlands this directive is implemented in the Wet bescherming persoonsgegevens (WBP))? How high can fines be under the GDPR? And when are the Supervisory Authorities entitled to impose a fine? These and other questions are discussed in this article.
The Supervisory Authorities supervise compliance with privacy legislation in the Member States. In the Netherlands this is the Autoriteit Persoonsgegevens. The Supervisory Authorities have a number of powers. For example, they can issue a warning, give a binding instruction and impose a temporary or definitive ban on processing.
An organisation can also be ordered to comply with a request from a data subject for the exercise of his or her rights. Last but not least, an order under administrative coercion, an order subject to an incremental penalty and/or a fine can be imposed.
Under the WBP a maximum fine of € 820,000 can be imposed for a violation. However, the fining policy of the Dutch Data Protection Authority (hereinafter: 'the Authority') indicates that the maximum fine will only be imposed in very specific cases, for example for a violation of the prohibition on processing special categories of personal data.
In addition, under the WBP a fine may only be imposed after the Authority has given a binding instruction. The only exception to this principle is where the breach was committed intentionally or is the result of grossly culpable negligence on the part of the data controller.
In the binding instruction, the Authority indicates what conduct is expected of the offender on the basis of the WBP and, where possible, instructs the offender to remedy the breach in whole or in part. The Authority sets a time limit within which the instruction must be complied with. Failure to comply with the instruction is in itself sufficient ground to impose a fine. The combination of a binding instruction with the power to fine resembles an order subject to an incremental penalty.
Under the GDPR, the Authority will be able to impose much higher fines. The maximum fine is € 20 million or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. This maximum applies where the basic principles for processing or the rights of data subjects have been violated, or where an order of the Authority has not been complied with.
A maximum fine of € 10 million or 2% of the total worldwide annual turnover, whichever is higher, applies to roughly all other breaches of the obligations and responsibilities of controllers and processors, for example where a data breach has not been reported to the Authority.
Another important difference from the WBP is that the GDPR contains no formal thresholds for the imposition of a fine. The GDPR does not, for example, require that a binding instruction precede a fine. However, the Dutch Raad van State (which advises the Dutch government on new legislation) notes that this does not mean that the prior binding instruction is definitively off the table.
The GDPR also lists a number of circumstances that must be taken into account when the Authority considers imposing a fine and when determining its amount. These circumstances relate to the nature, gravity and duration of the infringement, its intentional or negligent character, the degree of responsibility, any relevant previous infringements, and so on. It is therefore not expected that fines will be imposed lightly. The Article 29 Working Party has set out in its guidelines how the various elements should be weighed against each other when imposing an administrative fine.
The Dutch Implementation Act
Furthermore, the Dutch legislator has indicated in the Explanatory Memorandum accompanying the GDPR Implementation Act (Uitvoeringswet AVG) that both the Authority and industry in the Netherlands are familiar with the application of the order subject to an incremental penalty and the order under administrative coercion. According to the Dutch legislator, these instruments have proved to be effective means of rapidly ending violations of (amongst others) privacy legislation without the need to impose an immediate fine. These instruments are therefore retained under the Implementation Act.
In view of the above, it would not surprise us if, at least in the next few years, the Dutch enforcement regime hardly changes in practice.